Card-brand consortium (Visa, Mastercard, Amex, Discover, JCB). Enforced via merchant contracts and acquirer relationships.

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard)

Applies to

Any merchant or service provider that stores, processes, or transmits cardholder data. Scope reduction is the entire game.

Creates urgency when

Annual self-assessment or QSA audit cycle, breach involving cardholder data, or merchant-level upgrade that triggers tighter requirements.

Evidence burden

12 control families. The PCI scope (everything in the cardholder-data environment) drives the cost; reducing scope reduces audit pain more than any other lever.

Buying-committee effect

Pulls in the head of payments, the QSA, and finance. The CISO is often consulted, not the buyer.

GTM angle

Scope-reduction sells. "We make less of your environment in-scope" is the winning frame; "we help you pass the audit" is the runner-up.