What is PCI DSS Compliance?
Card data doesn’t protect itself. Behind the scenes, there’s a set of security standards specifically designed to keep it out of the wrong hands - the Payment Card Industry Data Security Standard, or PCI DSS - and if your business accepts, stores, or transmits cardholder data in any form, it applies to you.
PCI DSS was developed by five of the world’s largest payment card networks - Visa, Mastercard, American Express, Discover and JCB - through a governing body called the Payment Card Industry Security Standards Council (PCI SSC). The goal was simple: set up a common framework that businesses everywhere could follow to cut back on the danger of card data breaches and fraud.
This guide breaks down what PCI DSS actually is, who it applies to, what compliance looks like in practice, and what’s legitimately at stake if a business falls short. Whether you’re encountering this standard for the first time or trying to get a clearer picture of your obligations, here’s what you need to know.
The Core Purpose Behind PCI DSS
PCI DSS - the Payment Card Industry Data Security Standard - is a set of security standards built to protect cardholder data at every stage it moves through a business. That means when data is stored, when it’s being processed, and when it’s sent from one place to another. The goal is simple: to make it harder for that data to fall into the wrong hands.
Cardholder data includes the cardholder’s name, the card expiration date, and the service code printed on the card. The standard also covers sensitive authentication data such as the full magnetic stripe contents and the CVV security code. That combination of details is what criminals need to commit fraud or to sell stolen card data in bulk.
Cardholder data is a steady target because it has immediate value to bad actors and can be used or resold quickly after a breach.

PCI DSS was created in 2004 by the card businesses - Visa, Mastercard, American Express, Discover, and JCB - working together through the PCI Security Standards Council. Before that, each card brand had its own separate security programme. A unified standard made more sense and gave businesses one steady framework to work toward instead of a few competing ones.
The urgency behind this framework becomes clearer when you look at what happens without it. Data breaches in the payments space are not rare events. One study found that most businesses hit by a card data breach were not compliant with PCI DSS at the time of the attack. That is no coincidence: gaps in compliance tend to be exactly the gaps that attackers exploit.
It’s worth being honest about what PCI DSS is and isn’t. It is not a government law, and failing to meet it won’t land anyone in court on its own. It is a contractual requirement set by the card networks, enforced through the agreements businesses sign with their payment processors and acquiring banks. The consequences of non-compliance are fines, higher transaction fees, and in some cases the loss of the ability to accept card payments at all, but the mechanism is commercial rather than legal.
That distinction matters as we look at who actually needs to comply.
Which Businesses PCI DSS Actually Applies To
If your business accepts, processes, or stores card payment data in any form, PCI DSS applies to you. That covers retail stores, e-commerce sites, subscription services, hospitality businesses, and anyone else that takes card payments. There is no industry exemption and no minimum revenue threshold to cross before the rules kick in.
The way compliance works in practice can depend on your merchant level. PCI DSS uses a tiered system based on how many card transactions your business processes each year, and the level you fall into determines what you have to show for compliance.
| Merchant Level | Annual Visa Transactions | Compliance Validation |
|---|---|---|
| Level 1 | Over 6 million | Annual on-site audit by QSA |
| Level 2 | 1 million - 6 million | Annual SAQ + ASV scan |
| Level 3 | 20,000 - 1 million (e-commerce) | Annual SAQ + ASV scan |
| Level 4 | Under 20,000 (e-commerce) or up to 1 million (other) | SAQ recommended |
Level 1 merchants face the most intensive scrutiny, with a full on-site audit carried out by a Qualified Security Assessor each year. Levels 2 and 3 use a Self-Assessment Questionnaire combined with an Approved Scanning Vendor scan. Level 4 is the most common tier for small businesses, and the compliance steps are lighter. But the obligations don’t disappear.

That last point is worth dwelling on. A lot of small business owners believe that low transaction volumes mean they can skip compliance altogether. Level 4 merchants are still expected to meet PCI DSS standards. The validation process is less demanding, not absent.
It is also worth knowing that card networks like Visa and Mastercard each publish their own merchant level definitions, which can vary slightly from each other. Your acquiring bank is usually the one to tell you which level applies to your business, so it’s a good idea to check with them directly instead of self-assigning a level based on a rough estimate.
Service providers that manage card data on behalf of merchants work under a separate but related framework, with their own compliance tiers.
What the PCI DSS Requirements Actually Cover
PCI DSS is built around 12 core requirements, grouped into six control goals. Together they cover everything from how you build your network to how you train your staff, and go well past having a firewall in place.
The six control goals follow a logical progression. You start with building and maintaining a secure network, then move on to protecting cardholder data itself. From there, the focus shifts to vulnerability management, strong access controls, regular monitoring and testing, and finally maintaining an information security policy.
Each of the areas carries technical and organisational weight. Access control requirements go into detail about who can see what, and under what conditions.
The latest version is PCI DSS v4.0.1, which became active in December 2024 and replaced v4.0. The total number of requirements grew from 370 to over 500 in this version. That is a real increase, and it reflects how much more demanding the card data environment has become.
Version 4.0 introduced 64 new requirements. Of those, 51 became mandatory on March 31, 2025. Many of these address areas like multi-factor authentication, e-commerce security, and targeted risk analysis - things that were either loosely defined or not addressed at all in earlier versions.

It is worth understanding what “scope” means here. Any system, person, or process that touches cardholder data falls within the compliance boundary. That can include cloud environments, third-party vendors, and internal tools that connect to payment systems.
Scope creep is a concern for businesses. The more systems you connect to your payment environment, the more you pull into the compliance boundary. That is why segmentation - keeping payment systems separate from the rest of your network - is the primary tool for managing this.
The 12 requirements are not a box-ticking exercise, and each one maps to a real-world threat. The documentation and testing behind them can be substantial. Smaller businesses using self-assessment questionnaires still have to work through the relevant controls carefully.
The full standard runs to hundreds of pages, and the supporting guidance documents add considerably more detail on top of that.
The Real Cost of Failing to Meet PCI DSS Standards
Non-compliance isn’t just a paperwork problem. The card brands can fine acquiring banks between $5,000 and $10,000 per month for merchants who fall short of PCI DSS standards, and those banks usually pass the cost straight down to the merchant.
But the fines are arguably the least of your worries. If a breach happens while you’re non-compliant, the liability picture changes drastically. Your bank and card businesses can hold you responsible for the cost of fraudulent transactions, card replacement programs, and forensic investigations. Those costs can run into the hundreds of thousands of dollars for even a mid-sized business.
There’s also the question of your ability to take card payments at all. In serious cases, acquiring banks can terminate a merchant’s ability to process cards entirely. For most businesses, that’s not a recoverable situation.
Reputational damage follows a breach closely. Customers who hear that their card data was exposed are reluctant to come back, and news of a data incident spreads fast regardless of how small the business is. Increased transaction fees are another common consequence, as banks adjust their risk pricing for merchants they now see as a liability.
Full compliance is also less common than you’d expect. Verizon’s research found that only 27.9% of organisations were compliant with PCI DSS in 2019. More recent data from 2023 shows wide variation in how well businesses meet certain requirements, with some controls seeing much stronger adoption than others.

That inconsistency matters because partial compliance doesn’t protect you the way full compliance does. A business can tick most of the boxes and still have a gap that exposes cardholder data. The card businesses and your bank don’t grade on a curve when something goes wrong.
The financial hit from a breach also tends to arrive in waves. First come the immediate investigation and remediation costs. Then come the fines and possible litigation. Then you’re left rebuilding trust with customers and renegotiating terms with your payment processor from a weaker position.
None of this is theoretical. Businesses of all sizes have experienced this exact sequence of events, and the pattern is steady enough that treating PCI DSS as optional is a genuine financial gamble.
Staying Compliant Is a Moving Target - Here’s How to Keep Up
The numbers make the urgency clear. Verizon’s 2023 data found that only 47.6% of organizations were compliant with Requirement 11 - which covers security testing and vulnerability scanning - at the time of their interim assessments. That is not a minor gap. Falling short in areas like this is where breaches happen and where the consequences follow: fines, lost payment processing rights, and damaged customer trust.

A helpful next step is to audit where you actually stand right now. Know your merchant level, which Self-Assessment Questionnaire (SAQ) applies to your environment, and look at which requirements your latest setup doesn’t yet meet. If your environment is complex or you’re not sure how to interpret v4.0.1’s requirements, a Qualified Security Assessor (QSA) can help you find gaps before an assessor - or an attacker - does.
FAQs
What is PCI DSS and who created it?
PCI DSS is a set of security standards designed to protect cardholder data. It was created in 2004 by Visa, Mastercard, American Express, Discover, and JCB through the Payment Card Industry Security Standards Council.
Does PCI DSS apply to small businesses?
Yes. Any business that accepts, processes, or stores card payment data must comply with PCI DSS, regardless of size or revenue. Small businesses typically fall under Level 4, which has lighter validation requirements but still carries full compliance obligations.
What are the consequences of PCI DSS non-compliance?
Non-compliance can result in monthly fines between $5,000 and $10,000, increased transaction fees, breach-related liability costs, and potential loss of card processing rights. Reputational damage and customer loss following a breach can also be severe.
What does PCI DSS v4.0.1 change?
PCI DSS v4.0.1, active since December 2024, expanded requirements from 370 to over 500. It introduced stricter rules around multi-factor authentication, e-commerce security, and targeted risk analysis, with 51 new requirements becoming mandatory in March 2025.
How can a business maintain ongoing PCI DSS compliance?
Businesses should identify their merchant level, determine the correct Self-Assessment Questionnaire, and regularly audit their environment against current requirements. For complex setups, a Qualified Security Assessor can identify compliance gaps before they become vulnerabilities.