PCI DSS Compliance for E-Commerce and Fintech in India: Guide
PCI DSS compliance in India is mandatory for every business that stores, processes, or transmits credit card, debit card, or prepaid card data. The Payment Card Industry Data Security Standard (PCI DSS) is a global security framework enforced by Visa, Mastercard, RuPay, and other card networks. For Indian e-commerce businesses, fintech companies, and payment service providers, non-compliance means fines up to $100,000 per month, loss of card acceptance privileges, and full liability for data breach losses. With PCI DSS version 4.0 now fully enforced since March 31, 2025, and RBI tightening digital payment security requirements, the compliance bar has moved higher. This guide covers the 12 PCI DSS requirements, the 4 compliance levels, SAQ types, certification costs in India, and how Indian regulations intersect with PCI standards.
- PCI DSS applies to all Indian businesses handling card payments, from small e-commerce stores to large fintech platforms
- 12 security requirements are organized into 6 goals covering network security, data protection, vulnerability management, access control, monitoring, and security policy
- Compliance levels (1 to 4) are determined by annual card transaction volume; Level 4 SAQ costs ₹50,000 to ₹3 lakh while Level 1 QSA audit costs ₹10 lakh to ₹30 lakh
- PCI DSS v4.0 is fully enforced from March 31, 2025, with new requirements for multi-factor authentication, e-commerce skimming prevention, and customized validation
- RBI mandates security audits for payment aggregators and gateways under its 2020 and 2021 guidelines, referencing PCI DSS-equivalent standards
- Using a payment gateway reduces PCI DSS scope but does not eliminate compliance obligations entirely
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards created by the PCI Security Standards Council (PCI SSC) to protect cardholder data during and after financial transactions. The PCI SSC was founded in 2006 by five major card brands: Visa, Mastercard, American Express, Discover, and JCB. Any organization worldwide that accepts, processes, stores, or transmits payment card information must comply with PCI DSS, regardless of size or transaction volume.
The standard is not a law passed by any government. It is a contractual requirement imposed by the card networks through acquiring banks. When a merchant signs a card acceptance agreement with a bank, that agreement includes a clause requiring PCI DSS compliance. Violate it, and the card brands can fine the acquiring bank, which passes those fines directly to the merchant, sometimes with additional charges. In practice, this contractual enforcement mechanism is more effective than most government regulations because it hits where it hurts: the ability to accept card payments at all.
PCI DSS v4.0 is maintained by the PCI Security Standards Council (PCI SSC) at www.pcisecuritystandards.org. In India, the Reserve Bank of India mandates equivalent payment security controls through its Master Directions on Digital Payment Security Controls (2021) and the Payment and Settlement Systems Act, 2007.
PCI DSS 4.0: What Changed and Why It Matters
PCI DSS version 4.0 replaced the long-standing version 3.2.1. Released in March 2022, version 4.0 had a transition period where both versions were accepted. That transition ended on March 31, 2024, making v4.0 the only active standard. A second set of future-dated requirements became mandatory on March 31, 2025. If your business validated compliance against v3.2.1 and has not updated, you are no longer compliant.
The biggest shift in v4.0 is philosophical. Previous versions followed a rigid, checklist-based approach: do exactly this, in exactly this way. Version 4.0 introduces a customized approach alongside the traditional defined approach. The customized approach lets organizations meet the security objective of each requirement using alternative controls, as long as they can prove the alternative achieves the same level of protection. This is a significant change for mature security teams that have controls exceeding the minimum but structured differently than the standard prescribed.
Key Changes in PCI DSS 4.0
| Area | PCI DSS 3.2.1 | PCI DSS 4.0 |
|---|---|---|
| Validation Approach | Defined approach only | Defined approach + Customized approach |
| Multi-Factor Authentication | Required for remote access only | Required for all access to cardholder data environment |
| Encryption | Required for public network transmission | Required for both public and internal network transmission |
| E-Commerce Security | Basic web application protection | Automated scripts detection to prevent skimming attacks |
| Risk Assessments | Annual risk assessment | Targeted risk analysis for each applicable requirement |
| Password Requirements | Minimum 7 characters | Minimum 12 characters (or 8 if system cannot support 12) |
| Security Awareness | Annual training | Training must include phishing and social engineering awareness |
| Log Reviews | Daily log review | Automated mechanism to detect and alert on anomalies |
All future-dated requirements in PCI DSS v4.0 became mandatory on March 31, 2025. If your last assessment was against v3.2.1, you must complete a new assessment against v4.0 immediately. Continued use of v3.2.1 assessments is not accepted by any card brand.
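The v4.0 e-commerce change in the table above (detecting unauthorized or altered scripts on the payment page) is easiest to understand as an inventory comparison. The following is an added illustration, not code from the page or from any QSA or gateway: it keeps an approved list of payment-page script URLs with content hashes, flags scripts that are unlisted, modified or missing, and shows how a Subresource Integrity value is derived for pinning an approved script. All URLs and script bodies are constructed sample data.

```python
"""Payment-page script inventory check (constructed example).

PCI DSS v4.0 expects merchants to maintain an authorized inventory of
scripts loaded on payment pages and to detect unauthorized changes.
This snapshot comparison is one simple way to do that detection.
"""
import base64
import hashlib
from dataclasses import dataclass, field


def sha256_hex(content: bytes) -> str:
    """Hex SHA-256 of a script body, used as the inventory fingerprint."""
    return hashlib.sha256(content).hexdigest()


def sri_integrity(content: bytes) -> str:
    """Subresource Integrity value for <script integrity="..."> (sha256-<base64 digest>).

    Pinning an approved script this way makes the browser refuse a changed copy.
    """
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()


# Constructed approved inventory: script URL -> approved content.
# In practice the hashes would come from a change-controlled record.
APPROVED_SCRIPTS = {
    "https://checkout.example-gateway.test/v1/checkout.js":
        b"window.Checkout = function () { /* gateway checkout */ };",
    "https://shop.example.test/static/cart.js":
        b"function addToCart(id) { /* cart logic */ }",
}
APPROVED_INVENTORY = {url: sha256_hex(body) for url, body in APPROVED_SCRIPTS.items()}


@dataclass
class ScriptReport:
    unauthorized: list = field(default_factory=list)  # observed but not in inventory
    modified: list = field(default_factory=list)      # in inventory, content hash differs
    missing: list = field(default_factory=list)       # in inventory, not observed on page

    def clean(self) -> bool:
        return not (self.unauthorized or self.modified or self.missing)


def check_payment_page_scripts(observed: dict, inventory: dict) -> ScriptReport:
    """Compare scripts observed on the payment page against the approved inventory.

    observed:  URL -> script bytes as actually served to the browser
    inventory: URL -> approved SHA-256 hex digest
    """
    report = ScriptReport()
    for url, body in observed.items():
        if url not in inventory:
            report.unauthorized.append(url)
        elif inventory[url] != sha256_hex(body):
            report.modified.append(url)
    for url in inventory:
        if url not in observed:
            report.missing.append(url)
    return report


# Constructed snapshot of a drifted page: cart.js changed and an unlisted script appeared.
OBSERVED_DRIFT = {
    "https://checkout.example-gateway.test/v1/checkout.js":
        APPROVED_SCRIPTS["https://checkout.example-gateway.test/v1/checkout.js"],
    "https://shop.example.test/static/cart.js":
        b"function addToCart(id) { /* cart logic */ } trackUser();",
    "https://cdn.unlisted-host.test/analytics.js":
        b"/* script that is not in the approved inventory */",
}


def demo_drift_report() -> ScriptReport:
    """Run the check over the constructed drifted snapshot."""
    return check_payment_page_scripts(OBSERVED_DRIFT, APPROVED_INVENTORY)


if __name__ == "__main__":
    rep = demo_drift_report()
    print("unauthorized:", rep.unauthorized)
    print("modified:   ", rep.modified)
    print("missing:    ", rep.missing)
    for url, body in APPROVED_SCRIPTS.items():
        print(f'<script src="{url}" integrity="{sri_integrity(body)}" crossorigin="anonymous">')
```

Any non-empty finding should raise an alert and be treated as a change to the payment page, which is the detection the v4.0 requirement is after.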
The 12 PCI DSS Requirements (Organized by 6 Goals)
The 12 PCI DSS requirements are the core of the standard. They are organized into 6 broad security goals, each containing 2 requirements. Every business handling card data must address all 12, though the depth of implementation varies by compliance level and the specific SAQ applicable to your business model. Understanding the structure helps you plan your compliance roadmap and budget effectively.
| Goal | Req # | Requirement | What It Means in Practice |
|---|---|---|---|
| Build and Maintain a Secure Network and Systems | 1 | Install and maintain network security controls | Configure firewalls and network segmentation to isolate cardholder data environment |
| | 2 | Apply secure configurations to all system components | Change all vendor-supplied default passwords, remove unnecessary services and protocols |
| Protect Account Data | 3 | Protect stored account data | Encrypt stored cardholder data, mask PAN when displayed, implement data retention limits |
| | 4 | Protect cardholder data with strong cryptography during transmission | Use TLS 1.2+ for all data in transit over public and internal networks |
| Maintain a Vulnerability Management Program | 5 | Protect all systems and networks from malicious software | Deploy anti-malware on all systems, keep definitions current, perform periodic scans |
| | 6 | Develop and maintain secure systems and software | Patch vulnerabilities within defined timelines, follow secure coding practices, review custom code |
| Implement Strong Access Control Measures | 7 | Restrict access to system components and cardholder data by business need to know | Role-based access control; no access to card data unless job function requires it |
| | 8 | Identify users and authenticate access to system components | Unique user IDs for all personnel, multi-factor authentication for CDE access, minimum 12-character passwords |
| | 9 | Restrict physical access to cardholder data | Physical access controls for data centers, secure destruction of media containing card data |
| Regularly Monitor and Test Networks | 10 | Log and monitor all access to system components and cardholder data | Centralized logging with automated alert mechanisms, daily log reviews, 12-month log retention |
| | 11 | Test security of systems and networks regularly | Quarterly ASV scans, annual penetration testing, wireless access point detection |
| Maintain an Information Security Policy | 12 | Support information security with organizational policies and programs | Documented security policy reviewed annually, security awareness training, incident response plan |
For e-commerce businesses in India, Requirements 6 (secure coding) and 11 (regular testing) tend to demand the most effort. Payment page scripts, third-party integrations, and API endpoints all fall under these requirements. If your Pvt Ltd company runs an online store, these two requirements will likely consume the largest share of your PCI DSS compliance budget.
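Requirement 3 (mask PAN when displayed, limit retention) and Requirement 10 (logging) meet in a failure mode that QSAs find often: full card numbers written to application logs. The following added example, not taken from the page or from any vendor, shows a Luhn-validated PAN masker (first six and last four digits) and a log scanner that reports and redacts unmasked PANs. The log lines and card numbers are constructed test values, not real cardholder data.

```python
"""Find and mask unmasked PANs in application logs (constructed example)."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: rejects most order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by Requirement 3: first six and last four, rest masked.

    Roles without a business need should see even less (last four only).
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs (digits only) found unmasked in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Rewrite a log line so any unmasked PAN appears in masked form."""
    def _sub(m):
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_CANDIDATE.sub(_sub, text)


def scan_log(lines) -> list:
    """(1-based line number, masked PAN) for every unmasked PAN in the given log lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed log lines. 4111111111111111 and 5555555555554444 are well-known
# card-brand test numbers; 1234567890123456 is a 16-digit order id that fails Luhn.
SAMPLE_LOG = [
    "2025-03-31T10:15:02Z INFO order=1234567890123456 amount=1499.00 status=authorised",
    "2025-03-31T10:15:02Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/27",
    "2025-03-31T10:16:40Z INFO refund token=tok_9f8e7d6c pan=555555******4444",
    '2025-03-31T10:17:05Z DEBUG retry payload {"pan":"5555555555554444","cvv":"***"}',
]


if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN found, masked form {masked}")
    for line in SAMPLE_LOG:
        print(redact_pans(line))
```

A scanner like this belongs in the log pipeline before retention, since a PAN written to a 12-month log archive pulls that archive into CDE scope.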
PCI DSS Compliance Levels: Which One Applies to You?
Your PCI DSS compliance level determines how you validate compliance: through a Self-Assessment Questionnaire (SAQ) or a full Qualified Security Assessor (QSA) audit. The level is based on your annual volume of card transactions across all channels (online, in-store, phone orders). Card brands define the thresholds, and your acquiring bank assigns the level based on your reported transaction volume.
| Level | Annual Card Transactions | Validation Method | Estimated Cost (India) |
|---|---|---|---|
| Level 1 | Over 6 million | Annual on-site QSA audit + quarterly ASV scan | ₹10 lakh to ₹30 lakh |
| Level 2 | 1 million to 6 million | Annual SAQ + quarterly ASV scan | ₹3 lakh to ₹8 lakh |
| Level 3 | 20,000 to 1 million (e-commerce) | Annual SAQ + quarterly ASV scan | ₹1.5 lakh to ₹5 lakh |
| Level 4 | Fewer than 20,000 (e-commerce) or up to 1 million (total) | Annual SAQ + quarterly ASV scan (recommended) | ₹50,000 to ₹3 lakh |
Most Indian e-commerce startups and small businesses fall under Level 4. If your D2C brand processes 500 card transactions a month, you are firmly in Level 4 territory. Do not let the word "compliance" intimidate you into thinking this requires a six-figure expenditure. Level 4 compliance through SAQ A (if you fully outsource payment handling) is the most straightforward path and can be completed in 4 to 8 weeks.
Large payment aggregators, fintech companies processing millions of transactions, and banking institutions fall under Level 1, which requires a full on-site assessment by a QSA. This is the most rigorous and expensive validation method, but it is proportionate to the risk these organizations carry.
Based on our experience helping businesses with compliance certifications, the most common mistake is over-classifying your compliance level. A Level 4 merchant completing SAQ D (the most comprehensive questionnaire) when SAQ A would suffice wastes ₹2 lakh to ₹5 lakh in unnecessary assessment costs. Confirm your SAQ type with your acquiring bank before starting the compliance process.
Who Needs PCI DSS Compliance in India?
The simple rule: if your business touches card data at any point, PCI DSS applies. "Touching" includes storing card numbers in a database, processing card transactions through your server, transmitting card data to a payment processor, or even having a web page where a customer types their card number, even if it is in an iframe hosted by the payment gateway.
E-Commerce Businesses
Every online store that accepts card payments needs PCI DSS compliance. This includes Private Limited Companies running D2C websites, marketplace sellers using custom payment integrations, subscription-based services charging cards monthly, and SaaS platforms billing with stored card credentials. If you use a hosted payment page (Razorpay, PayU, or CCAvenue checkout page), your scope is reduced to SAQ A, but compliance is still required. If your site has a custom-built payment form that touches card numbers before sending them to the processor, you are looking at SAQ D and a significantly larger compliance burden.
Fintech Companies and Payment Aggregators
Payment gateways, payment aggregators, lending platforms that disburse to cards, and any fintech that processes or stores card data must comply. RBI's guidelines for Payment Aggregators and Payment Gateways (released in 2020, updated in 2024) explicitly require these entities to undergo annual security audits, and PCI DSS is the recognized standard for card-related security. Most fintech companies processing over 6 million transactions annually fall under Level 1, requiring a full QSA audit.
Banks and NBFCs
Card-issuing banks, acquiring banks, and NBFCs offering card-based products (credit cards, prepaid cards) are subject to PCI DSS as both issuers and acquirers. RBI mandates additional security requirements for these entities under its Master Directions on Digital Payment Security Controls.
POS Terminal Operators and Retailers
Physical retail businesses using POS (Point of Sale) terminals that accept card swipes, chip inserts, or contactless tap payments need PCI DSS compliance. The specific SAQ depends on the terminal type and integration model. Standalone terminals from PCI-validated providers have the simplest compliance path (SAQ B), while integrated POS systems connected to business networks require SAQ C or D.
Many Indian e-commerce businesses assume that using Razorpay or PayU means they have zero PCI DSS obligations. This is incorrect. While the payment gateway handles card data processing, your website still needs to comply with specific requirements covering how the payment page is loaded, how scripts are managed, and how access to your administrative systems is controlled. The scope is reduced, not eliminated.
Self-Assessment Questionnaire (SAQ) Types
The SAQ is how most Indian businesses validate PCI DSS compliance. Instead of paying ₹10 lakh or more for a QSA audit, Level 2 to 4 merchants complete the appropriate SAQ, which is a structured questionnaire covering the PCI DSS requirements applicable to their specific card data handling model. Picking the right SAQ saves time, money, and frustration. Picking the wrong one means either answering questions that do not apply to you or, worse, missing requirements that do.
| SAQ Type | Applies To | Card Data Handling | Number of Requirements |
|---|---|---|---|
| SAQ A | E-commerce merchants using fully hosted payment page (redirect or iframe) | No direct contact with card data; all processing by PCI-compliant third party | 22 questions |
| SAQ A-EP | E-commerce merchants whose website controls the payment page delivery but does not receive card data | Website elements affect payment page security; card data goes directly to processor | 139 questions |
| SAQ B | Merchants using standalone dial-out POS terminals (no electronic card data storage) | Imprint-only or standalone terminal; no electronic cardholder data storage | 41 questions |
| SAQ C | Merchants with payment application systems connected to the internet | Payment application processes card data but business does not store it electronically | 160 questions |
| SAQ D (Merchant) | All merchants not qualifying for SAQ A, A-EP, B, or C | Stores, processes, or transmits cardholder data on own systems | 329 questions |
| SAQ D (Service Provider) | Service providers handling cardholder data | Stores, processes, or transmits cardholder data on behalf of other entities | 345 questions |
For most Indian e-commerce businesses using Razorpay, PayU, CCAvenue, or Cashfree with a hosted checkout or redirect model, SAQ A is the correct choice. It has the fewest questions (22) and the lowest compliance cost. The moment your website has JavaScript that can affect the payment page or your server-side code touches card data before sending it to the processor, you move to SAQ A-EP or SAQ D, and the compliance effort multiplies by 5x to 10x.
PCI DSS Certification Process in India
PCI DSS is technically a validation, not a certification (you cannot get a "PCI DSS certificate" in the way you get an ISO certificate). However, the industry commonly uses the term "certification" to refer to successfully completing the validation process. Here is the step-by-step process for both SAQ and QSA paths.
Step 1: Determine Your Compliance Level and SAQ Type
Contact your acquiring bank to confirm your compliance level based on annual transaction volume. Identify the applicable SAQ type based on how your business handles card data. If you are unsure whether your integration model qualifies for SAQ A or requires SAQ A-EP, your payment gateway provider or a PCI consultant can help make the determination.
Step 2: Define Your Cardholder Data Environment (CDE)
Map every system, network segment, application, and process that stores, processes, or transmits cardholder data. Include all connected systems that could impact the CDE's security. This scoping exercise is critical because it determines which systems must meet PCI DSS requirements. Poor scoping is the number one reason compliance projects go over budget.
Step 3: Conduct a Gap Analysis
Compare your current security controls against the applicable PCI DSS requirements. Document gaps between what you have and what the standard requires. For Level 4 merchants on SAQ A, this gap analysis is typically straightforward (1 to 2 weeks). For Level 1 organizations heading into a QSA audit, the gap analysis phase takes 4 to 8 weeks and often reveals deficiencies in logging, access control, and encryption practices.
Step 4: Remediate Identified Gaps
Fix the gaps found in Step 3. Common remediation activities include upgrading TLS versions, implementing multi-factor authentication, deploying file integrity monitoring, establishing formal security policies and procedures, configuring centralized logging, and setting up an incident response plan. Remediation is where most of the budget goes, especially for Level 1 organizations.
Step 5: Complete the SAQ or QSA Assessment
For Levels 2 to 4: Complete the applicable SAQ honestly, attach supporting evidence, and submit it along with an Attestation of Compliance (AOC) to your acquiring bank. For Level 1: Schedule the on-site QSA assessment. The QSA will review policies, inspect systems, interview staff, test controls, and produce a Report on Compliance (ROC). A typical Level 1 QSA on-site assessment takes 5 to 15 working days.
Step 6: Complete Quarterly ASV Scans
Engage an Approved Scanning Vendor to perform external vulnerability scans on your internet-facing systems. Scans must be completed quarterly and produce a passing result. If the scan identifies vulnerabilities, remediate them and re-scan until the result is clean. ASV scans are required for all compliance levels.
Step 7: Submit Compliance Documentation
Submit your completed SAQ and AOC (or ROC and AOC for Level 1) to your acquiring bank and, if required, directly to the card brands. Maintain all compliance evidence for at least 12 months as it will be needed during the next annual validation cycle.
Based on our experience with compliance projects, the single most effective way to accelerate PCI DSS validation is to minimize your scope. If you are an e-commerce business, use a hosted payment page and qualify for SAQ A. If you are a fintech, implement tokenization to reduce the number of systems in your CDE. Every system you remove from scope is one fewer system that needs firewalls, logging, access controls, and testing.
Cost of PCI DSS Compliance in India
PCI DSS compliance costs in India vary significantly based on your compliance level, current security maturity, and the complexity of your cardholder data environment. Here is a realistic breakdown based on current market rates from Indian QSA firms and security consultants.
| Cost Component | Level 4 (SAQ A) | Level 4 (SAQ D) | Level 1 (QSA Audit) |
|---|---|---|---|
| Gap Analysis | ₹15,000 to ₹40,000 | ₹50,000 to ₹1.5 lakh | ₹2 lakh to ₹5 lakh |
| Remediation (Security Controls) | ₹10,000 to ₹50,000 | ₹1 lakh to ₹5 lakh | ₹3 lakh to ₹15 lakh |
| SAQ/QSA Assessment | ₹15,000 to ₹50,000 | ₹1 lakh to ₹3 lakh | ₹5 lakh to ₹12 lakh |
| Quarterly ASV Scans (4 per year) | ₹20,000 to ₹60,000 | ₹40,000 to ₹1 lakh | ₹60,000 to ₹2 lakh |
| Annual Penetration Testing | Not required for SAQ A | ₹1 lakh to ₹3 lakh | ₹2 lakh to ₹5 lakh |
| Total (Year 1) | ₹50,000 to ₹2 lakh | ₹3 lakh to ₹13 lakh | ₹10 lakh to ₹30 lakh+ |
| Annual Renewal (Year 2+) | ₹30,000 to ₹1 lakh | ₹2 lakh to ₹8 lakh | ₹6 lakh to ₹18 lakh |
The cost difference between SAQ A and SAQ D for a Level 4 merchant is stark: ₹50,000 versus ₹3 lakh or more. This is precisely why scope reduction matters so much. Moving from a custom payment integration (SAQ D) to a hosted checkout page (SAQ A) can save a small e-commerce business ₹2 lakh to ₹10 lakh annually. For fintech companies at Level 1, the QSA audit cost is a significant line item, but the alternative (non-compliance fines of $5,000 to $100,000 per month) makes the investment straightforward.
Businesses that already hold ISO 27001 certification typically save 30% to 40% on PCI DSS compliance costs because many security controls (access management, logging, incident response, risk assessment) overlap between the two standards. If you are planning both certifications, pursuing ISO 27001 first is the more cost-effective sequence.
PCI DSS vs ISO 27001: How They Compare
PCI DSS and ISO 27001 are the two security standards Indian businesses encounter most frequently. They are not competitors; they complement each other. But understanding the differences helps you decide which to pursue first and how to budget for both.
| Parameter | PCI DSS | ISO 27001 |
|---|---|---|
| Scope | Cardholder data only | All information assets |
| Mandated By | Card brands (Visa, Mastercard, RuPay) | Voluntary (client/market driven) |
| Framework Type | Prescriptive (12 specific requirements) | Risk-based (Annex A controls selected based on risk assessment) |
| Certification Body | QSA (for Level 1) or self-assessment | Accredited certification body (e.g., BSI, TUV, Bureau Veritas) |
| Renewal Cycle | Annual validation + quarterly scans | 3-year certification with annual surveillance audits |
| Number of Controls | 12 requirements with 250+ sub-requirements | 93 controls in Annex A (ISO 27001:2022) |
| Cost in India | ₹50,000 to ₹30 lakh (depending on level) | ₹1.5 lakh to ₹10 lakh (depending on organization size) |
| Government Recognition | Referenced by RBI for payment entities | Recognized by CERT-In, MeitY, SEBI, and government procurement |
| Overlap | Covers network security, access control, encryption, logging, policy | Covers the same areas but in a broader context for all data types |
| Best For | Businesses handling card payments | All businesses wanting a formal information security framework |
The practical overlap between PCI DSS and ISO 27001 is roughly 60% to 70%. Access control, logging and monitoring, encryption, incident response, risk assessment, and security policy requirements exist in both standards. If you implement ISO 27001 first, a significant portion of PCI DSS requirements are already addressed. The remaining PCI DSS-specific items (cardholder data masking, PAN storage rules, ASV scans, specific authentication requirements) are then layered on top as targeted additions rather than built from scratch.
Indian Regulatory Context: RBI and Payment Security
PCI DSS exists as a global card industry standard, but Indian businesses must also understand the domestic regulatory layer. The Reserve Bank of India has issued multiple directives on digital payment security that intersect with, supplement, and in some cases go beyond PCI DSS requirements.
RBI Master Directions on Digital Payment Security Controls (2021)
Issued in February 2021, these directions apply to all regulated entities (banks, NBFCs, payment system operators) that offer digital payment products. The Master Directions require a board-approved information security policy, regular security audits by CERT-In empanelled auditors, incident reporting to RBI within 6 hours of detection, and controls for mobile banking, internet banking, and card-based transactions. While the directions do not name PCI DSS explicitly, the security control requirements for card-based transactions are equivalent to PCI DSS standards.
RBI Guidelines for Payment Aggregators and Payment Gateways (2020)
Released in March 2020 and updated subsequently, these guidelines mandate that payment aggregators obtain RBI authorization and maintain minimum net worth requirements (₹15 crore for existing PAs, ₹25 crore for new applicants). Security requirements include PCI DSS compliance (explicitly referenced), annual security audits by CERT-In empanelled auditors, data storage only in India, and implementation of a comprehensive information security policy. Payment gateways, while not directly regulated under this framework, are required to follow equivalent security standards by their partner payment aggregators.
Payment and Settlement Systems Act, 2007 (PSS Act)
The PSS Act is the primary legislation governing payment systems in India. It gives RBI the authority to authorize and regulate payment system operators. Under the PSS Act, RBI can issue directions to any system participant regarding technology standards, security controls, and operational requirements. Non-compliance with RBI directions issued under the PSS Act can result in authorization revocation, fines, and criminal penalties.
Card-on-File Tokenization (RBI Circular, 2022)
RBI mandated that merchants cannot store actual card data (card-on-file) from October 1, 2022 onwards. All stored card data must be replaced with tokens issued by the card network. This directive directly reduces PCI DSS scope for merchants because tokenized data is not considered cardholder data under PCI DSS. If your business implemented RBI's tokenization mandate, your PCI DSS compliance burden is already lighter than it was before October 2022.
For e-commerce businesses that also need GST registration, note that the same compliance infrastructure (documented policies, audit trails, access controls) that supports PCI DSS also helps during GST audits where digital record integrity is evaluated. Building compliance systems with a unified approach saves effort across multiple regulatory obligations.
Common PCI DSS Compliance Mistakes
Compliance failures rarely happen because a business deliberately ignored security. They happen because of misunderstandings, shortcuts, and overlooked details. Here are the mistakes that Indian businesses make most frequently during PCI DSS compliance, along with how to avoid each one.
- Choosing the wrong SAQ type: A merchant using a JavaScript-based payment form on their own domain selects SAQ A instead of SAQ A-EP. The result: an incomplete assessment that does not cover the actual risks. Always confirm your SAQ type with your acquiring bank and payment gateway provider before starting the assessment
- Ignoring scope creep: Your CDE was well-defined 12 months ago. Since then, the development team added a new API endpoint, connected a CRM to the payment database, and gave the marketing team access to transaction reports. Each change potentially expanded your PCI DSS scope without anyone notifying the compliance team. Quarterly scope reviews are essential
- Treating compliance as an annual event: PCI DSS is a continuous obligation. The quarterly ASV scans, daily log reviews, and ongoing access control management are requirements that must be maintained year-round, not just during the annual assessment period. Organizations that "go dark" between assessments face painful catch-up periods and frequent failures
- Default credentials on internal systems: Requirement 2 specifically mandates changing all vendor-supplied defaults. Database admin passwords left at "admin123," default SNMP community strings, and factory-set router passwords are findings that appear in nearly 40% of first-time QSA audits
- Inadequate logging: Requirement 10 requires logging of all access to cardholder data, with automated anomaly detection and 12-month retention. Many businesses have logging enabled but do not review logs, do not alert on anomalies, and do not retain logs for the required duration. This is a frequent assessment failure point
- Skipping the internal vulnerability scan: External ASV scans are well-known, but Requirement 11 also requires internal vulnerability scans quarterly. Internal scans are often skipped or deprioritized because they are not submitted to the acquiring bank, but a QSA will check for them during a Level 1 audit
- No incident response plan: Requirement 12 requires a documented incident response plan that is tested at least annually. "We'll figure it out when it happens" is not a plan. The response plan must include specific roles, communication procedures, containment steps, evidence preservation, and notification timelines
- Not updating for PCI DSS 4.0: Organizations that validated against v3.2.1 and have not updated their controls for v4.0 requirements (enhanced MFA, e-commerce script monitoring, 12-character passwords, targeted risk analysis) are no longer compliant. The v4.0 future-dated requirements became mandatory on March 31, 2025
Based on our experience advising businesses on security compliance, the most cost-effective approach for Indian startups and SMEs is a three-layer strategy: first, minimize PCI DSS scope by using hosted payment pages and tokenization; second, build foundational security through ISO 27001; and third, complete PCI DSS validation against the reduced scope. This sequence typically reduces total compliance costs by 30% to 50% compared to attempting PCI DSS alone without scope reduction.
PCI DSS Compliance Checklist for Indian Businesses
Whether you are a Startup India-registered company launching your first e-commerce product or an established fintech firm processing millions of transactions, this checklist covers the essential steps for PCI DSS compliance in India.
- Confirm compliance level: Verify with your acquiring bank whether you are Level 1, 2, 3, or 4 based on your annual card transaction volume
- Identify your SAQ type: Map your payment integration model to the correct SAQ (A, A-EP, B, C, or D). If in doubt, consult your payment gateway provider
- Define your CDE scope: Document every system, network segment, application, and process that touches cardholder data, plus all connected systems
- Conduct a gap analysis: Compare your current controls against the PCI DSS requirements applicable to your SAQ type. Document every gap
- Remediate gaps: Implement required security controls: firewalls, encryption, MFA, access controls, logging, anti-malware, and secure coding practices
- Draft required documentation: Information security policy, data retention policy, incident response plan, network diagrams, and access control procedures
- Train staff: Security awareness training covering phishing, social engineering, password hygiene, and data handling procedures. Document the training
- Engage an ASV: Schedule your first quarterly external vulnerability scan and remediate any findings
- Complete the SAQ or schedule QSA audit: Fill out the SAQ with supporting evidence, or coordinate the on-site QSA assessment for Level 1
- Submit AOC/ROC to acquiring bank: Provide your Attestation of Compliance (and ROC for Level 1) to your acquiring bank and card brands as required
- Establish ongoing compliance processes: Quarterly ASV scans, annual penetration testing, continuous log monitoring, regular access reviews, and annual reassessment
Summary
PCI DSS compliance in India is a non-negotiable requirement for any business that accepts card payments. The 12 requirements across 6 security goals provide a comprehensive framework for protecting cardholder data, and PCI DSS v4.0 has raised the bar with stronger authentication, expanded encryption, and enhanced e-commerce protections. For most Indian e-commerce businesses and startups at Level 4, compliance through SAQ A costs ₹50,000 to ₹2 lakh and takes 4 to 8 weeks. For Level 1 fintech firms and payment aggregators, the QSA audit investment of ₹10 lakh to ₹30 lakh is a fraction of the potential non-compliance penalties. Start by reducing your PCI DSS scope through hosted payment pages and tokenization, build your security foundation with ISO 27001 certification, and then validate PCI DSS against the reduced scope. Your card data security is a business enabler, not just a compliance checkbox.