PCI DSS Compliance in Italy: Practical Guide for Merchants and Businesses

May 10, 2025 · 6 min read · PCI Proxy EU

PCI DSS compliance in Italy follows the same global PCI SSC rules, but with some local specifics that every merchant and business must know to avoid costly mistakes. Anyone accepting card payments in Italy has precise obligations towards acquirers, deadlines linked to the transition to PCI DSS v4, and the increasingly relevant issue of data residency in Europe. This guide answers the most common questions directly and practically.

PCI DSS in Italy: regulations, actors and specific obligations

In Italy, PCI DSS is not a state law but a contractual standard imposed by acquirers (such as Nexi, Worldline, Banca Sella and others) on merchants as a condition for accepting Visa, Mastercard, American Express and other network payments. Compliance is verified by the acquirers themselves, who are in turn obligated by the card networks to ensure their merchants meet the standard. Penalties for non-compliance come from the international networks and can include revocation of the right to accept cards.

Obligations vary based on the merchant level, determined by annual transaction volume. Level 1 merchants (more than 6 million Visa/Mastercard transactions per year) must undergo an annual audit conducted by an accredited QSA. Level 2, 3 and 4 merchants can generally complete an SAQ (Self-Assessment Questionnaire) independently, but the type of SAQ depends on the technical architecture used to accept cards.

Real costs of PCI DSS compliance for a business in Italy

Costs vary enormously based on the merchant level and the PCI perimeter, i.e. the scope of systems that store, process or transmit card data. For a Level 1 merchant with a broad perimeter, a full QSA audit (Report on Compliance) in Italy costs between €30,000 and €80,000 for the QSA activity alone, to which internal preparation, remediation and penetration test costs must be added. For lower levels, the direct cost of the SAQ is much lower, but it still requires technical and organisational preparation that can take weeks of internal work.

Reducing the PCI perimeter through tokenization and CDE outsourcing can move a merchant from a RoC to an SAQ A, with savings that in practice translate to €20,000–€60,000 per year considering both direct audit costs and operational compliance maintenance costs. For SMEs, this reduction is often the difference between a sustainable compliance programme and one that blocks internal resources.

PCI DSS v4 and EU data residency: why it matters

The transition to PCI DSS v4 introduced new requirements on authentication, encryption and continuous monitoring. Many of the requirements that became mandatory from 31 March 2025 concern areas such as password management, file integrity monitoring, and anti-skimming controls for web payment pages. Merchants who have not yet completed the gap analysis against the previous version (v3.2.1) are already out of compliance.

Data residency in Europe has become a concrete issue following the Schrems II ruling and subsequent decisions by data protection authorities. Storing card data outside the EU exposes a company to potential conflicts with GDPR, particularly when the destination country does not guarantee a level of protection equivalent to the European standard. A PCI DSS-certified vault with data physically located in Europe, like PCI Proxy EU's, eliminates this grey area and simplifies both PCI and GDPR compliance.

Frequently asked questions

Who monitors PCI DSS compliance in Italy?

Oversight is exercised primarily by Italian acquirers (Nexi, Banca Sella, Worldline Italia and others), who are obligated by international networks to verify the compliance of their merchants. In the event of a data breach, card brands (Visa, Mastercard) initiate their own forensic investigations, which can lead to penalties of up to hundreds of thousands of euros.

How much does a PCI DSS audit cost?

For a Level 1 merchant, a full QSA audit costs between €30,000 and €80,000 for the QSA activity alone. For lower levels, the direct SAQ cost is low, but the total cost includes technical preparation, required penetration tests and any remediation. With tokenization, many merchants can reduce the perimeter and significantly cut these costs.

Can having data outside the EU cause compliance problems?

Yes. After Schrems II, transferring personal data (including card data) to countries without adequate protection guarantees as required by GDPR exposes a company to supervisory authority penalties. A vault with data physically located in Europe eliminates this risk.

Want a PCI DSS solution with data in Europe, ready for v4 requirements and optimised for the European market? Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
