Is PCI DSS Mandatory?

The Payment Card Industry Data Security Standard (PCI DSS) was created by the Payment Card Industry Security Standards Council (PCI SSC). This council includes brands like MasterCard, VISA and American Express. It was created to develop, encourage, and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Whilst PCI DSS is not a law, it is a contractual agreement, and there can be consequences for non-compliance.

Who needs to comply?

PCI DSS applies to all businesses worldwide that store, process and/or transmit cardholder data. In short, that is all businesses that accept cards as a means of payment, whether online or in a store.

Compliance is important to prevent a breach or a fine, but it also increases customer confidence that their card data is processed safely by the organisation.

Is PCI DSS Mandatory?

PCI DSS is not a law. It is a contractual agreement between the business and the acquiring bank the money is paid into. However, some states in the USA have incorporated the standard into state law (Washington and Nevada, for example).

Regardless of the size of the company or amount of payment transactions, any organisation involved in payment card processing is contractually required to be PCI DSS compliant. Without compliance, legal action could be taken, or fines imposed.

What are the consequences of non-compliance?

PCI DSS fines are based on each individual business and the circumstances. Fines can be imposed for non-compliance with all or parts of the standard, or for a breach caused by lack of compliance.

The fines vary, and can be imposed annually, monthly or ad-hoc. They can range from $1000 to $100,000 per month depending on the severity of the non-compliance. If a breach occurs in an organisation, the cost and time to recover often outweigh the actual cost of the fine, so it is important to comply.

How to comply

Businesses are categorised into four levels, depending on the number of annual transactions. Each brand (Visa, Mastercard, etc.) has its own levels, but typically the levels are as follows:

  • Level one – Over 6 million transactions annually
  • Level two – Between 1 and 6 million transactions annually
  • Level three – Between 20,000 and 1 million transactions annually
  • Level four – Less than 20,000 transactions annually


Depending on your level, which your acquiring bank will make you aware of, you may need to submit a Report on Compliance by a Qualified Security Assessor; for lower levels, only a Self-Assessment Questionnaire is required.
