Glossary

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is the mandatory security standard for any organization that stores, processes, or transmits cardholder data. It defines 12 core requirements, 4 merchant levels, and 9 self-assessment questionnaire types. The current version is 4.0, fully enforceable as of March 2025.

What PCI DSS is

PCI DSS stands for Payment Card Industry Data Security Standard. It's the security standard every organization that stores, processes, or transmits cardholder data must follow. It's maintained by the PCI Security Standards Council (a body run by Visa, Mastercard, Amex, Discover, and JCB) and enforced by the card brands plus your acquiring bank.

The current version is PCI DSS 4.0 (released March 2022). Some new requirements were "future-dated" — informational from 4.0's release until March 31, 2025, then fully mandatory. As of 2026 you should be operating against 4.0 in full.

Who's regulated: if you accept credit or debit cards in any form, PCI DSS applies. Even if you outsource everything to Stripe Checkout, you're still in scope — just at the lowest tier (SAQ A).

The 12 core requirements

PCI DSS organizes its hundreds of sub-requirements under 12 top-level numbered requirements:

  1. Install and maintain network security controls. Firewalls, segmentation between the cardholder data environment (CDE) and the rest of your network.
  2. Apply secure configurations to all system components. No vendor defaults; documented baseline configs.
  3. Protect stored account data. Encryption at rest, key management, data retention/disposal policies. (Don't store more than you have to.)
  4. Protect cardholder data with strong cryptography during transmission over open public networks. TLS 1.2+, validated cipher suites.
  5. Protect all systems and networks from malicious software. Anti-malware on systems "commonly affected" by malware, plus continuous monitoring on others.
  6. Develop and maintain secure systems and software. Secure SDLC, vulnerability management, code review, patch cadences.
  7. Restrict access to system components and cardholder data by business need-to-know.
  8. Identify users and authenticate access to system components. MFA on all access to the CDE, strong password requirements.
  9. Restrict physical access to cardholder data. Badges, visitor logs, secure media handling.
  10. Log and monitor all access to system components and cardholder data. Daily log review for the CDE.
  11. Test security of systems and networks regularly. Quarterly external ASV scans, annual penetration tests, quarterly internal scans.
  12. Support information security with organizational policies and programs. The "everything else" requirement — written policies, training, incident response, vendor management.

The 4 merchant levels

LevelVisa transactions/yearValidation
Level 16M+ (any channel) — or any merchant the card brand designatesAnnual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), plus quarterly ASV scan
Level 21M – 6MAnnual Self-Assessment Questionnaire (SAQ); some acquirers require ROC
Level 320K – 1M e-commerceAnnual SAQ + quarterly ASV scan
Level 4< 20K e-commerce or < 1M totalAnnual SAQ; ASV scan if e-commerce

Your acquiring bank assigns your level. Each card brand has its own thresholds — Mastercard and Visa differ slightly. The numbers above are Visa's; Mastercard is similar; Amex and Discover have their own programs.

Which SAQ applies to you

For Levels 2-4 (and Level 1 for service providers), you self-assess via a Self-Assessment Questionnaire. There are 9 SAQ types — the right one depends on how you handle card data:

SaaS rule of thumb: if you use Stripe Checkout / Braintree hosted / similar full-redirect, you're SAQ A. If you embed Stripe Elements or any iframe on your own page, you jump to SAQ A-EP. If you ever see raw card data — even briefly — you're SAQ D.

What's new in PCI DSS 4.0

Versus 3.2.1 (the previous version), 4.0 introduces:

PCI DSS vs other frameworks

FrameworkScopeStyleAudit
PCI DSS 4.0Cardholder data onlyPrescriptiveQSA ROC or SAQ
SOC 2Anything you scopePrinciples-basedCPA attestation
ISO 27001Whole ISMSRisk-basedExternal certification body
HIPAAePHI onlyRequired + addressableHHS audit on request

How to get to PCI DSS compliance

  1. Determine your level + SAQ type. Talk to your acquirer. Get this wrong and the rest of the work is misdirected.
  2. Scope your CDE. Map every system, network, and person that touches cardholder data. Aggressively segment what's NOT in scope — that's where most overspend comes from.
  3. Run a gap assessment against the SAQ or full DSS as applicable.
  4. Remediate over a defined timeline. Quarterly ASV scans start now so you have clean reports by audit time.
  5. Submit the SAQ (or get the ROC done) and the Attestation of Compliance (AoC). File annually.

Track PCI DSS in one platform.

Pre-mapped to all 12 requirements, with evidence collection, quarterly scan tracking, and policy templates. 7-day trial, no card.

Start your free trial →