PCI DSS v4.0.1 Compliance Checklist (2026)

Authority: PCI Security Standards Council (Official source)
Updated: 2026-01
Disclaimer: This checklist is for informational purposes only and does not constitute legal advice. Compliance requirements vary by jurisdiction, business type, and circumstances. Always consult a qualified attorney or compliance professional before making compliance decisions.

Req. 1 — Network Security Controls

Req. 1.2 (Official source)
Req. 1.2.2 (Official source)
Req. 1.3 (Official source)
Req. 1.1.2 (Official source)

Req. 2 — Secure Configurations

Req. 2.1 (Official source)
Req. 2.2.4 (Official source)
Req. 2.2.1 (Official source)
Req. 2.3.1 (Official source)

Req. 3 — Protect Stored Account Data

Req. 3.2 (Official source)
Req. 3.3.1 (Official source)
Req. 3.5 (Official source)
Req. 3.2.1 (Official source)

Req. 4 — Protect Data in Transit

Req. 4.2.1 (Official source)
Req. 4.2.1 (Official source)
Req. 4.2.1.1 (Official source)

Req. 5 — Protect Against Malware

Req. 5.3 (Official source)
Req. 5.3.2 (Official source)
Req. 5.4.1 (Official source)
Req. 5.4.1 (Official source)

Req. 6 — Secure Systems & Software

Req. 6.3.3 (Official source)
Req. 6.2 (Official source)
Req. 6.4 (Official source)
Req. 6.4.2 (Official source)
Req. 6.4.3 (Official source)

Req. 7 — Restrict Access by Business Need

Req. 7.2 (Official source)
Req. 7.2.4 (Official source)
Req. 7.3 (Official source)

Req. 8 — Identify Users & Authenticate Access

Req. 8.2.1 (Official source)
Req. 8.3.6 (Official source)
Req. 8.3.9 (Official source)
Req. 8.4.2 (Official source)
Req. 8.4.1 (Official source)
Req. 8.2.6 (Official source)

Req. 9 — Restrict Physical Access

Req. 9.1 (Official source)
Req. 9.3 (Official source)
Req. 9.4 (Official source)

Req. 10 — Log & Monitor All Access

Req. 10.2 (Official source)
Req. 10.7 (Official source)
Req. 10.5.1 (Official source)
Req. 10.6 (Official source)

Req. 11 — Test Security Regularly

Req. 11.2 (Official source)
Req. 11.3.1 (Official source)
Req. 11.3.2 (Official source)
Req. 11.4 (Official source)
Req. 11.5 (Official source)

Req. 12 — Information Security Policy

Req. 12.1 (Official source)
Req. 12.1.1 (Official source)
Req. 12.1.2 (Official source)
Req. 12.3.1 (Official source)

What is PCI DSS and who must comply?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements maintained by the PCI Security Standards Council (PCI SSC), founded by American Express, Discover, JCB, Mastercard, and Visa. PCI DSS applies to any organisation that stores, processes, or transmits cardholder data — including merchants of all sizes, payment processors, acquiring banks, issuing banks, and all service providers involved in payment processing. There is no revenue or transaction volume threshold: if you accept card payments, PCI DSS applies.

Merchants are categorised into four levels based on annual Visa transaction volume. Level 1 merchants (over 6 million transactions) require an annual on-site assessment by a Qualified Security Assessor (QSA). Level 2–4 merchants may self-assess using the appropriate Self-Assessment Questionnaire (SAQ). Using a hosted payment solution like Stripe Elements, Braintree Drop-in, or PayPal Checkout — where card data never touches your servers — significantly reduces scope and typically qualifies merchants for SAQ A, the simplest form.

PCI DSS v4.0.1 — what changed in 2025?

PCI DSS v4.0 was released in March 2022 and replaced v3.2.1, which retired on March 31, 2024. PCI DSS v4.0.1, a minor clarification update, was released in June 2024. The standard introduces 64 new requirements, many of which were designated "best practices" until their compliance deadline of March 31, 2025, after which they became mandatory. Key new requirements include: the customised implementation approach (flexibility in how controls are implemented), targeted risk analyses (replacing prescriptive frequencies with risk-based timelines), multi-factor authentication for all access to the cardholder data environment (Req. 8.4.2), and expanded e-commerce security requirements covering payment page scripts (Req. 6.4.3 and 11.6.1).

Non-compliance can result in fines from card brands of $5,000–$100,000 per month, increased transaction fees, mandatory forensic investigations following a breach, and ultimately card acceptance privileges being revoked. Data breaches involving cardholder data regularly result in settlements exceeding $100 million.

How to use this PCI DSS compliance checklist

Begin by determining your merchant level and applicable SAQ type — your acquiring bank can confirm this. The 12 requirements in this checklist map directly to the PCI DSS v4.0.1 standard. Each item includes the official requirement reference so you can cross-check against the full standard published at pcisecuritystandards.org. Items marked "mandatory from March 2025" were previously future-dated requirements.

If your business also stores health data, review our HIPAA checklist. If you operate internationally and handle EU customer data, the GDPR checklist applies as well. Download the PDF to share your progress with your QSA, internal audit team, or acquiring bank.

Frequently Asked Questions

What are the maximum penalties for PCI DSS non-compliance?

Card brands impose fines of $5,000–$100,000 per month through your acquiring bank. After a confirmed data breach, fines can be substantially higher, and your ability to accept card payments may be revoked. You also become liable for fraudulent charges on compromised cards and mandatory forensic investigation costs. Breaches regularly result in settlements exceeding $100 million.

Who needs to comply with PCI DSS?

Any organisation that stores, processes, or transmits payment card data must comply with PCI DSS. This includes merchants, payment processors, banks, and any service provider that handles cardholder data. If you use a fully hosted payment solution and never see card data, your scope is minimal (SAQ A) — but you are still subject to PCI DSS.

If I use Stripe, Square, or PayPal, do I still need PCI DSS compliance?

Yes, but your scope is much reduced. If you use hosted payment fields (like Stripe Elements or PayPal's hosted checkout) and never handle card data yourself, you qualify for SAQ A — the simplest self-assessment. You still need to complete and submit it to your acquiring bank. Using these processors correctly is the easiest way to minimise PCI DSS obligations.

What is an SAQ and how do I know which one applies to me?

A Self-Assessment Questionnaire (SAQ) is a validation tool for merchants not required to have a full on-site audit. The type depends on how you process payments: SAQ A (fully outsourced, no card data), SAQ B (POS terminals, no e-commerce), SAQ C-VT (web-based virtual terminals), SAQ D (all other merchants). Your acquiring bank can advise on which applies.

What are the penalties for PCI DSS non-compliance?

PCI DSS is enforced by card brands (Visa, Mastercard, etc.) through your acquiring bank. Fines typically range from $5,000 to $100,000 per month for non-compliance. After a data breach, fines can be significantly higher, and you may lose the ability to accept card payments. Liability for fraudulent charges on compromised cards also falls to you.

What changed in PCI DSS v4.0 vs v3.2.1?

Key changes include: MFA now required for all access to the CDE (not just remote access), minimum password length increased to 12 characters, new requirements for e-commerce script inventory and integrity verification, phishing-resistant MFA requirements, and a new customised approach for meeting requirements using alternative controls. All future-dated v4.0 requirements became mandatory March 31, 2025.