What Is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a global security standard created by Visa, Mastercard, American Express, Discover, and JCB. Any business that stores, processes, or transmits credit card data must comply.
There are four merchant compliance levels, assigned by the card brands based on annual transaction volume:
| Level | Annual Transactions | Requirements |
|---|---|---|
| Level 1 | 6M+ | Annual on-site audit + quarterly network scan |
| Level 2 | 1M – 6M | Annual self-assessment questionnaire (SAQ) + quarterly scan |
| Level 3 | 20K – 1M (e-commerce) | Annual SAQ + quarterly scan |
| Level 4 | Under 20K | Annual SAQ (recommended) |
The 12 PCI DSS Requirements
PCI DSS 4.0 (the current version as of 2024) organizes its 12 requirements into six categories:
Build and Maintain a Secure Network
Install firewalls, don't use vendor-supplied default passwords, and segment your cardholder data environment from the rest of your network.
Protect Cardholder Data
Encrypt stored card data and encrypt transmission across open networks. Never store CVV codes, PINs, or full magnetic stripe data after authorization.
Maintain a Vulnerability Management Program
Use updated antivirus software and develop secure applications. Patch known vulnerabilities promptly.
Implement Strong Access Controls
Restrict access to cardholder data on a need-to-know basis. Assign unique IDs to each person with access. Restrict physical access to systems.
Monitor and Test Networks
Track all access to network resources and cardholder data. Regularly test security systems and processes.
Maintain an Information Security Policy
Document and enforce a comprehensive security policy for all personnel.
How Modern Platforms Reduce PCI Scope
Here's the good news: you probably don't need to handle raw card data at all.
Modern payment platforms use tokenization and hosted payment fields to keep card data off your servers entirely. This dramatically reduces your PCI scope:
SAQ A vs SAQ D
By using hosted payment fields (like Stripe Elements or Adyen Drop-in), you qualify for SAQ A — the simplest self-assessment questionnaire with only ~30 requirements. If you handle raw card data yourself, you need SAQ D with 300+ requirements.
With a payment orchestration platform like Tagada, your PCI scope is minimized because:
- Card data is tokenized at the point of entry
- Tokens are stored by the processor, not on your servers
- Your checkout never touches raw card numbers
- You can switch processors without re-collecting card data
Non-Compliance Penalties
The consequences of PCI non-compliance are severe:
- Fines: $5,000 – $100,000 per month from card brands
- Increased transaction fees: processors may raise rates
- Liability: you're liable for fraud losses from a breach
- Account termination: processors can refuse to work with you
- Reputation damage: mandatory breach disclosure requirements
PCI Compliance Checklist for Ecommerce
If you're running an ecommerce business, here's the minimum:
- Use a PCI-compliant payment processor
- Use hosted payment fields or redirects — never collect raw card data
- Enable HTTPS on your entire site
- Keep all software and plugins updated
- Use strong, unique passwords for admin accounts
- Document your security practices
- Complete your annual SAQ