Understanding PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all organizations that accept, process, store, or transmit credit card information maintain a secure environment. It was created by the PCI Security Standards Council (PCI SSC), founded by Visa, MasterCard, American Express, Discover, and JCB.
The current version is PCI DSS v4.0, released in 2022 with full enforcement from March 2025.
PCI DSS applies to any organization that stores, processes, or transmits cardholder data, including:
- E-commerce businesses accepting online payments
- Retail stores with point-of-sale systems
- Payment processors and gateways
- Financial institutions issuing cards
- SaaS companies handling subscription payments
- Any service provider handling card data
Compliance Levels
PCI DSS has four compliance levels based on annual transaction volume:
- Level 1: 6+ million transactions/year — requires annual on-site assessment by QSA
- Level 2: 1-6 million transactions/year — annual SAQ and quarterly network scans
- Level 3: 20,000-1 million e-commerce transactions/year — annual SAQ and quarterly scans
- Level 4: Under 20,000 e-commerce or up to 1 million other transactions — annual SAQ