Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

Is PCI DSS Mandatory?

The Payment Card Industry Data Security Standard (PCI DSS) was created by the Payment Card Industry Security Standards Council (PCI SSC). This council includes brands like MasterCard, VISA and American Express. It was created to develop, encourage, and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Whilst PCI DSS is not a law, it is a contractual agreement, and there can be consequences for non-compliance.

Who needs to comply?

PCI DSS applies to all businesses worldwide that store, process and/or transmit cardholder data. In short, that is all businesses that accept cards as a means of payment, whether online or in a store.

Compliance is important to prevent a breach or a fine, but it also increases customer confidence that their card data is processed safely by the organisation.

Is PCI DSS Mandatory?

PCI DSS is not a law. It is a contractual agreement between the business and the acquiring bank the money is paid into. However, some states in the USA have incorporated the standard into state law (Washington and Nevada, for example).

Regardless of the size of the company or amount of payment transactions, any organisation involved in payment card processing is contractually required to be PCI DSS compliant. Without compliance, legal action could be taken, or fines imposed.

What are the consequences of non-compliance?

PCI DSS fines are based on each individual business and the circumstances. Fines can be imposed for non-compliance to all or parts of the standard, or for a breach caused by lack of compliance.

The fines vary, and can be imposed annually, monthly or ad-hoc. They can range from $1000 to $100,000 per month depending on the severity of the non-compliance. If a breach occurs in an organisation, the cost and time to recover often outweighs the actual cost of the fine, so it is important to comply.

How to comply

Businesses are categorised into four levels, depending on the number of annual transactions, and each brand (Visa, Mastercard etc) have their own levels, but typically the levels are as follows:

  • Level one – Over 6 million transactions annually
  • Level two – Between 1 and 6 million transactions annually
  • Level three – Between 20,000 and 1 million transactions annually
  • Level four – Less than 20,000 transactions annually


Depending on your level, which your acquiring bank will make you aware of, you may need to submit a Report on Compliance by a Qualified Security Assessor, or for lower levels, only a Self-Assessment Questionnaire is required.

If you’re looking for more information on PCI DSS compliance, our online guide includes more information about the 12 requirements, the types of cardholder data and the assessment process. Click the button below to download a free sample document from our PCI DSS toolkit.

Download free Document

Over 3000 businesses have purchased our toolkits


The sample documents are very rich in their scope. Our attorneys have reviewed our edits and can find no fault with what is presented.

Institute for Supply Management

View all Testimonials