PCI DSS
PCI DSS is the security standard every business handling card data must follow to protect cardholder information from theft.
PCI DSS (Payment Card Industry Data Security Standard) is the set of security requirements that any business storing, processing, or transmitting card data must follow. Created by the major card networks, it exists to protect cardholder information from breaches and fraud. The current version is v4.0.1, whose future-dated requirements became mandatory on March 31, 2025.
What it covers
PCI DSS is organized into control areas, including:
- Protect cardholder data — encrypt card data in storage and in transit, and never store the full card number or CVC in the clear.
- Secure networks — use firewalls, avoid vendor default passwords, and segment systems that touch card data.
- Access control — limit who can reach cardholder data and log every access.
- Ongoing testing — scan for vulnerabilities and monitor systems continuously.
How compliance is validated
Most smaller businesses validate through a Self-Assessment Questionnaire (SAQ). The lightest version, SAQ A, applies when card entry is fully outsourced to a compliant provider — for example, a checkout hosted by your payment gateway. As of the January 2025 SAQ A revision, merchants must also confirm their site isn't exposed to malicious scripts that could skim card data.
Why it matters
The single biggest lever on PCI scope is not handling raw card data yourself. When a processor captures and stores the card through tokenization, and your servers only ever see a token, most of the standard's requirements fall on the provider instead of you. That's why using a hosted checkout or a payment method token dramatically reduces your compliance burden — the sensitive data never lands in your systems in the first place.
Related terms
Updated July 6, 2026