
What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements designed to protect cardholder data wherever it is stored, processed, or transmitted. Any organisation that accepts, processes, or handles card payments must comply with PCI DSS.

What PCI DSS Covers

PCI DSS was created by the major card brands -- Visa, Mastercard, American Express, Discover, and JCB -- through the Payment Card Industry Security Standards Council (PCI SSC). First published in 2004, it establishes a baseline of security controls that every organisation handling card data must follow.

The standard applies to all entities involved in payment card processing, including merchants, service providers, banks, and any third party that stores, processes, or transmits cardholder data. It does not matter how large or small the organisation is -- if card data passes through your systems, PCI DSS applies.

The 12 Requirements

PCI DSS is built around 12 core requirements, grouped into six categories:

Build and Maintain a Secure Network

  • Install and maintain network security controls (firewalls, security groups)
  • Do not use vendor-supplied default passwords or security settings

Protect Account Data

  • Protect stored cardholder data using encryption and access controls
  • Encrypt transmission of cardholder data across open or public networks

Maintain a Vulnerability Management Programme

  • Protect systems and networks from malicious software
  • Develop and maintain secure systems and applications

Implement Strong Access Control

  • Restrict access to cardholder data on a business need-to-know basis
  • Identify users and authenticate access to system components
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Log and monitor all access to network resources and cardholder data
  • Test security systems and processes regularly

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel

PCI DSS Versions

The standard is updated periodically to address new threats. PCI DSS v4.0, released in March 2022, introduced significant changes including more flexible approaches to meeting requirements and stronger authentication standards. Organisations had until 31 March 2025 to fully transition to v4.0.

Compliance Levels

Merchants are categorised into four levels based on their annual transaction volume. Level 1 merchants (over six million transactions per year) face the most rigorous assessment requirements, including an annual on-site audit by a Qualified Security Assessor (QSA). Smaller merchants may validate compliance through self-assessment questionnaires (SAQs).

Consequences of Non-Compliance

Failing to comply with PCI DSS can result in significant fines from card brands, increased transaction fees, and in severe cases, loss of the ability to accept card payments. Beyond financial penalties, a data breach resulting from poor security can cause lasting damage to customer trust and brand reputation.

How Paytia Uses This

Paytia is certified to PCI DSS Level 1, the highest level of security certification in the payment card industry. This means Paytia's platform has been independently audited and verified to meet every one of the 12 PCI DSS requirements.

By routing card payment data through Paytia's certified infrastructure, businesses can remove their own contact centres and telephony systems from PCI DSS scope entirely. This approach -- known as descoping -- means organisations do not need to secure every agent workstation, call recording server, or network segment against the full weight of PCI DSS requirements.

For more detail on how Paytia helps businesses meet their compliance obligations, see our PCI DSS compliance page.

Frequently Asked Questions

Who needs to comply with PCI DSS?

Any organisation that stores, processes, or transmits payment card data must comply with PCI DSS. This includes retailers, online shops, call centres, service providers, and any business that accepts card payments -- regardless of size or transaction volume.

What is the difference between PCI DSS Level 1 and other levels?

PCI DSS Level 1 applies to organisations processing over six million card transactions per year, or any service provider handling large volumes of card data. Level 1 requires an annual on-site audit by a Qualified Security Assessor. Lower levels (2 through 4) allow self-assessment questionnaires, which are less rigorous but still mandatory.

What happens if my business is not PCI DSS compliant?

Non-compliance can lead to fines from card brands ranging from thousands to hundreds of thousands of pounds per month. You may also face higher transaction processing fees, and in serious cases, your acquiring bank may revoke your ability to accept card payments altogether.
