GLOSSARY · Compliance
Payment Card Industry Data Security Standard PCI DSS
Security framework that any business handling credit card data must comply with. Set by the major card brands; enforced through banks and payment processors via contract, not government regulation.
Detailed definition
PCI DSS is the security framework that applies to any business that accepts, stores, processes, or transmits credit card data. Unlike HIPAA, it’s not a government regulation — it’s a contractual obligation enforced by the card brands (Visa, Mastercard, Amex, Discover, JCB) through your acquiring bank or payment processor. Fail to comply and you can lose the ability to accept cards, plus face fines after a breach.
Merchant levels — your obligations depend on volume
Card brands tier merchants by annual transaction count. The thresholds vary slightly by brand, but Visa’s are illustrative:
| Level | Annual Visa transactions | Validation requirement |
|---|---|---|
| 1 | 6M+ | Annual on-site audit by a Qualified Security Assessor (QSA) |
| 2 | 1M-6M | Annual Self-Assessment Questionnaire (SAQ) + on-site option |
| 3 | 20K-1M e-commerce | Annual SAQ |
| 4 | Under 20K e-commerce or under 1M total | Annual SAQ |
Most SMBs are Level 3 or 4 — they complete a Self-Assessment Questionnaire annually rather than hiring a QSA.
SAQ types — your specific obligations depend on architecture
The SAQ you complete depends on how cardholder data flows through your environment:
- SAQ A — fully outsourced e-commerce; you redirect to a hosted payment page, never touch card data
- SAQ A-EP — e-commerce site that controls the page presenting the payment form (even if the form posts directly to a payment processor)
- SAQ B / B-IP — standalone terminals or imprint-only environments
- SAQ C-VT — virtual terminal only
- SAQ C — payment application connected to the internet, no e-commerce
- SAQ D — anything that doesn’t fit the above; the comprehensive one with 300+ controls
Most small e-commerce sites can structure their payment flow to qualify for SAQ A, which is dramatically simpler than SAQ A-EP or SAQ D. This is by far the most leverage you have — designing the integration so card data never touches your servers at all.
The 12 requirements summarized
PCI DSS organizes into 12 requirements across six control groups:
- Build and maintain a secure network — firewall configuration, vendor defaults
- Protect cardholder data — storage minimization, encryption in transit
- Maintain a vulnerability management program — antivirus, secure development
- Implement strong access control — least privilege, unique IDs, physical access
- Regularly monitor and test networks — logging, vulnerability scanning, penetration testing
- Maintain an information security policy — documented, reviewed annually
For SMB clients, the bulk of the technical work is at the firewall, MFA, EDR, patching, and logging layers — which overlap heavily with HIPAA and SOC 2 work if those also apply.
HOW WE HELP
Related Bytes Unlimited services
Need help applying PCI DSS to your business?
We've done this kind of work across New York. First conversation is free.