# What Is PCI Compliance?

## Definition
PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements designed to protect cardholder data during and after payment transactions.
## Explained in Detail
PCI compliance means meeting the requirements of the Payment Card Industry Data Security Standard (PCI DSS), a global security standard established by the PCI Security Standards Council (PCI SSC) — an organization founded in 2006 by Visa, Mastercard, American Express, Discover, and JCB. Any business that stores, processes, or transmits credit card data must comply with PCI DSS, regardless of size or transaction volume.
## What Is PCI DSS?
PCI DSS is a set of 12 high-level requirements organized into six categories, each containing detailed sub-requirements. The standard is currently on version 4.0 (released in March 2022, with enforcement beginning in March 2025). The six categories are:
1. **Build and maintain a secure network and systems** — Install and maintain firewalls, change default passwords, and secure all system components.
2. **Protect cardholder data** — Encrypt stored cardholder data and encrypt transmission of cardholder data across open networks.
3. **Maintain a vulnerability management program** — Use and regularly update anti-malware software, develop and maintain secure systems and applications.
4. **Implement strong access control measures** — Restrict access to cardholder data on a need-to-know basis, authenticate access to system components, restrict physical access to cardholder data.
5. **Regularly monitor and test networks** — Track and monitor all access to network resources and cardholder data, regularly test security systems and processes.
6. **Maintain an information security policy** — Maintain a policy that addresses information security for all personnel.
## Compliance Levels
PCI DSS defines four compliance levels for merchants based on annual transaction volume:
- **Level 1**: Over 6 million card transactions per year. Requires an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV).
- **Level 2**: 1-6 million transactions per year. Requires an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans.
- **Level 3**: 20,000-1 million e-commerce transactions per year. Requires an annual SAQ and quarterly ASV scans.
- **Level 4**: Fewer than 20,000 e-commerce transactions or up to 1 million total transactions per year. Requires an annual SAQ and quarterly ASV scans (requirements may vary by acquirer).
## How PSPs Help with PCI Compliance
Modern payment service providers like Stripe, Adyen, and Braintree significantly reduce merchants' PCI compliance burden. By using a PSP's hosted payment page, tokenization, or client-side encryption (like Stripe Elements or Adyen's Drop-in), merchants can avoid handling raw card data entirely. This typically qualifies them for SAQ A — the simplest self-assessment questionnaire — rather than the more demanding SAQ D required for merchants that directly process card data.
When a consumer enters their card details into a PSP's hosted form, the card data goes directly to the PSP's PCI-compliant servers, never touching the merchant's infrastructure. The merchant receives a token representing the card, which can be used for charges but cannot be reverse-engineered to obtain the original card number. This architecture means the merchant's PCI scope is dramatically reduced.
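The hosted-form and token flow described above, as an added example in Python that is not code from this page or from any PSP. The PSP side (`PspVault`) is the only place the full card number exists; the merchant side (`Merchant`) stores the token and the truncated form (first six and last four digits, the display form PCI DSS permits) and nothing else. A scope check then scans everything the merchant stored or logged for Luhn-valid 13 to 19 digit runs, which is the kind of check that shows whether the merchant's systems actually stayed out of scope; a deliberately naive checkout that logs the raw card shows the contrast. The class names, token format, and the card number 4111 1111 1111 1111 (a widely used test number, not a real card) are all constructed for this example.

```python
import re
import secrets
import string
from dataclasses import dataclass, field

# 13-19 digit runs with optional space/dash separators, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates real-looking PANs from other long numbers (order ids etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class PspVault:
    """PSP side (stand-in for the PSP's PCI-compliant servers): the only place the full PAN exists."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # Random, letters-only token: nothing about the PAN can be derived from it,
        # and a log scanner can never mistake it for a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(20))
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Charge against a stored token; the PAN is looked up here and never returned."""
        return token in self._vault and amount_cents > 0


def truncated_pan(pan: str) -> str:
    """First six and last four digits, the display form PCI DSS permits outside the CDE."""
    pan = re.sub(r"[ -]", "", pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Merchant:
    """Merchant side: holds tokens and truncated PANs only."""
    psp: PspVault
    customers: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def save_card(self, customer_id: str, token: str, display: str) -> None:
        self.customers[customer_id] = {"token": token, "display": display}
        self.log.append(f"saved card for {customer_id}: {display}")

    def charge(self, customer_id: str, amount_cents: int) -> bool:
        token = self.customers[customer_id]["token"]
        ok = self.psp.charge(token, amount_cents)
        self.log.append(f"charge {customer_id} {amount_cents} via {token}: {ok}")
        return ok


def hosted_form_checkout(merchant: Merchant, customer_id: str, pan: str) -> str:
    """Hosted-form flow: the card goes straight to the PSP; the merchant only gets a token."""
    token = merchant.psp.tokenize(pan)
    merchant.save_card(customer_id, token, truncated_pan(pan))
    return token


def naive_checkout(merchant: Merchant, customer_id: str, pan: str) -> str:
    """Anti-pattern for contrast: the merchant's own code receives and logs the raw card
    before forwarding it, which puts its systems in PCI scope (the SAQ D situation)."""
    merchant.log.append(f"received card {pan} for {customer_id}")
    token = merchant.psp.tokenize(pan)
    merchant.save_card(customer_id, token, truncated_pan(pan))
    return token


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit numbers found in text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def merchant_scope_check(merchant: Merchant) -> list:
    """Scan everything the merchant stores or logs; an empty list means no full PAN leaked."""
    blob = "\n".join(merchant.log) + "\n" + repr(merchant.customers)
    return find_pans(blob)


if __name__ == "__main__":
    clean = Merchant(PspVault())
    hosted_form_checkout(clean, "cust_1", "4111 1111 1111 1111")  # constructed test card number
    clean.charge("cust_1", 1999)
    print("hosted form, PANs in merchant data:", merchant_scope_check(clean))
    leaky = Merchant(PspVault())
    naive_checkout(leaky, "cust_2", "4111 1111 1111 1111")
    print("naive flow, PANs in merchant data:", merchant_scope_check(leaky))
```

The same `find_pans` scan is worth running for real over application logs, databases and backups when preparing an SAQ: a single raw PAN in a debug log is enough to pull that system into scope, however carefully the checkout form itself was built.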
## Consequences of Non-Compliance
Non-compliance with PCI DSS can result in significant penalties: monthly fines ranging from $5,000 to $100,000 imposed by card networks through the acquiring bank, increased transaction fees, mandatory forensic investigations in the event of a data breach (costing $50,000-$500,000+), liability for fraudulent transactions, potential termination of the ability to accept card payments, and reputational damage. In the event of a data breach, non-compliant merchants may also face regulatory fines under data protection laws (GDPR, CCPA, etc.) and class-action lawsuits from affected cardholders.
## PCI DSS 4.0 Changes
PCI DSS 4.0 introduced several significant changes from version 3.2.1, including a shift toward a "customized approach" that allows organizations to meet security objectives through methods of their choosing (alongside the traditional "defined approach"), enhanced multi-factor authentication requirements, expanded encryption requirements, and new e-commerce security requirements including mandatory use of mechanisms to detect and prevent web-based attacks on payment pages (to combat Magecart-style attacks).
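The payment-page requirement mentioned above corresponds to PCI DSS 4.0 Requirements 6.4.3 (an authorized inventory of the scripts a payment page loads, with their integrity assured) and 11.6.1 (a change- and tamper-detection mechanism for payment page content and headers). As an added example in Python, not code from this page or from any PSP, the check below parses the `<script>` elements of a page, compares each against an authorized inventory keyed by `src`, verifies the SHA-256 of every authorized script body, and reports inline scripts whose hash is not on the allowlist. The page HTML, script bodies, the `fetch_sample` stand-in for an HTTP fetch, and all hostnames are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collects every <script> on the page: its src (if external) and inline body (if any)."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "inline": ""})

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_payment_page(html, authorized_external, authorized_inline, fetch):
    """Compare the scripts on a payment page against the authorized inventory.

    authorized_external: {src: expected SHA-256 hex of the script body}
    authorized_inline:   set of SHA-256 hex digests of permitted inline script bodies
    fetch:               callable src -> bytes, how the checker obtains script bodies
    Returns a list of findings; an empty list means the page matches the inventory.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        if script["src"] is None:
            body = script["inline"].strip()
            if sha256_hex(body.encode()) not in authorized_inline:
                findings.append(f"unauthorized inline script: {body[:40]!r}")
        elif script["src"] not in authorized_external:
            findings.append(f"script not in inventory: {script['src']}")
        elif sha256_hex(fetch(script["src"])) != authorized_external[script["src"]]:
            findings.append(f"integrity mismatch for {script['src']}")
    return findings


# Constructed sample data: the PSP's checkout library, the merchant's own script,
# and the one inline call that mounts the card form.
SAMPLE_SCRIPTS = {
    "https://js.example-psp.test/v3/checkout.js": b"window.PSP = {mount: function (sel) {}};",
    "/static/app.js": b"console.log('checkout ready');",
}
INVENTORY = {src: sha256_hex(body) for src, body in SAMPLE_SCRIPTS.items()}
INLINE_OK = {sha256_hex(b"PSP.mount('#card');")}

CLEAN_PAGE = """<html><body>
<form id="card"></form>
<script src="https://js.example-psp.test/v3/checkout.js"></script>
<script src="/static/app.js"></script>
<script>PSP.mount('#card');</script>
</body></html>"""

# The same page with an extra third-party script and an extra inline block: the
# shape of change that 11.6.1 expects the detection mechanism to alert on.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://cdn.unknown.test/x.js"></script>\n'
    "<script>/* not in inventory */ doSomething();</script>\n</body>",
)


def fetch_sample(src: str) -> bytes:
    """Stand-in for an HTTP fetch, serving the constructed script bodies."""
    return SAMPLE_SCRIPTS[src]


if __name__ == "__main__":
    print("clean:", audit_payment_page(CLEAN_PAGE, INVENTORY, INLINE_OK, fetch_sample))
    print("tampered:", audit_payment_page(TAMPERED_PAGE, INVENTORY, INLINE_OK, fetch_sample))
```

In a deployment the `fetch` callable would retrieve the script exactly as a customer's browser would, and the check would run on a schedule (11.6.1 allows the frequency to be risk-based, with at least weekly as the stated default) and alert on any non-empty findings list; a hash mismatch on a PSP-hosted library is expected whenever the PSP ships a new version, so the inventory needs a documented update process rather than a silent re-baseline.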