What is PCI DSS?
If your business touches card data, PCI DSS applies. Here is what the standard requires and how to reduce the effort.
PCI DSS (Payment Card Industry Data Security Standard) is the security standard for any organisation that stores, processes, or transmits cardholder data. It is maintained by the PCI Security Standards Council and enforced by the card brands and acquiring banks, not a government, but non-compliance can mean fines, higher fees, or losing the ability to take card payments.
The current version is PCI DSS v4.0 (with v4.0.1 clarifications). This guide covers who it applies to, the requirements, and the fastest route to compliance: shrinking what is in scope.
- Applies to anyone who stores, processes, or transmits cardholder data.
- v4.0 has 12 requirements grouped under six control objectives.
- Your validation path (SAQ vs ROC) and effort depend on your merchant level and how you handle card data.
- Reducing scope (for example via tokenization or a hosted payment page) is the biggest effort saver.
Who must comply and at what level
Any merchant or service provider handling card data is in scope. The card brands define merchant levels by annual transaction volume, which determines how you validate: smaller merchants often complete a Self-Assessment Questionnaire (SAQ), while larger ones need an on-site assessment and a Report on Compliance (ROC) from a Qualified Security Assessor.
The 12 requirements
PCI DSS v4.0 organises controls under six objectives:
- Build and maintain a secure network and systems (firewalls, no vendor defaults).
- Protect account data (protect stored data, encrypt in transit).
- Maintain a vulnerability management programme (anti-malware, secure development).
- Implement strong access control (need-to-know, unique IDs, physical access).
- Regularly monitor and test networks (logging, and regular VAPT).
- Maintain an information security policy.
How to get and stay compliant
The single highest-impact move is reducing scope: the less card data you store and the fewer systems that touch it, the smaller and cheaper compliance becomes. Tokenization and hosted or redirected payment pages can take most of your environment out of scope.
Beyond that, PCI DSS expects continuous work: vulnerability scanning, penetration testing, monitoring, and evidence that controls operate. Automating that evidence keeps you ready between assessments.
Frequently asked questions
Shrink your PCI scope and stay ready
See what card-touching assets are exposed first, then reduce and monitor them.
Run a free check