What Is PCI DSS? Payment Card Industry Data Security Standard, Explained
PCI DSS (Payment Card Industry Data Security Standard) is the information security standard for every organization that stores, processes, or transmits payment card data. Accept card payments, and it applies to you, whatever your size.
The standard is maintained by the PCI Security Standards Council, founded in 2006 by Visa, Mastercard, American Express, Discover, and JCB. It isn't a law. It's a contractual requirement that card networks and acquiring banks enforce, with fines and, in the worst case, loss of the ability to take card payments.
PCI DSS is organized into 12 core requirements covering areas like network security, protection of stored account data, access control, and continuous monitoring and testing. The current version is PCI DSS 4.0.1, published by the Council in 2024; the last future-dated requirements of the 4.x line became mandatory on March 31, 2025.
How much of the standard lands on you depends on how you handle card data. An online store that redirects shoppers to a hosted payment page (Stripe Checkout, for example) never touches card numbers, which shrinks its compliance scope to a short self-assessment questionnaire. A platform that stores card numbers on its own servers faces the full weight of the standard.
This page is a definition, not compliance advice.
Why it matters for custom software
Architecture decides your PCI scope. When we build ecommerce software, we keep card data out of the client's systems entirely, using hosted payment fields and tokenization from the payment provider. The store gets paid, the card numbers never land in its database, and the compliance burden stays small.