New: Autonomous AI risk intelligence is live — your compliance program in 12 minutes. Get started →

Framework Guide · PCI-DSS

PCI-DSS (Payment Card Industry Data Security Standard)

The floor for anyone handling cardholder data.

Who needs it: Merchants, service providers, and SaaS platforms that store, process, or transmit cardholder data.

Overview

PCI-DSS v4.0 sets 12 core requirements across six goals. Your level (1–4) is set by transaction volume and dictates the assessment path — from self-assessment questionnaires to full onsite QSA audit.

Timeline

3–9 months depending on merchant level and existing controls.

Typical cost

$5k (Level 4 SAQ) to $150k+ (Level 1 onsite QSA assessment).

What it covers

Secure networkCardholder data protectionVulnerability managementStrong access controlMonitoring & testingInformation security policy

How Scarlet Risk helps

  • Scope reduction

    Map the cardholder data environment and shrink your PCI footprint.

  • Control monitoring

    Continuous checks against PCI-DSS v4.0 requirements.

  • SAQ prep & QSA-ready evidence

    The right paperwork for your merchant level.

Frequently asked

What's my PCI level?

Level 1: >6M transactions/year. Level 2: 1M–6M. Level 3: 20k–1M e-commerce. Level 4: everything else. Each brand (Visa, MC, etc.) publishes its own thresholds.

Does using Stripe eliminate PCI scope?

Using a hosted payment page or Stripe Elements can reduce scope to SAQ-A, but you still have PCI obligations. Iframes and direct card capture push you into broader SAQs.

How is PCI-DSS 4.0 different?

v4.0 (mandatory March 2025) adds targeted risk analysis, expanded MFA, customized approach options, and stronger e-commerce script controls.

Ready to shortcut PCI-DSS?

Scarlet Comply and our on-demand reports collapse months of prep into hours.

Other frameworks