
PCI DSS: The Complete Guide to Payment Card Data Security

PCI DSS compliance applies to any business that touches payment cards — taking payments, processing them, or storing card data. It’s the global security standard that keeps cardholder data safe, and falling short can mean fines, higher transaction fees, or losing the ability to accept cards at all. This guide explains what PCI DSS compliance involves end to end: what the standard is, who must comply, the twelve requirements, how you validate, and how to get compliant.

PCI DSS compliance toolkit with policy templates
An editable PCI DSS compliance toolkit covering all 12 requirements.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for any organization that stores, processes, or transmits cardholder data. It’s maintained by the PCI Security Standards Council, founded by the major card brands — Visa, Mastercard, American Express, Discover, and JCB.

It’s contractual, not legal

An important nuance: PCI DSS isn’t a government law. It’s a contractual requirement imposed by the card brands and your acquiring bank. But don’t let that fool you — non-compliance can mean fines, higher fees, or losing the ability to accept cards, and a breach can be devastating.

Who must comply?

Any merchant or service provider that handles cardholder data — from a small online store to a global payment processor. How you validate compliance scales with your size and transaction volume, which determine your compliance level — see our guide to PCI DSS compliance levels.

The 12 requirements

PCI DSS is organized into 12 core requirements, grouped under six goals — from building secure networks to maintaining an information security policy. We walk through all twelve in our breakdown of the 12 requirements.

Skip the blank page.

The PCI DSS Toolkit gives you the policies and procedures the standard requires — information security policy, access control, encryption, incident response, and more — as fully editable, auditor-written files mapped to PCI DSS v4.0.

Explore the PCI DSS Toolkit →

How you validate PCI DSS compliance

Depending on your level, you validate compliance through a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA), usually alongside network scans. We explain the process in how to become PCI DSS compliant.

PCI DSS v4.0

The standard moved to version 4.0 (with a v4.0.1 update), introducing more flexibility and a range of new requirements. If you’re working from older guidance, read our guide to what changed in v4.0.

The documentation you’ll need

PCI DSS requires specific policies and procedures as evidence. See the full list in the documentation checklist.

What happens if you’re not PCI DSS compliant

Falling short of PCI DSS compliance carries real consequences. Acquiring banks and card brands can levy monthly non-compliance fees, raise your transaction rates, or — in serious cases — withdraw your ability to accept cards altogether. If a breach exposes cardholder data, fines can run from thousands to millions of dollars, and you may also be liable for forensic investigation, card reissuance, and customer notification costs. Beyond the financial hit, a publicised payment breach erodes the customer trust that is hardest to rebuild. Treating PCI DSS compliance as ongoing risk management, rather than a one-off box-tick, is what protects both your revenue and your reputation. The official standard that governs these obligations is published by the PCI Security Standards Council.

How to get started

Begin by understanding your scope — wherever cardholder data flows — then implement the required controls and document the policies behind them. Starting from a complete, mapped policy set makes validation far faster.

