PCI DSS stands for Payment Card Industry Data Security Standard. It is a global security standard that defines technical and operational requirements for protecting cardholder data and sensitive authentication data during payment processing. The standard is maintained by the Payment Card Industry Security Standards Council, founded by major card networks including Visa, Mastercard, American Express, Discover, and JCB.
The standard is a detailed set of requirements aimed at protecting cardholders' data during payments. Certification against these requirements indicates that a company takes the security of its customers' personal and payment data seriously.
PCI DSS helps organisations reduce the risk of card data theft, payment fraud, and unauthorised access to cardholder information.
PCI DSS applies to any organisation that stores, processes, or transmits cardholder data. This includes:
Both large organisations and small companies are required to undergo certification.
PCI DSS includes 12 core requirements grouped around security areas such as network protection, account data security, vulnerability management, access control, monitoring, testing, and information security policies.
Here's a gist of the PCI DSS requirements:
PCI DSS affects how businesses design payment flows, choose providers, store payment data, and manage integrations. For merchants, it can influence checkout architecture, provider selection, and the decision to use hosted payment pages or server-to-server integrations.
For PSPs and payment businesses, PCI DSS is part of the operational foundation. It shapes infrastructure security, access control, monitoring, incident response, and how cardholder data is handled across payment systems.
PCI DSS compliance means meeting the applicable requirements of the standard and validating that compliance through the required assessment process.
To validate compliance, organisations may need to complete a Self-Assessment Questionnaire (SAQ), submit an Attestation of Compliance (AOC), perform vulnerability scans through an Approved Scanning Vendor (ASV), or undergo an independent assessment by a Qualified Security Assessor (QSA), depending on their role, transaction volume, and acquiring bank requirements.
Merchant compliance levels are usually based on annual card transaction volume and determine the type of validation process required. Level 1 usually applies to the largest merchants and requires the most detailed assessment, often including a Report on Compliance (ROC) completed by a QSA. Lower levels may be able to validate compliance through an SAQ, although acquiring banks and card schemes may set additional requirements.
Holding a PCI DSS compliance certificate demonstrates a company's serious approach to security and to protecting its clients' data. It is perceived as a quality mark that indicates the reliability and trustworthiness of such a business.
Non-compliance can lead to serious consequences, including fines imposed by acquiring banks, higher processing costs, increased audit requirements, account restrictions, or termination of payment processing services.
For a deeper overview, read our quick guide to PCI DSS compliance.
Corefy is PCI DSS Level 1 certified and undergoes regular assessment by a Qualified Security Assessor (QSA). This validates the security controls applied to Corefy's in-scope infrastructure, development, operations, support, and payment services.
Using Corefy-hosted payment flows can help reduce a client’s PCI DSS scope because sensitive card data is handled within Corefy’s certified environment. However, each business should confirm its own PCI DSS responsibilities based on its payment setup, integration type, and acquiring requirements.