What is PCI-DSS (Payment Card Industry Data Security Standard)?
The PCI Security Standards Council's mandatory security standard for any organization that stores, processes, or transmits payment card data. Current version is PCI-DSS v4.0.1 (2024). Compliance levels (1-4) are determined by transaction volume.
Full explanation
PCI-DSS applies to any merchant or service provider that handles cardholder data (CHD). The 12 core requirements cover network security, access control, encryption, monitoring, and incident response. Level 1 merchants (>6M Visa/Mastercard transactions/year) require an annual on-site audit by a Qualified Security Assessor (QSA); Levels 2-4 may use Self-Assessment Questionnaires (SAQs). Penalties for non-compliance range from $5,000 to $100,000/month plus card-brand sanctions. Most modern SaaS products reduce their PCI scope by using Stripe, Adyen, or Braintree, which keep the cardholder data within their own PCI-certified environments.
Example
A startup integrates Stripe Checkout for card processing. Cardholder data never touches the startup's servers — Stripe handles it under their Level 1 PCI compliance. The startup completes SAQ A (the simplest PCI questionnaire, for fully outsourced card handling) and avoids most PCI scope.
FAQ
Do I need PCI compliance if I use Stripe?
Yes, but the scope is dramatically reduced. Using Stripe Checkout (cardholder data goes directly to Stripe, never your servers) puts you in SAQ A — the simplest tier. Storing or relaying card data yourself escalates you back into Level 1 territory.
What's PCI-DSS v4.0?
The major revision published in 2022, replacing v3.2.1. It adds explicit requirements for encryption-in-transit on internal networks, multi-factor authentication on all administrative access, and stronger validation of customized controls. It took effect in March 2024, with key requirements becoming mandatory through 2025.