What Is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through the PCI Security Standards Council (PCI SSC). It defines how organizations must protect cardholder data (CHD) and sensitive authentication data (SAD).
PCI-DSS is not itself a law. It is a contractual requirement embedded in your merchant agreement with your acquiring bank, which is in turn bound by the card brands' rules. Violating it does not lead to government prosecution; it leads to fines passed down by your acquirer, higher transaction fees, a mandatory forensic investigation (PFI) after a breach, and, in the worst case, loss of the ability to accept card payments.
The current version is PCI DSS v4.0.1, a limited revision published in June 2024 that clarifies v4.0 without adding or removing requirements. v4.0 replaced v3.2.1 on March 31, 2024 and introduced 64 new requirements: 13 applied immediately, and the remaining 51 were future-dated and became mandatory on March 31, 2025.
Who Must Comply with PCI-DSS?
PCI-DSS applies to every organization that stores, processes, or transmits cardholder data — regardless of size, industry, or transaction volume. Two categories:
Merchants
- ✓ Retail stores accepting card payments
- ✓ E-commerce websites
- ✓ Restaurants and food service
- ✓ Healthcare providers billing by card
- ✓ Hotels and hospitality
- ✓ Any business accepting Visa/MC/Amex
Service Providers
- ✓ Payment processors
- ✓ Managed service providers (MSPs)
- ✓ Hosting companies
- ✓ SaaS platforms handling card data
- ✓ Third-party billing services
- ✓ Tokenization providers
PCI-DSS Merchant Levels
Visa and Mastercard each define four merchant levels based on annual transaction volume. Your level determines how you validate compliance: whether you can self-assess with a Self-Assessment Questionnaire (SAQ) or must undergo an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC).
| Level | Transaction Volume (Annual) | Validation Required | Assessment Type |
|---|---|---|---|
| Level 1 | Over 6 million transactions (any channel) | Annual ROC + Attestation of Compliance (AOC) + quarterly external scan by an Approved Scanning Vendor (ASV) | On-site assessment by a QSA (or an Internal Security Assessor, where the brand permits) |
| Level 2 | 1–6 million transactions | Annual SAQ + AOC + quarterly ASV scan | Self-assessment; Mastercard requires the SAQ to be completed by an ISA or QSA |
| Level 3 | 20,000–1 million e-commerce transactions | Annual SAQ + AOC + quarterly ASV scan | Self-assessment (SAQ) |
| Level 4 | Under 20,000 e-commerce transactions, or under 1 million total transactions (any channel) | Annual SAQ + quarterly ASV scan (as required by your acquirer) | Self-assessment (SAQ) |
Note: Visa and Mastercard definitions differ slightly, and your acquirer makes the final level assignment. After a breach, a merchant can be reclassified as Level 1 regardless of transaction volume.
The 12 PCI-DSS Requirements
PCI DSS 4.0 is organized into 6 goals and 12 principal requirements, each broken down into numbered sub-requirements. Every in-scope organization must satisfy all 12; your SAQ type only determines how many of the sub-requirements you are asked to validate.
| Goal | Requirement |
|---|---|
| Build and maintain a secure network and systems | 1. Install and maintain network security controls |
| | 2. Apply secure configurations to all system components |
| Protect account data | 3. Protect stored account data |
| | 4. Protect cardholder data with strong cryptography during transmission over open, public networks |
| Maintain a vulnerability management program | 5. Protect all systems and networks from malicious software |
| | 6. Develop and maintain secure systems and software |
| Implement strong access control measures | 7. Restrict access to system components and cardholder data by business need to know |
| | 8. Identify users and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Log and monitor all access to system components and cardholder data |
| | 11. Test security of systems and networks regularly |
| Maintain an information security policy | 12. Support information security with organizational policies and programs |
SAQ Types: Which One Applies to You?
The Self-Assessment Questionnaire (SAQ) you complete depends entirely on how your business accepts card payments. Choosing the wrong SAQ understates your compliance requirements.
SAQ A: Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third parties, with no electronic storage, processing, or transmission of cardholder data on their own systems or premises. ~22 requirements.
SAQ A-EP: E-commerce merchants that outsource payment processing to a PCI DSS validated third party but whose website affects the security of the payment transaction, for example because it serves the page that loads the payment form or redirects the customer to it, so a compromise of the site could alter what the customer's browser receives. ~191 requirements.
SAQ B: Merchants using only imprint machines or standalone dial-out terminals that are not connected to any other system, with no electronic storage of cardholder data. ~41 requirements.
SAQ B-IP: Merchants using only standalone PTS-approved point-of-interaction devices with an IP connection to the payment processor, with no electronic storage of cardholder data. ~83 requirements.
SAQ C: Merchants with payment application systems (for example a POS application) connected to the internet, but not accepting card data through a web browser, with no electronic storage of cardholder data. ~160 requirements.
SAQ C-VT: Merchants that key card data manually into a web-based virtual terminal through a standard browser on a dedicated device, on a network segment isolated from other business systems, with no electronic storage of cardholder data. ~131 requirements.
SAQ D: All other merchants not fitting another SAQ type, including e-commerce merchants that process or store cardholder data on their own systems. ~329 requirements.
PCI-DSS Compliance Checklist
Use this checklist to assess your current posture. Each item represents a common gap found in assessments.
PCI-DSS Penalties and Fines
PCI-DSS fines aren't levied by a government agency — they flow through the payment chain: card brands → acquiring banks → merchants. Your bank passes the fines to you.
| Scenario | Penalty Range |
|---|---|
| Non-compliance fine (monthly) | $5,000–$100,000/month |
| Post-breach fine per compromised card | $50–$90 per card record |
| Mandatory forensic investigation (PFI) | $50,000–$200,000+ |
| Card reissuance costs | Up to $25 per affected card |
| Increased transaction fees (post-breach) | 0.5%–1% per transaction, indefinitely |
| Loss of card acceptance privileges | Possible — permanent for repeat violators |
Real-World Breach Costs
- Target (2013): ~40M cards compromised. Total cost: $252 million in settlements, fines, and remediation.
- Heartland Payment Systems (2008): ~130M cards compromised. Total cost: $140 million.
- TJX Companies (2006): ~45M cards. Total cost: $256 million.
Ponemon (2025) puts the non-compliance multiplier for PCI at 3.8×: on average, an organization that was out of compliance at the time of a breach spent 3.8× more on that breach than an organization that was compliant.
PCI DSS 4.0: Key Changes
PCI DSS 4.x became the only active version when v3.2.1 retired on March 31, 2024; v4.0 itself retired on December 31, 2024 in favour of the v4.0.1 revision. The future-dated requirements became mandatory on March 31, 2025. These are the most significant changes:
Expanded MFA Requirements
Under Req 8.4.2, multi-factor authentication is required for all non-console access into the CDE, not only for administrative access and for remote access from outside the network as under v3.2.1. Any admin, support, or maintenance login to a CDE system needs MFA, even from the internal network. Req 8.5.1 adds conditions on the MFA system itself: at least two different factor types, resistance to replay, success of all factors before access is granted, and no bypass for any user, including administrators, except as a documented and time-limited exception.
E-Commerce / Skimming Protection (Req 6.4.3, 11.6.1)
Two new requirements target Magecart-style attacks. Req 6.4.3 requires that every script loaded and executed in the consumer's browser on a payment page be authorized, have its integrity assured, and appear in an inventory with a written justification for its presence. Req 11.6.1 requires a change- and tamper-detection mechanism that alerts on unauthorized modification (additions, deletions, and changes) to the HTTP headers and the contents of payment pages as received by the consumer browser, evaluated at least once every seven days or at a frequency set by targeted risk analysis. Both were future-dated and became mandatory on March 31, 2025. They directly address the surge in client-side supply-chain card skimming.
Customized Approach
Organizations may now meet a requirement through a "customized approach": implementing a control of their own design and demonstrating that it meets the requirement's stated Customized Approach Objective. Each such control needs a targeted risk analysis and a controls matrix, and the assessor must design and perform tests to validate it, so the flexibility comes with significant documentation and QSA effort. It is available only to entities assessed by ROC; merchants validating with an SAQ cannot use it.
Targeted Risk Analysis
For a handful of requirements whose frequency v4.0 leaves open (for example, how often to review logs for lower-risk system components or to inspect POI devices), an organization may set its own frequency through a targeted risk analysis performed per Req 12.3.1, instead of using a default interval. The analysis must be documented, justify the chosen frequency, and be reviewed at least once every 12 months.
Password Requirements Updated
Under Req 8.3.6 the minimum password length rises from 7 to 12 characters (8 where a system cannot support 12), mandatory since March 31, 2025. Rotation is relaxed in line with NIST SP 800-63: where a password is the only authentication factor, Req 8.3.9 still allows changing it at least every 90 days, but an organization may instead leave passwords unchanged if it dynamically analyzes each account's security posture in real time to decide whether to grant access.
How to Become PCI-DSS Compliant: Step-by-Step
Define Your Scope — Identify the CDE
Map every system that stores, processes, or transmits cardholder data, plus every system connected to those systems or able to affect their security (jump hosts, directory servers, monitoring, shared databases); these are in scope too. Then shrink the scope: segment the CDE from the rest of the network so connected systems drop out, and tokenize PANs so that systems holding only tokens hold no cardholder data. A smaller scope means fewer systems that must meet the requirements.
Determine Your Merchant Level and SAQ Type
Based on your annual transaction volume and how you accept payments, determine whether you're Level 1–4 and which SAQ type applies. Check with your acquiring bank — they set the requirements for your specific account.
Conduct a Gap Assessment
Compare your current security controls against the applicable PCI DSS requirements. Document every gap. This becomes your remediation roadmap. Use ComplianceStack's PCI Compliance Pulse for an instant gap summary.
Remediate Gaps
Address gaps systematically — starting with the highest-risk items. Common quick wins: change default passwords, enable MFA on admin accounts, implement patch management, segment the CDE from other networks, enable logging.
Complete Validation
Level 1 merchants: schedule the annual QSA (or ISA) assessment and produce a Report on Compliance (ROC) and an Attestation of Compliance (AOC). All others: complete the applicable SAQ and sign its AOC. At every level: quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and quarterly internal vulnerability scans where your SAQ includes Req 11.3.1, with rescans until you have passing results.
Maintain Compliance Year-Round
PCI compliance is not a one-time event. Maintain quarterly scans, annual assessments, ongoing monitoring, and security awareness training. Any significant system change (new payment terminal, network change) may re-open compliance scope.