
What is PCI-DSS?

Complexity: Working
Shows up: Monthly
Scope: Network-native
Operator relevance: Context
Quick definition

PCI-DSS (Payment Card Industry Data Security Standard) is the security standard all merchants handling cardholder data must comply with. Current version: 4.0.1.

The short answer

PCI-DSS (Payment Card Industry Data Security Standard) is a set of security requirements every business that handles cardholder data must meet. It's governed by the PCI Security Standards Council and enforced through the card networks and your acquirer.

In plain English

If you touch card data — even briefly — PCI-DSS applies to you. "Touch" means: accept it in your checkout, transmit it, store it, process it, or even be capable of touching it (e.g., your network could see it pass through). The scope of what the standard applies to is called your "PCI scope."

The trick most modern operators use: minimize scope by never actually seeing card data. Tokenize at the processor (Stripe.js, Square Web Payments SDK, Authorize.net Accept.js) so the card number goes directly from the customer to the processor without ever touching your server. Your scope shrinks dramatically.
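The client-side tokenization described above only keeps your server out of scope as long as no checkout page regresses into posting the raw card number to you. The following is an added example, not code from this glossary or from multiflow: a guard for a hypothetical POST /orders handler that accepts only an opaque processor token and rejects any payload carrying a Luhn-valid 13-19 digit number. The "tok_" token format and the endpoint are assumptions for illustration; the test card number is the standard Visa test PAN.

```javascript
// Added example (not multiflow's code): keep an order endpoint out of PCI scope
// by accepting only a processor token and refusing anything that looks like a PAN.
// Assumptions: the browser-side SDK (e.g. Stripe.js) tokenizes the card and posts
// an opaque token with an assumed "tok_" prefix; the endpoint name is hypothetical.

// A run of 13-19 digits, optionally separated by spaces or dashes.
const DIGIT_RUN = /\d[\d\s-]{11,21}\d/g;

// Luhn checksum over a string of digits (rejects most typos and random numbers).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Walks a JSON payload and returns the paths whose values contain a probable PAN.
// Numbers are checked too: a PAN sent as a JSON integer is still a PAN.
function findPanLeaks(payload, path = "$") {
  const hits = [];
  if (typeof payload === "number") {
    return findPanLeaks(String(payload), path);
  }
  if (typeof payload === "string") {
    for (const m of payload.match(DIGIT_RUN) || []) {
      const digits = m.replace(/[\s-]/g, "");
      if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(path);
    }
  } else if (Array.isArray(payload)) {
    payload.forEach((v, i) => hits.push(...findPanLeaks(v, `${path}[${i}]`)));
  } else if (payload && typeof payload === "object") {
    for (const [k, v] of Object.entries(payload)) hits.push(...findPanLeaks(v, `${path}.${k}`));
  }
  return hits;
}

// Hypothetical POST /orders handler. Rejects raw card data before doing anything
// else, so the PAN is never persisted, logged or forwarded by this service.
function handleOrder(body) {
  const leaks = findPanLeaks(body);
  if (leaks.length > 0) {
    // Report only the field paths, never the values: logging a PAN stores cardholder data.
    return { status: 400, error: "raw card data rejected", fields: leaks };
  }
  if (typeof body.paymentToken !== "string" || !/^tok_[A-Za-z0-9]+$/.test(body.paymentToken)) {
    return { status: 400, error: "paymentToken required" };
  }
  return { status: 202, chargeWith: body.paymentToken, amount: body.amount };
}

// Constructed sample requests: a correct token-only order, and a custom checkout
// that regressed into posting the card itself (Visa test number, not a real card).
const goodOrder = { paymentToken: "tok_example123", amount: 4999, note: "order 1001" };
const leakyOrder = { card: { number: "4111 1111 1111 1111", exp: "12/30" }, amount: 4999 };

console.log(handleOrder(goodOrder));   // status 202, charge with the token
console.log(handleOrder(leakyOrder));  // status 400, fields: ["$.card.number"]
```

Wire the same check into a request filter on every brand's checkout backend and alert on any hit: a single rejected request is the earliest signal that a sub-brand's custom checkout has started sending card data your way.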

How it shows up in your business

  • Merchant Levels 1-4 based on volume: Level 1 (6M+ transactions/year) requires on-site audit; Level 4 (under 20k transactions) typically self-assessment.
  • SAQ types (Self-Assessment Questionnaire): A (only iframe checkout), A-EP (redirect but page hosts checkout), B (card-present imprint), C (card-present POS), D (the catch-all, hardest).
  • Annual attestation required — either via audit or SAQ depending on level.
  • Quarterly scans required for external-facing systems (ASV scans).
  • Penalties for non-compliance: $5k-$100k/month fines, card-brand enforcement actions, potential account closure.

Numbers to know

Current PCI-DSS version: 4.0.1 (released April 2024, mandatory compliance deadline March 2025). Key changes: MFA on all access (not just admin), targeted risk analyses, customized approach option. Previous version (3.2.1) sunset March 2024.

Cost of compliance: Level 1 audit typically $50k-$150k annually. Level 4 self-assessment: $5k-$25k annually. Non-compliant fines: $5k-$100k/month per acquirer.

Why multi-brand operators care

Every brand in your portfolio falls under your consolidated PCI-DSS scope if they route through any shared infrastructure. Operators who've minimized scope on one brand often blow it up when they add the 5th brand through a custom checkout. Using hosted checkout + tokenization consistently across every sub-brand keeps scope minimized. multiflow, as an orchestration layer that never sees card data, is SAQ D-SP (service provider) scoped with minimal exposure — we're not in your card data path.
