In a nutshell
PCI-DSS is a global standard set by the card brands (Visa, Mastercard, Amex, Discover, JCB) for protecting cardholder data, from your website to your storeroom.
The case for action
Why your organisation needs PCI-DSS
The upside
What your organisation gains
Keep your ability to take card payments — and avoid acquirer fines.
Reduce breach cost and fraud exposure on cardholder data.
Lower scope (and effort) by tokenising and outsourcing payments.
Reassure customers their card details are handled responsibly.
Scope
Who it covers — and where
Who it applies to
Any merchant or service provider that stores, processes or transmits cardholder data — even if you outsource payments, parts of the standard still apply.
Where it applies
Global — required by all major card schemes.
Timing
When you need to act
Continuous. PCI-DSS v4.0.1 is the current version (v4.0 was retired on 31 December 2024), and the requirements that were future-dated in v4.0 became mandatory on 31 March 2025.
The path forward
Your roadmap to compliance
A practical journey, not a bureaucratic checklist. Tackle these stages in order and you'll move from "we should look into this" to compliant.
1. Determine your merchant level (1–4) from your annual card transaction volume; your acquirer confirms the level that applies to you.
2. Reduce scope: use a hosted or iframe payment page so card data never touches your servers.
3. Complete the right Self-Assessment Questionnaire (SAQ A, A-EP, D, etc.), or engage a Qualified Security Assessor (QSA) for a Report on Compliance if your level requires one.
4. Run quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) against internet-facing systems.
5. Maintain ongoing logging, patching and access reviews.
6. Submit your Attestation of Compliance (AoC) to your acquirer annually.
Reality check
Common struggles (and how to fix them)
The struggle
Scope creep: call recordings, emails and CRM notes accidentally store the primary account number (PAN), pulling those systems into scope.
The fix
Tokenise card numbers at the point of capture, pause call recording while the customer reads out card details, and scan recordings, mailboxes and CRM fields for stray PANs quarterly; anything found is deleted or masked, never left in place.
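A worked example of the quarterly scan described above, added here and not part of the original guide. It finds candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes) in free text such as a CRM note, keeps only those that pass the Luhn check, and masks them to the last four digits. The CRM note is constructed for the example; the function and variable names are assumptions of this example, not a PCI-DSS term.

```python
import re

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash
# (agents often type card numbers into notes with separators). The lookarounds
# stop a match starting or ending in the middle of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(candidate: str) -> bool:
    """True if a matched candidate is a plausible PAN (length + Luhn)."""
    return 13 <= len(candidate) <= 19 and luhn_valid(candidate)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN in text, with separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = SEPARATORS.sub("", m.group(0))
        if is_pan(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str, keep_last: int = 4) -> str:
    """Mask a PAN so that only the last four digits remain (PCI-DSS Req. 3)."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact(text: str) -> tuple[str, int]:
    """Replace each Luhn-valid PAN in text with its masked form.

    Returns the redacted text and the number of PANs that were masked.
    Luhn-valid numbers that are not card numbers (order IDs, IMEIs) are rare
    but possible, so treat hits as findings for review, not proof of a PAN.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = SEPARATORS.sub("", m.group(0))
        if is_pan(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return PAN_CANDIDATE.sub(_sub, text), count


# Constructed CRM note: a real-looking (test-range) Visa number, a 16-digit
# order number that fails Luhn, and a phone number too short to qualify.
SAMPLE_NOTE = (
    "Customer called re refund. Card 4111 1111 1111 1111 exp 12/27. "
    "Order 1234567890123456. Callback 020 7946 0958."
)

if __name__ == "__main__":
    clean, n = redact(SAMPLE_NOTE)
    print(f"{n} PAN(s) masked:")
    print(clean)
```

Run it over exported call transcripts, mailbox dumps and CRM free-text fields; the order number and phone number in the sample are left untouched, and only the card number is masked.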
Quick answers
Frequently asked questions
Need a head start on PCI-DSS?
Use our ready-to-go tools and templates to skip the blank page.