The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard for any organization that stores, processes, or transmits payment card data. It is maintained by the PCI Security Standards Council (PCI SSC), an organization founded in 2006 by the major card brands — American Express, Discover, JCB International, Mastercard, and Visa.

PCI DSS is not a law. It is a contractual requirement: the card brands and acquiring banks oblige merchants and service providers to comply through their payment agreements. The current version is v4.0.1, published in June 2024 as a limited revision to v4.0 (which itself was published in March 2022). The most demanding new v4.x requirements, prescribed as best practice during a transition period, became mandatory on 31 March 2025.

What is PCI DSS, and is it a law?

PCI DSS is a baseline of technical and operational requirements designed to protect account data. It applies to all entities involved in payment card processing.

It is not government legislation. Compliance is enforced contractually by the payment card brands and acquiring banks through their agreements with merchants and service providers. Failure to comply can lead to fines, higher transaction fees, or loss of the ability to accept card payments — penalties imposed by the card brands and banks, not courts.

The standard is published and maintained by the PCI Security Standards Council (PCI SSC), an independent body founded in 2006 by American Express, Discover, JCB, Mastercard, and Visa. The PCI SSC writes the standard; the individual card brands set and enforce compliance programs.

What are the 12 requirements and 6 goals?

PCI DSS organizes its controls into 6 goals containing 12 core requirements:

Build and maintain a secure network and systems

  1. Install and maintain network security controls.
  2. Apply secure configurations to all system components.

Protect account data 3. Protect stored account data. 4. Protect cardholder data with strong cryptography during transmission over open, public networks.

Maintain a vulnerability management program 5. Protect all systems and networks from malicious software. 6. Develop and maintain secure systems and software.

Implement strong access control measures 7. Restrict access to system components and cardholder data by business need to know. 8. Identify users and authenticate access to system components. 9. Restrict physical access to cardholder data.

Regularly monitor and test networks 10. Log and monitor all access to system components and cardholder data. 11. Test security of systems and networks regularly.

Maintain an information security policy 12. Support information security with organizational policies and programs.

Who does PCI DSS apply to?

PCI DSS applies to any organization that stores, processes, or transmits cardholder data, and to entities that could affect the security of that data — regardless of size or transaction volume.

This includes:

  • Merchants — businesses that accept payment cards.
  • Service providers — companies that handle cardholder data on behalf of others (e.g., payment gateways, processors, hosting providers).

"Cardholder data" includes the primary account number (PAN), and where stored alongside the PAN, the cardholder name, expiration date, and service code. "Sensitive authentication data" (e.g., full track data, card verification codes, PINs) is subject to stricter rules and generally must not be stored after authorization.

What are the four merchant levels?

Merchants are classified into four levels based on their annual card transaction volume. These levels — and the specific thresholds and validation rules — are defined and enforced by the individual card brands (such as Visa and Mastercard), not by the PCI SSC. Thresholds can vary slightly by brand, but the common framework is:

  • Level 1 — the largest merchants (commonly over 6 million transactions per year for a card brand, or any merchant that has suffered a breach). Typically requires an annual on-site assessment.
  • Level 2 — roughly 1 to 6 million transactions per year.
  • Level 3 — roughly 20,000 to 1 million e-commerce transactions per year.
  • Level 4 — the smallest merchants (commonly fewer than 20,000 e-commerce transactions, or up to 1 million total transactions per year).

The level determines how an organization must validate compliance. Always confirm exact thresholds with your acquiring bank or the relevant card brand.

What is the difference between an SAQ and a ROC?

How an organization validates and reports its compliance depends on its level and the card brands' rules.

  • Self-Assessment Questionnaire (SAQ) — a self-validation tool that eligible merchants and service providers use to assess and report their own compliance. There are multiple SAQ types matched to how the entity handles card data (e.g., e-commerce vs. card-present). SAQs are typically used by smaller merchants.

  • Report on Compliance (ROC) — a detailed, formal report documenting the results of a full PCI DSS assessment, typically conducted by a Qualified Security Assessor. A ROC is generally required for the largest merchants (commonly Level 1).

Both paths conclude with an Attestation of Compliance (AOC) — a signed statement attesting to the results of the SAQ or ROC.

What are QSAs and ASVs?

The PCI SSC qualifies independent organizations and individuals to perform assessment and scanning activities.

  • Qualified Security Assessor (QSA) — a company (and its qualified employees) certified by the PCI SSC to perform on-site PCI DSS assessments and produce a Report on Compliance.

  • Approved Scanning Vendor (ASV) — an organization approved by the PCI SSC to perform external vulnerability scans of internet-facing systems. Where applicable, entities are generally required to pass quarterly ASV scans.

There is also the Internal Security Assessor (ISA) program, which qualifies an organization's own staff to support internal PCI DSS efforts.

What changed from v3.2.1 to v4.0/v4.0.1?

PCI DSS v4.0 was published in March 2022, the first major revision since v3.0. It introduced expanded requirements (such as broader multi-factor authentication, enhanced controls for payment pages, and a "customized approach" to meeting control objectives) and a new "targeted risk analysis" concept for setting certain control frequencies.

  • v3.2.1 was retired on 31 March 2024, after which v4.x became the only active version.
  • v4.0.1 was published in June 2024 as a limited revision — it made formatting corrections and clarifications but added or removed no requirements. v4.0 was retired on 31 December 2024, leaving v4.0.1 as the sole supported version.
  • A set of new requirements were initially future-dated (treated as best practice during a transition period) and became mandatory on 31 March 2025.

Always work from the official documents on the PCI SSC Document Library for exact requirement text and dates.

Frequently asked questions

Is PCI DSS a legal requirement?

No. PCI DSS is an industry standard enforced contractually by the payment card brands and acquiring banks, not a government law. However, non-compliance can result in fines, higher fees, or loss of the ability to process card payments.

Which version of PCI DSS is current?

PCI DSS v4.0.1, published in June 2024, is the current and only supported version. It is a limited revision of v4.0 and adds or removes no requirements. Earlier versions v3.2.1 and v4.0 have been retired.

What happened on 31 March 2025?

A set of new v4.x requirements that had been future-dated (treated as best practice during a transition period) became mandatory on 31 March 2025 and must now be assessed in a PCI DSS assessment.

How many requirements does PCI DSS have?

PCI DSS is built around 12 core requirements, grouped into 6 control goals — from securing networks and protecting stored data to access control, monitoring, and maintaining a security policy.

Who has to comply with PCI DSS?

Any organization that stores, processes, or transmits cardholder data — including merchants and service providers — regardless of size, as well as entities that could affect the security of that data.

What is the difference between a QSA and an ASV?

A Qualified Security Assessor (QSA) is certified by the PCI SSC to perform on-site PCI DSS assessments and produce a Report on Compliance. An Approved Scanning Vendor (ASV) is approved to perform external vulnerability scans of internet-facing systems.

Official sources