PCI DSS Compliance Made Simple
The Payment Card Industry Data Security Standard protects cardholder data worldwide. Discover what it requires, which level applies to you and how PCI Proxy drastically reduces the scope you need to manage.
- PCI DSS Level 1 Certified Infrastructure
- Annual On-Site QSA Audit
- HSM FIPS 140-2 Level 3 Key Management
- AES-256 Encryption at Rest
- TLS 1.3 for All Data in Transit
- Guaranteed European Data Residency
- SOC 2 Type II Controls
- PCI Scope Reduction up to 95%
Our Compliance Credentials
PCI DSS Level 1 Certification
The highest grade of certification in the payments industry. Annual audit conducted by an accredited QSA.
Guaranteed EU Data Residency
All card data stored exclusively within the European Union. GDPR compliance by design.
FIPS 140-2 HSM Protection
FIPS 140-2 certified hardware security modules protect all cryptographic operations.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the major card schemes - Visa, Mastercard, American Express, Discover and JCB - through the PCI Security Standards Council. First published in 2004, the standard exists to protect cardholder data wherever it is processed, stored or transmitted.
Who Must Comply?
Any entity that accepts, processes, stores or transmits cardholder data must comply with PCI DSS. This includes merchants of all sizes, payment service providers, acquirers, issuers and any third-party service provider that handles card data on behalf of another organisation.
12 Core Requirements
PCI DSS is organised into six objectives and twelve requirements covering firewall configuration, data encryption, access control, vulnerability management, network monitoring and information security policies. Version 4.0 introduced 64 new requirements with full enforcement from March 2025.
Consequences of Non-Compliance
Non-compliance can result in monthly fines of €5,000 to €100,000 from card schemes, increased transaction fees, mandatory forensic audits and, in extreme cases, the loss of the ability to accept card payments.
PCI DSS Levels Explained
Your compliance obligations depend on how many card transactions you process each year. Card schemes define four distinct levels, each with different validation requirements.
| Level | Annual Transactions | Validation Requirements | Typical Entities |
|---|---|---|---|
| Level 1 | >6 million transactions/year | Annual on-site audit by a QSA, quarterly ASV scans | Large retailers, airlines, major PSPs |
| Level 2 | 1–6 million transactions/year | Annual SAQ, quarterly ASV scans | Mid-market e-commerce, hotel chains |
| Level 3 | 20,000–1 million e-commerce transactions/year | Annual SAQ, quarterly ASV scans | Growing online businesses, SaaS platforms |
| Level 4 | <20,000 e-commerce or <1 million other/year | Annual SAQ (recommended), quarterly ASV scans (if applicable) | Small merchants, local businesses, start-ups |
Important: A merchant that suffers a data breach can be elevated to Level 1 regardless of transaction volume. Individual acquirers may also impose stricter requirements at their discretion.
How PCI Proxy Reduces Your Scope
The most effective way to simplify PCI DSS compliance is to remove cardholder data entirely from your environment. PCI Proxy achieves this by intercepting card numbers before they reach your servers and replacing them with non-sensitive tokens.
- 300+ controls (SAQ D): without a proxy or outsourcing
- ~30 controls (SAQ A-EP): with PCI Proxy API integration
- ~22 controls (SAQ A): with PCI Proxy hosted fields
Before PCI Proxy
Full Scope: Your web servers, application servers, databases, internal networks and every connected system are within the cardholder data environment (CDE). All must satisfy every applicable PCI DSS control - typically over 300 for SAQ D.
After PCI Proxy
Minimal CDE: Card data never enters your infrastructure. Only the PCI Proxy service, managed by a PCI DSS Level 1 certified provider, touches raw PANs. Your systems handle only tokens, dramatically reducing the CDE to near zero.
Up to 90% Scope Reduction
By removing card data from your servers, you move from SAQ D (over 300 controls) to SAQ A or SAQ A-EP (fewer than 30 controls). Lower audit costs, faster compliance cycles and reduced engineering overhead.
SAQ Types: Which One Applies?
The Self-Assessment Questionnaire you must complete depends on how card data flows through your systems. Using PCI Proxy changes that flow - and changes your SAQ.
Self-Assessment
SAQ A
7% of SAQ D scope
Applies when cardholder data processing is entirely outsourced to a PCI DSS compliant third party. Your site uses an iFrame or redirect - no card data touches your domain.
Extended Self-Assessment
SAQ A-EP
10% of SAQ D scope
Applies when your web server hosts the payment page and sends card data directly from the browser to a third party. PCI Proxy API integration with JS tokenisation falls here.
Full Questionnaire
SAQ D
Full scope - all systems
The most extensive questionnaire. Applies when cardholder data passes through your servers. Without PCI Proxy, most e-commerce businesses fall here.
GDPR and PCI DSS: The European Overlap
European businesses must satisfy both PCI DSS and GDPR simultaneously. These frameworks overlap in significant ways - and tokenisation simplifies both.
Where They Overlap
Both frameworks align
Data as Personal Data
Names, PANs and metadata qualify as personal data under GDPR Art. 4. Any system processing them requires a legal basis and appropriate technical measures.
Data Minimisation
GDPR Art. 5(1)(c) requires processing only the minimum necessary. PCI Proxy applies this principle: it removes raw card data and retains only non-sensitive tokens.
Breach Notification
GDPR: notify within 72 hours. PCI DSS: immediate incident response. Tokenised data significantly reduces the likelihood of a reportable breach.
Tensions to Navigate
Conflicts to manage carefully
Erasure vs. Retention
GDPR grants the right to erasure. PCI DSS requires transaction logs. Tokenisation resolves this: delete the token-PAN mapping and the data becomes irrecoverable.
Data Residency
Many EU organisations must keep data within EU/EEA. PCI Proxy EU operates exclusively from European data centres - PANs never leave EU jurisdiction.
Third-Party Processing (DPA)
The PCI Proxy provider acts as a GDPR data processor. A Data Processing Agreement defining purposes, sub-processors and audit rights is required.
The common solution: tokenisation simplifies both frameworks. Tokens are not personal data under GDPR, and systems that handle only tokens remain outside the PCI DSS perimeter.
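As an added illustration (not PCI Proxy's code; all names are hypothetical), a minimal token vault showing the properties the scope-reduction and erasure sections above rely on: the merchant side stores only a token that keeps the last four digits but fails the Luhn check so it can never be mistaken for a PAN, repeat use of the same card yields the same token via a keyed fingerprint, and deleting the token-to-PAN mapping leaves the token irrecoverable.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample: a well-known scheme test number, not a live card.
SAMPLE_TEST_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the proxy's vault: the only component that holds PANs."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}     # token -> PAN (the CDE, in effect)
        self._token_by_fp: Dict[str, str] = {}      # keyed HMAC(PAN) -> token
        self._fp_key = secrets.token_bytes(32)      # never leaves the vault

    def _fingerprint(self, pan: str) -> str:
        # Keyed, so the index cannot be brute-forced over the small PAN space.
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:                 # same card -> same token
            return self._token_by_fp[fp]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]                 # last four kept for receipts/UI
            if not luhn_valid(token) and token not in self._pan_by_token:
                break                               # token is provably not a PAN
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._pan_by_token.get(token)

    def erase(self, token: str) -> None:
        """GDPR erasure: drop the mapping; the token the merchant kept is now meaningless."""
        pan = self._pan_by_token.pop(token, None)
        if pan is not None:
            self._token_by_fp.pop(self._fingerprint(pan), None)
```

The merchant's logs can keep the token indefinitely for PCI DSS purposes, while the erase call alone satisfies the GDPR side.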
The Cost of Non-Compliance vs. PCI Proxy
The financial impact of managing PCI DSS scope in-house far outweighs the cost of outsourcing card data management. Below is a realistic comparison for a European mid-market merchant.
| Cost Category | In-House Management (SAQ D) | With PCI Proxy (SAQ A, recommended) |
|---|---|---|
| Annual Audit / QSA Costs | €30,000 – €150,000 | €3,000 – €8,000 |
| Infrastructure Hardening | €50,000 – €200,000/year | €0 (managed by provider) |
| Breach Liability | €500,000 – €4,000,000+ | Near zero |
| Cyber Insurance Premiums | €15,000 – €60,000/year | €5,000 – €15,000/year |
| Engineering Overhead | 1–3 dedicated engineers | Part-time oversight only |
| Non-Compliance Fines | €5,000 – €100,000/month | €0 (compliant by design) |
Figures based on industry averages for European merchants processing 1–6 million transactions annually. Actual costs vary by organisation size, complexity and jurisdiction.
Frequently Asked Questions
01 Which PCI DSS level applies to my business?
Your PCI DSS level depends on the volume of card transactions you process annually. Level 1 applies to organisations handling more than 6 million transactions per year and requires an on-site audit by a Qualified Security Assessor (QSA). Level 2 covers 1 to 6 million transactions. Level 3 covers 20,000 to 1 million e-commerce transactions. Level 4 applies to merchants below these thresholds. Most small and medium-sized European merchants fall in Level 3 or 4, where a Self-Assessment Questionnaire is sufficient - and PCI Proxy can reduce that SAQ to its simplest form.
02 How does PCI Proxy reduce my PCI DSS scope?
PCI Proxy intercepts card data before it reaches your servers and replaces it with non-sensitive tokens. Because your systems never process, store or transmit raw cardholder data, they remain outside the PCI DSS compliance perimeter. This means most merchants can move from the full SAQ D - covering over 300 individual security controls - to SAQ A or SAQ A-EP, which require fewer than 30 controls. The reduction applies to audit scope, infrastructure requirements and ongoing monitoring obligations.
03 Does GDPR affect PCI DSS compliance in Europe?
Yes. GDPR and PCI DSS overlap in several important areas. Cardholder data - including the primary account number, cardholder name and service code - qualifies as personal data under GDPR. This means you must satisfy both frameworks simultaneously. Key tensions include the right to erasure (GDPR) versus data retention (PCI DSS), data residency requirements for EU processing and breach notification timelines. Tokenisation simplifies both: tokens are not personal data, and deleting the token-PAN mapping effectively erases the underlying data.
Start Simplifying Your PCI Compliance
Talk to our compliance team to understand exactly which SAQ applies to your setup and how quickly you can reduce your scope.