PCI DSS is the security standard mandating how merchants and payment processors must protect cardholder data. Compliance is required by the card networks (Visa, Mastercard, Amex) and enforced through merchant agreements; non-compliance can result in fines, increased transaction fees, or loss of card acceptance. The FTC enforces related unfair-practice rules under 15 U.S.C. § 45. See ftc.gov/tips-advice/business-center/guidance/complying-credit-card-act and the PCI Security Standards Council at pcisecuritystandards.org.
PCI DSS (Payment Card Industry Data Security Standard) is a private-sector security framework developed by the PCI Security Standards Council, founded by Visa, Mastercard, American Express, Discover, and JCB. It defines 12 technical and operational requirements for any entity that stores, processes, or transmits cardholder data (credit/debit card numbers, CVVs, PINs). The 12 core requirements cover:

1. Install and maintain firewalls.
2. Avoid vendor-supplied default passwords.
3. Protect stored cardholder data (encryption, tokenization).
4. Encrypt transmission over open networks.
5. Protect systems against malware.
6. Develop and maintain secure systems.
7. Restrict access to cardholder data on a need-to-know basis.
8. Assign unique IDs to system users.
9. Restrict physical access to cardholder data.
10. Track and monitor all network access.
11. Regularly test security systems.
12. Maintain an information security policy.

Compliance levels are tiered by transaction volume: Level 1 (>6 million transactions/year) requires annual on-site audits by a Qualified Security Assessor (QSA); Levels 2-4 (fewer transactions) use Self-Assessment Questionnaires (SAQs). Non-compliant merchants face fines of $5,000–$100,000/month from acquiring banks, chargeback liability shifts, and potential termination of card acceptance. The FTC has brought enforcement actions against companies with inadequate payment data security under Section 5 of the FTC Act (15 U.S.C. § 45). See ftc.gov for FTC data security guidance.
PCI DSS is not a federal statute — it is a contractual requirement imposed by card networks through merchant agreements. However, several states (e.g., Minnesota, Nevada, Washington) have enacted laws that reference PCI DSS as the cardholder data security standard, creating statutory liability for non-compliance. The FTC also treats inadequate data security as an unfair practice under 15 U.S.C. § 45.
If you accept credit or debit cards in any form — in-store, online, or by phone — you are contractually obligated to comply with PCI DSS through your merchant agreement. Most small businesses qualify as Level 4 merchants and can self-certify using a Self-Assessment Questionnaire (SAQ). Using a fully hosted payment page (Stripe, Square) limits your PCI scope to the simplest SAQ-A.
Non-compliant merchants bear full liability for fraudulent charges on compromised cards (card replacement costs, fraud reimbursement, forensic investigation costs). Compliant merchants may still face costs but have limited liability protection. Fines range from $5,000 to $100,000/month during non-compliance. The card networks can also terminate your ability to accept card payments.