If you ever collect your customers' card data, or outsource that task to services like Stripe, PayPal, Square, etc., you have likely heard of PCI compliance.
What is PCI Compliance?
Payment Card Industry (PCI) compliance refers to a set of security standards that protect cardholder data at all stages of acceptance, processing, storage, and transmission. It’s not just one security standard but an umbrella term that includes:
• PCI DSS: For any company storing, processing, or sending card data. If you accept cards, PCI DSS is the leading standard you need to follow.
• PCI PTS: For manufacturers of payment terminals (like card readers). The hardware device you use to enter your PIN at a store (like a card reader) must be PCI PTS compliant.
• PCI PIN: For businesses that process PIN transactions. If you handle customer PINs, you need to follow PCI PIN rules.
• PCI P2PE: For anyone encrypting card data from the terminal to the payment processor. To ensure card data remains safe from end to end, use PCI P2PE.
• PCI 3DS: For companies using 3D Secure to stop online fraud. If your site requires additional authentication when you make a payment, that’s PCI 3DS.
Now, depending on what a company does, it might need to comply with different standards.
The PCI Security Standards Council, comprising major credit card companies such as Visa, Mastercard, American Express, Discover, and JCB, has developed these standards. Not complying with them can result in hefty fines, increased transaction fees, or even the loss of the ability to process card payments. Some states, such as Nevada, have also incorporated PCI DSS into law, but for most, it remains a contractual obligation.
Note: Most of the time, when people say “PCI compliance,” they’re talking about PCI DSS, because that’s the standard that applies to most businesses.
Does your company need PCI Compliance?
Whether you need PCI compliance, and to what extent, depends on several factors:
- Does your company store the card information directly? Or outsource it to payment providers?
- Does the company use a physical card reader in its stores?
- Even if you never see your customers’ card details directly, you may still need to follow PCI standards to some extent.
In practice, it looks something like this:
Retail chain: Let’s say you’re building a payment system for a retail chain:
- Your company must be PCI DSS compliant because you handle cardholder data.
- The POS software you use must be PA-DSS compliant.
- The card readers in your stores must be PCI PTS compliant.
- If you use end-to-end encryption, you may also need to follow PCI P2PE guidelines.
Online travel booking: Now, let’s say you’re building a website like Expedia or MakeMyTrip, where users can book flights, hotels, and rental cars.
- PCI DSS: Because you collect, process, and store cardholder data from customers booking travel online.
- PA-DSS: The payment gateway must be PA-DSS compliant. If you use a third-party payment application (like a checkout widget or embedded payment form), that software must be PA-DSS compliant to ensure it handles card data securely.
- PCI PTS: If you offer in-person bookings at airport kiosks, the card readers must be PCI PTS compliant. For customers who pay at a physical kiosk, the hardware used to read their cards must be compliant.
- PCI P2PE: If you use point-to-point encryption for card data travelling from the kiosk to your servers, you need PCI P2PE compliance. It ensures card data stays encrypted from the moment it is swiped at the kiosk until it reaches your payment processor.
- PCI 3DS: If you support 3D Secure for online payments, you must be PCI 3DS compliant. When a customer is prompted for an OTP or biometric authentication while making an online payment, your system must handle that data per PCI 3DS standards.
- PCI PIN: If you process PIN-based debit transactions at kiosks, you must be PCI PIN compliant. This covers the secure handling and encryption of PINs entered by customers.
This might feel like a lot of work to get a simple end-to-end business running, and in fact, it is. However, in day-to-day operations, you use different providers and abstractions to simplify a lot of compliance work. For example, you can use a third-party payment processor (such as Stripe or PayPal), which shifts much of the PCI burden to them; however, you still need to ensure that your integration is secure.
While there are numerous PCI standards, the most common one is PCI DSS, which is required of almost every company dealing with payments in some form or another. If you're in the same boat, here's our guidance on PCI DSS and how you can achieve PCI DSS compliance.
ZeroPath also helps teams meet PCI DSS security requirements. If it's on your roadmap, it may be worth shifting security left in the SDLC from the very beginning and using an AI-native SAST like ZeroPath to simplify and automate your security work.