What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is the global information security standard for organisations that store, process or transmit cardholder data, governed by the PCI Security Standards Council (PCI SSC) — established by Visa, Mastercard, American Express, Discover and JCB. The current version is PCI DSS v4.0 (March 2022), with v3.2.1 retired on 31 March 2024 and v4.0 future-dated requirements effective 31 March 2025.
12 high-level requirements
- Build secure networks: firewalls (R1), no vendor defaults (R2).
- Protect cardholder data: encryption at rest (R3), encryption in transit (R4).
- Vulnerability management: antivirus (R5), secure development (R6).
- Access control: need-to-know (R7), unique IDs (R8), physical access (R9).
- Monitoring: log all access (R10), regular testing (R11).
- Information security policy: documented programme (R12).
Compliance levels
- Level 1: >6M transactions/year — Report on Compliance (ROC) by QSA.
- Levels 2-4: tiered Self-Assessment Questionnaire (SAQ).
- Quarterly ASV scans for all internet-facing systems.
v4.0 key changes
- Customised Approach: alternative to defined controls, requires targeted risk analysis.
- Phishing-resistant MFA: mandatory for all access to the cardholder data environment.
- Targeted Risk Analyses: documented basis for frequency-based requirements.
- Increased third-party scrutiny for service providers and shared infrastructure.
Who must comply, and how it sits next to data protection
PCI DSS is the security standard that any business storing, processing or transmitting payment-card data must meet. It is not a law but a contractual requirement imposed by the card networks, and non-compliance can mean fines, higher processing fees, or loss of the ability to take card payments. Obligations scale with transaction volume across defined merchant levels, ranging from a self-assessment questionnaire to a full on-site audit. The smartest architectural move for most startups is to reduce scope — using a compliant payment processor and tokenisation so raw card data never touches their own systems. PCI DSS sits alongside, not instead of, data-protection law: the KVKK and GDPR still apply to the personal data around a payment, so the two compliance tracks must be handled together.
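The scope-reduction pattern described above, as an added Python example that is not part of the original article: a hypothetical TokenVault stands in for the payment processor's tokenisation service, the merchant-side checkout keeps only the returned token and a masked value for display, and a Luhn-based scanner checks the merchant's own log lines (constructed here, using the standard 4111... test card number, not a real card) for any raw PAN that slipped into scope. The names TokenVault, merchant_checkout, find_pans and scan_for_leaks are this example's own, and the masking keeps only the last four digits, which stays within what the standard permits for display.

```python
from __future__ import annotations
import re
import secrets

# Constructed sample data: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display, keeping only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical stand-in for the payment processor's token vault.

    The PAN goes straight to the vault; the merchant receives a random token
    and a masked value, so raw card data never enters the merchant's systems."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenise(self, pan: str) -> dict[str, str]:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(12)   # random, not derived from the PAN
        self._store[token] = pan
        return {"token": token, "masked": mask_pan(pan)}

    def detokenise(self, token: str) -> str:
        """Only the processor (inside its own PCI scope) can map a token back."""
        return self._store[token]


def merchant_checkout(vault: TokenVault, pan: str, amount: str) -> dict[str, str]:
    """What the merchant stores for an order: token and masked PAN, never the PAN."""
    card = vault.tokenise(pan)
    record = {"token": card["token"], "masked": card["masked"], "amount": amount}
    assert pan not in record.values()           # guard: PAN must not be persisted
    return record


# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return every digit run in the text that looks like a PAN and passes Luhn.

    Used to verify the scope claim: logs, dumps and tickets inside the merchant's
    environment should contain no raw PAN at all."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed merchant log lines: line 2 shows a PAN leaking via a debug statement,
# line 1 holds a 16-digit order id that is not a card number (fails Luhn).
MERCHANT_LOGS = [
    "2024-05-01T10:00:00Z order=1234567890123456 token=tok_3f9a masked=************1111 amount=49.90",
    "2024-05-01T10:00:02Z DEBUG card=4111 1111 1111 1111 cvv=***",
    "2024-05-01T10:00:03Z phone=+90 555 123 4567 ref=ORD-2024-000123",
]


def scan_for_leaks(lines: list[str]) -> list[tuple[int, str]]:
    """Report (line number, masked PAN) for every leaked PAN; never echo the PAN itself."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    vault = TokenVault()
    print(merchant_checkout(vault, SAMPLE_PAN, "49.90"))
    print(scan_for_leaks(MERCHANT_LOGS))
```

The scanner is the check a practitioner runs before claiming reduced scope: any hit means cardholder data is present and the affected system (and its logs, backups and monitoring feeds) is back in PCI DSS scope. Reporting only the masked value keeps the finding itself from becoming another copy of the PAN.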