PCI DSS as a Service is one of the most widely adopted compliance models in Europe, but also one of the most misunderstood. Many merchants assume that delegating compliance to a provider means transferring all responsibility. The reality is different: some PCI DSS obligations always remain with the merchant, because the standard is enforced through the merchant's acquiring agreement and the card brands' rules, and because data-protection law (GDPR) applies to the merchant independently of how many components are outsourced. Knowing exactly where this line falls is essential to avoid surprises during an assessment or after a data breach.
What PCI DSS as a Service is and what it actually covers
PCI DSS outsourcing in the technical sense means delegating operation of the CDE (Cardholder Data Environment) to a provider that is itself validated as a PCI DSS Level 1 service provider. The provider takes on the technical and organisational controls within its own perimeter: card data encryption, cryptographic key management on a certified HSM, security monitoring, penetration testing, security patching and the documentation needed for its own annual assessment. The merchant does not have to assess those components again, because the provider's Attestation of Compliance (AOC) covers that part of the infrastructure. What the merchant must still do, under PCI DSS Requirement 12.8, is keep a list of such third-party service providers, hold a written agreement with each, check their compliance status at least annually and record which requirements are handled by the provider and which remain in house; under v4 the provider is expected to supply that responsibility matrix (Requirement 12.9). A QSA will ask for the provider's current AOC and this matrix, so both belong in the merchant's compliance file.
With tokenization as a service in Europe, the merchant's PCI scope shrinks dramatically. Business systems (order management, CRM, analytics, backups) receive only tokens, never PANs, so every component that does not store, process or transmit card data drops out of scope. For merchants below Level 1 this typically allows validation with an SAQ A instead of a full Report on Compliance, provided the integration is such that PAN never touches the merchant's own systems (for example a provider-hosted payment page or provider-delivered payment fields), a point the acquirer confirms. In practice the time and cost savings translate to tens of thousands of euros per year. The provider also tracks changes to the current version of the standard (PCI DSS v4.0.1 at the time of writing), so the delegated perimeter remains compliant as requirements evolve.
What you can never delegate: the merchant's residual responsibility
Even with the most complete as-a-service model, some responsibilities always remain with the merchant: managing user access to its own systems, maintaining internal security policies, training staff on security risks, monitoring its own application logs, managing the provider relationship (Requirement 12.8) and handling security incidents that affect its own infrastructure, even where that infrastructure holds no card data. For e-commerce merchants the payment page itself also stays in scope: v4 asks the merchant to control which scripts load on the page that embeds the provider's payment form (Requirement 6.4.3) and to detect unauthorised changes to it (Requirement 11.6.1). One practical point follows from this split: the scope reduction holds only as long as PAN really never reaches the merchant's systems. A debug handler that logs a raw card form, or a support tool that stores card numbers in a ticket, pulls that system back into scope regardless of what the contract with the provider says, so checking the merchant's own logs and data stores for stray card numbers is part of the residual responsibility, not something the provider can do.
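The following scanner illustrates that check. It is an added example written for this article, not code from PCI Proxy EU or from any provider: it walks constructed application log lines, picks out digit runs that look like card numbers and keeps only those that pass the Luhn check, so that provider tokens (assumed here to be either alphanumeric strings or digit strings that deliberately fail Luhn; the token format is an assumption, not the provider's actual format) are not reported while a real PAN leaking into a DEBUG line is. Matches are reported masked (first six and last four digits) so the scanner's own output does not become a new place where PAN is stored.

```python
import re

# Candidate card-number runs: 13 to 19 digits, optionally split by spaces or
# dashes, not embedded in a longer digit run (lookbehind/lookahead guards).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> list[str]:
    """Return the normalised (digits only) PANs found in one log line."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits, the usual truncation allowed for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """(1-based line number, masked PAN) for every PAN found in the log."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((no, mask(pan)))
    return hits


# Constructed sample log. Line 2 is a developer's debug dump of the raw card
# form (a scope leak); line 3 carries a 16-digit provider token that is built
# to fail Luhn; line 4 is an error path that echoed an Amex test number.
# 4111111111111111 and 378282246310005 are published test card numbers.
SAMPLE_LOG = [
    "2025-01-15T09:12:44Z INFO checkout order=100234 token=tok_9f81c2d4 amount=4990 EUR",
    "2025-01-15T09:13:01Z DEBUG raw form: card=4111 1111 1111 1111 exp=12/27 cvv=***",
    "2025-01-15T09:13:05Z INFO provider token 4111111111111112 stored for customer 88231",
    "2025-01-15T09:20:00Z ERROR gateway timeout, retrying with pan=378282246310005",
]

if __name__ == "__main__":
    for no, masked in scan_log(SAMPLE_LOG):
        print(f"line {no}: PAN present {masked}")
```

Running it reports lines 2 and 4 and stays silent on the token in line 3. The Luhn filter is a heuristic, not proof: some tokenization schemes issue format-preserving tokens that deliberately pass Luhn, in which case the scanner should be told the provider's token prefix or format (an assumption to confirm with the provider), and a clean scan does not replace the provider's AOC or the merchant's own SAQ.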
In the event of a data breach involving card data held by the provider, liability towards the end customers remains with the merchant, which is the data controller under GDPR; the provider acts as its processor. The provider answers for its own failures, but it cannot take over the merchant's obligations: the merchant must still notify its supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR) and its acquirer under the card brand rules, and it cannot contract away its responsibility towards customers. This is why contracts with PCI DSS providers must include clear clauses on liability, on the processor's duty to notify the merchant without undue delay (Art. 33(2) GDPR), on cooperation during forensic investigations and on insurance cover.
Cost comparison: DIY vs PCI DSS as a Service
A merchant operating its own CDE faces significant fixed and variable costs. On the fixed side: dedicated infrastructure (segmented servers, HSM, certified firewalls), specialised security staff (at least one full-time security engineer), the annual QSA assessment (between €30,000 and €80,000 for Level 1), the penetration testing that Requirement 11.4 calls for at least annually and after significant changes (from €5,000 to €20,000 per engagement) and quarterly external vulnerability scans by an Approved Scanning Vendor. On the variable side: remediation of every gap found during assessments and infrastructure changes forced by new requirements in the standard.
With the as-a-service model, the cost reduces to a monthly or per-transaction fee that scales with volume. Validating the merchant's own reduced perimeter (typically an SAQ A) takes a few hours of internal work instead of weeks. There is no CDE infrastructure to run, no specialised staff to hire and no remediation cost for the delegated perimeter. For most European companies below the Level 1 threshold of 6 million annual transactions, the break-even versus DIY is reached within the first month of use.
Frequently asked questions
With PCI DSS as a Service do I still need to complete the SAQ?
Yes, but in a much simpler way. With scope reduced by tokenization, most merchants below Level 1 can complete an SAQ A, the shortest questionnaire, applicable when all card data handling is outsourced to validated providers and no PAN is stored, processed or transmitted by the merchant's own systems. Under v4 even SAQ A keeps a short list of controls on the merchant's side (provider management under 12.8, and for e-commerce the payment-page script and change-detection controls of 6.4.3 and 11.6.1 plus quarterly ASV scans), so completion takes a few hours of work rather than the weeks required for the longer SAQs.
Does the as-a-service model also work for Level 1 merchants?
Yes. Even a Level 1 merchant can significantly reduce their perimeter by delegating the CDE. The audit remains mandatory (RoC with QSA), but the perimeter to be audited is much smaller. Many Level 1 merchants use the as-a-service model precisely to simplify and reduce the annual audit costs.
How long does it take to activate the service?
Technical integration of PCI Proxy EU typically takes 3–10 business days for a team experienced in REST APIs. The process includes signing the contract, accessing the sandbox for testing, production integration and functional verification. No additional infrastructure is required from the merchant.
Want to delegate the technical part of PCI DSS compliance while retaining only the responsibilities that legally remain with the merchant? Discover PCI Proxy EU.