Cybersecurity Glossary

What is PCI DSS (Payment Card Industry Data Security Standard)?

The Payment Card Industry Data Security Standard (PCI DSS) is the required security standard for any business that stores, processes, or transmits credit card data. Compliance is mandatory — not optional — for accepting card payments, and is governed by the PCI Security Standards Council and enforced by card brands.


How PCI DSS works

Three-step view of how it operates in practice.

1. Determine merchant level

   Levels 1-4 are based on transaction volume. Most SMBs are Level 4 (under 20K transactions per year).

2. Scope the cardholder data environment (CDE)

   Identify every system that stores, processes, or transmits cardholder data. The smaller the CDE, the easier compliance is.

3. Validate annually

   Self-Assessment Questionnaire (SAQ) for lower volumes; an external auditor's Report on Compliance (ROC) for Level 1 merchants.

PCI DSS merchant levels

A merchant's level is set by its annual card transaction volume. The exact thresholds are defined by each card brand; the figures below follow Visa's definitions.

Level 1: 6M+ transactions/year. Annual onsite audit by an external auditor (ROC).

Level 2: 1M-6M transactions/year. Annual SAQ.

Level 3: 20K-1M e-commerce transactions/year. Annual SAQ.

Level 4: Under 20K e-commerce transactions/year (or up to 1M transactions through other channels). Annual SAQ. Most SMBs fall here.

Why PCI DSS matters for SMBs

83% of breaches involving payment card data target SMB merchants rather than enterprises.
Source: Verizon Payment Security Report, 2024
Common PCI DSS mistakes

  • Storing card numbers unnecessarily: the easiest way to reduce PCI scope is not to store card data at all. Use a PCI-compliant payment processor that returns tokens.
  • Broad CDE scoping: every system that handles cardholder data, or can reach one that does, is in scope, so a flat network or shared servers pull far more into the assessment than necessary. Segment the network and keep the CDE small.
  • Forgetting physical controls: PCI applies to paper too, such as receipts, order forms, and returned merchandise with card numbers. Physical security matters.
  • One-time compliance: PCI is continuous. Changes to systems, vendors, or processes require reassessment.
PCI DSS frequently asked questions

  • Using a payment processor does not remove the obligation: you're still a merchant and responsible for PCI compliance, usually SAQ-A (the simplest level), but still required.
  • Version 4.0 (enforced March 2024) adds flexibility for modern architectures, stronger authentication requirements, and risk-based targeted reviews.
  • The cost of non-compliance: fines ($5K-$100K/month from card brands), higher transaction fees, potential loss of the ability to accept cards, and breach liability.
  • Firewalls are required: PCI Requirement 1 mandates firewalls around the CDE. Requirements have become more prescriptive with each version.
Accepting card payments?

Talk to a LogicalNet expert. We will review your current environment and help you plan and deploy changes without disrupting the business.

No commitment · Local engineers · Response within 1 business day