PCI DSS compliance is mandatory for every business that accepts card payments. It is enforced contractually, through your acquiring bank and the card brands, rather than by statute. This guide explains what the standard is, which merchant level applies to your business, and how to achieve compliance without unnecessary cost or complexity.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements maintained by the PCI Security Standards Council (PCI SSC), which was founded by the major card brands, to protect cardholder data. If your business stores, processes, or transmits cardholder data, or runs systems that could affect the security of that data, PCI DSS applies to you, regardless of size.
PCI DSS Compliance Levels
Your merchant level is assigned by your acquirer based on your annual transaction volume. Each card brand publishes its own level definitions; the Visa definitions below are the ones most commonly quoted, and a merchant that suffers a breach can be moved up to Level 1 regardless of volume:
- Level 1: Over 6 million transactions per year across all channels. Requires an annual on-site assessment producing a Report on Compliance, performed by a Qualified Security Assessor (QSA) or a qualified Internal Security Assessor (ISA), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
- Level 2: 1 million to 6 million transactions per year. Annual Self-Assessment Questionnaire (SAQ) plus quarterly ASV scans.
- Level 3: 20,000 to 1 million e-commerce transactions per year. Annual SAQ plus quarterly ASV scans.
- Level 4: Fewer than 20,000 e-commerce transactions, or up to 1 million transactions per year through other channels. Annual SAQ; validation requirements are set by your acquirer.
The 12 PCI DSS Requirements
PCI DSS is built around 12 core requirements covering network security controls (firewalls), secure configuration, protection of stored and transmitted account data (encryption), malware protection, secure software development, access control and authentication, physical security, logging and monitoring, vulnerability scanning and penetration testing, and security policies. PCI DSS v4.0 has been the only active version since v3.2.1 was retired on 31 March 2024 (v4.0.1, a clarifying revision, followed in June 2024). It introduced the customised approach, which lets an entity meet a requirement's stated objective with controls of its own design, provided the assessor validates them; because that validation needs a QSA or ISA, the customised approach is not available to merchants who self-assess with an SAQ.
Key Compliance Documents
- Attestation of Compliance (AOC) — a signed summary, produced alongside a ROC or SAQ, that you give to your acquirer as evidence of your compliance status
- Report on Compliance (ROC) — the detailed assessment report written by a QSA or ISA for Level 1 merchants and for service providers
- SAQ — self-assessment for merchants below Level 1; which questionnaire you complete (A, A-EP, B, B-IP, C, C-VT, P2PE or D) depends on how you accept payments, and the simpler SAQs are only available once card data has been kept out of your environment
Understanding PCI DSS Scope
Your PCI DSS scope includes every system component in your Cardholder Data Environment (CDE) plus any system that is connected to it or could affect its security, such as authentication servers, log collectors, jump hosts, and, in a contact centre, the agent desktops, telephony and call-recording platforms that carry card numbers. The larger your scope, the more systems must meet all applicable requirements and the more expensive compliance becomes.
How to Reduce PCI Scope
The most effective approach is descoping, that is, removing card data from your environment entirely so that fewer systems fall under the standard:
- DTMF masking removes card data from phone channels: the customer keys the number on their phone keypad, the tones are intercepted and replaced with flat tones before they reach the agent or the call recording, and the captured digits are sent to the payment processor
- Tokenisation replaces card numbers with non-sensitive tokens issued by your payment provider; tokens you store are out of scope as long as the PAN cannot be recovered from them without access to the provider's vault
- Hosted payment pages (a redirect or iframe served by a compliant payment service provider) keep card data off your own web servers and can qualify you for SAQ A, although v4.0 tightened the eligibility criteria around the scripts served from your own page, so check the current SAQ A criteria
- P2PE (point-to-point encryption) encrypts card data inside the card reader so it is never in clear text on your systems; merchants using a PCI-listed P2PE solution can validate with the much shorter SAQ P2PE
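Tokenisation only descopes if the token genuinely cannot be turned back into the card number. As an added example (not Paytia's code or the page's own; the in-memory vault, helper names and the test card number are constructed for illustration), the following Python contrasts a random token with the tempting shortcut of hashing the PAN. The hash looks irreversible, but with the BIN and last four digits visible on a masked receipt, a 16-digit PAN leaves only a million candidates, so the hash is recovered by brute force in well under a second. This is why PCI DSS v4.0 Requirement 3.5.1.1 requires hashes used to protect PANs to be keyed, and why a vault-issued token is the safer descoping tool. In a real deployment the vault sits at the payment provider, not in the merchant's code.

```python
"""Tokenisation vault versus an unkeyed PAN hash.

Constructed example for this guide; not Paytia's code or any payment
provider's API. The vault is an in-memory dict so the script runs
offline. In a real descoping design the vault sits at the payment
provider and the merchant holds only tokens.
"""
import hashlib
import secrets
from typing import Dict, Optional

# Constructed Luhn-valid test number (the well-known Visa test PAN), not a live card.
TEST_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation. Catches keying errors only; it says
    nothing about whether a number belongs to a real account."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_len: int = 6) -> str:
    """Display form allowed by PCI DSS Requirement 3.4.1: at most the BIN
    and the last four digits in clear, everything else replaced."""
    return pan[:bin_len] + "X" * (len(pan) - bin_len - 4) + pan[-4:]


class TokenVault:
    """Maps PANs to random tokens. Only the vault can reverse the mapping."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:       # multi-use token: same PAN, same token
            return self._pan_to_token[pan]
        while True:
            # Random digits with the last four preserved for receipts and support.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # Reject tokens that pass Luhn or collide, so a token can never be
            # mistaken for (or accidentally submitted as) a PAN.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def unkeyed_hash(pan: str) -> str:
    """What 'just hash the card number' produces. Looks irreversible; is not."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(masked_pan: str, digest: str) -> Optional[str]:
    """Brute-force the hidden digits of a masked PAN against an unkeyed hash.
    With BIN and last four known, a 16-digit PAN leaves 10**6 candidates."""
    first_x = masked_pan.index("X")
    hidden = masked_pan.count("X")
    prefix, suffix = masked_pan[:first_x], masked_pan[first_x + hidden:]
    for n in range(10 ** hidden):
        candidate = f"{prefix}{n:0{hidden}d}{suffix}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("masked :", mask_pan(TEST_PAN))
    print("token  :", token, "(passes Luhn:", luhn_ok(token), ")")
    print("vault  :", vault.detokenize(token))
    recovered = recover_pan_from_hash(mask_pan(TEST_PAN), unkeyed_hash(TEST_PAN))
    print("PAN recovered from unkeyed hash + masked display:", recovered)
```

Two design choices in the vault are worth copying from real providers: the token keeps the last four digits so receipts and customer-service lookups still work without the PAN, and it is deliberately generated to fail the Luhn check so that a token leaking into a PAN field is rejected rather than processed.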
The Cost of Non-Compliance
PCI DSS non-compliance can result in fines, commonly cited in the range of $5,000 to $100,000 per month, which the card brands levy on your acquirer and the acquirer passes on to you, along with increased processing fees and ultimately the loss of your ability to accept cards. If a data breach occurs while you are non-compliant, the consequences are significantly worse: forensic investigation costs, card reissuance costs, and liability for fraud losses are added on top.
Phone Payment Compliance
Contact centres face unique PCI challenges: when a customer reads out a card number, the agent hears it, the call recording captures it, and anything the agent types it into is in scope. Pause and resume (stopping the call recording while the card number is read) is an outdated approach, because it depends on the agent triggering it at the right moment and still exposes the number to the agent and their desktop. Modern solutions use DTMF masking to keep card data out of the voice channel entirely. Learn more about Paytia's DTMF suppression.
Getting Started
Start by confirming your merchant level with your acquirer, mapping your CDE and the systems connected to it, and identifying opportunities to descope. For phone payments, contact Paytia to see how DTMF masking can reduce your scope by up to 95%.