What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the major card networks — Visa, Mastercard, American Express, Discover, and JCB — to protect cardholder data. Any business that stores, processes, or transmits credit or debit card information is required to comply.

Non-compliance doesn't just carry a risk of fines — a data breach at a non-compliant merchant can result in card network penalties, loss of the ability to accept card payments, and serious reputational damage.

The Six Core Goals of PCI DSS

  1. Build and maintain a secure network: Use firewalls and avoid vendor-supplied default passwords.
  2. Protect cardholder data: Encrypt stored data and data in transit.
  3. Maintain a vulnerability management program: Use and regularly update antivirus software; develop and maintain secure systems.
  4. Implement strong access control measures: Restrict access to cardholder data on a need-to-know basis.
  5. Regularly monitor and test networks: Track and monitor all access to network resources and cardholder data.
  6. Maintain an information security policy: Create and enforce a formal security policy for all staff.

PCI DSS Compliance Levels

Compliance requirements scale with your transaction volume. There are four merchant levels:

Level   | Annual Transaction Volume                                          | Key Requirements
Level 1 | Over 6 million transactions                                        | Annual on-site audit by a QSA; quarterly network scans
Level 2 | 1–6 million transactions                                           | Annual Self-Assessment Questionnaire (SAQ); quarterly scans
Level 3 | 20,000–1 million eCommerce transactions                            | Annual SAQ; quarterly scans
Level 4 | Fewer than 20,000 eCommerce or up to 1 million other transactions  | Annual SAQ (recommended); quarterly scans (recommended)

Most small businesses fall into Level 4, which has the lightest formal requirements — but compliance is still mandatory, not optional.

Self-Assessment Questionnaires (SAQs)

The SAQ is a self-validation tool for merchants who don't require a full on-site audit. There are multiple SAQ types (A, B, C, D, etc.) depending on how you accept and handle card data. The right SAQ for your business depends on your specific payment environment:

  • SAQ A: For card-not-present merchants who fully outsource payment processing (e.g., using an iframe or redirect). The simplest to complete.
  • SAQ B: For merchants using standalone terminals not connected to other systems.
  • SAQ C: For merchants whose payment application systems are connected to the internet.
  • SAQ D: For all other merchants — the most comprehensive questionnaire.

Practical Steps to Reduce Your PCI Scope

The most effective way to simplify PCI compliance is to reduce how much cardholder data your systems ever touch:

  • Use a hosted payment page or iframe: When the card form is hosted by your payment provider (not your server), cardholder data never touches your infrastructure.
  • Implement tokenization: Replace stored card numbers with tokens that are useless if stolen.
  • Enable 3D Secure: Adds a layer of authentication and shifts fraud liability away from you in many cases.
  • Segment your network: Isolate payment processing systems from the rest of your business network.

Common Compliance Mistakes to Avoid

  • Storing full card numbers or CVV codes after transaction authorization — this is prohibited.
  • Using outdated SSL/TLS versions for data transmission.
  • Sharing admin credentials among multiple staff members.
  • Failing to apply security patches promptly to payment-related systems.
  • Assuming that using a compliant payment provider makes you automatically compliant — it reduces scope, but doesn't eliminate your responsibility.
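The tokenization step above and the first mistake on this list (full card numbers or CVV codes lingering after authorization) are easier to reason about with working code. The following Python script is an added example, not part of the original article: it scans a few constructed log lines for primary account numbers (PANs) using a Luhn check so that order ids and reference numbers are not mistaken for cards, flags CVV fields, and shows what an order record looks like when only a token and a masked PAN are stored. The `TokenVault` class is a stand-in for a payment provider's token service, the log lines and the `tok_` token format are invented for the example, and the card numbers are standard test numbers that belong to no real account.

```python
"""Two PCI-scope checks: a Luhn-validated scan for PANs and CVV fields in
application logs, and a tokenized order record that keeps the full PAN out
of your own storage. Added example; the vault is a stand-in, not a real API."""
import re
import secrets

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# and not glued to surrounding digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security-code fields must never survive in logs or storage after authorization.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

# Constructed sample log lines. The card numbers are standard test numbers:
# they pass the Luhn check but belong to no real account.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO  order=1001 pan=4111111111111111 cvv=123 status=approved",
    "2024-05-01T10:00:02Z INFO  order=1002 token=tok_8f3a status=approved",
    "2024-05-01T10:00:03Z DEBUG order=1003 card=5500 0000 0000 0004 exp=12/27",
    "2024-05-01T10:00:04Z INFO  order=1004 ref=1234567890123 status=declined",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, which separates real PANs from other long digit runs
    such as order ids, timestamps and reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual display form) and
    replace everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list[tuple[str, str]]:
    """Findings for one log line: masked PANs that pass Luhn, plus any CVV field."""
    findings = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("PAN", mask_pan(digits)))
    if CVV_FIELD.search(line):
        findings.append(("CVV", "present"))
    return findings


def scan_log(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan a whole log; returns (1-based line number, kind, detail) per finding."""
    return [(n, kind, detail)
            for n, line in enumerate(lines, 1)
            for kind, detail in scan_line(line)]


class TokenVault:
    """Stand-in for a payment provider's token service. Assumption: in a real
    deployment the PAN-to-token mapping lives at the provider, outside your scope."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(8)  # opaque and unguessable; carries no card digits
        self._pans[token] = pan
        return token


def store_order(vault: TokenVault, order_id: int, pan: str) -> dict:
    """What your own database keeps: a token and a masked PAN, never the full number."""
    return {"order": order_id, "token": vault.tokenize(pan), "pan_masked": mask_pan(pan)}


if __name__ == "__main__":
    for n, kind, detail in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {detail}")
    print(store_order(TokenVault(), 1005, "4111111111111111"))
```

Run against the sample log, the scanner reports lines 1 and 3 (a full PAN and a CVV on line 1, a space-separated PAN on line 3) and stays silent on line 4, whose 13-digit reference number fails the Luhn check. The stored order record never contains the card number, so the same scanner finds nothing in it; that is the practical meaning of "reducing scope" through tokenization. Running a scan like this over logs, database dumps and backups is a routine check before filling in an SAQ.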

Where to Get Help

The PCI Security Standards Council (PCI SSC) publishes all official documentation, SAQ forms, and guidance at pcisecuritystandards.org. Your payment processor or acquiring bank can also point you to the right SAQ type and provide guidance specific to your setup. For Level 1 merchants, a Qualified Security Assessor (QSA) is required for the annual audit.