What Is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The standard was created in 2004 by the founding payment brands -- Visa, Mastercard, American Express, Discover, and JCB -- and is now managed by the PCI Security Standards Council (PCI SSC).
PCI DSS is not a law enacted by a government. It is an industry standard enforced through contracts between merchants, payment processors, and card brands. However, non-compliance can result in significant financial penalties, and some states have enacted laws that incorporate PCI DSS requirements. The current version is PCI DSS v4.0, which was released in March 2022 with a transition period allowing organizations to implement the new requirements. As of March 31, 2025, PCI DSS v4.0 became the sole active version.
Who Needs to Comply?
PCI DSS applies to any entity that stores, processes, or transmits cardholder data or sensitive authentication data. This includes:
- Merchants of any size who accept card payments (online or in-person)
- Payment processors and payment service providers
- Banks and financial institutions that issue cards or process transactions
- Any third-party service providers who store, process, or transmit cardholder data on behalf of a merchant
Even if you use a third-party payment processor like Stripe, Square, or PayPal to handle payments on your website, you still have PCI DSS obligations. The scope of those obligations depends on how your payment integration works.
Compliance Levels
Merchants are classified into four levels based on their annual transaction volume. The exact thresholds vary by card brand, but Visa's widely used classification is:
- Level 1 -- Over 6 million Visa transactions per year, or any merchant that has experienced a data breach, or any merchant that Visa determines should be Level 1
- Level 2 -- 1 million to 6 million Visa transactions per year
- Level 3 -- 20,000 to 1 million Visa e-commerce transactions per year
- Level 4 -- Fewer than 20,000 Visa e-commerce transactions per year, or up to 1 million total Visa transactions per year
Most small businesses fall into Level 4. Level 4 merchants are typically required to complete an annual Self-Assessment Questionnaire (SAQ) and may need to perform quarterly network vulnerability scans by an Approved Scanning Vendor (ASV), depending on how they process payments.
The 12 PCI DSS Requirements
PCI DSS v4.0 organizes its requirements into six goals with 12 main requirement categories:
Build and Maintain a Secure Network and Systems
- Install and maintain network security controls (such as firewalls)
- Apply secure configurations to all system components
Protect Account Data
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a Vulnerability Management Program
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
Implement Strong Access Control Measures
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
Maintain an Information Security Policy
- Support information security with organizational policies and programs
How Payment Integration Affects Your Scope
The way you integrate payment processing into your website significantly affects your PCI DSS compliance burden:
- Redirect / hosted payment page -- The customer is redirected to the payment processor's website (like PayPal checkout or Stripe Checkout hosted page). Your website never handles card data. This is the simplest approach and has the smallest PCI scope.
- Embedded iframe / JavaScript -- A payment form from the processor is embedded in your page via an iframe or JavaScript SDK (like Stripe Elements). Card data goes directly from the customer's browser to the processor. Your server never sees card data, but the page that hosts the form is still served by you, so a compromise of your website's front-end code could still put card data at risk.
- Direct post / API -- Your website collects card data and sends it directly to the processor's API. This gives you more control over the payment experience but significantly increases your PCI scope because card data passes through your systems.
For most small business websites, using a hosted payment page or an embedded payment form (iframe/JavaScript) is the recommended approach. It minimizes your PCI compliance obligations while still providing a good customer experience.
Consequences of Non-Compliance
While PCI DSS is not a government law, the consequences of non-compliance can be severe:
- Fines from card brands -- Payment card brands can impose fines on acquiring banks, which are typically passed down to merchants. Fines can range from $5,000 to $100,000 per month for non-compliance.
- Increased transaction fees -- Non-compliant merchants may face higher processing fees
- Loss of card processing ability -- In extreme cases, card brands can revoke a merchant's ability to accept card payments
- Liability for breaches -- If a data breach occurs and you are not PCI compliant, you may be liable for the costs of the breach, including card reissuance costs, fraud losses, forensic investigation costs, and notification expenses
- Legal liability -- Several U.S. states have enacted laws that reference PCI DSS, and a data breach involving card data can expose you to lawsuits and regulatory action
Practical Steps for Website Owners
- Use a reputable payment processor -- Choose a PCI-compliant payment processor (Stripe, Square, PayPal, etc.) and use their hosted or embedded payment forms to minimize your PCI scope
- Never store card data on your server -- Let your payment processor handle all card data storage. Do not save card numbers, CVVs, or magnetic stripe data in your database, logs, or email
- Use HTTPS everywhere -- Your entire website should use HTTPS (TLS encryption), not just your payment pages
- Complete your SAQ -- Determine which Self-Assessment Questionnaire applies to your business and complete it annually. Your payment processor or acquiring bank can help you identify the right SAQ.
- Keep software updated -- Keep your website platform, plugins, server operating system, and all software components up to date with security patches
- Use strong passwords and access controls -- Protect all administrative access to your website, hosting, and payment processor accounts with strong, unique passwords and multi-factor authentication where available
- Monitor your website for tampering -- PCI DSS v4.0 includes requirements for detecting unauthorized modifications to payment pages, such as changes to the scripts loaded on those pages that could intercept card data (web skimming, often called Magecart attacks)
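For the tamper-monitoring step, one practical check is to keep an approved inventory of the scripts on the payment page and alert when the live page differs. This added example (not from the original article) builds that inventory with the standard library: external scripts are recorded by URL and inline scripts by the SHA-256 of their body; the two sample pages and their URLs are constructed, and a real monitor would fetch the live page over HTTPS and would additionally hash the content behind each external URL.

```python
import hashlib
from html.parser import HTMLParser

class _ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external ones by URL, inline ones by SHA-256 of body."""
    def __init__(self):
        super().__init__()
        self.entries = set()
        self._inline = None     # buffer while inside an inline <script> body

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.entries.add(("external", src))
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode("utf-8")
            self.entries.add(("inline", hashlib.sha256(body).hexdigest()))
            self._inline = None

def script_inventory(html: str) -> set:
    """Set of (kind, identifier) entries describing all scripts on the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.entries

def check_payment_page(baseline: set, html: str) -> dict:
    """Diff the live page against the approved inventory; any 'added' entry is an alert."""
    current = script_inventory(html)
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}

# Constructed sample pages: the approved checkout page and a copy with an injected script.
APPROVED_PAGE = """<html><body><form id="checkout"></form>
<script src="https://processor.example/sdk.js"></script>
<script>var cfg = {form: "checkout"};</script>
</body></html>"""
TAMPERED_PAGE = APPROVED_PAGE.replace(
    "</body>", "<script src='https://cdn.invalid/track.js'></script></body>")

if __name__ == "__main__":
    baseline = script_inventory(APPROVED_PAGE)   # captured when the page was approved
    print(check_payment_page(baseline, TAMPERED_PAGE))
```

Because inline scripts are keyed by digest, any edit to an approved inline script shows up as one removed and one added entry, which is exactly the change the requirement asks you to notice.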