If your business processes card payments, you’re responsible for keeping that data safe. PCI DSS sets the standards for how payment information should be handled so it isn’t stolen or misused. Following these rules protects your customers, helps you avoid fines, and keeps your business out of the headlines for the wrong reasons.
What does PCI DSS mean?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules designed to keep cardholder data safe during credit card transactions. It’s maintained by the PCI Security Standards Council (PCI SSC), an organisation created by major card networks like Visa, Mastercard, and American Express.
If your business stores, processes, or transmits credit card data, following PCI DSS is part of the deal you make with your acquiring bank. It’s there to help protect your customers, reduce the risk of a data breach, and avoid costly penalties.
For merchants handling large transaction volumes or operating across multiple countries, PCI DSS also provides a consistent framework for managing payment security across different regions and service providers.
PCI compliance levels
PCI compliance levels are defined by the PCI SSC and vary based on your annual transaction volume. Each level determines the scope of your PCI compliance requirements and the validation methods you must use.
- Level 1: Over 6 million card transactions annually
- Level 2: Between 1 and 6 million transactions
- Level 3: Between 20,000 and 1 million e-commerce transactions
- Level 4: Fewer than 20,000 e-commerce or up to 1 million other transactions
Higher PCI levels require more rigorous validation, often including an annual audit by a Qualified Security Assessor (QSA). Lower levels may allow for a Self-Assessment Questionnaire (SAQ).
12 PCI compliance requirements
The foundation of PCI DSS certification rests on 12 core requirements grouped into six control objectives:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programmes
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
These requirements are designed to cover the full lifecycle of credit card data within your systems.
Validation methods
PCI Level | Validation Method
Level 1 | Report on Compliance (RoC) by a Qualified Security Assessor, quarterly ASV scans, Attestation of Compliance (AoC)
Level 2 | Self-Assessment Questionnaire (SAQ), quarterly ASV scans, AoC
Level 3 | Self-Assessment Questionnaire (SAQ), quarterly ASV scans, AoC
Level 4 | Self-Assessment Questionnaire (SAQ), quarterly ASV scans, AoC
Your PCI compliance process will differ depending on your level. The Report on Compliance (RoC) is a detailed audit performed by a Qualified Security Assessor. It is only required for the highest-volume merchants at Level 1, where transaction scale and risk demand in-depth, independent verification.
Most other merchants validate through a Self-Assessment Questionnaire (SAQ), a structured checklist to confirm PCI requirements are met. All levels must also complete quarterly Approved Scanning Vendor (ASV) scans to detect vulnerabilities in internet-facing systems. Finally, the Attestation of Compliance (AoC) is a signed declaration that the business has met applicable PCI DSS standards.
For Level 4 merchants, which process the fewest transactions, these requirements are lighter—focused mainly on the SAQ, ASV scans, and AoC—without the need for a formal RoC.
Integration types and how they affect PCI DSS scope
Hosted payment pages
Your payment provider hosts the entire checkout form, so card data never touches your systems. This usually qualifies for SAQ A, with minimal PCI requirements.
iFrame or embedded fields (SAQ A-EP)
Payment fields are embedded on your site but processed by the provider. You have more control over the checkout design, but the page still falls partly under PCI scope—requiring SAQ A-EP.
Direct post / API integration
Your systems handle card data before sending it to the processor. This puts you in full PCI scope, requiring SAQ D or, for larger merchants, a Report on Compliance (RoC).
Client-side encryption or tokenisation
Some businesses reduce PCI scope by encrypting card data in the browser before it ever reaches their servers, or by replacing it with tokens from a PCI-compliant gateway.
How encryption and tokenisation help
Encryption and tokenisation are key security measures that protect cardholder data.
- Encryption secures card data in transit, ensuring that intercepted information is unreadable.
- Tokenisation replaces credit card data with a non-sensitive equivalent, which cannot be reversed without a secure key.
Point-to-point encryption (P2PE), if implemented correctly, offers the highest level of protection for card-present transactions. Service providers that specialise in these technologies can significantly reduce your exposure and streamline your PCI compliance process.
Maintaining compliance
PCI compliance needs to be maintained year-round, not just during audits. Standards evolve. Threats change. Vulnerabilities can appear anytime. Regular vulnerability scans, quarterly ASV scans, penetration testing, and timely security updates are essential to keep up. Staff training also plays a big role—employees should know how to handle payment data securely and spot potential risks.
The right tools can simplify this work. Compliance management platforms help track tasks and audit evidence, while endpoint security, firewalls, and intrusion detection systems protect networks. Tokenisation, encryption, and PCI-certified payment providers can reduce your compliance scope and risk. By building these processes into daily operations, businesses can stay compliant without scrambling at audit time.
What happens if you’re not compliant?
Failure to meet PCI DSS requirements can have significant consequences:
- Fines: Issued by card schemes via your acquirer
- Data breach costs: Investigation, remediation, customer notifications, and legal fees
- Reputation loss: Customers lose trust when cardholder data is compromised
- Higher fees or termination: Your acquirer may increase rates or terminate your agreement
Being non-compliant also leaves you more vulnerable to fraud and limits your ability to work with trusted service providers.
Choosing a PCI-compliant payment gateway
The gateway you choose determines how much payment data your systems handle and, in turn, your PCI DSS compliance scope. A compliant provider can take on most of the security requirements, lowering your risk of data breaches, fines, and the cost of higher-scope compliance.
When deciding, confirm the provider has current PCI DSS certification and can provide proof. Look for strong built-in security like encryption and tokenisation, plus integration options—such as hosted checkout or secure APIs—that suit your business model and minimise exposure.
Antom offers a fully PCI-certified gateway with tokenisation, encryption, and risk tools as standard. Its flexible integration options help merchants keep compliance scope low while enabling advanced payment capabilities, making it easier to process payments securely and maintain customer trust.