PCI-DSS Compliance
PCI-DSS is the contractual security standard for any business that accepts, processes, stores, or transmits credit card data.
Overview
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls mandated by the major card networks (Visa, Mastercard, Amex, Discover) for any entity that handles cardholder data. PCI-DSS v4.0, released in 2022, introduced enhanced requirements around multi-factor authentication, client-side security, and e-skimming protection — directly targeting Magecart-style attacks that compromise checkout pages. Non-compliance does not result in government fines directly, but card networks levy penalties on acquiring banks ($5,000–$100,000/month), which are passed to merchants. After a breach, forensic investigation costs, card replacement fees, and civil litigation typically exceed the fines.
Who This Applies To
- Any e-commerce checkout collecting card numbers, CVVs, or expiry dates
- Custom or hosted checkout pages integrating with payment gateways
- Subscription billing platforms storing card-on-file data
- Point-of-sale systems integrated with e-commerce platforms
- Third-party payment scripts loaded on checkout pages (even via tag manager)
Your Obligations
Network Security & Segmentation
Cardholder data environments must be isolated from general business networks. A flat network where the POS system shares a segment with office Wi-Fi is an automatic PCI failure.
Strong Access Controls & MFA
PCI-DSS v4.0 mandates multi-factor authentication for all access to the cardholder data environment. Shared admin passwords are explicitly prohibited.
Script Integrity on Checkout Pages
New in PCI-DSS v4.0: all payment page scripts must be authorized, their integrity verified (e.g., via Subresource Integrity), and changes reviewed quarterly to prevent Magecart skimming attacks.
Encryption of Stored Data
Primary Account Numbers (PANs) must never be stored in plaintext. If you store card data for subscription billing, tokenization via an approved payment processor is the only compliant approach.
Annual Assessments & SAQ
Depending on transaction volume, merchants must complete a Self-Assessment Questionnaire (SAQ) or undergo a Qualified Security Assessor (QSA) audit annually. Shopify Plus and similar hosted checkouts can reduce scope significantly.
Real Enforcement Cases
These are not hypothetical risks. The following cases represent actual regulatory enforcement actions and civil litigation — each with documented penalties.
Target Corporation
Attackers infiltrated Target's network through an HVAC vendor and compromised 40 million credit cards and 70 million customer records. Target paid $18.5M in a multistate AG settlement, $67M to Visa, $39M to Mastercard, and $10M in class action damages. Total costs exceeded $202 million.
British Airways
A Magecart attack injected a 22-line JavaScript skimmer onto British Airways' checkout page, harvesting 500,000 passengers' card details over two months. The UK ICO levied a £20 million GDPR fine. PCI forensics found BA's payment page failed script integrity controls that are now mandatory under PCI-DSS v4.0.
Heartland Payment Systems
The largest card breach in history at the time. Attackers exploited an SQL injection vulnerability to install packet sniffers on Heartland's payment processing network, capturing 130 million card numbers. Heartland paid $145 million in settlements and lost its card processing privileges temporarily.
Wawa (Gas Stations & Convenience Stores)
Malware sat undetected on Wawa's payment systems for nine months, compromising 'potentially all' of its 850 US locations. The FTC and multistate AGs settled for $12M. The case underscored the risk of delayed breach detection — a control explicitly addressed by PCI-DSS v4.0 real-time monitoring requirements.
Is your e-commerce store exposed?
Deskulpt engineers audit your current technology stack against PCI-DSS Compliance requirements, identify gaps, and produce a prioritised remediation roadmap. No retainer required to start.
Book Your Free PCI-DSS Checkout Security Review →