PCI
PCI DSS — security requirements for organizations that store, process, or transmit cardholder data.
PCI DSS is a contractual standard (not a law) imposed by the card brands on anyone who stores, processes, or transmits cardholder data. Merchant levels 1–4 scale validation rigor by annual transaction volume — level 1 requires an on-site assessment, lower levels a self-assessment questionnaire. The cheapest path to compliance is scope reduction: tokenization and network segmentation keep card data out of most systems, shrinking what must be assessed.