PCI DSS
What Is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is the global security standard that defines the mandatory technical and operational controls for any entity that stores, processes, or transmits payment card data. It was created in 2004 by Visa, Mastercard, American Express, Discover, and JCB, and is maintained by the PCI Security Standards Council (PCI SSC).
The current version is PCI DSS v4.0, published in March 2022. New requirements initially marked as best practices became mandatory on March 31, 2025, directly impacting merchants, processors, payment gateways, and service providers across Europe.

How PCI DSS Works
The standard is structured into 6 control objectives that group 12 security requirements:
- Build and maintain secure networks: implement network security controls and apply hardened configurations across all components.
- Protect cardholder data: safeguard stored account data through encryption or tokenization and encrypt transmission over open public networks.
- Vulnerability management: protect systems against malware and develop secure applications.
- Access control: restrict access to data based on business need, authenticate users, and limit physical access.
- Monitoring and testing: log all access to cardholder data and regularly test system security.
- Security policy: support protection efforts with organizational policies and programs.

The level of validation required depends on the merchant’s annual transaction volume. The four compliance levels for merchants are:

| Level | Annual transactions | Required validation |
|---|---|---|
| 1 | More than 6 million | Annual QSA audit + quarterly ASV scan |
| 2 | 1–6 million | Self‑Assessment Questionnaire (SAQ) + ASV scan |
| 3 | 20,000–1 million | SAQ + ASV scan |
| 4 | Fewer than 20,000 | SAQ (recommended) |

Regulatory Impact and Applicable Security Under PCI
PCI DSS does not operate in isolation within the European context. Its requirements complement the PSD2 Directive (Directive (EU) 2015/2366) and its Spanish transposition through the Royal Decree‑Law 19/2018 on payment services, which mandates Strong Customer Authentication (SCA) for electronic transactions.
This means that a merchant in Spain must comply simultaneously with PCI DSS for card data protection and with PSD2/SCA for payer authentication. Both frameworks reinforce each other: PCI DSS protects data at rest and in transit, while SCA ensures that the person initiating the payment is the legitimate cardholder.
For ecommerce merchants, the impact is significant. A non‑compliant PCI DSS environment can lead to fines ranging from €5,000 to €100,000 per month, imposed by card schemes through the acquirer. But the real cost goes beyond penalties: losing the ability to accept card payments completely halts the operation of any online store.
Operational Advantages and Disadvantages of PCI DSS
Advantages:
- Reduces the risk of data breaches and the costs associated with security incidents.
- Builds buyer trust, positively impacting checkout conversion rates.
- Facilitates integration with acquirers and processors that require PCI certification as a contractual condition.
Disadvantages:
- Certification costs for a Level 1 merchant can exceed €50,000 annually, including QSA audits, ASV scans, and technical remediation.
- Requires continuous review: PCI DSS is not a one‑time event but an ongoing process with quarterly and annual validations.
- Scope complexity can generate additional costs if the network is not properly segmented.