What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements designed to protect cardholder data wherever it is stored, processed, or transmitted. Any organisation that accepts, processes, or handles card payments must comply with PCI DSS.
What PCI DSS Covers
PCI DSS is a set of security rules that exist for one reason: to stop criminals stealing card payment data. The standard was created by the five major card brands -- Visa, Mastercard, American Express, Discover, and JCB -- which formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to manage and update the rules.
First published in 2004, PCI DSS establishes a baseline of security controls that every organisation handling card data must follow. It does not matter whether you are a multinational retailer processing millions of transactions or a two-person business taking the occasional phone payment. If card data passes through your systems, PCI DSS applies to you.
The 12 Requirements
PCI DSS is built around 12 core requirements, grouped into six practical categories. Think of them as layers of defence -- each one addresses a different way that card data could be compromised.
Build and Maintain a Secure Network
- Install and maintain network security controls such as firewalls and security groups to keep unauthorised traffic out
- Change all vendor-supplied default passwords and security settings before deploying any system -- attackers try default credentials first
Protect Account Data
- Protect stored cardholder data using encryption and strict access controls so that even if someone gets into your systems, the data is unreadable
- Encrypt cardholder data whenever it travels across open or public networks -- for example, between a call centre and a payment gateway
Maintain a Vulnerability Management Programme
- Use and regularly update anti-virus and anti-malware software across all systems
- Keep applications and systems patched and up to date, because known vulnerabilities are the easiest way in for attackers
Implement Strong Access Control
- Restrict access to cardholder data strictly on a need-to-know basis -- if someone does not need the data to do their job, they should not have access
- Assign unique user IDs so that every action on every system can be traced to a specific person
- Control physical access to servers, offices, and data centres where cardholder data is stored
Regularly Monitor and Test Networks
- Log and monitor all access to network resources and cardholder data -- if something suspicious happens, you need to know about it quickly
- Test security systems and processes regularly through vulnerability scans and penetration testing
Maintain an Information Security Policy
- Document and maintain a security policy that covers all personnel, contractors, and third parties with access to your environment
Why PCI DSS Exists
Before PCI DSS, each card brand had its own separate security programme. Merchants had to juggle different requirements from Visa, Mastercard, and the rest, often duplicating effort and creating gaps. PCI DSS unified these into a single standard that applies universally, making it clearer for businesses to understand what they need to do.
The underlying goal is straightforward: if every organisation that touches card data follows the same minimum security standards, the chances of a data breach drop significantly. And when breaches do happen, the damage is contained because the data is encrypted, access is limited, and there are logs to trace what happened.
PCI DSS Versions
The standard evolves as threats change. PCI DSS v4.0, released in March 2022, brought significant updates including more flexible approaches to meeting requirements, stronger authentication standards, and a greater focus on continuous security rather than point-in-time compliance. Organisations had until 31 March 2025 to fully transition to v4.0.
Compliance Levels
Merchants are grouped into four levels based on their annual transaction volume. Level 1 merchants -- those processing over six million card transactions per year -- face the most rigorous requirements, including an annual on-site audit by a Qualified Security Assessor (QSA). Smaller merchants can validate compliance through self-assessment questionnaires (SAQs), which are less intensive but still mandatory.
Service providers that store, process, or transmit card data on behalf of merchants have their own compliance requirements, typically assessed at Level 1 regardless of volume.
PCI DSS and Telephone Payments
Telephone payments present a unique challenge for PCI DSS compliance. When a customer reads their card number to an agent, or enters it on their phone keypad, that data passes through the voice channel. Call recordings capture it. Agents hear it. Screens may display it. All of these touchpoints bring systems into PCI DSS scope.
This is why technologies like DTMF masking have become essential for businesses that take payments over the phone. By preventing card data from entering the agent environment, these solutions remove entire swathes of infrastructure from the scope of PCI DSS assessment -- a process known as descoping.
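As an added illustration (not Paytia's code and not a description of any particular product), the Python sketch below models the descoping idea: a masking proxy sits between the telephony channel and the agent, accumulates keypad digits itself, and releases the full PAN only to the payment gateway, while the agent screen and call recording receive a masked value. The '*' to clear / '#' to submit key handling and the last-four display are assumptions made for the example.

```python
# Added example: toy DTMF-masking capture flow (hypothetical, not a real product's logic).
from dataclasses import dataclass
from typing import Optional


@dataclass
class CaptureResult:
    agent_view: str               # the only thing the agent desktop / call recording may see
    gateway_pan: Optional[str]    # full PAN, released only towards the payment gateway


def luhn_ok(pan: str) -> bool:
    """Luhn check so mistyped numbers are rejected before anything leaves the proxy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def capture_pan(keypresses: str) -> CaptureResult:
    """Process DTMF key presses made while the call is in secure-capture mode.

    Assumed key conventions: digits are buffered inside the proxy, '*' clears
    the entry and '#' submits it. Raw digits are never forwarded to the agent.
    """
    digits = ""
    for key in keypresses:
        if key.isdigit():
            digits += key
        elif key == "*":
            digits = ""
        elif key == "#":
            break
        else:
            raise ValueError(f"unexpected DTMF key {key!r}")
    else:
        # Caller never pressed '#': nothing is submitted, nothing leaves the proxy.
        return CaptureResult(agent_view="*" * len(digits), gateway_pan=None)

    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        # Agent is told to ask for a retry but still never sees the digits.
        return CaptureResult(agent_view="INVALID - ask caller to retry", gateway_pan=None)

    # Assumption for the example: agent and recording get only the last four digits.
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return CaptureResult(agent_view=masked, gateway_pan=digits)
```

The test number 4111111111111111 used in the checks is a well-known Luhn-valid sample, not a real card.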
Consequences of Non-Compliance
Failing to comply with PCI DSS carries real consequences. Card brands can impose fines ranging from several thousand to hundreds of thousands of pounds per month. Your acquiring bank may increase your transaction processing fees or, in serious cases, terminate your merchant agreement entirely -- meaning you can no longer accept card payments.
Beyond the financial penalties, a data breach caused by poor security can devastate customer trust. Businesses that suffer breaches often see customer churn, negative press coverage, and long-term reputational damage that takes years to recover from. For many organisations, the cost of non-compliance far outweighs the investment required to get compliant in the first place.
Paytia is certified to PCI DSS Level 1, the highest level of security certification in the payment card industry. This means Paytia's platform has been independently audited and verified to meet every one of the 12 PCI DSS requirements.
By routing card payment data through Paytia's certified infrastructure, businesses can remove their own contact centres and telephony systems from PCI DSS scope entirely. This approach -- known as descoping -- means organisations do not need to secure every agent workstation, call recording server, or network segment against the full weight of PCI DSS requirements.
For more detail on how Paytia helps businesses meet their compliance obligations, see our PCI DSS compliance page.
Frequently Asked Questions
Who needs to comply with PCI DSS?
Any organisation that stores, processes, or transmits payment card data must comply with PCI DSS. This includes retailers, online shops, call centres, service providers, and any business that accepts card payments -- regardless of size or transaction volume.
What is the difference between PCI DSS Level 1 and other levels?
PCI DSS Level 1 applies to organisations processing over six million card transactions per year, or any service provider handling large volumes of card data. Level 1 requires an annual on-site audit by a Qualified Security Assessor. Lower levels (2 through 4) allow self-assessment questionnaires, which are less rigorous but still mandatory.
What happens if my business is not PCI DSS compliant?
Non-compliance can lead to fines from card brands ranging from thousands to hundreds of thousands of pounds per month. You may also face higher transaction processing fees, and in serious cases, your acquiring bank may revoke your ability to accept card payments altogether.