PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a global set of security standards for organizations that process, store, or transmit credit card information from the major card schemes, intended to keep the cardholder data environment secure.
The 12 requirements:
1. Install and maintain network security controls
2. Apply secure configurations
3. Protect stored account data
4. Protect cardholder data during transmission
5. Protect against malware
6. Develop secure systems and software
7. Restrict access by business need-to-know
8. Identify users and authenticate access
9. Restrict physical access
10. Log and monitor access
11. Test security regularly
12. Maintain security policies
Compliance validation depends on transaction volume:
- Level 1 (6M+ transactions): Annual QSA audit
- Level 2-4: Self-Assessment Questionnaires (SAQ)
Why It Matters
PCI DSS compliance is mandatory for any organization that processes, stores, or transmits credit card data. Non-compliance exposes organizations to fines of $5,000-$100,000 per month from payment brands and potential loss of the ability to process card payments entirely. Even companies using payment processors like Stripe must achieve basic PCI compliance—the scope is reduced but not eliminated.
Related Terms
Encryption at rest protects data stored on disks, databases, or storage systems by converting it to an unreadable format that requires a key to decrypt.
Encryption in transit protects data as it moves between systems, networks, or devices, typically using TLS/SSL protocols to prevent interception.
Access control is a security mechanism that regulates who can view or use resources in a computing environment, ensuring only authorized users can access systems and data.
Frequently Asked Questions
Do I need PCI if I use Stripe?
Using a payment processor reduces your PCI scope but does not eliminate it. You still need to validate basic compliance (usually via SAQ A).
What happens if I'm not PCI compliant?
Fines from payment brands ($5,000-$100,000 per month), increased transaction fees, and potential loss of the ability to process card payments.