Digital Payments in Italy in 2025: PCI DSS, GDPR and PSD2 Together

May 22, 2025 | 6 min read | PCI Proxy EU

PCI DSS requirements are just one of three regulatory frameworks a merchant in Italy must comply with in 2025. Alongside PCI DSS, GDPR and PSD2 form a complex regulatory landscape where responsibilities overlap, deadlines accumulate, and penalties can compound significantly. This guide maps all three frameworks in a practical way: who is obligated to what, when, and what happens if you are not compliant.

The 2025 regulatory framework: PCI DSS, GDPR and PSD2 compared

The three frameworks operate on different planes but intersect continuously. PCI DSS is a contractual standard imposed by card networks (Visa, Mastercard, etc.) through acquirers: it governs the technical security of card data and applies to anyone accepting, processing or storing card payment data. GDPR is a European regulation with the force of law: it governs the processing of all personal data, including card data that identifies a natural person. PSD2 is a European directive transposed into national law: it governs payment services, account access and Strong Customer Authentication.

The overlaps are concrete. A data breach exposing card data from EU customers simultaneously triggers PCI DSS (forensic investigation and potential network penalties), GDPR (mandatory notification to the supervisory authority within 72 hours and possible penalties up to 4% of global turnover), and PSD2 if the breach concerns payment accounts or authentication data. Each framework has its own enforcement process and its own regulator: managing them in an integrated way is far more efficient than treating them as three separate silos.

Who must comply with what in Europe: sector-by-sector obligations

PCI DSS applies to any entity that accepts card payments: merchants of all sizes, PSPs, acquirers, gateways and processors. There are no exemptions based on company size: even a small e-commerce business with 100 transactions per month must satisfy the PCI DSS requirements applicable to its level. The difference between levels concerns the complexity of the obligations, not whether they apply.

GDPR applies to any company processing personal data of EU residents, regardless of the company's location. For payments, this includes almost every European merchant. PSD2 applies directly to payment service providers (PSPs, banks, e-money institutions), but merchants are indirectly involved in the SCA (Strong Customer Authentication) requirements that their checkout systems must support. A merchant whose payment pages do not support 3DS2 risks transactions being declined by the consumer's bank.

Cumulative penalties and how to avoid them with one solution

The three frameworks' penalties accumulate independently. A single data breach exposing card data from EU customers can trigger: PCI DSS penalties from the network (from €5,000 to €100,000 per month for non-compliance), GDPR penalties from the supervisory authority (up to 4% of global turnover or €20 million), and potential PSD2 penalties if the breach involves regulated payment services. In a real medium-severity scenario, cumulative costs can easily exceed €500,000, not counting reputational damage and customer loss.

The most efficient strategy to cover all three fronts is to centralise card data management on a provider that simultaneously satisfies the technical PCI DSS requirements, GDPR security and data residency requirements, and PSD2 technical specifications for authentication. PCI Proxy EU is PCI DSS Level 1 certified, operates with data located in the EU for GDPR compliance, and supports the 3DS2 authentication flows required by PSD2. A single integration reduces the risk perimeter across all three regulatory fronts.

Frequently asked questions

What are the most urgent regulatory deadlines in 2025?

On the PCI DSS front, the additional requirements of PCI DSS v4 became mandatory on 31 March 2025. Anyone who has not completed the transition from v3.2.1 is already out of compliance. On the GDPR front, there are no specific 2025 deadlines, but the 72-hour breach notification obligation is permanent. On the PSD2 front, SCA requirements for online transactions have been in force since 2021 and continue to be monitored by national banking regulators.

Does a small European merchant need to comply with all three frameworks?

For PCI DSS, yes, but with obligations proportional to volume (an SAQ instead of a RoC). For GDPR, yes, if it processes data of natural persons (practically always). For PSD2, not directly (it applies to PSPs), but indirectly yes, through the SCA requirements at checkout. In practice, any European merchant selling online must deal with all three frameworks.

Does PCI Proxy EU also cover PSD2 obligations?

PCI Proxy EU supports the 3DS2 authentication flows required by PSD2 to reduce chargebacks and maximise transaction acceptance rates. Direct coverage of PSD2 obligations concerns PSPs, not merchants, but integration with PCI Proxy EU's vault facilitates the correct implementation of the authentication flows that PSD2 indirectly requires of merchants through their PSPs.

Want to cover PCI DSS, GDPR and PSD2 with a single integrated solution, data in Europe and complete certifications? Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.

Three regulations, one solution

PCI DSS Level 1, EU data for GDPR, 3DS2 flows for PSD2. One integration to cover the entire European regulatory framework.