To protect cardholder data, PCI-compliant companies follow a set of credit card data security standards, known as PCI DSS. Explore why PCI compliance matters to all organizations that handle or process card payments.
Payment Card Industry (PCI) compliance means obeying a set of security policies for cardholder data. All organizations that process transactions with credit, debit, and/or prepaid cards are subject to PCI compliance requirements.
Credit card data needs to remain secret to be secure, and becoming PCI compliant establishes that a company can be trusted to keep that data secret. Just as a homeowner would not lend their house keys to someone they couldn’t trust with their belongings, credit card brands won't trust a merchant with payment card data if that merchant fails to keep it secure.
If a business stores, processes, or transmits credit cardholder data — whether over the Internet, by phone, in an app, on paper, or in person — they must follow a set of rules for protecting information about those payments.
Although PCI compliance is not required by US federal law, the credit card companies can impose non-compliance fees to businesses that fail to properly secure cardholder data. More critically, failing to protect cardholder data makes it easier for criminals to steal that data. Such theft is a significant risk — over the next 10 years, the global payment card industry is forecast to lose an accumulated $397 billion worldwide from fraud, according to projections from the Nilson Report.
PCI DSS stands for "Payment Card Industry Data Security Standard” (PCI DSS). The PCI DSS framework guides businesses with robust processes for securing cardholder transaction data and card authentication information. It is intended to protect both cardholder data and authentication data with requirements that help prevent, detect, and react to security incidents.
PCI compliance applies globally to every merchant who accepts credit cards, debit cards, or prepaid cards. This means businesses of all sizes, from a corner coffee shop to a multinational designer clothing brand, are subject to PCI compliance — even if they use a third party for processing transactions.
Cardholder transaction data addressed by the PCI DSS includes:
Sensitive authentication data covered by the PCI DSS includes:
The PCI DSS framework comprises 12 fundamental requirements (with more than 300 sub-requirements):
PCI DSS and related security standards are administered by the PCI Security Standards Council (PCI SSC), an industry organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. Participating organizations also include merchants, payment card issuing banks, processors, developers and other vendors.
The first version, PCI DSS 1.0, was introduced in 2004. In 2006, the PCI SSC released version 1.1, which asked merchants to review all online applications and establish firewalls for added security.
The PCI DSS has continued to evolve over the years in response to data breaches and vulnerabilities appearing across the card-processing ecosystem. The current version 3.2.1, issued in 2018, currently coexists with version 4.0.
PCI DSS v4.0 was published in 2022 to “address emerging threats and technologies and enable innovative methods to combat new threats.” Organizations have until March 31, 2025 to comply with all PCI DSS v4.0 requirements.
Although the core PCI DSS requirements have not fundamentally changed, the new v4.0 provides greater focus on how security controls should be implemented. Examples of changes include:
Here is a summary of the key changes from v.3.2.1 to v4.0.
PCI compliance is enforced by the credit card brands responsible for payment processing. When a merchant (e.g., someone who accepts payment cards as a payment method for goods and services) makes a certain number of payment card transactions per year, they are required to complete a full PCI DSS Report on Compliance. If they fail to do so, they are subject to fines.
PCI DSS penalties are based on a number of factors, such as the severity of the violation, how long it took to fix or remediate the issue, and whether there was a breach. If a company remains PCI non-compliant, there is also a chance that they won’t be able to use credit cards for any payments within their system.
PCI DSS divides companies (or "merchants," as the standards call them) into four levels based on the number of card transactions they process during a 12-month period.
The four levels* are:
The way a merchant can get certified as PCI compliant changes based on their level. Generally speaking, the more transactions they handle, the more rigorous the compliance auditing requirements.
For example, Level 2-4 merchants fill out and submit an annual Self-Assessment Questionnaire (SAQ). There are different SAQ types, depending on the way the merchant processes payment card information. Organizations should refer to the SAQ Instructions and Guidelines to help determine which (if any) SAQ applies to their organization.
Level 1 merchants (like Cloudflare), which handle more than six million transactions a year, are audited annually. Level 1 merchants must receive a Report on Compliance from a PCI SSC Qualified Security Assessor (QSA) or PCI SSC Internal Security Assessor (ISA. This process for Level 1 merchants takes place either once a year or once a quarter, depending on the card company. Level 1 merchants may also have onsite data security assessments.
Finally, all merchants need to fill out and submit an Attestation of Compliance (AOC) form, which is basically a statement to the credit card company that the merchant is PCI compliant.
*These definitions are mostly accurate, but each credit card brand defines and assesses compliance slightly differently. It is important to check with each credit card company for their specific program criteria.
Cloudflare maintains PCI DSS Level 1 compliance, and has been PCI compliant since 2014. Many of our customers also require that we provide a copy of our AOC, which basically tells the credit card company we are PCI compliant. If we did not have this certification, we could not work with certain customers, nor would our acquiring bank allow us to use payment cards as a payment method for our services.
We also help our customers maintain security through their own websites and applications. Here are some examples of how Cloudflare can help businesses meet certain PCI DSS requirements:
Learn more about Cloudflare’s website and application security services.