🛡️ STATUS BADGE: 🟢 ELIGIBLE (Self-Hosted)
Executive Summary: What is it?
The Payment Card Industry Data Security Standard (PCI DSS) is a global security framework mandated by the card networks (Visa, Mastercard, Amex, Discover) for any organization that stores, processes, or transmits cardholder data. Version 4.0 became the sole enforced standard in March 2024, replacing v3.2.1. Critically, PCI DSS certifies the merchant environment, not the software itself — no tool ships as "PCI certified." What software can do is reduce how much of your environment falls within scope.
CFO / Business Impact: What does it cost/risk?
- Non-Negotiable for Payments: Any organization accepting card payments must comply. Non-compliance risks merchant account termination, fines from card networks ($5,000–$100,000/month), and full liability for breach costs — there is no opt-out.
- Scope is the Lever: The strategic finance decision is not "how do we comply" but "how do we minimize scope." An isolated payment vault (SAQ-A path) keeps cardholder data entirely off your infrastructure, reducing compliance burden from a full QSA audit to a self-assessment questionnaire.
Technical Reality: How does it work?
- Scope Tiers: Compliance requirements scale with how much cardholder data touches your systems. SAQ-A (tokenized, off-site) is the minimum burden; Level 1 (>6M transactions/year) requires an annual on-site audit by a Qualified Security Assessor (QSA).
- Cardholder Data Environment (CDE): PCI DSS v4.0 requires segmenting the CDE from the rest of your network. Self-hosted payment orchestrators with an isolated vault component (e.g., Hyperswitch's vault architecture) achieve this by ensuring raw card data never enters the main application database.
- Key Controls: Encryption of cardholder data at rest (AES-256) and in transit (TLS 1.2+), RBAC with MFA on all CDE access, tamper-evident audit logging, and quarterly vulnerability scans by an Approved Scanning Vendor (ASV).
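The vault pattern behind the CDE and Key Controls bullets, as an added illustration (not Hyperswitch's code or any vendor's): a minimal Go vault that keeps the PAN only as AES-256-GCM ciphertext in its own store and hands the merchant application nothing but an opaque token and the last four digits. The key, the in-memory map and the PAN values used with it are constructed for the example; a real vault would hold the key in an HSM or KMS and the blobs in a segmented database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Vault stands in for the isolated CDE component, the only place a raw PAN exists.
// A 32-byte key selects AES-256; in production it lives in an HSM/KMS (assumption).
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce||ciphertext, the vault's own DB
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead, store: map[string][]byte{}}, err
}

// Tokenize encrypts the PAN at rest and returns only an opaque token plus the
// last four digits, which is all the merchant application may retain.
func (v *Vault) Tokenize(pan string) (token, last4 string, err error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", "", errors.New("invalid PAN length")
	}
	buf := make([]byte, 16+v.aead.NonceSize()) // random token id + nonce
	if _, err := rand.Read(buf); err != nil {
		return "", "", err
	}
	token = "tok_" + hex.EncodeToString(buf[:16])
	// The token is bound as AAD so a ciphertext cannot be swapped between tokens.
	v.store[token] = v.aead.Seal(buf[16:], buf[16:], []byte(pan), []byte(token))
	return token, pan[len(pan)-4:], nil
}

// Detokenize is reachable only inside the vault (e.g., to forward the PAN to
// the processor); the merchant application has no path to it.
func (v *Vault) Detokenize(token string) (string, error) {
	blob, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(token))
	return string(pan), err
}
```

Everything the merchant side persists or logs should carry only the token and last four, so a periodic scan of the main database and log stores for 13 to 19 digit runs is a cheap check that nothing has quietly pulled them back into scope.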