PCI DSS Compliance

PCI DSS compliance, less work for you

If you accept card payments, you must comply with PCI DSS. We vault card data on your behalf: you work with tokens, the card number never touches your systems, and completing the self-assessment questionnaire (SAQ) becomes much simpler.

What we bring to the table

You rely on our Attestation of Compliance: card data stays in our vault, not on your servers. You still validate your own, much smaller, scope (PCI DSS Requirement 12.8 also expects you to keep track of your service providers' compliance status).

PCI DSS Level 1

The highest level for a service provider. A Qualified Security Assessor (QSA) assesses our vault on site every year and issues a Report on Compliance.

EU data centres only

Card data never leaves Europe. Helpful for GDPR too.

Encryption and HSM

Card data is encrypted at rest and in transit. The encryption keys are generated and held in certified hardware security modules (HSMs) and never leave them in clear.

In brief

What is PCI DSS?

It is the Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council on behalf of Visa, Mastercard and the other card schemes. It applies to anyone accepting card payments and protects card data wherever it is collected, stored or transmitted.

PCI DSS in numbers:

12 requirements
4 merchant levels
1 goal: protect card data, always.

Who must comply?

Anyone who accepts, processes or stores card data: online shops, platforms, call centres, PSPs. Also those who handle payments on behalf of others.

12 core rules

The 12 requirements cover network security, encryption of stored and transmitted card data, access control, logging and monitoring, vulnerability management and security policies. The fewer systems that touch card data, the fewer systems you have to bring into line and evidence.

If you don't comply

Fines, higher fees or losing the ability to accept card payments. A data breach costs far more than getting compliant.

Compliance Levels

The 4 PCI levels

How much work you need to do depends on how many card transactions you process each year. The levels are set by the card brands and enforced by your acquirer: more transactions, more validation (up to an annual on-site assessment by a QSA for the highest volumes).

Level 1: more than 6 million transactions a year. Validation: annual on-site assessment by a QSA (Report on Compliance) plus quarterly ASV scans. Typical entities: large retailers, airlines, major PSPs.

Level 2: 1 to 6 million transactions a year. Validation: annual SAQ plus quarterly ASV scans (some brands require the SAQ to be completed by a certified Internal Security Assessor or a QSA). Typical entities: mid-market e-commerce, hotel chains.

Level 3: 20,000 to 1 million e-commerce transactions a year. Validation: annual SAQ plus quarterly ASV scans. Typical entities: growing online businesses, SaaS platforms.

Level 4: fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channels, a year. Validation: annual SAQ (recommended) plus quarterly ASV scans if applicable. Typical entities: small merchants, local businesses, start-ups.

Good to know: after a data breach you can be moved to Level 1 even if you process low volumes. Your acquirer may also require extra controls.

Less scope for you

How we reduce your workload

The simplest way to do less PCI is to keep card data off your servers. You send us card data, we tokenise it: you store only the token.

300+ questions · SAQ D · if you manage everything yourself

~190 questions · SAQ A-EP · with our API or JavaScript direct-post integration (PCI DSS v3.2.1 count; v4 shortens it, but it stays well over 100)

22 questions · SAQ A · with our hosted fields (PCI DSS v3.2.1 count; v4 adds a few questions, including ones about the scripts on your payment page)

Without us

Full scope

Every site, app, database and network segment that stores, processes or transmits card data must satisfy the full set of controls: over 300 questions in the SAQ D questionnaire.

With PCI Proxy

Minimal scope

Card data never enters your servers. We are PCI DSS Level 1 certified and vault the card number. You handle only tokens.

Up to 95% less

Move from SAQ D (300+ questions) to SAQ A (22 questions in PCI DSS v3.2.1) with hosted fields. SAQ A-EP, for API or JavaScript direct-post integrations, is considerably longer (around 190 questions in v3.2.1), so hosted fields give the largest reduction. Fewer audits, fewer dedicated engineers, less risk.

How much you need to complete

Without PCI Proxy (SAQ D): 300+ questions
With API or JavaScript direct post (SAQ A-EP): ~190 questions (v3.2.1)
With hosted fields (SAQ A): 22 questions (v3.2.1)
We are PCI DSS Level 1 certified
Self-Assessment

Which SAQ questionnaire do you need?

The SAQ is the questionnaire you complete to demonstrate compliance. It depends on how card data flows through your systems. With us, the path gets simpler.

⭐ Recommended

Self-Assessment

SAQ A

22 questions (PCI DSS v3.2.1)

7% of SAQ D scope

For those using our hosted iFrame fields: card data never passes through your site. It is the lightest path. To be eligible, every element of the page that captures card data must be delivered by us (iFrame or redirect); if your own site serves any part of the card form, you fall into SAQ A-EP. PCI DSS v4 adds a few questions for SAQ A merchants, notably about managing the scripts loaded on the payment page.

Ideal with hosted fields

Extended Self-Assessment

SAQ A-EP

~190 questions (PCI DSS v3.2.1)

Roughly 60% of SAQ D scope

If the payment page is on your site but card data goes directly from the customer's browser to us via API or JavaScript, so it never reaches your servers. Because your site controls the page that captures card data, the official questionnaire is considerably longer than SAQ A (191 questions in v3.2.1; shorter in v4 but still well over 100), though far smaller than SAQ D and without the obligation to protect stored card data.

With API or SDK integration

Full Questionnaire

SAQ D

300+ questions

Full scope — all systems

The longest questionnaire. Required when card data is stored on, or passes through, your own servers. Without us, many e-commerce businesses end up here.

Without PCI Proxy
In Europe

PCI DSS and GDPR together

In the EU you must comply with both. Card data is also personal data. With tokens you simplify PCI and privacy.

Where they align

Same priorities

Card data = personal data

Cardholder name, card number and expiry date identify a person and fall under GDPR. You must protect them with security measures appropriate to the risk (GDPR Article 32), on top of the PCI DSS controls.

Less data, less risk

GDPR requires keeping only what is necessary. We remove the card number from your systems and leave only the token.

Breaches and notifications

If you do not store card data, a breach on your servers is far less serious: no card numbers are exposed, so the payment-fraud risk and the PCI incident process largely fall away. You may still have GDPR notification duties for other personal data you hold, but the worst outcome for your customers is off the table.

Things to coordinate

Needs attention

Deletion vs retention

GDPR grants the right to erasure; PCI DSS and the card schemes require you to keep audit logs and transaction records for a period. Tokens reconcile the two: we delete the token-to-card mapping in the vault, the token string can stay in your transaction history, and the card number it referred to becomes irrecoverable.
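The tokenisation flow described above (the vault keeps the card number, the merchant keeps only a token) and the erasure mechanism in this paragraph, as an added example written for this page. It is not PCI Proxy's code and does not reflect its API: the in-memory dictionary stands in for an HSM-backed encrypted store, the token format and the class and function names are assumptions, and the card number is a constructed test value. The block also shows two design points the text only implies: the token is random, so nothing about the card number can be derived from it, and a "same card seen before" check uses a keyed fingerprint rather than a plain hash, because a plain hash of a card number is brute-forceable.

```python
"""Toy tokenisation vault: the merchant stores a token, the vault stores the PAN."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PAN_RE = re.compile(r"^[0-9]{12,19}$")


def normalise_pan(raw: str) -> str:
    """Strip the spaces and dashes that checkout forms commonly add."""
    return re.sub(r"[\s-]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: the first gate before anything is vaulted."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


@dataclass(frozen=True)
class CardToken:
    """What the merchant is allowed to keep: the token plus display-only data."""
    token: str
    bin6: str
    last4: str


class TokenVault:
    """Stands in for the provider-side vault (assumption: a dict replaces the
    HSM-backed encrypted store a real vault would use)."""

    def __init__(self, fingerprint_key: Optional[bytes] = None) -> None:
        # Keyed fingerprints need a secret: an unkeyed SHA-256 of a 16-digit PAN
        # has only 10^6 candidates once the BIN and last four digits are known.
        self._key = fingerprint_key or secrets.token_bytes(32)
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, raw_pan: str) -> CardToken:
        pan = normalise_pan(raw_pan)
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("rejected: not a well-formed PAN")
        # Random token: nothing about the PAN can be derived from it, and the
        # same card tokenised twice yields two unrelated tokens.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return CardToken(token=token, bin6=pan[:6], last4=pan[-4:])

    def fingerprint(self, raw_pan: str) -> str:
        """Stable, keyed identifier for 'same card seen before' checks.
        Not reversible and not a token: it cannot be used to pay."""
        pan = normalise_pan(raw_pan)
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def detokenize(self, token: str) -> Optional[str]:
        """Vault-side only (e.g. when forwarding a payment to the acquirer).
        Returns None once the mapping has been erased."""
        return self._pan_by_token.get(token)

    def erase(self, token: str) -> bool:
        """GDPR erasure: drop the mapping. The token string may remain in the
        merchant's transaction logs but now leads nowhere."""
        return self._pan_by_token.pop(token, None) is not None


def merchant_order_record(order_id: str, card: CardToken) -> dict:
    """What lands in the merchant's database: no PAN, only token and display data."""
    return {
        "order_id": order_id,
        "card_token": card.token,
        "card_display": f"{card.bin6}******{card.last4}",
    }


if __name__ == "__main__":
    vault = TokenVault()
    card = vault.tokenize("4111 1111 1111 1111")  # constructed test PAN
    print(merchant_order_record("order-42", card))
    print("vault resolves token:", vault.detokenize(card.token) is not None)
    vault.erase(card.token)
    print("after erasure:", vault.detokenize(card.token))
```

The merchant-side record is the only thing that would be in scope on your servers, and it contains no card number; the erase step is what makes the "delete the mapping" approach to GDPR erasure work while the token itself stays in your transaction history.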

Data in the EU only

Many European businesses must keep data in the EU. We operate only from European data centres: card data never leaves the Union.

Contract with us (DPA)

Under GDPR we are a data processor when we vault card data for you, and you remain the controller. GDPR Article 28 requires a written data processing agreement (DPA) setting out the purpose of the processing, the security measures and the handling of sub-processors and deletion.

In short: you work with tokens. We vault card data. PCI and GDPR become more manageable.

Learn about tokenisation
Cost Analysis

What PCI costs alone vs with us

Managing all PCI internally costs far more than entrusting card data to us. Indicative example for a typical European merchant.

Annual audit: in-house (SAQ D) €30,000 to €150,000; with PCI Proxy (SAQ A) €3,000 to €8,000.
Infrastructure security: in-house €50,000 to €200,000 a year; with PCI Proxy €0 for the card-data environment (we run it; your own systems still need ordinary security).
Data breach exposure: in-house €500,000 to €4,000,000 or more; with PCI Proxy much lower, since there are no card numbers on your systems to lose.
Cyber insurance: in-house €15,000 to €60,000 a year; with PCI Proxy €5,000 to €15,000 a year.
Dedicated team: in-house 1 to 3 engineers; with PCI Proxy light oversight.
Non-compliance fines: in-house €5,000 to €100,000 a month; with PCI Proxy €0 as long as your reduced SAQ A scope stays compliant.

Indicative figures for European merchants with 1–6 million transactions per year. Actual costs depend on size and sector.

FAQ

Frequently Asked Questions

01 Which PCI DSS level applies to my business?

It depends on how many card transactions you process each year. Over 6 million puts you at Level 1 (annual on-site assessment by a QSA). Below that threshold an SAQ plus quarterly ASV scans is usually enough, although Level 2 requirements differ between card brands and your acquirer has the final say. Most European SMEs are Level 3 or 4. With us you can move to the simplest SAQ.

02 How do you help us do less PCI?

You send us card data (from the customer's browser with hosted fields, or via our API or JavaScript), we tokenise it and store it. Card numbers never land on your servers: you work only with tokens. That takes you out of the heaviest PCI scope and moves you from SAQ D (300+ questions) to SAQ A (22 questions in v3.2.1) with hosted fields, or to SAQ A-EP (around 190 questions in v3.2.1, still far fewer than SAQ D and without stored card data to protect) with a direct-post API integration.

03 Does GDPR affect PCI DSS compliance in Europe?

Yes. In Europe you must comply with PCI DSS and GDPR together. Card data is personal data. GDPR adds obligations of its own: the right to erasure, restrictions on transfers outside the EU/EEA, breach notification within 72 hours, and a written agreement with your processor. With tokens on your systems and card data in our vault, both sets of obligations become simpler.

Want to know which SAQ you need?

Get in touch: we help you understand your PCI level and how much you can simplify with PCI Proxy.