If your business processes card payments, you’re responsible for keeping that data safe. PCI DSS sets the standards for how payment information should be handled so it isn’t stolen or misused. Following these rules protects your customers, helps you avoid fines, and keeps your business out of the headlines for the wrong reasons.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules designed to keep cardholder data safe during credit card transactions. It’s maintained by the PCI Security Standards Council (PCI SSC), an organisation created by major card networks like Visa, Mastercard, and American Express.
If your business stores, processes, or transmits credit card data, following PCI DSS is part of the deal you make with your acquiring bank. It’s there to help protect your customers, reduce the risk of a data breach, and avoid costly penalties.
For merchants handling large transaction volumes or operating across multiple countries, PCI DSS also provides a consistent framework for managing payment security across different regions and service providers.
PCI compliance levels are defined by the PCI SSC and vary based on your annual transaction volume. Each level determines the scope of your PCI compliance requirements and the validation methods you must use.
Higher PCI levels require more rigorous validation, often including an annual audit by a Qualified Security Assessor (QSA). Lower levels may allow for a Self-Assessment Questionnaire (SAQ).
The foundation of PCI DSS certification rests on 12 core requirements grouped into six control objectives. These requirements are designed to cover the full lifecycle of credit card data within your systems.
| PCI Level | Validation Method |
|---|---|
| Level 1 | Report on Compliance (RoC) by a Qualified Security Assessor, quarterly ASV scans, Attestation of Compliance (AoC) |
| Level 2 | Self-Assessment Questionnaire (SAQ), quarterly ASV scans, AoC |
| Level 3 | SAQ, quarterly ASV scans, AoC |
| Level 4 | SAQ, quarterly ASV scans, AoC |
Your PCI compliance process will differ depending on your level. The Report on Compliance (RoC) is a detailed audit performed by a Qualified Security Assessor. It is only required for the highest-volume merchants at Level 1, where transaction scale and risk demand in-depth, independent verification.
Most other merchants validate through a Self-Assessment Questionnaire (SAQ), a structured checklist to confirm PCI requirements are met. All levels must also complete quarterly Approved Scanning Vendor (ASV) scans to detect vulnerabilities in internet-facing systems. Finally, the Attestation of Compliance (AoC) is a signed declaration that the business has met applicable PCI DSS standards.
For Level 4 merchants, which process the fewest transactions, these requirements are lighter—focused mainly on the SAQ, ASV scans, and AoC—without the need for a formal RoC.
Hosted checkout: Your payment provider hosts the entire checkout form, so card data never touches your systems. This usually qualifies for SAQ A, with minimal PCI requirements.
Embedded payment fields: Payment fields are embedded on your site but processed by the provider. You have more control over the checkout design, but the page still falls partly under PCI scope, requiring SAQ A-EP.
Direct integration: Your systems handle card data before sending it to the processor. This puts you in full PCI scope, requiring SAQ D or, for larger merchants, a Report on Compliance (RoC).
Some businesses reduce PCI scope by encrypting card data in the browser before it ever reaches their servers, or by replacing it with tokens from a PCI-compliant gateway.
Encryption and tokenisation are key security measures that protect cardholder data.
Point-to-point encryption (P2PE), if implemented correctly, offers the highest level of protection for card-present transactions. Service providers that specialise in these technologies can significantly reduce your exposure and streamline your PCI compliance process.
PCI compliance needs to be maintained year-round, not just during audits. Standards evolve. Threats change. Vulnerabilities can appear anytime. Regular vulnerability scans, quarterly ASV scans, penetration testing, and timely security updates are essential to keep up. Staff training also plays a big role—employees should know how to handle payment data securely and spot potential risks.
The right tools can simplify this work. Compliance management platforms help track tasks and audit evidence, while endpoint security, firewalls, and intrusion detection systems protect networks. Tokenisation, encryption, and PCI-certified payment providers can reduce your compliance scope and risk. By building these processes into daily operations, businesses can stay compliant without scrambling at audit time.
Failure to meet PCI DSS requirements can have significant consequences. Being non-compliant also leaves you more vulnerable to fraud and limits your ability to work with trusted service providers.
The gateway you choose determines how much payment data your systems handle and, in turn, your PCI DSS compliance scope. A compliant provider can take on most of the security requirements, lowering your risk of data breaches, fines, and the cost of higher-scope compliance.
When deciding, confirm the provider has current PCI DSS certification and can provide proof. Look for strong built-in security like encryption and tokenisation, plus integration options—such as hosted checkout or secure APIs—that suit your business model and minimise exposure.
Antom offers a fully PCI-certified gateway with tokenisation, encryption, and risk tools as standard. Its flexible integration options help merchants keep compliance scope low while enabling advanced payment capabilities, making it easier to process payments securely and maintain customer trust.