devinsta — design and development agency

PCI DSS (Payment Card Industry Data Security Standard)

A security standard that every business storing, processing or transmitting card payment data is required to comply with. It sets controls on how cardholder data is stored, processed and transmitted, and on the systems around it.


PCI DSS (Payment Card Industry Data Security Standard) is the set of security requirements that every business accepting card payments must comply with. It is maintained by the PCI Security Standards Council and enforced by the card brands (Visa, Mastercard, American Express, Discover, JCB) through the merchant's acquiring bank: smaller merchants complete a self-assessment questionnaire (SAQ), while the largest merchants undergo an annual on-site assessment by a Qualified Security Assessor that produces a Report on Compliance.

The practical question is scope. Every system that stores, processes or transmits cardholder data is in scope, and so is anything connected to it or able to affect its security, which means controls on networks, applications, logging, access management and personnel. The cheapest path is to keep cardholder data out of your systems entirely by using a tokenising payment gateway (Stripe, Adyen, Braintree, Shopify Payments) that hosts the card fields itself and hands you back a token in place of the PAN. Done properly, with the card form fully hosted or served by redirect, that leaves you with the shortest questionnaire (SAQ A) rather than a full assessment.

The pitfall is accidentally pulling card data into scope through a custom integration. Storing the last four digits is fine, because a truncated PAN is not cardholder data; piping a full PAN through a webhook handler, a form handler or a support tool puts that system, its logs and everything connected to it in scope, even if you never meant to keep the number. Frequent culprits: server and error logs, customer support and ticketing tools, session-replay or form-analytics scripts that capture keystrokes, and screen-share sessions. One rule has no exception at all: sensitive authentication data such as the CVV/CVC may never be stored after authorisation, so its appearance anywhere in your systems is an incident, not a formatting problem.
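As an added example (this is not devinsta's code, nor any gateway's SDK), here is a Node.js scrubber you can run over webhook bodies and log context before they are written anywhere. It finds digit runs shaped like a card number, confirms them with the Luhn check so order IDs and timestamps are left alone, and replaces each match with a truncated form that keeps only the last four digits. The field names and the sample payload are constructed for illustration; the card numbers are the well-known Visa test numbers.

```javascript
// Added example (not devinsta's code): a scrubber that keeps a full PAN out of
// anything your integration persists. Digit runs shaped like a card number are
// confirmed with the Luhn check, then replaced with a truncated form that
// keeps the last four digits, which is what PCI DSS permits you to keep.

// Luhn (mod 10) checksum used by all major card brands.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes: the
// lengths issued by the major brands, as typed by customers or as formatted
// by a gateway. Shorter runs (dates, amounts, last4 fields) never match.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Replace every Luhn-valid candidate in a string with a masked value such as
// "************4242"; numbers that merely look like a PAN are left untouched.
function redactPans(text) {
  return text.replace(PAN_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (!luhnValid(digits)) return match;
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Walk a parsed JSON payload (webhook body, support-ticket fields, logger
// context object) and return a copy with every string value redacted.
function scrubPayload(value) {
  if (typeof value === 'string') return redactPans(value);
  if (Array.isArray(value)) return value.map(scrubPayload);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) out[key] = scrubPayload(inner);
    return out;
  }
  return value;
}

// Constructed sample (hypothetical field names): a webhook body that a custom
// integration forwarded with test card numbers in free-text fields.
const sampleWebhook = {
  order_id: '1234567890123456', // sixteen digits but fails Luhn: must survive
  note: 'customer re-entered card 4242 4242 4242 4242 over the phone',
  card: { last4: '4242', number: '4111111111111111' },
};

// Scrub before the payload reaches a logger, a ticketing system or a database.
const scrubbedWebhook = scrubPayload(sampleWebhook);
console.log(JSON.stringify(scrubbedWebhook, null, 2));
```

Apply it at the boundary where data leaves your process (a logger format hook, the webhook handler before anything is persisted or forwarded) rather than relying on each call site to remember. Two caveats: redaction is a safety net, not a scope reducer on its own, because the PAN still reached the server; and a CVV/CVC should never be present to redact in the first place, so treat any sighting as an incident rather than a masking job.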

Devinsta architects payment integrations to minimise PCI scope by default: hosted fields, redirect flows and server-to-server tokens, so the application stores and logs a token and never a card number. The cheapest PCI audit is the one you don't need because your systems never see a PAN.
