Skip to main content

GLOSSARY · Compliance

Payment Card Industry Data Security Standard PCI DSS

Security framework that any business handling credit card data must comply with. Set by the major card brands; enforced through banks and payment processors via contract, not government regulation.

Detailed definition

PCI DSS is the security framework that applies to any business that accepts, stores, processes, or transmits credit card data. Unlike HIPAA, it’s not a government regulation — it’s a contractual obligation enforced by the card brands (Visa, Mastercard, Amex, Discover, JCB) through your acquiring bank or payment processor. Fail to comply and you can lose the ability to accept cards, plus face fines after a breach.

Merchant levels — your obligations depend on volume

Card brands tier merchants by annual transaction count. The thresholds vary slightly by brand, but Visa’s are illustrative:

LevelAnnual Visa transactionsValidation requirement
16M+Annual on-site audit by a Qualified Security Assessor (QSA)
21M-6MAnnual Self-Assessment Questionnaire (SAQ) + on-site option
320K-1M e-commerceAnnual SAQ
4Under 20K e-commerce or under 1M totalAnnual SAQ

Most SMBs are Level 3 or 4 — they complete a Self-Assessment Questionnaire annually rather than hiring a QSA.

SAQ types — your specific obligations depend on architecture

The SAQ you complete depends on how cardholder data flows through your environment:

  • SAQ A — fully outsourced e-commerce; you redirect to a hosted payment page, never touch card data
  • SAQ A-EP — e-commerce site that controls the page presenting the payment form (even if the form posts directly to a payment processor)
  • SAQ B / B-IP — standalone terminals or imprint-only environments
  • SAQ C-VT — virtual terminal only
  • SAQ C — payment application connected to the internet, no e-commerce
  • SAQ D — anything that doesn’t fit the above; the comprehensive one with 300+ controls

Most small e-commerce sites can structure their payment flow to qualify for SAQ A, which is dramatically simpler than SAQ A-EP or SAQ D. This is by far the most leverage you have — designing the integration so card data never touches your servers at all.

The 12 requirements summarized

PCI DSS organizes into 12 requirements across six control groups:

  1. Build and maintain a secure network — firewall configuration, vendor defaults
  2. Protect cardholder data — storage minimization, encryption in transit
  3. Maintain a vulnerability management program — antivirus, secure development
  4. Implement strong access control — least privilege, unique IDs, physical access
  5. Regularly monitor and test networks — logging, vulnerability scanning, penetration testing
  6. Maintain an information security policy — documented, reviewed annually

For SMB clients, the bulk of the technical work is at the firewall, MFA, EDR, patching, and logging layers — which overlap heavily with HIPAA and SOC 2 work if those also apply.

RELATED TERMS

AUTHORITATIVE SOURCES

External references

Need help applying PCI DSS to your business?

We've done this kind of work across New York. First conversation is free.