PCI DSS

Payment Card Industry Data Security Standard

pee-see-eye dee-ess-ess

A security standard for any organization that handles credit card data, requiring specific controls to protect cardholder information.

PCI DSS is the security standard that governs how companies handle payment card data. If your product stores, processes, or transmits cardholder data, or can affect the security of the systems that do, you must comply. The standard is maintained by the PCI Security Standards Council, founded by Visa, Mastercard, American Express, Discover, and JCB.

Compliance involves 12 requirements covering network security, access control, protection of stored and transmitted cardholder data (including encryption), logging and monitoring, vulnerability management, and security policy. The requirements apply regardless of size; what changes with transaction volume is how you validate. Level 1 merchants (over 6 million card transactions per year) need an annual on-site assessment by a Qualified Security Assessor, producing a Report on Compliance. Smaller merchants can self-assess with a Self-Assessment Questionnaire (SAQ) chosen to match how they handle card data.

Most SaaS companies minimize PCI scope by using a payment processor such as Stripe. Stripe handles the card data, so your systems never store, process, or transmit it. This reduces your PCI burden to the shortest self-assessment questionnaire (SAQ A), which applies only when card data capture is fully outsourced to a validated third party. If you store card numbers in your own database, you are taking on significant compliance overhead. Companies pursuing PCI compliance often also need SOC 2 reports and ISO 27001 certification.
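The claim that "your systems never touch card data" is one an assessor will ask you to demonstrate, and the usual way a full PAN leaks back into scope is through debug logging of request bodies. The following is an added example, not code from this page or from Stripe: a small scanner that finds candidate card numbers in log lines, filters them with the Luhn check so that order IDs and timestamps are not flagged, and reports them masked to the first six and last four digits as PCI DSS permits for display. The log lines are constructed for the example and use publicly documented test card numbers; the function names are this example's own.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not part of a longer digit run (so hashes and long IDs are skipped).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); every major card brand's PANs satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit-only strings in `text` that look like PANs and pass Luhn."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Mask to at most first 6 and last 4 digits (the PCI DSS display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(lines) -> list:
    """Return (line_number, masked_pan) for every PAN found; never the full PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample log (assumption: a typical web app access/debug log).
# 4242..., 5555..., 3782... are publicly documented test card numbers.
SAMPLE_LOG = [
    '2024-03-15T10:01:02Z POST /charge token=tok_visa amount=1999',
    '2024-03-15T10:01:03Z DEBUG body={"card":"4242 4242 4242 4242","cvc":"123"}',
    '2024-03-15T10:01:04Z order_id=1234567890123456 status=ok',
    '2024-03-15T10:01:05Z card=378282246310005 exp=12/26',
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}")
```

Line 3 contains a 16-digit order ID that fails the Luhn check and is correctly ignored; lines 2 and 4 are real leaks, and line 2 also logs a CVC, which PCI DSS forbids storing after authorization. Running this over application logs, request captures, and crash dumps before an assessment is cheap and catches the most common way an SAQ A setup silently becomes SAQ D.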

Examples

A startup integrates Stripe for payments.

By using Stripe Elements, the card fields are rendered in an iframe served by Stripe, so card numbers go directly from the user's browser to Stripe's servers and the startup's backend only ever receives a token. Their PCI scope is minimal: SAQ A, the shortest questionnaire. The page that embeds the iframe is still theirs, so they must keep it free of injected scripts; a skimmer on the checkout page can overlay or replace the payment form before the customer ever reaches Stripe's fields.

A company builds its own payment processing.

The engineering team stores credit card numbers in their database. They are now in scope for SAQ D, the most comprehensive self-assessment (or a full QSA assessment if their volume makes them Level 1). They need network segmentation of the cardholder data environment, stored PANs rendered unreadable (strong encryption, truncation, or tokenization) with documented key management, quarterly external vulnerability scans by an Approved Scanning Vendor, annual penetration testing, and they must never store sensitive authentication data such as the CVV after authorization.

An auditor reviews a company's PCI compliance.

The auditor checks that stored cardholder data is rendered unreadable, access to it is restricted and logged, network controls are configured, and employees are trained. They find that one developer has standing, direct access to production payment tables. That violates the need-to-know and least-privilege rules of Requirement 7 and is a finding.

Frequently asked questions

Do I need PCI compliance if I use Stripe?

You still need to be compliant, but your scope is minimal. Using Stripe Elements or Checkout means card data never touches your servers. You complete SAQ A, the shortest self-assessment (roughly two to three dozen yes/no questions, depending on the version), and sign an Attestation of Compliance.

What are the penalties for PCI non-compliance?

The card brands can levy fines, commonly cited as $5,000 to $100,000 per month, which your acquiring bank passes on to you. The acquirer may also raise transaction fees or terminate your merchant account. A breach while non-compliant adds forensic investigation costs, liability for fraud losses, and possible reclassification to a higher validation level.
