Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesFrameworks & Standards

What is PCI DSS?

If your business touches card data, PCI DSS applies. Here is what the standard requires and how to reduce the effort.

7 min read

PCI DSS (Payment Card Industry Data Security Standard) is the security standard for any organisation that stores, processes, or transmits cardholder data. It is maintained by the PCI Security Standards Council and enforced by the card brands and acquiring banks, not a government, but non-compliance can mean fines, higher fees, or losing the ability to take card payments.

The current version is PCI DSS v4.0 (with v4.0.1 clarifications). This guide covers who it applies to, the requirements, and the fastest route to compliance: shrinking what is in scope.

Key takeaways
  • Applies to anyone who stores, processes, or transmits cardholder data.
  • v4.0 has 12 requirements grouped under six control objectives.
  • Your validation path (SAQ vs ROC) and effort depend on your merchant level and how you handle card data.
  • Reducing scope (for example via tokenization or a hosted payment page) is the biggest effort saver.

Who must comply and at what level

Any merchant or service provider handling card data is in scope. The card brands define merchant levels by annual transaction volume, which determines how you validate: smaller merchants often complete a Self-Assessment Questionnaire (SAQ), while larger ones need an on-site assessment and a Report on Compliance (ROC) from a Qualified Security Assessor.

The 12 requirements

PCI DSS v4.0 organises controls under six objectives:

  • Build and maintain a secure network and systems (firewalls, no vendor defaults).
  • Protect account data (protect stored data, encrypt in transit).
  • Maintain a vulnerability management programme (anti-malware, secure development).
  • Implement strong access control (need-to-know, unique IDs, physical access).
  • Regularly monitor and test networks (logging, and regular VAPT).
  • Maintain an information security policy.

How to get and stay compliant

The single highest-impact move is reducing scope: the less card data you store and the fewer systems that touch it, the smaller and cheaper compliance becomes. Tokenization and hosted or redirected payment pages can take most of your environment out of scope.

Beyond that, PCI DSS expects continuous work: vulnerability scanning, penetration testing, monitoring, and evidence that controls operate. Automating that evidence keeps you ready between assessments.

Frequently asked questions

Is PCI DSS a law?
No, it is a contractual standard enforced by the card brands and acquiring banks. But the consequences of non-compliance, including fines and losing card-processing ability, make it effectively mandatory for anyone taking card payments.
What is the difference between an SAQ and a ROC?
A Self-Assessment Questionnaire is a self-validation used by smaller merchants; a Report on Compliance is a formal assessment by a Qualified Security Assessor, required at higher levels.
How do we reduce PCI scope?
Store less card data and isolate the systems that handle it. Tokenization and hosted or redirected payment pages move much of your environment out of scope, cutting cost and effort.
How does NMT help with PCI DSS?
NMT runs the required vulnerability scanning and penetration testing, monitors your external exposure, and automates control evidence, so you validate and stay compliant with less manual work.

Shrink your PCI scope and stay ready

See what card-touching assets are exposed first, then reduce and monitor them.

Run a free check
Related
Compliance & Assurance solution Guide: What is VAPT? Cybersecurity for NBFCs & fintechs