SkarpSkarp
Get the App

Chapter 1 of 8

PCI DSS in Context: What ICT Company Lawyers Must Know First

Introduces PCI DSS, its governance structure, who it applies to, and why it matters specifically for ICT companies providing software, cloud, or managed services that touch payment card data.

15 min readen

1. Why PCI DSS Matters for ICT Company Lawyers

As of early 2026, PCI DSS (Payment Card Industry Data Security Standard) remains the globally dominant private standard for protecting payment card data.

For ICT companies (software vendors, cloud providers, managed service providers), PCI DSS is often not optional in practice, even though it is not a statute or regulation. Instead, it is enforced contractually through:

  • Card brand rules (Visa, Mastercard, Amex, Discover, JCB)
  • Acquirer/processor contracts with merchants
  • Merchant and processor contracts with service providers and sub‑processors (often ICT vendors)

Why ICT lawyers need to care first:

  • You will review or draft MSAs, DPAs, SaaS terms, cloud contracts, and security schedules that embed PCI DSS language.
  • PCI DSS non‑compliance can trigger:
  • Indemnity claims for card brand fines and assessments
  • Termination rights and suspension of services
  • Audit rights and remediation obligations
  • Reputational damage and loss of key customers

Key idea for this module:

You do not need to know every technical control, but you must understand:

  1. What PCI DSS is (and is not).
  2. Who governs it and how it is enforced.
  3. When your ICT client becomes a service provider in PCI DSS terms.
  4. The current version landscape (PCI DSS 4.0 and 4.0.1) and key dates.
  5. How to spot contractual exposure linked to PCI DSS.

2. Governance: Who Actually Owns PCI DSS?

PCI DSS is governed and maintained by the PCI Security Standards Council (PCI SSC), a private body formed by the major card brands.

Key players and their roles:

  • Card brands (schemes) – Visa, Mastercard, American Express, Discover, JCB
  • Define card brand rules for merchants and acquirers
  • Decide penalties, fines, and enforcement when PCI DSS is violated
  • PCI Security Standards Council (PCI SSC)
  • Develops and publishes PCI security standards (PCI DSS, PA-DSS/SSLC, P2PE, etc.)
  • Manages qualification programs for QSAs (Qualified Security Assessors), ASVs, and PCI professionals
  • Publishes guidance, FAQs, and updates
  • Acquiring banks (acquirers)
  • Contract with merchants and are responsible to card brands for the merchant’s compliance
  • Push PCI DSS obligations downstream to merchants and then to service providers (including ICT vendors)

Crucial nuance for lawyers:

  • PCI DSS is not a government regulation.
  • It is a private standard baked into:
  • Card brand operating regulations
  • Acquirer–merchant agreements
  • Merchant–service provider agreements

So, when you see PCI DSS in a contract, you are looking at private law enforcement of an industry standard, not a public statute.

3. Quick Check: PCI DSS as Law vs. Contract

Test your understanding of PCI DSS as a standard versus a statute.

Which statement best describes PCI DSS?

  1. It is a global statute enacted by governments that directly applies to all companies handling card data.
  2. It is a private industry security standard enforced mainly through card brand rules and contracts.
  3. It is a voluntary best‑practice guideline with no contractual or financial consequences.
Show Answer

Answer: B) It is a private industry security standard enforced mainly through card brand rules and contracts.

PCI DSS is a **private industry standard**, developed by the PCI Security Standards Council and enforced primarily through **card brand rules and contracts** (e.g., acquirer–merchant, merchant–service provider). It is not a statute, and non‑compliance can have serious contractual and financial consequences, so option 2 is correct.

4. What PCI DSS Actually Is (and Is Not)

PCI DSS is a comprehensive security standard for any entity that stores, processes, or transmits cardholder data or sensitive authentication data.

Key characteristics:

  • Scope: Protects cardholder data (CHD) and sensitive authentication data (SAD), such as:
  • Primary Account Number (PAN)
  • Cardholder name, expiration date (when linked to PAN)
  • Full track data, CAV2/CVC2/CVV2/CID, PINs/PIN blocks (SAD)
  • Structure: 12 main requirements (e.g., network security, access control, logging, vulnerability management) with detailed sub‑requirements.
  • Applicability: Applies to merchants and service providers that handle card data or impact the security of the cardholder data environment (CDE).

What PCI DSS is NOT:

  • Not a data protection law like GDPR or CCPA/CPRA (though there is overlap in security expectations).
  • Not a cybersecurity framework like NIST CSF or ISO/IEC 27001, although it can be mapped to them.
  • Not optional once you contractually agree to comply with it (e.g., in a merchant–service provider agreement).

As a lawyer, your main task is to:

  • Recognize when PCI DSS is triggered by the services your client provides.
  • Understand which obligations are being imposed (e.g., full PCI DSS compliance vs. specific controls vs. “PCI DSS compliant as applicable to your services”).

5. Who Must Comply: Merchants, Service Providers, and ICT Vendors

PCI DSS applies broadly to entities involved in payment card processing. For ICT lawyers, the key category is service providers.

Core categories:

  • Merchants – Sell goods/services and accept card payments (e‑commerce sites, retail shops, SaaS platforms billing by card).
  • Service providers – Non‑merchant entities that store, process, or transmit card data on behalf of another entity, or that can impact the security of the CDE.

Where ICT companies fit in (typical service provider roles):

  1. Cloud service provider (IaaS/PaaS/SaaS)
  • Hosts a merchant’s payment application or database.
  • Even if the provider cannot see raw card data easily, its infrastructure can impact the CDE’s security.
  1. Payment‑related SaaS vendor
  • Offers subscription billing, tokenization, fraud detection, or recurring payment platforms.
  • May directly process, store, or transmit PANs or tokens.
  1. Managed service provider (MSP/MSSP)
  • Manages firewalls, networks, logging, or security monitoring for a merchant’s CDE.
  • Even without direct access to card numbers, their services are security‑relevant.
  1. Software vendor
  • Provides applications that handle cardholder data (POS software, payment pages, mobile apps with payment flows) or influence how that data is protected.

Example scenario (ICT vendor in scope):

  • A SaaS company hosts a booking platform for hotels.
  • Customers enter card details on the SaaS platform’s web front end.
  • The platform sends card data to a payment gateway, stores limited PAN details for refunds, and logs transactions.

In PCI DSS terms:

  • The hotel is the merchant.
  • The SaaS company is a service provider because it stores and transmits cardholder data on behalf of the merchant.

This means the SaaS company will almost certainly face PCI DSS obligations via contract.

6. Spot the Service Provider: Thought Exercise

Read each scenario and decide whether the ICT company is likely in scope as a PCI DSS service provider. Reflect before checking model answers (mentally or on paper).

  1. Scenario A – Logging‑only MSP

An MSP provides centralized log management and SIEM for a retailer. The retailer’s CDE systems send logs (including security events and some system details) to the MSP. The MSP does not see card numbers in clear text, but its platform and analysts monitor CDE‑related logs.

  • Question: Is the MSP a PCI DSS service provider? Why or why not?
  1. Scenario B – Pure marketing SaaS

A SaaS platform sends promotional emails for an e‑commerce merchant. It only receives customer email addresses and names. No card data, no integration with the checkout page.

  • Question: Is this marketing SaaS a PCI DSS service provider?
  1. Scenario C – Cloud host for payment API

A cloud provider hosts containers and databases that run a payment API used by multiple merchants. Merchants send card data to the API; the provider manages the underlying infrastructure (networks, hypervisors, storage, physical security).

  • Question: Is the cloud provider a PCI DSS service provider?

---

Model answers (for self‑check):

  • Scenario A: Yes, likely in scope as a service provider. Even without direct CHD access, the MSP’s services can impact the security of the CDE, which PCI DSS treats as in‑scope.
  • Scenario B: Likely out of scope for PCI DSS, assuming it never touches CHD or CDE systems and has no connectivity that could affect CDE security.
  • Scenario C: Yes, clearly a service provider, because it hosts systems that store, process, or transmit card data and can materially affect CDE security.

When reviewing contracts, translate this reasoning into questions like: Does my client’s service touch or influence any system that stores, processes, or transmits card data? If yes, PCI DSS obligations are likely.

7. Current Version Landscape: PCI DSS 4.0 and 4.0.1

As of January 2026, the PCI DSS version landscape is:

  • PCI DSS v4.0
  • Published: March 2022
  • Became the primary standard after a transition from v3.2.1.
  • Introduced new concepts like customized approaches, expanded multi‑factor authentication, and more detailed logging and testing requirements.
  • PCI DSS v4.0.1
  • Published: late 2024 (minor revision).
  • Purpose: Clarify text, fix inconsistencies, and address errata without fundamentally changing the 4.0 control set.
  • By 2025–2026, organizations are expected to reference 4.0.1 as the current baseline.

Key timing concepts for lawyers (relative to today):

  • Transition from PCI DSS 3.2.1 to 4.0
  • v3.2.1 formally retired in 2024, after a multi‑year transition period.
  • From 2024 onward, merchants and service providers are assessed against v4.0 (and now 4.0.1).
  • Future‑dated requirements
  • Some v4.0 requirements were initially marked as “best practice” until a later date (e.g., March 2025) and then became mandatory.
  • By early 2026, most of these future‑dated requirements are now fully effective, so contracts may reference them as current mandatory controls.

Practical contract point:

  • When you see a clause like “Service Provider shall maintain compliance with PCI DSS v4.0 (as amended or replaced from time to time)”, understand that this dynamically pulls in updates like 4.0.1 without renegotiation.
  • You should confirm:
  • Which version your client is currently validated against.
  • Whether the customer expects evidence (e.g., Attestation of Compliance (AOC) for v4.0.1).

8. Version and Timing Quiz

Check that you understand the current PCI DSS version landscape.

In early 2026, which statement is most accurate about PCI DSS versions?

  1. PCI DSS 3.2.1 is still the main standard; 4.0 is optional.
  2. PCI DSS 4.0 (and its minor update 4.0.1) has replaced 3.2.1, and organizations are generally assessed against 4.0/4.0.1.
  3. PCI DSS 5.0 has already fully replaced 4.0 and 4.0.1.
Show Answer

Answer: B) PCI DSS 4.0 (and its minor update 4.0.1) has replaced 3.2.1, and organizations are generally assessed against 4.0/4.0.1.

By 2026, PCI DSS **4.0 and its minor revision 4.0.1** have replaced 3.2.1 as the primary assessment standard. 3.2.1 has been retired, and there is no generally adopted PCI DSS 5.0 as of early 2026. So option 2 is correct.

9. How Non‑Compliance Creates Contractual and Financial Exposure

Because PCI DSS is enforced via contracts and card brand rules, non‑compliance can cascade into multiple liabilities.

Typical exposure paths for an ICT service provider:

  1. Breach involving card data
  • A vulnerability in your client’s platform allows attackers to steal card data from a merchant’s CDE.
  • Card brands impose fines, assessments, and recovery costs on the acquirer.
  • The acquirer passes these costs to the merchant under their agreement.
  • The merchant then seeks recovery from your ICT client under:
  • Indemnity clauses
  • Breach of contract (failure to maintain PCI DSS compliance)
  1. Contractual non‑compliance without a breach
  • Your client fails to maintain a valid Attestation of Compliance (AOC) or refuses a required PCI DSS audit.
  • Customer may:
  • Treat this as a material breach.
  • Suspend payment processing or terminate the contract.
  • Demand remediation at your client’s expense.
  1. Allocation of responsibility
  • Poorly drafted contracts may:
  • Make your client responsible for full PCI DSS compliance, even for controls outside its technical control.
  • Impose uncapped liability for card brand fines and assessments.

Key clauses for ICT lawyers to watch:

  • PCI DSS compliance warranty – Scope it to “as applicable to Service Provider’s role and the Services”.
  • Audit and assessment rights – Frequency, cost allocation, and standards (PCI DSS vs. broader security audits).
  • Indemnities – Are card brand fines and assessments included? Are they capped or excluded from liability caps?
  • Incident notification and cooperation – Timelines and obligations in case of suspected card data compromise.

Your role is to ensure PCI DSS obligations are proportionate to what your client actually does and that financial exposure is bounded and commercially reasonable.

10. Contract‑Review Mini Exercise

Imagine you are reviewing a draft MSA for a cloud provider that hosts a merchant’s payment application. The security schedule includes this clause:

> “Service Provider shall be fully responsible for ensuring that Customer and all third parties processing payment cards on Customer’s behalf maintain compliance with the then‑current PCI DSS standard. Service Provider shall indemnify Customer for any and all losses, including all card brand fines and assessments, arising out of any PCI DSS non‑compliance.”

Reflect on the following questions and jot down short answers:

  1. Scope problem: Does this clause make the cloud provider responsible for Customer’s own PCI DSS compliance and that of unrelated third parties? How might you narrow this?
  2. Standard of responsibility: Is the obligation absolute (“fully responsible”) or limited to the provider’s own services and control? How could you rephrase it?
  3. Indemnity breadth: Should the provider indemnify for all card brand fines and assessments, even if caused by the merchant’s misconfiguration or another processor’s failure?
  4. Possible revision: Draft a more balanced alternative clause in one or two sentences.

After thinking it through, compare your ideas to this sample direction (not the only correct answer):

  • Limit responsibility to “Service Provider’s systems and services under its control”.
  • Clarify that the provider will be PCI DSS compliant as applicable to its services, not responsible for the customer’s overall PCI DSS program.
  • Narrow indemnity to fines and assessments to the extent caused by Service Provider’s breach of its PCI DSS obligations or negligence.

11. Key Terms Review

Flip through these cards (mentally) to check your grasp of core PCI DSS concepts for ICT lawyers.

PCI DSS (Payment Card Industry Data Security Standard)
A private, industry‑defined security standard developed by the PCI Security Standards Council to protect payment card data. It is **not a statute**, but is enforced through card brand rules and contracts.
PCI Security Standards Council (PCI SSC)
A private body formed by major card brands that develops and maintains PCI security standards (including PCI DSS) and oversees assessor qualification programs.
Merchant (PCI context)
An entity that accepts payment cards for goods or services. Merchants are directly bound by PCI DSS through acquirer and card brand rules.
Service Provider (PCI context)
A non‑merchant entity that stores, processes, or transmits cardholder data on behalf of another entity, or that can affect the security of the cardholder data environment (CDE). Many ICT vendors fall into this category.
Cardholder Data Environment (CDE)
The people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, and the systems that can impact their security.
Attestation of Compliance (AOC)
A formal document indicating that an entity has been assessed and found compliant with PCI DSS for a given version (e.g., 4.0/4.0.1). Often requested in contracts as proof of compliance.
Card Brand Fines and Assessments
Financial penalties and cost recoveries imposed by card brands (via acquirers) after a card data compromise or PCI DSS violation. Often passed contractually down to merchants and then to service providers.
Future‑dated requirements (PCI DSS v4.x)
Requirements that were initially marked as best practice until a specified date (e.g., March 2025) and then became mandatory. By 2026, most have taken full effect.

12. Final Knowledge Check

One last question to tie the module together.

When is an ICT company **most clearly** in scope as a PCI DSS service provider?

  1. When it provides generic HR software that never connects to payment systems or card data.
  2. When it hosts or manages systems that store, process, or transmit cardholder data, or can materially impact the security of those systems.
  3. Only when it is directly licensed by the PCI Security Standards Council as a service provider.
Show Answer

Answer: B) When it hosts or manages systems that store, process, or transmit cardholder data, or can materially impact the security of those systems.

An ICT company is in scope as a PCI DSS **service provider** when it **stores, processes, or transmits card data on behalf of another entity, or can materially impact the security of the CDE**. It does not need a special PCI SSC license for that status, and purely unrelated systems (like generic HR software) are typically out of scope.

Key Terms

PCI DSS
Payment Card Industry Data Security Standard – a private, contractually enforced standard for protecting payment card data, maintained by the PCI Security Standards Council.
Merchant
An entity that accepts payment cards for goods or services and is directly bound by PCI DSS via acquirer and card brand rules.
Service Provider
In PCI terms, a non‑merchant entity that stores, processes, or transmits cardholder data on behalf of another entity, or that can impact the security of the cardholder data environment.
Cardholder Data (CHD)
Data such as the Primary Account Number (PAN), cardholder name, expiration date, and service code when associated with a card.
Future‑dated Requirements
PCI DSS requirements that were initially best practice and became mandatory after a specified date, particularly during the transition from PCI DSS 3.2.1 to 4.0.
Attestation of Compliance (AOC)
A formal document confirming an entity’s PCI DSS compliance for a specific version, often requested in contracts as evidence.
Card Brand Fines and Assessments
Financial penalties and recovery costs imposed by card brands after a PCI DSS violation or card data breach, typically passed through acquirers and merchants to responsible parties.
Cardholder Data Environment (CDE)
The people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, and related systems that can affect their security.
Sensitive Authentication Data (SAD)
Highly sensitive data used for card authentication, such as full track data, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks, which must not be stored after authorization.
PCI Security Standards Council (PCI SSC)
The private body created by the major card brands that develops and maintains PCI security standards, including PCI DSS.