// Glossary · compliance

PCI DSS

Also: Payment Card Industry Data Security Standard · PCI compliance

Payment Card Industry Data Security Standard. Required for any business storing, processing, or transmitting card data. Twelve main requirements across six control areas.

PCI DSS is the security standard governing how businesses handle payment card data, maintained by the Payment Card Industry Security Standards Council on behalf of Visa, Mastercard, American Express, Discover, and JCB. Any business that stores, processes, or transmits cardholder data is required to comply, regardless of size or transaction volume; the obligation is contractual, enforced by the card brands through the merchant's acquiring bank rather than by statute. The standard covers 12 main requirements grouped under 6 control objectives: build and maintain a secure network and systems, protect account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. The depth of validation required (a self-assessment questionnaire versus an assessor-led Report on Compliance) scales with merchant level, which each card brand sets by annual transaction volume.

For most funded SaaS and e-commerce businesses, PCI compliance is achieved by outsourcing card handling to a PCI DSS validated payment processor (Stripe, Adyen, Braintree) and never touching card data directly. This reduces the compliance scope dramatically. A business using Stripe Checkout, where the customer is redirected to the processor or the card fields live in a processor-hosted iframe and the card data never hits its own servers, can self-attest to the short SAQ A questionnaire annually instead of going through a full PCI assessment. The caveat a practitioner should check: if your own page's JavaScript touches the card fields (a direct-post or custom-form integration rather than a redirect or hosted iframe), you fall into the longer SAQ A-EP instead, because your web page is back in scope. The cost difference between the SAQ A path and a full assessment is roughly 50,000 dollars per year in audit fees, plus the operational overhead of running a PCI-scoped environment. The decision to outsource card handling is usually the highest-leverage compliance decision a fintech or e-commerce founder makes.
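The scope argument above rests on card data never reaching your own servers, and an assessor will ask how you know that rather than take it on faith. A common check is to scan access logs, support notes and request bodies for anything that looks like a primary account number (PAN) and to redact any hit before it is stored. The following Python is an added illustration of that check, not code from this page, from Stripe or from any assessor. The log lines are constructed for the example, the card numbers are published industry test numbers rather than real accounts, and the IIN prefix ranges are the commonly cited ones for the five brands named above; treat them as an assumption to verify against current brand documentation before relying on them.

```python
"""Scope check: find and mask PANs in free text (logs, tickets, request bodies).

Added example. Assumes the commonly cited IIN ranges for Visa, Mastercard,
American Express, Discover and JCB; real deployments should confirm these
against current card-brand documentation.
"""
import re
from dataclasses import dataclass

# A candidate PAN is a run of 13 to 19 digits, optionally separated by single
# spaces or dashes, that is not part of a longer digit string.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check applied to every brand's PANs; rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Map a digit string to a brand by IIN range and length, or None if no range fits."""
    n = len(digits)
    p2, p3, p4 = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return "mastercard"
    if p2 in (34, 37) and n == 15:
        return "amex"
    if (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649) and 16 <= n <= 19:
        return "discover"
    if 3528 <= p4 <= 3589 and 16 <= n <= 19:
        return "jcb"
    return None


def mask(digits: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    brand: str
    masked: str


def _pan_in(match: "re.Match[str]"):
    digits = re.sub(r"[ -]", "", match.group())
    if luhn_ok(digits):
        brand = brand_of(digits)
        if brand is not None:
            return digits, brand
    return None


def scan(lines):
    """Return one Finding per Luhn-valid, brand-matching PAN found in the lines."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in CANDIDATE_RE.finditer(line):
            hit = _pan_in(m)
            if hit:
                digits, brand = hit
                findings.append(Finding(no, brand, mask(digits)))
    return findings


def redact(line: str) -> str:
    """Replace every PAN in a line with its masked form; leaves other numbers alone."""
    def repl(m):
        hit = _pan_in(m)
        return mask(hit[0]) if hit else m.group()
    return CANDIDATE_RE.sub(repl, line)


# Constructed sample log lines. Line 1 is what a hosted-checkout integration
# should look like: only a processor session token reaches your server.
# Lines 2 and 3 are the kind of leak that puts a system back in scope.
SAMPLE_LOG = [
    "POST /checkout/complete session=cs_test_a1B2c3 amount=4900 currency=usd",
    "POST /pay card=4242424242424242 exp=12/29 cvc=***",
    "support note: customer read card 3782 822463 10005 over the phone",
    "order_id=4242424242424241 status=paid",      # 16 digits but fails Luhn
    "GET /invoice/1234567890123 ok",              # 13 digits, no brand range
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} {f.masked}")
    print(redact(SAMPLE_LOG[1]))
```

Run over the constructed lines, the scan flags only the two real leaks (line 2 as Visa, line 3 as American Express) and ignores the order id and invoice number, which is the point of combining the Luhn check with brand ranges: a bare 16-digit regex would have flagged the order id too and buried real findings in noise. Feeding `redact` into the logging pipeline rather than running `scan` after the fact is the cheaper control, since a PAN that never lands on disk never expands your scope.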

Where PCI compliance gets serious is for businesses that genuinely need to handle card data directly: payment processors themselves, marketplaces with split payments, and fintechs building their own card programs. These businesses run full PCI environments with network segmentation isolating the cardholder data environment, encryption and key management for stored account data, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) alongside internal scans, penetration tests at least annually and after significant changes, and on-site QSA assessments producing a Report on Compliance. The AI Ops Department handles the evidence collection layer for the audit, paired with SOC 2 overlap to avoid duplicating controls. The combined cost of PCI plus SOC 2 plus a dedicated security lead can easily run 300,000 dollars per year for a fintech operating its own card infrastructure.

// Examples
  • A Series A SaaS uses Stripe Checkout exclusively, qualifying for SAQ A self-attestation at $0 audit cost versus $40K for a full assessment.
  • A marketplace handling split payments runs SAQ D for Merchants with quarterly ASV scans and annual penetration testing, total annual compliance cost roughly $85K.
  • A fintech building its own card program completes a Level 1 PCI assessment with an on-site QSA audit, integrating PCI evidence with SOC 2 evidence to cut combined cost by 28% versus running them in parallel.
// Common questions
Do I need PCI compliance if I use Stripe?
Yes, but at a much reduced scope. Using Stripe Checkout or a similar redirect or processor-hosted iframe integration qualifies most SaaS for SAQ A, the shortest self-assessment questionnaire. The card data never touches your infrastructure, so most PCI requirements do not apply; the ones that remain are mostly about keeping your payment page and its scripts from being tampered with and vetting the processor as a service provider. If your own JavaScript handles the card fields instead of a redirect or iframe, you move up to SAQ A-EP, which is considerably longer. Skipping PCI entirely is not an option even with Stripe, but the compliance burden is minimal.
What are the merchant levels?
Merchant levels are defined by each card brand, not by the PCI SSC; the Visa and Mastercard thresholds are the ones most merchants go by. Level 1 is over 6 million transactions annually with that brand, or any merchant the brand designates as Level 1 (typically after a compromise), and requires an on-site assessment by a QSA. Level 2 is 1 to 6 million transactions. Level 3 is 20,000 to 1 million e-commerce transactions. Level 4 is everyone else: fewer than 20,000 e-commerce transactions and up to 1 million total, validated through an annual self-assessment questionnaire (plus quarterly ASV scans where the questionnaire type requires them), with the specifics set by the acquiring bank. Most funded startups are Level 4 until they hit scale.
How much does PCI compliance cost?
SAQ A (using a hosted payment processor) costs essentially zero in audit fees, just internal time. A full Level 1 PCI assessment runs 50,000 to 150,000 dollars annually in QSA fees depending on environment complexity, before the cost of operating the segmented environment, scans and penetration tests it requires. The cost gap between outsourced and in-house card handling is large enough that almost no funded startup should handle card data directly unless the business model genuinely requires it.
Does PCI overlap with SOC 2?
Substantially. Both require similar controls around access management, encryption, vulnerability management, and monitoring. Companies running both compliance programs in parallel can typically reuse 50 to 70 percent of evidence and control documentation. Audit firms that do both can quote a discounted combined engagement that saves 20 to 35 percent versus running them separately.
// Ready to ship?

EOI runs fractional AI departments for funded teams under 50. Sales, Content, Ops, Support. Live in 14 days on a monthly retainer.