
PCI DSS

Payment Card Industry Data Security Standard (PCI DSS v4.0)

Mandatory security standard for every Canadian business that accepts cards

Overview

PCI DSS is a mandatory technical and operational security standard for any organization that stores, processes, or transmits payment card data. Any Canadian merchant — from an e-commerce startup to a national retailer — must comply with PCI DSS. Non-compliance can result in fines, increased transaction fees, and loss of card acceptance privileges.

Authority
PCI Security Standards Council
Jurisdiction
International (applies to all merchants)
Effective date
PCI DSS v4.0 — March 31, 2024
Applicability

Who must comply with PCI DSS?

Any merchant or service provider that stores, processes, or transmits cardholder data — regardless of size. Canadian merchants are subject to PCI DSS through their payment processor agreements. E-commerce businesses, restaurants, retailers, and SaaS platforms with in-app payments all must comply.

Compliance scope
Your organization collects personal information
You operate in the applicable jurisdiction
Commercial activities are involved
You use or disclose personal data


Requirements

Key obligations under PCI DSS

Network Security

Install and maintain firewalls, segment your cardholder data environment from other networks, and change vendor default passwords.

Protect Cardholder Data

Encrypt cardholder data at rest and in transit. Never store the CVV or full magnetic stripe (track) data after authorization.

Vulnerability Management

Maintain anti-malware, patch all systems regularly, and conduct quarterly vulnerability scans.

Access Control

Restrict access to cardholder data on a need-to-know basis. Assign unique IDs to every person with computer access.

Monitoring & Testing

Log all access to network resources and cardholder data. Conduct annual penetration testing on your cardholder data environment (CDE).

Information Security Policy

Maintain a security policy addressing all PCI DSS requirements. Review it annually and communicate it to all staff.

Enforcement

Penalties & enforcement

Maximum penalty
$5,000–$100,000/month until compliant (from card brands)
Enforced by: Visa, Mastercard, Amex (through acquirer agreements)
Notable case

Heartland Payment Systems was fined $145M after a breach affecting 130M cards — the largest at the time

How Canuckt keeps you penalty-free:
PCI DSS-PIPEDA gap analysis showing how your payment data protection obligations overlap with Canadian privacy law
Cardholder data environment (CDE) inventory tool to scope your PCI DSS compliance requirements
Breach response template that satisfies both PCI DSS incident response and PIPEDA breach notification requirements
Vendor questionnaire for payment processors and third-party payment service providers

Run a free PCI DSS gap assessment

Answer 47 questions, get a scored gap report, and see exactly what you need to do to comply with PCI DSS — in under 3 hours. Free forever.
