PCI DSS v4.0
If you store, process, or transmit cardholder data, directly or through a payment processor's iframe, PCI DSS applies. v4.x is the only active version: v3.2.1 was retired on 31 March 2024, the current release is v4.0.1, and the requirements that v4.0 had marked as future-dated became mandatory on 31 March 2025.
What it is
Payment Card Industry Data Security Standard, currently version 4.0.1. A contractually binding standard (enforced through card-brand and acquirer agreements, not legislation) maintained by the PCI Security Standards Council, founded by Visa, Mastercard, American Express, Discover and JCB. It has 12 requirements grouped under six goals: build and maintain a secure network and systems, protect account data, maintain a vulnerability management program, implement strong access control, regularly monitor and test networks, and maintain an information security policy (which is also where management of third-party service providers lives).
Why it matters
Failure to comply isn't a 'finding'; it gives the card brands grounds to fine your acquirer, and acquirer agreements pass those fines on to you, typically with the acquirer's own penalties added and, in the worst case, termination of the merchant account. Even pure-iframe checkouts (Stripe Elements, Braintree hosted fields) are in scope: they qualify for the shortest self-assessment questionnaire, SAQ A, but v4.0 also turns attention to the merchant page that hosts the iframe. Requirement 6.4.3 asks you to inventory, authorize and integrity-check every script loaded on a payment page, and Requirement 11.6.1 asks you to detect unauthorized changes to the HTTP headers and content of payment pages. A Content-Security-Policy that restricts script sources and frame ancestors is one of the mechanisms commonly used for 6.4.3, and a recorded header baseline is the natural starting point for 11.6.1, which is why the security-header factor below is the one WQI ties to this standard.
Who it applies to
Every site that touches cardholder data, including sites that only embed a processor's iframe or redirect to a hosted payment page. Outsourcing the card form changes which SAQ applies (and how much of the standard you must evidence yourself), not whether the standard applies.
How WQI scores it
Web Quality Index considers this standard satisfied when the supporting factor passes.
| # | Factor | Status |
|---|---|---|
| 4 | Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) | live |
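As an added worked example (not part of the WQI page or its scoring code), the check below evaluates one response's header set against the six headers in factor 4, flags values that are present but weak, and then compares a payment page's security headers against a recorded baseline, the kind of change detection PCI DSS v4.0 Requirement 11.6.1 asks for. The header dictionaries are constructed samples, `https://js.psp.example` is a placeholder for a payment processor's script host, and the thresholds (a one-year HSTS max-age, the set of Referrer-Policy values treated as leaky) are this example's own choices rather than WQI's published pass criteria.

```python
import re

# The six headers WQI factor 4 looks for (compared case-insensitively).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
    "x-content-type-options",
)

ONE_YEAR = 31536000  # seconds; this example's minimum HSTS max-age (assumption)
# Policies that send the full URL to other origins over HTTPS (assumption: treated as a fail).
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_headers(headers: dict) -> list:
    """Return findings for one response; an empty list means the factor passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED_HEADERS if name not in h]

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("strict-transport-security: max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("strict-transport-security: includeSubDomains not set")

    csp_value = h.get("content-security-policy")
    if csp_value is not None:
        csp = parse_csp(csp_value)
        # script-src governs scripts; default-src is the fallback when it is absent.
        script_sources = csp.get("script-src", csp.get("default-src"))
        if script_sources is None:
            findings.append("content-security-policy: neither script-src nor default-src set")
        else:
            for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if weak in script_sources:
                    findings.append(f"content-security-policy: {weak} allowed for scripts")
        if "frame-ancestors" not in csp:
            findings.append("content-security-policy: no frame-ancestors directive")

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unexpected value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("x-content-type-options: must be nosniff")

    rp = h.get("referrer-policy")
    if rp is not None and rp.lower() in LEAKY_REFERRER:
        findings.append(f"referrer-policy: {rp} leaks full URLs to other origins")

    return findings


def header_drift(baseline: dict, observed: dict) -> list:
    """Compare a payment page's security headers with a recorded baseline
    (a Requirement 11.6.1-style check). Only the six security headers are
    compared, so volatile headers such as Date do not produce noise.
    Returns [(header, baseline_value, observed_value), ...]."""
    b = {k.lower(): v for k, v in baseline.items()}
    o = {k.lower(): v for k, v in observed.items()}
    return [(n, b.get(n), o.get(n)) for n in REQUIRED_HEADERS if b.get(n) != o.get(n)]


# Constructed sample responses (not captured from any real site).
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' https://js.psp.example",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
    "X-Content-Type-Options": "nosniff",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://js.psp.example; "
        "frame-src https://js.psp.example; frame-ancestors 'none'; object-src 'none'"
    ),
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-Content-Type-Options": "nosniff",
}
# The same page after someone loosened the CSP: what a 11.6.1 check should catch.
TAMPERED = dict(HARDENED, **{"Content-Security-Policy": "default-src * 'unsafe-inline'"})

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_headers(hdrs) or "pass")
    print("drift:", header_drift(HARDENED, TAMPERED))
```

Run against a live page, the same `check_headers` would take the response headers from the payment page itself, not the processor's iframe; the iframe's headers are the processor's responsibility under its own assessment, while the hosting page's headers are yours.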
Related standards
- See also: TLS 1.2+, Security headers, SOC 2
Other references
- Regulation: PCI SSC — Standards index
- Guidance: PCI DSS v4.0.1 Quick Reference Guide