Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

With so many different security frameworks and standards that apply to different industries and businesses, it can be difficult to even know where to begin. Which ones do you need to use, at what levels, and when? Two frameworks in particular are closely related and important for many businesses, and thus are the cause of a lot of confusion. We wanted to address that confusion today. Those two are PCI DSS and SOC 2.

PCI DSS controls are no longer just a compliance checkbox — they’re a mandatory security baseline that stands between your customers’ card data and sophisticated cybercriminals who are faster, smarter, and better-funded than ever before. According to the Nilson Report, global card fraud losses exceeded $33 billion in 2022 and are projected to surpass $38 billion by 2027.

While we talk a lot about governmental cybersecurity here on the Ignyte blog, programs like FedRAMP and CMMC are not the most common kind of security you’re likely to encounter. That honor goes to PCI DSS. PCI DSS is a security framework we all engage with on a near-daily basis. It’s the security framework used around the world to secure payment card information, and it’s extremely important for trust, safety, and the security of customer information.

PCI DSS compliance levels categorize merchants and service providers based on annual card transaction volume, determining their validation requirements. Merchants fall into four levels, with Level 1 requiring the most rigorous assessment through a Qualified Security Assessor, while Levels 2 through 4 typically complete self-assessment questionnaires. Service providers follow a separate two-tier system.

Maintaining a secure external attack surface is no longer just about finding vulnerabilities; it’s about proving your resilience to partners, auditors, and regulatory bodies. Today, we are excited to announce Detectify’s PCI ASV Scanning, delivered in partnership with Clone Systems.

PCI-DSS is one of the most widely used security frameworks around the world. Unlike frameworks like FedRAMP or CMMC, PCI-DSS is a global security standard, not a standard issued by the US Government. It’s the Payment Card Industry Data Security Standard, and it’s required for any business or entity that handles cardholder or authentication data. Merchants, payment providers, gateways, banks; they all need it.

Here on the Ignyte blog, we talk a lot about general information security frameworks like ISO 27001 and government frameworks like CMMC and FedRAMP. But that doesn’t mean that’s all we understand. One of the most broadly used security standards in the world is PCI DSS. The Payment Card Industry Data Security Standard is the standard that must be upheld by any and all entities that handle, process, or store cardholder data and authentication data for payments.

The skimmer doesn’t go inside the iframe. It doesn’t need to. In every significant payment page compromise of the last decade, the malicious code sat on the merchant’s page, outside the payment component entirely, watching form submissions, intercepting keystrokes, reading values before they ever reached the provider’s sandbox. This is the architecture SAQ A-EP merchants live in.

PCI DSS compliance is a mandatory, revenue-critical requirement for fintech companies that touch cardholder data—directly or indirectly. This guide is written for fintech founders, CISOs, CTOs, and security leaders building or scaling payment-enabled platforms in the US and globally. If your fintech stores, processes, or transmits cardholder data, PCI DSS compliance for fintech companies is not optional—it is a baseline operating requirement. With PCI DSS v4.0.x now fully in force.