What is Payment Card Industry Data Security Standards (PCI-DSS)?

PCI DSS is a set of requirements outlined by the PCI Council for securing the processing, transmission, and storage of payment data by the merchants and third-party service providers.

Is PCI DSS Compliance Mandatory?

PCI DSS is a data security standard, and not a regulation enforced by law. However, compliance to the standard is mandated by the contracts signed by the merchants with the card brands (Visa, MasterCard, etc.) and with the banks that handle their payment processing.

What are the penalties for non-compliance to PCI-DSS Standards?

PCI non-compliance can result in penalties ranging from $5,000 to $100,000 per month by the credit card companies. The penalties levied depend on the volume of clients, the volume of transactions, the merchant level of PCI-DSS, and the time or duration for non-compliance.

What is an Attestation of Compliance (AOC)?

An Attestation of Compliance is a document of declaration to be attached with SAQ that states the merchant’s eligibility to perform and have performed the appropriate Self-Assessment.

What is the Self-Assessment Questionnaire (SQA)?

Generally, small merchants or service providers who are not required to provide Compliance reports but wish to demonstrate their efforts towards securing sensitive data use SAQ for validation. SAQ is a self-validation tool and a merchant’s statement of PCI Compliance. It contains a series of questions relating to the 12 requirements of the PCI DSS Compliance with options of “Yes and No” that need to be answered by the merchants. For questions that are answered as “No,” an attached remediation plan describing actions it plans to take to resolve the issue are required.

Is PCI-DSS Compliance still applicable if an organization avails third-party service?

Yes. Outsourcing services or using third-party services will not exclude a company from PCI DSS compliance. Although, outsourcing to the third-party will reduce the risk exposure and consequently reduce the efforts to validate compliance. But the company cannot completely ignore PCI DSS Compliance.

What are the PCI Compliance levels and how are they determined?

Merchants who fall in the scope of PCI Compliance will most likely fall in one of the four merchant levels, based on the transaction volume over 12 months. The transaction volume is based on the aggregate number of Visa transactions which is inclusive of credit, debit, and prepaid from a merchant “Doing Business As” (DBA). In cases where a merchant has more than one DBA, Visa acquirers should consider an aggregate volume of transactions stored, processed, or transmitted to determine the validation level.

Level 1


  • Merchants processing more than 6 million Visa, Mastercard, or Discover transactions annually via any channel.
  • Merchants processing more than 2.5 million American Express transactions annually.
  • Merchants processing more than 1 million JCB transactions annually.
  • Merchants that have suffered a data breach or cyberattack resulting in cardholder data being compromised.
  • Merchants that have been identified by another card issuer as Level 1.

Level 2


  • Merchants processing between 1 million and 6 million Visa, Mastercard, or Discover transactions per year via any channel.
  • Merchants processing between 50,000 to 2.5 million American Express transactions annually.
  • Merchants processing less than 1 million JCB transactions annually.

Level 3


  • Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually.
  • Merchants processing 20,000 MasterCard e-commerce transactions annually, but less than or equal to 1 million total MasterCard transactions annually.
  • Merchants that process 20,000 to 1 million discover card-not-present only transactions annually.
  • Less than 50,000 American Express transactions.

Level 4


  • Merchants processing less than 20,000 Visa or MasterCard e-commerce transactions annually.
  • All other merchants processing up to 1 million Visa or MasterCard transactions annually.