Framework Guide · PCI-DSS
PCI-DSS (Payment Card Industry Data Security Standard)
The floor for anyone handling cardholder data.
Who needs it: Merchants, service providers, and SaaS platforms that store, process, or transmit cardholder data.
Overview
PCI-DSS v4.0 sets 12 core requirements across six goals. Your level (1–4) is set by transaction volume and dictates the assessment path — from self-assessment questionnaires to full onsite QSA audit.
Timeline
3–9 months depending on merchant level and existing controls.
Typical cost
$5k (Level 4 SAQ) to $150k+ (Level 1 onsite QSA assessment).
What it covers
How Scarlet Risk helps
Scope reduction
Map the cardholder data environment and shrink your PCI footprint.
Control monitoring
Continuous checks against PCI-DSS v4.0 requirements.
SAQ prep & QSA-ready evidence
The right paperwork for your merchant level.
Frequently asked
What's my PCI level?
Level 1: >6M transactions/year. Level 2: 1M–6M. Level 3: 20k–1M e-commerce. Level 4: everything else. Each brand (Visa, MC, etc.) publishes its own thresholds.
Does using Stripe eliminate PCI scope?
Using a hosted payment page or Stripe Elements can reduce scope to SAQ-A, but you still have PCI obligations. Iframes and direct card capture push you into broader SAQs.
How is PCI-DSS 4.0 different?
v4.0 (mandatory March 2025) adds targeted risk analysis, expanded MFA, customized approach options, and stronger e-commerce script controls.
Ready to shortcut PCI-DSS?
Scarlet Comply and our on-demand reports collapse months of prep into hours.
