Card-brand consortium (Visa, Mastercard, Amex, Discover, JCB). Enforced via merchant contracts and acquirer relationships.
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard)
Applies to
Any merchant or service provider that stores, processes, or transmits cardholder data. Scope reduction is the entire game.
Creates urgency when
Annual self-assessment or QSA audit cycle, breach involving cardholder data, or merchant-level upgrade that triggers tighter requirements.
Evidence burden
12 control families. The PCI scope (everything in the cardholder-data environment) drives the cost; reducing scope reduces audit pain more than any other lever.
Buying-committee effect
Pulls in the head of payments, the QSA, and finance. The CISO is often consulted, not the buyer.
GTM angle
Scope-reduction sells. "We make less of your environment in-scope" is the winning frame; "we help you pass the audit" is the runner-up.