PCI DSS Compliance: Levels, Requirements & Cost

TL;DR - Summary
- What is PCI DSS compliance? - PCI DSS is a globally recognised security standard developed by the PCI Security Standards Council (PCI SSC) to protect cardholder data (such as card numbers, expiry dates, and cardholder names) and reduce payment fraud.
- Is PCI DSS mandatory for Indian businesses? - PCI DSS is not a law in India. However, the RBI requires licensed Payment Aggregators to comply with PCI DSS as part of its regulatory framework.
- What is the latest version of PCI DSS? - The latest active version is PCI DSS v4.0.1, which businesses should follow to meet the current PCI Security Standards Council requirements.
- How can an Indian merchant reduce compliance burden? - By using a trusted RBI-authorised third-party payment gateway to handle card data, Indian merchants can lower their compliance burden, since the gateway takes on PCI DSS compliance for the card data it handles.
What is PCI DSS Compliance?
Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that apply to card data before, during and after a payment transaction. The standard is developed and maintained by the PCI Security Standards Council, which was founded by the major international card networks: Visa, MasterCard, American Express, Discover and JCB.
PCI DSS is a globally recognised security standard followed by organisations that store, process, or transmit cardholder data. In India, the RBI requires licensed Payment Aggregators to comply with PCI DSS as part of its regulatory framework. Any Indian business that handles card data, whether a large enterprise or a rapidly growing local e-commerce store, needs to comply with these standards.
The goal of PCI DSS is to reduce payment fraud and data breaches by making organisations implement strong security controls to manage cardholder data. PCI DSS v4.0.1 stresses the importance of ongoing security monitoring, frequent risk assessments and stronger authentication methods.
✅ PRO TIP
If you use an authorised third-party payment gateway, you do not handle raw card data directly, which greatly reduces your PCI DSS compliance scope.
Why is PCI DSS Compliance Important?
PCI DSS compliance matters because it protects your business from data breaches, financial penalties, and the loss of customer trust that follow a payment security failure. Here is what is at stake:
- Protection from breaches: Hackers target weak payment systems to steal customers' credit card numbers, names, and bank details. Data breaches cause immediate financial losses and lasting damage to a business's reputation.
- Financial penalties: Card networks and acquiring banks (the banks that process card payments for merchants) may impose penalties on non-compliant businesses following a data breach. The severity depends on factors such as the nature of the breach and the duration of non-compliance.
- Risk of losing your merchant account: A serious security failure can lead the banks to terminate your merchant account. If that happens, your business could permanently lose its ability to accept credit or debit card payments.
- Stronger customer trust: Indian consumers are increasingly wary of online fraud. When your business complies with PCI DSS standards, customers feel more confident sharing their payment information and completing transactions.
⚠️ COMMON MISCONCEPTION
Small businesses are not exempt from PCI DSS. Businesses of all sizes must ensure compliance. If you use a payment gateway, you may never store or access card data yourself; even then, your business is still legally responsible for ensuring that its payment processing company is PCI DSS compliant.
Who Needs PCI DSS Certification?
Any business that manages credit, debit or prepaid cardholder data is required to be PCI DSS certified. The scope of this standard covers companies that accept, process, store or transmit card data through in-store terminals, online checkouts or mail/telephone order (MOTO) transactions.
The payment ecosystem is divided into three groups:
Merchants
A merchant is any business that accepts card payments for goods or services, including e-commerce platforms, retail stores, restaurants, and hotels, as well as mail/telephone order (MOTO) businesses. Many business owners assume that outsourcing checkout to an external payment gateway transfers all security obligations elsewhere. It generally does not. Engaging a third-party vendor narrows a merchant's compliance scope but does not eliminate it.
Service Providers
Service providers handle or store card data for other businesses. This includes payment processors, gateways, web hosting platforms and cloud storage vendors, managed IT providers, as well as developers creating payment applications. These organisations store large amounts of financial data and have the most demanding compliance requirements under the standard.
Financial Institutions
This category includes the banking infrastructure behind the day-to-day card transactions. It covers acquiring banks that process payments for merchants, issuing banks that provide cards to consumers, ATM networks, and other banking networks involved in the payment transaction lifecycle.
For Indian service exporters, the applicable regulatory framework is the Foreign Exchange Management Act (FEMA) and the RBI rules on inward remittances. Compliance means routing transfers through authorised banks, applying the correct purpose codes, and retaining a Foreign Inward Remittance Advice (FIRA) document for tax purposes. A compliant payment platform takes care of the card security dimension; the exporter's responsibility is on the FEMA side.
What Are the Levels of PCI DSS Compliance?
PCI DSS defines four merchant compliance levels, based on annual transaction volume rather than revenue or headcount. At the higher levels, merchants must undergo independent audits, while self-assessment is sufficient at the lower levels.
The table below shows PCI DSS compliance certification levels for merchants:
| Level | Who It Applies To | Annual Transaction Volume | Validation Requirement |
|---|---|---|---|
| Level 1 | Global enterprises and massive retail chains | Over 6 million transactions/year | Annual on-site audit by an external Qualified Security Assessor (QSA), producing a Report on Compliance (RoC) |
| Level 2 | Mid-sized companies and growing platforms | 1 million to 6 million transactions/year | Annual Self-Assessment Questionnaire (SAQ) and quarterly network scans |
| Level 3 | Regional businesses and established e-commerce sites | 20,000 to 1 million e-commerce transactions/year | Annual SAQ and quarterly network vulnerability scans |
| Level 4 | Small local shops and early-stage startups | Under 20,000 e-commerce transactions/year (or up to 1 million other transactions). | Annual SAQ; quarterly network scans are also recommended. Validation requirements vary by card brand and acquiring bank. |
For most freelancers, software consultants, and small exporters who route cross-border payments through an external aggregator, these higher-tier requirements do not apply directly. If any card data is involved, Level 4 is generally the relevant compliance level.
However, because the payment aggregator handles the cardholder data, direct PCI DSS certification is typically not required. Your compliant payment aggregator handles the transaction routing and carries the compliance obligations that come with it. Your own obligations are limited to standard business verification and cross-border documentation.
What Are the Requirements of PCI DSS?
PCI DSS v4.0.1 has 12 requirements organised under six control objectives. Each objective addresses a different aspect of payment security.
Control Objective 1: Create and Maintain a Secure Network and Systems
- Install and maintain network security controls: Firewalls must be configured to block unauthorised traffic from reaching cardholder data.
- Apply secure configurations to all system components: Default vendor passwords must be replaced and system settings hardened before deployment.
Control Objective 2: Protect Account Data
- Protect stored account data: Stored card data must be encrypted or tokenised. Sensitive authentication data such as Card Verification Value (CVV) codes and PINs cannot be retained after a transaction completes.
- Protect cardholder data with strong cryptography during transmission over open networks: Card data crossing the internet must be encrypted in transit, for example with Transport Layer Security (TLS).
Control Objective 3: Maintain a Vulnerability Management Program
- Protect all systems and networks from malicious software: Anti-virus and anti-malware software must be kept current on every in-scope device.
- Develop and maintain secure systems and software: Security patches must be applied without delay, and secure coding standards are mandatory for development teams.
Control Objective 4: Establish Robust Access Controls
- Limit access to cardholder data on a need-to-know basis: Access to cardholder data must only be given to employees whose jobs require it.
- Identify users and authenticate access to system components: Every user must have a unique ID, and multi-factor authentication (MFA) is mandatory for everyone who accesses payment systems.
- Limit physical access to cardholder data: Server rooms must be locked, and physical media containing cardholder data must be inventoried and tracked.
Control Objective 5: Regularly Monitor and Test Networks
- Record and monitor access to network resources and cardholder data: Maintain audit logs that show who accessed cardholder data, when the access occurred, and the actions performed so suspicious activity can be identified quickly.
- Test the security of systems and networks regularly: Vulnerability scans are required quarterly and penetration testing at least annually.
Control Objective 6: Maintain Information Security Policy
- Enable security of information with organisation policy and procedures: Companies should maintain a written security policy, conduct regular risk assessments, and train employees on security best practices. For businesses serving international clients, these measures should also align with broader requirements for tech exporters on global compliance.
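The stored-data, need-to-know and audit-logging bullets above, worked through in code. This is an added example, not from the article or any aggregator's SDK: the field names, roles, demo key and sample transaction are constructed, and the HMAC token stands in for a token issued by the aggregator's vault.

```python
"""Added example, not from the article: a merchant-side record handler for three
of the controls above (PCI DSS v4.0.1 Requirements 3, 7 and 10). Field names,
roles and the demo key are constructed for illustration."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

FORBIDDEN_FIELDS = {"cvv", "cvc", "pin", "track_data"}  # never kept after authorisation
TOKEN_KEY = b"constructed-demo-key"  # a real deployment keeps this in a KMS/HSM
AUDIT_LOG = []                        # Requirement 10: who, when, what, outcome

def tokenize_pan(pan):
    """Opaque keyed token (HMAC-SHA256); the token->PAN vault stays with the
    aggregator, so the merchant never needs the raw PAN again."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()

def mask_pan(pan):
    """Keep only the last four digits for receipts and reconciliation."""
    return "*" * (len(pan) - 4) + pan[-4:]

def sanitize_for_storage(authorised_txn):
    """Requirement 3: drop CVV/PIN and replace the raw PAN with token + mask."""
    pan = authorised_txn["pan"].replace(" ", "")
    kept = {k: v for k, v in authorised_txn.items()
            if k.lower() not in FORBIDDEN_FIELDS and k != "pan"}
    kept["pan_token"] = tokenize_pan(pan)
    kept["pan_masked"] = mask_pan(pan)
    return kept

def is_full_pan(value):
    digits = value.replace(" ", "") if isinstance(value, str) else ""
    return re.fullmatch(r"\d{13,19}", digits) is not None

def storage_violations(record):
    """Review a stored record as an SAQ check would: return the keys holding
    forbidden fields or anything that still looks like a full PAN."""
    return sorted(k for k, v in record.items()
                  if k.lower() in FORBIDDEN_FIELDS or is_full_pan(v))

def read_record(user, role, record):
    """Requirement 7 (need-to-know) with a Requirement 10 audit entry per attempt."""
    allowed = role in {"finance", "support"}
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                      "action": "read", "txn_id": record["txn_id"],
                      "result": "allowed" if allowed else "denied"})
    if not allowed:
        raise PermissionError(f"{user} ({role}) may not read cardholder data")
    return record
```

Running `storage_violations` over the raw checkout payload reports `['cvv', 'pan']`, while the output of `sanitize_for_storage` reports no violations and keeps only the token and the masked PAN.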
How Much Does PCI DSS Compliance Cost?
PCI DSS compliance in India does not have a fixed price. Costs depend on your compliance level, infrastructure size, and how much remediation work is needed before an audit. The range is wide: roughly ₹50,000 per year for small merchants using hosted payment links, up to ₹25 lakhs or more for large enterprises running their own data centres.
The estimated industry ranges are:
| Business Size | Compliance Level | Estimated Annual Cost | Key Requirements |
|---|---|---|---|
| Small Merchants & Freelancers | Level 3 & 4 | ₹50,000 - ₹2 lakhs | Self-Assessment Questionnaire (SAQ) and basic technical configuration |
| Mid-Sized Organisations | Level 2 | ₹2 lakhs - ₹8 lakhs | Quarterly vulnerability scans, penetration testing, security consulting |
| Large Enterprises & Fintechs | Level 1 | ₹8 lakhs - ₹25 lakhs+ | On-site QSA audit, Report on Compliance (RoC), continuous monitoring |
Note: These are estimated industry ranges that vary significantly by organisation.
Breaking down the PCI DSS Compliance cost components:
- Assessment and auditing (₹2 lakh to ₹15 lakhs): For small merchants, this covers a security professional reviewing and signing off on an SAQ. At Level 1, it covers a certified QSA firm auditing the entire network environment.
- Quarterly ASV vulnerability scans (Starts from ₹20,000 per quarter): PCI DSS requires an Approved Scanning Vendor to scan internet-facing systems four times a year. Pricing scales with the number of public IP addresses in scope.
- Remediation and security upgrades (variable): Firewalls, encryption tools, multi-factor authentication, and tokenisation all need to be operational before an audit starts. For businesses building these from scratch, this is typically where most of the budget goes.
- Annual maintenance (₹1.5 lakhs to ₹5 lakhs): Anti-virus updates, log monitoring, and staff security training are ongoing obligations, not one-time costs.
💡 QUICK INSIGHT
Businesses that use a fully hosted, Level 1-certified payment platform can significantly reduce their direct PCI DSS compliance costs because the provider manages most of the security controls, audit requirements, and remediation efforts.
How to Verify Your Payment Platform Is PCI DSS Compliant?
When evaluating a payment platform, do not take its security claims at face value. If a breach occurs on their end and they were not properly certified, liability can reach back to you. Verify credentials before signing anything. Here is how Indian businesses should approach that verification:
- Step 1: Request the Attestation of Compliance (AOC): Even if the platform carries the PCI DSS logo, ask the platform's compliance team for their current AOC document. An AOC is the primary document that confirms the provider has successfully completed a PCI DSS assessment. It is a formal document signed by an external Qualified Security Assessor confirming that the provider passed a PCI DSS v4.0.1 audit. Check the date: an AOC is valid for 12 months, and anything older means their certification has lapsed.
- Step 2: PCI SSC and Card Network Registry Check: The PCI Security Standards Council maintains a list of validated service providers on its website. Search for the platform's official legal name and check that its listing is current. Visa maintains its own Global Registry of Service Providers. To make sure the certification is current, search for the exact legal name of the platform in both.
- Step 3: Confirmation of RBI Payment Aggregator Authorisation: All legitimate payment aggregators in India must hold a Payment Aggregator licence from the Reserve Bank of India, and the RBI insists on PCI DSS compliance as a condition of that licence. The RBI's published list of authorised Payment Aggregators gives you an independent cross-reference.
- Step 4: Check the Security or Legal Pages on the Platform: Check the platform for PCI DSS trust seals or compliance badges by visiting the security, trust or legal pages. If a badge is clickable, it must resolve to a valid verification page and not to a static image.
- Step 5: Check the Technical Documentation: Review the platform's developer documentation and legal disclosures. A legitimate provider will specify what encryption protocols they use to protect data in transit (e.g., TLS 1.2 or TLS 1.3) and how their tokenisation system keeps raw card numbers off your servers.
⚠️ COMMON MISCONCEPTION
RBI registration and PCI DSS compliance are for two different purposes. An RBI licence is a necessity for operating as a payment aggregator in India. PCI DSS relates to the protection of cardholder data using security standard protocols. A good payment platform should be able to meet both requirements, as one does not substitute the other.
Do freelancers and service exporters need PCI DSS certification?
No. If you collect international payments through a fully hosted, PCI DSS-certified aggregator, the platform handles all card data on its infrastructure. You never see or store card numbers, so your business does not need an independent certification.