PCI DSS

PCI DSS sets the baseline security requirements for every merchant, PSP, gateway, and processor that touches cardholder data. For most merchants, the practical goal of PCI compliance is less about the specific technical controls and more about minimizing scope — limiting the systems and processes that are subject to the standard.

PCI DSS Compliance Levels

Compliance requirements scale with transaction volume:

• Level 1: Merchants processing over 6 million Visa or Mastercard transactions annually. Requires annual on-site assessment by a Qualified Security Assessor (QSA) plus quarterly network scans. Cost: $15,000–$100,000+/year.
• Level 2: 1–6 million transactions/year. Annual Self-Assessment Questionnaire (SAQ) plus quarterly scans.
• Level 3: 20,000–1 million e-commerce transactions/year. SAQ plus quarterly scans.
• Level 4: Under 20,000 e-commerce or up to 1 million total transactions/year. SAQ recommended.

The 12 PCI DSS Requirements

PCI DSS v4.0 (current) organizes requirements around six goals:

1. Install and maintain network security controls
2. Apply secure configurations to all system components
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open networks
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security with organizational policies and programs

Scope Reduction Strategies

For most merchants, the highest-value PCI DSS work is scope reduction — limiting which systems are subject to the standard. Key approaches:

• Tokenization: Replace stored PANs with tokens, eliminating the need to secure card storage environments.
• Hosted payment pages: Use PSP-hosted checkout forms so card data never touches merchant servers.
• iFrame integration: Embed PSP checkout iFrames that handle card entry, keeping cardholder data out of merchant systems.
• Point-to-Point Encryption (P2PE): For in-person payments, certified P2PE solutions significantly reduce POS system scope.

PCI DSS and SAQ Types

Different integration models map to different SAQ (Self-Assessment Questionnaire) types, each with different control requirements. SAQ A (the simplest, for merchants using hosted payment pages) requires far fewer controls than SAQ D (for merchants who store, process, or transmit cardholder data directly). Choosing an integration architecture that qualifies for SAQ A is a significant compliance cost reduction.