NOC LIVE · 24/7/365 ⬢ MICROSOFT PARTNER · MPN 3318934 📍 NASHVILLE TN · NATIONWIDE SERVICE ⚡ EST. 2003 · 23+ YEARS
Compliance

What is PCI DSS and who needs it?

/ Quick answer

PCI DSS is the Payment Card Industry Data Security Standard. Any business that accepts, processes, stores, or transmits payment card data, and any service provider that does so on a merchant's behalf, must comply. The 12 requirements apply to everyone; what scales with transaction volume is how you validate compliance, from a self-assessment questionnaire (SAQ) at the low end to an annual on-site assessment by a Qualified Security Assessor (QSA) at the high end.

PCI DSS (Payment Card Industry Data Security Standard) is the security standard published by the PCI Security Standards Council and mandated by Visa, Mastercard, American Express, Discover and JCB for any organization that handles cardholder data. The current version is 4.0.1; version 3.2.1 was retired on 31 March 2024, and the requirements that 4.0 had marked as future-dated became mandatory on 31 March 2025. There is no federal law requiring PCI DSS. It is enforced by contract: your merchant agreement with your acquirer or payment processor obliges you to comply and to attest to it every year, and non-compliance can mean card-brand fines passed down by the acquirer, higher processing fees, or losing the ability to accept cards at all.

Who PCI DSS applies to

Anyone who accepts payment cards: restaurants, retailers, e-commerce sites, professional services, healthcare practices, nonprofits accepting donations, and B2B businesses with corporate card programs. A single transaction is enough to bring you into scope. Service providers are in scope too: anyone who stores, processes or transmits cardholder data on a merchant's behalf, or who can affect the security of the merchant's cardholder data environment, such as hosting providers, payment gateways and managed service providers.

Merchant levels (annual transaction volume)

Each card brand defines its own levels; Visa's, which most acquirers use as the reference, are:

  1. Level 1: more than 6 million Visa transactions per year in any channel, or any merchant the brand designates Level 1 (typically after a breach). Annual on-site assessment by a QSA producing a Report on Compliance (ROC), plus quarterly external scans by an Approved Scanning Vendor (ASV).
  2. Level 2: 1 million to 6 million transactions per year. Annual SAQ plus quarterly ASV scans.
  3. Level 3: 20,000 to 1 million e-commerce transactions per year. Annual SAQ plus quarterly ASV scans.
  4. Level 4: fewer than 20,000 e-commerce transactions, or up to 1 million transactions in total. Annual SAQ and quarterly ASV scans as required by your acquirer.

Your acquirer assigns your level and can move you up after a compromise. The level changes the evidence you must produce, not the controls you must have in place.

The 12 PCI DSS requirements

  1. Install and maintain network security controls (firewalls, and segmentation between the cardholder data environment and the rest of the network)
  2. Apply secure configurations to all system components (no vendor-supplied defaults for passwords or security parameters)
  3. Protect stored account data (render stored PANs unreadable; mask PANs on display to at most the BIN and last four digits; never keep sensitive authentication data such as CVV or full track data after authorization)
  4. Protect cardholder data with strong cryptography during transmission over open, public networks (current TLS; SSL and early TLS are prohibited)
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software (patching, secure development, and under 4.0 an inventory and integrity check of scripts on payment pages)
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components (unique IDs; under 4.0 MFA is required for all access into the cardholder data environment, not only administrative access, and for all remote access)
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data (audit logs, daily log review, retention for at least 12 months)
  11. Test security of systems and networks regularly (quarterly internal vulnerability scans and quarterly ASV external scans, penetration testing at least annually and after significant changes)
  12. Support information security with organizational policies and programs (written policy, risk assessment, security awareness training, incident response plan, oversight of third-party service providers)

Scope reduction strategies

The single biggest cost reduction in PCI compliance is shrinking the cardholder data environment (CDE): every system that stores, processes or transmits cardholder data, plus everything connected to it or able to affect its security. Three moves take most of it off your hands:

  1. Card-present: use PCI-listed point-to-point encryption (P2PE) terminals. The PAN is encrypted inside the device and decrypted only at the processor, so your LAN, POS software and Wi-Fi never see cleartext card data.
  2. After the sale: use your processor's tokenization, so refunds, recurring billing and your CRM hold a token that is useless outside that processor rather than a card number.
  3. E-commerce: hand the checkout to a hosted payment page or processor-hosted iframe (Stripe, Square and similar), so card numbers are entered on the processor's domain rather than on your web server.

Done right, an e-commerce merchant that fully outsources card capture can validate with SAQ A, the shortest questionnaire, and a card-present merchant on a validated P2PE solution with SAQ P2PE. Two caveats. First, your own web page still has to be protected: an attacker who can inject a script into the page that loads or redirects to the payment form can skim cards without ever touching the processor, and PCI DSS 4.0 tightened SAQ A eligibility for exactly this reason. Second, scope reduction only holds if nobody keeps card numbers in spreadsheets, ticket systems, call recordings or application logs. A periodic data-discovery sweep of file shares and logs is how you prove the CDE is really as small as you claim.
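As an added illustration (not code from this page or from Maverick), here is a small Python scanner for that last point and for the masking rule in requirement 3: it sweeps text for Luhn-valid card numbers, reports them masked to first six and last four, and can redact them from a log stream before it reaches a SIEM. The regex, the log lines and the function names are this example's own; the card numbers are widely published test numbers, not real accounts.

```python
import re

# Loose candidate pattern: 13 to 19 digits, optionally separated by single
# spaces or dashes, not adjacent to other digits. It is deliberately broad;
# the Luhn check below is what cuts the false positives.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log for this example. The card numbers are widely
# published test numbers, not real accounts; the order number is a
# 16-digit value that is NOT Luhn-valid and must be left alone.
SAMPLE_LOG = (
    "2024-05-01T12:33:10Z checkout ok order=1234567890123456 card=4111111111111111 amt=42.00\n"
    "2024-05-01T12:34:02Z refund card=5555 5555 5555 4444 amt=-9.99\n"
    "2024-05-01T12:35:40Z debug raw=378282246310005 exp=12/27\n"
)


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every major card brand's PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display masking in the classic first-six/last-four form.

    Requirement 3.4.1 limits what may be shown to the BIN and last four
    digits; six is the traditional BIN length and the usual masking rule.
    This is only for display: stored PANs must be truncated, tokenized or
    encrypted, which masking does not achieve.
    """
    if len(digits) < 13:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Scan free text (a log file, a database export, a ticket) for Luhn-valid
    PAN candidates. Findings are returned already masked so the scanner's
    own report does not become a new copy of cardholder data."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append({"offset": m.start(), "length": len(digits), "masked": mask_pan(digits)})
    return findings


def redact_pans(text: str) -> str:
    """Return the text with every Luhn-valid PAN replaced by its masked form,
    suitable as a filter in front of a log shipper or SIEM forwarder.
    Non-Luhn digit runs (order numbers, timestamps) are left untouched."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"offset {hit['offset']:>4}  {hit['length']} digits  {hit['masked']}")
    print(redact_pans(SAMPLE_LOG))
```

A Luhn pass is a filter, not proof: some internal IDs and lottery numbers pass it too, so treat hits as leads for a human to confirm. Conversely, a PAN split across two lines or stored with other separators will be missed, so use this alongside your DLP tooling rather than instead of it, and run it against file shares and ticket exports as well as logs.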

Have a different question?

Talk to a real engineer — free 30-minute consultation, no pressure pitch.

Ask Maverick 615-274-9555