What Is PCI DSS? Definition and How It Works

Definition

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements established by the major card networks to protect cardholder data throughout the payment processing environment, applicable to any entity that stores, processes, or transmits payment card data.

How it works

PCI DSS is maintained by the PCI Security Standards Council (PCI SSC), founded by Visa, Mastercard, American Express, Discover, and JCB. The current major version is PCI DSS 4.x: v4.0 was published in March 2022 and replaced v3.2.1 (retired 31 March 2024), and the v4.0.1 limited revision followed in June 2024. Compared to v3.2.1, v4.0 strengthened requirements around authentication (including multi-factor authentication for all access into the cardholder data environment), access control, and introduced the option of targeted risk analysis to set the frequency of certain controls.

The standard is organised into 12 requirements grouped under six goals: build and maintain a secure network and systems (network security controls, secure configurations); protect account data (stored data, data in transmission); maintain a vulnerability management programme (malware protection, secure development); implement strong access control (need-to-know access, identification and authentication, physical access); regularly monitor and test networks (logging and monitoring, security testing); and maintain an information security policy.

Validation level is determined by annual transaction volume and is defined by each card brand and enforced through the merchant's acquirer, not by the PCI SSC. Level 1 applies to merchants processing over 6 million card transactions a year for a single brand and requires an annual on-site assessment by a Qualified Security Assessor (QSA) (or, where the brand permits, a PCI-qualified Internal Security Assessor) and a formal Report on Compliance (ROC). Levels 2, 3, and 4 apply to merchants with lower volumes and permit an annual Self-Assessment Questionnaire (SAQ) chosen to match how the merchant accepts cards, for example SAQ A for card-not-present merchants that fully outsource all card data handling and SAQ D for merchants that handle card data in their own systems.

PCI DSS is not a government regulation but is contractually enforced through card network operating rules. Non-compliant merchants who suffer a data breach face fines from card networks, increased transaction fees, forensic audit costs, and potential loss of card acceptance privileges.

Why it matters

Scope reduction is the most valuable architectural strategy: every system that stores, processes, or transmits cardholder data is in PCI scope. Using tokenisation, hosted payment pages, and point-to-point encryption to minimise the footprint of in-scope systems reduces both the compliance burden and the blast radius of a potential breach.
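Scope reduction only works if you know where card data actually is, and the usual surprise is a full PAN written to an application log or a support database that nobody thought was in scope. The following is an added example for this page (it is not PXP code and not part of the standard itself) of a small PAN discovery and masking routine of the kind used to sweep logs before and after a tokenisation migration. It assumes PANs appear as 13 to 19 digit runs, optionally separated by single spaces or hyphens, uses the Luhn check to discard other long numbers, and masks hits to the first six and last four digits, the maximum PCI DSS allows to be displayed. The sample log lines and the token identifier are constructed; the card numbers are public test numbers.

```python
"""Find and mask primary account numbers (PANs) in free text such as logs.

Illustrative code written for this page, not the page author's or PXP's.
Assumptions: PANs are 13-19 digits, optionally separated by single spaces
or hyphens; anything that fails the Luhn check is treated as not a PAN.
"""
import re

# Candidate run: 13-19 digits, each optionally followed by one space or hyphen,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the permitted separators so only digits remain."""
    return re.sub(r"[ -]", "", candidate)


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (digits only) found in text, in order."""
    return [
        _normalise(m.group(0))
        for m in _CANDIDATE.finditer(text)
        if _is_pan(_normalise(m.group(0)))
    ]


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six (BIN) and last four digits, the most PCI DSS
    permits to be displayed; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_text(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.
    Long numbers that fail Luhn (order ids, trace ids) are left untouched."""
    def repl(m: re.Match) -> str:
        digits = _normalise(m.group(0))
        return mask_pan(digits) if _is_pan(digits) else m.group(0)
    return _CANDIDATE.sub(repl, text)


# Constructed sample log lines. 4111... and 5555... are public test card
# numbers; tok_8f3a9c is a made-up token reference; the trace id is a
# 13-digit number that is not a valid card number.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z order=1001 card=4111 1111 1111 1111 status=approved
2024-05-01T10:00:02Z order=1002 token=tok_8f3a9c status=approved
2024-05-01T10:00:03Z order=1003 card=5555-5555-5555-4444 status=declined
2024-05-01T10:00:04Z trace_id=1234567890123 status=ok
"""

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(mask_text(SAMPLE_LOG))
```

Run against a log directory or a database dump, a non-empty `find_pans` result means that system is storing cardholder data and is therefore in scope, whatever the architecture diagram says; the tokenised line in the sample is what the same log should look like after the hosted-page or tokenisation migration. The Luhn filter removes most false positives from order and trace identifiers, but it is a heuristic: a hit should be confirmed against known BIN ranges before anything is deleted.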

Compliance is annual but security is continuous: a PCI assessment confirms compliance at a point in time, while the standard expects the controls to operate all year. That means quarterly internal vulnerability scans and quarterly external scans by an Approved Scanning Vendor (ASV), daily log review, timely patching (critical patches within one month), periodic access reviews and prompt removal of leavers' accounts, and annual penetration testing, not a clean-up exercise in the weeks before the assessor arrives.

Version migration has deadlines: PCI DSS v3.2.1 was retired on 31 March 2024, after which assessments had to be against v4.x. A set of "future-dated" v4.0 requirements (including several around authentication, e-commerce script integrity, and automated log review) were best practice until 31 March 2025 and mandatory thereafter. Merchants should monitor PCI SSC communications for requirement activation dates and for the v4.0 to v4.0.1 changes, and plan upgrades so that new requirements are in place before their first assessment against them.

Third-party service providers carry their own compliance obligations: merchants who rely on payment providers, hosting companies, and software vendors must verify that those providers have been validated against PCI DSS for the specific services they supply. Requirement 12.8 makes the merchant responsible for maintaining a list of service providers, obtaining their Attestations of Compliance, and agreeing in writing which requirements each party covers; v4.0 also requires service providers to supply that responsibility matrix. A merchant's own compliance does not cover third-party components outside the merchant's control, and a provider's AOC does not cover services that were outside the provider's assessed scope.

With PXP

PXP maintains PCI DSS Level 1 certification, assessed annually by an independent QSA. Merchants using PXP's hosted payment page or tokenisation services remove card data handling from their own environments, reducing their PCI scope to the residual systems that interact with tokens and transaction references.


Frequently asked questions

What are the 12 requirements of PCI DSS?

The 12 requirements cover: 1) network security controls; 2) secure system configurations; 3) protecting stored cardholder data; 4) encrypting data in transmission; 5) protecting against malware; 6) developing secure systems; 7) restricting cardholder data access; 8) identifying users and authenticating access; 9) physical access restriction; 10) logging and monitoring access; 11) regular security testing; 12) maintaining an information security policy.

What transaction volume determines PCI compliance level?

The levels are defined by each card brand; Visa and Mastercard use the following thresholds. Level 1: over 6 million transactions annually for that brand, requiring an annual on-site assessment (QSA or, where permitted, a qualified Internal Security Assessor), a ROC, and quarterly ASV scans. Level 2: 1 to 6 million transactions annually, annual SAQ and quarterly ASV scans. Level 3: 20,000 to 1 million e-commerce transactions annually, annual SAQ and quarterly ASV scans. Level 4: under 20,000 e-commerce transactions or up to 1 million transactions across other channels, annual SAQ and quarterly ASV scans, with validation requirements set by the acquirer. A brand may also assign Level 1 to any merchant that has suffered a breach, regardless of volume.

What is the difference between PCI compliance and PCI certification?

PCI compliance means a merchant or service provider has met all applicable PCI DSS requirements as validated through its annual assessment process. "PCI certification" is an informal term; the PCI SSC does not certify organisations. It is usually used to describe service providers (such as payment platforms and hosting companies) that have been independently assessed by a QSA and issued an Attestation of Compliance (AOC). Merchants should request the AOC from each service provider rather than relying on self-reported claims, check that the services they consume are listed within the assessed scope, and obtain a fresh AOC each year, since an AOC reflects a single annual assessment.

What happens to merchants who are non-compliant and suffer a data breach?

Non-compliant merchants who experience a card data breach face card network fines (typically $5,000 to $100,000 per month of non-compliance), costs of a mandatory forensic investigation (PFI audit), potential loss of card acceptance privileges, reimbursement of fraud losses attributable to the breach, and increased transaction fees. The financial exposure from a breach as a non-compliant merchant is substantially higher than the cost of compliance.