PCI DSS: How your business can stay compliant
The Payment Card Industry Data Security Standard (PCI DSS) is key to protecting cardholder data. Here's everything you need to know.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of global requirements to protect businesses and their customers.
By complying with PCI DSS, businesses ensure sensitive payment information is handled securely — reducing the risk of fraud and data breaches.
We're sharing everything you need to know about PCI DSS, including who it applies to and how Adyen can help you stay compliant.
Hint: Businesses that accept credit or debit card payments, we're looking at you.
What is PCI DSS?
PCI DSS is a set of global security standards created by the Payment Card Industry Security Standards Council (PCI SSC).
It includes 12 technical and operational requirements, primarily to protect cardholder data and sensitive account data, reduce data breaches, and decrease fraud.
While other PCI SSC standards cover specific parts of the payment chain (the PCI PIN and P2PE standards, for example), PCI DSS is the primary standard for any merchant or service provider handling credit and debit card transactions, and the card brands make it mandatory through their agreements with acquirers.
Who is the Payment Card Industry Security Standards Council?
The PCI SSC is a global forum founded in 2006 by the major card brands (Visa, Mastercard, American Express, Discover, and JCB; UnionPay joined later) to develop and maintain the standard. The council publishes PCI DSS; the card brands themselves enforce it through their contracts with acquirers.
Who does PCI DSS apply to?
The PCI DSS requirements apply to:
Companies that process credit or debit card transactions
Companies that collect, store, or transmit cardholder data* or sensitive authentication data**
*Cardholder data is the full primary account number (PAN) on its own, or the PAN together with the cardholder's name, expiration date, or service code.
**Sensitive authentication data (SAD) is the security-related information used to authenticate cardholders and authorise payment card transactions: full track data from the magnetic stripe or chip, the card verification code (CVV2, CVC2, CID), and PINs or PIN blocks. SAD must never be stored after authorisation, even in encrypted form.
This means all entities involved in payment card processing, i.e. merchants, processors, acquirers, issuers, and service providers, must comply with PCI DSS.
PCI DSS compliance levels
Merchant levels are assigned by the card brands based on annual transaction volume, and your acquirer tells you which level you are on. The thresholds below are the commonly cited Visa and Mastercard figures; each brand sets its own (American Express, for example, puts Level 1 at 2.5 million transactions), and a merchant that has suffered an account data compromise can be escalated to Level 1 regardless of volume. Service providers use a separate two-level scheme.
Level 1
Criteria: Merchants processing over 6 million transactions per year
Required validation: Annual on-site assessment by a Qualified Security Assessor (QSA) or a certified Internal Security Assessor (ISA), documented in a Report on Compliance (RoC) with a signed Attestation of Compliance (AoC), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
Level 2
Criteria: Merchants processing 1 to 6 million transactions annually
Required validation: Annual Self-Assessment Questionnaire (SAQ) with a signed AoC, plus quarterly ASV scans where the applicable SAQ requires them
Level 3
Criteria: Merchants processing 20,000 to 1 million e-commerce transactions annually
Required validation: Annual SAQ with a signed AoC, plus quarterly ASV scans where the applicable SAQ requires them
Level 4
Criteria: Merchants processing fewer than 20,000 e-commerce transactions annually, or up to 1 million transactions in total
Required validation: Annual SAQ with a signed AoC and quarterly ASV scans where applicable; the exact validation requirements are set by your acquirer
PCI DSS requirements
Meeting PCI DSS compliance requirements involves adhering to comprehensive security standards designed to protect cardholder data and ensure safe transactions.
Here are the 12 requirements that every organisation must follow, in the wording of PCI DSS v4.0 (v3.2.1, which phrased them in terms of firewalls and antivirus software, was retired on 31 March 2024, and the v4.0 requirements that were future-dated became mandatory on 31 March 2025):
1. Install and maintain network security controls (firewalls and equivalent controls that isolate the cardholder data environment)
2. Apply secure configurations to all system components (no vendor-supplied default passwords or settings)
3. Protect stored account data (never store sensitive authentication data after authorisation; mask the PAN on display and render it unreadable wherever it is stored)
4. Protect cardholder data with strong cryptography during transmission over open, public networks
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components (including multi-factor authentication for all access into the cardholder data environment)
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security with organisational policies and programs
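Requirements 3 and 10 are where development teams most often slip: a PAN or a card verification code ends up in an application log or a debug dump, which drags the whole logging pipeline into scope. The script below is an added example written for this page, not Adyen code or part of the standard: it scans constructed sample log lines for Luhn-valid PANs and for logged sensitive authentication data, applies the first-six/last-four display masking that Requirement 3 permits, and produces a keyed hash (HMAC-SHA256) of the full PAN of the kind v4.0 Requirement 3.5.1.1 expects when a lookup value must be stored. The log lines, the card numbers (the industry's published test PANs), the regular expressions and the HMAC key are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample log lines for this example (not real records). The
# 16- and 15-digit card numbers are the industry's published test PANs; the
# number on the invoice line looks like a PAN but fails the Luhn check.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z INFO  checkout ok order=1001 card=4111111111111111 amount=12.50
2024-05-02T10:15:21Z DEBUG gateway request body={"number":"5555 5555 5555 4444","cvc":"123"}
2024-05-02T10:16:09Z INFO  refund order=1002 card=378282246310005
2024-05-02T10:17:44Z INFO  invoice id=1234567890123456 status=paid
2024-05-02T10:18:00Z INFO  checkout ok order=1003 card=411111******1111
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in
# a longer digit run. Matches are only reported if they pass the Luhn check.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data keys followed by a 3- or 4-digit value.
# SAD must never be stored after authorisation, so any hit is a finding.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\b[\s\"':=]*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit validation, as used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in text, separators removed."""
    pans = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Display masking: keep the first six (BIN) and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash of the full PAN (HMAC-SHA256) for stored lookup values.
    The key must be managed as a cryptographic key, not a config string."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scan_log(log: str) -> list[dict]:
    """Report every line that leaks a PAN or sensitive authentication data."""
    findings = []
    for number, line in enumerate(log.splitlines(), start=1):
        pans = find_pans(line)
        sad = SAD_RE.search(line) is not None
        if pans or sad:
            findings.append({"line": number,
                             "pans": [mask_pan(p) for p in pans],
                             "sad": sad})
    return findings


if __name__ == "__main__":
    # Constructed key for the example only; a real key lives in a KMS or HSM.
    example_key = b"example-hmac-key-do-not-use"
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: PANs {f['pans']} SAD logged: {f['sad']}")
    print("lookup hash:", pan_hash("4111111111111111", example_key)[:16], "...")
```

Run against the sample, the scanner reports lines 1 to 3 (the DEBUG line twice over, for the PAN and the logged CVC) and ignores the invoice number that merely looks like a card number and the already-masked PAN on the last line. The Luhn check is what keeps the false-positive rate workable on real logs; without it every 16-digit order or invoice identifier becomes a finding.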
How can businesses comply with PCI DSS?
In order to comply, businesses have two options:
Take on the full responsibility to assess and comply with the PCI DSS requirements themselves
Work with a payment provider that reduces the PCI DSS scope for them
Scope reduction shows up in which Self-Assessment Questionnaire you qualify for: a card-not-present merchant that outsources all handling of cardholder data to a PCI DSS validated provider can typically use SAQ A, the shortest form, whereas a merchant that touches card data on its own systems falls under SAQ D, which covers all 12 requirements. Responsibility is shared rather than transferred: you still complete the applicable SAQ and AoC every year, keep your own website and integration secure, and confirm that the provider is itself PCI DSS validated.
The benefits of complying with PCI DSS
Complying with PCI DSS isn't just about meeting industry requirements. Here are three additional ways it'll benefit your organisation:
#1: Security
PCI DSS helps businesses protect cardholder data, reduce fraud, and minimise the chance of data breaches.
#2: Cost
Businesses that don't comply may face significant penalties and fees imposed by card brands.
#3: Reputation
PCI DSS is an industry-wide accepted standard which strengthens businesses' reputations and maintains customers' trust. With it, customers can feel confident that the business is responsible — increasing brand loyalty.
Risks of non-compliance
The consequences can be extreme if a business fails to meet the PCI DSS compliance requirements:
The risk of payment data breaches increases
Your reputation can take a hit
Fines levied by the card brands on your acquirer and passed on to you, commonly cited as ranging from $5,000 (USD) to $500,000 (USD) depending on the severity and duration of the violation, on top of the forensic investigation and card reissuance costs that follow a breach; an acquirer can also raise your processing fees or terminate your ability to accept cards
How Adyen can help businesses stay PCI DSS compliant
Adyen simplifies PCI DSS compliance by offering integrations and solutions that minimise your compliance burden while ensuring safe payment processing:
Drop-in/components/plugins: These pre-built integrations capture and encrypt card details in the shopper's browser or app, so the card data is processed on Adyen's servers and your business never stores or handles cardholder information in clear text.
Pay by Link: Send secure payment links via email or messaging platforms, allowing customers to complete transactions in a secure, Adyen-hosted environment — keeping sensitive data off your systems.
Hosted checkout: Adyen’s customisable, secure payment page processes and stores all cardholder data on Adyen’s infrastructure, minimising your PCI DSS obligations.
In-person payments (IPP): Secure, end-to-end encrypted payment terminals ensure that all cardholder data is processed safely by Adyen, reducing your responsibilities for in-store transactions.
Comprehensive documentation and support: Our PCI DSS Compliance Guide outlines key requirements and best practices, keeping you up to date with evolving industry standards.
With these integrations, your business can process payments securely — minus the complexity of handling or storing sensitive cardholder data.