Skip to main content
Gruv.ai logo

How Platform Operators Should Plan PCI DSS Level and Cost

By Gruv Editorial Team
Contributor
Updated on
22 min read
How Platform Operators Should Plan PCI DSS Level and Cost - hero image

Quick Answer

Map card-data touchpoints first, then confirm your validation route with the acquirer before locking architecture. PCI DSS level labels (1-4) are only a starting signal; cost is driven by CDE scope, ownership, and evidence workload. Build low-, medium-, and high-complexity budget scenarios, assign security, engineering, and finance or ops owners, and run a 90-day plan with hard gates for control design, live evidence capture, remediation priority, and retest booking. If volume is near 1 million or 6 million transactions, prepare for the heavier path early.

What Drives PCI DSS Level and Cost for Platforms#

PCI DSS planning for a marketplace or embedded-payments team is an operating-model decision, not just a compliance label. It can shape what you build versus delegate, how quickly you can ship payment features, and how much ongoing security work lands with product, engineering, and finance.

PCI DSS is the card-industry framework for protecting payment data. Any business that handles card payments is required to maintain PCI compliance, and merchants are grouped into 4 compliance levels based on annual card transaction volume. That gives you direction, but it does not produce a one-line budget. Effort can range from a short questionnaire to a much heavier security program, and cost can vary widely by business size, transaction volume, and security requirements. This article gives you three outputs:

  • A likely PCI level path based on what is broadly known about transaction-volume-based levels.
  • A practical annual cost envelope based on real cost drivers, not a generic average.
  • A 90-day execution sequence for product, engineering, and finance to test assumptions early and reduce rework, as a planning tool, not a guarantee.

Before you trust any estimate, confirm two basics: your annual card transaction profile and where card data is handled today. If either is unclear, level, cost, and launch planning can drift.

Some points are clear. PCI DSS has 12 core requirements, there are 4 compliance levels, and non-compliance can lead to fines, breaches, and reputational damage. PCI is also ongoing, not something you pass once. Only 14.3% of organizations maintained compliance in 2023, which underscores that the initial assessment is only the start.

Other points are less settled. In public guidance, marketplace and embedded-payments designs do not always map cleanly to one practical path. The same excerpts also do not provide a universal platform-specific pricing answer or establish one fixed Level 4 interpretation across all real-world setups. Where guidance is firm, this article is explicit. Where it is unclear, it says so plainly.

Related: Cross-Border Payments Guide for Platform Operators: Rails Costs Compliance and Speed Compared.

Build the right mental model before you budget#

The quickest way to misbudget PCI is to focus on the level label before you understand scope. Level labels matter, but your compliance effort is often driven more by how much Cardholder Data Environment, or CDE, scope your architecture creates.

PCI DSS is the baseline of technical and operational requirements for protecting payment account data. In practice, scope can include systems that store, process, or transmit cardholder data and systems that can affect its security. That is why "we do not store cards" is not enough on its own.

Scope is the cost engine#

If your design keeps cardholder data out of your systems, validation burden and ongoing compliance effort usually decrease. If you directly handle card data, expect more control ownership and more evidence to maintain compliance.

Before you draft a budget, run a scoping check that answers three things clearly:

  • Locate all flows of PAN and sensitive authentication data.
  • Remove storage that is not strictly required.
  • Segment networks so the CDE stays tightly isolated.

Those checks usually tell you more about likely compliance effort than a level label alone.

Budget for recurrence, not a one-off#

Treat PCI DSS v4.0 as an ongoing operating expense. Compliance means proving that your people, processes, and technology protect cardholder data to the required level. It is not a one-time event.

Before you lock in architecture choices, confirm program details with your payment brands or acquirer. The core standard is consistent, but related compliance programs can vary enough to change how you plan.

Map your platform model to a likely PCI level path#

Use a two-pass planning approach. First, use annual transaction volume to estimate a directional PCI level path. Then test that estimate against your platform model, because architecture and operating boundaries can affect how confident that first read really is.

The known part is straightforward: assessment approach can depend on volume, and many smaller merchants are commonly handled through SAQ-oriented paths, often discussed directionally as Levels 2 to 4. The less-settled part is exact platform mapping, including how acquirers and programs treat edge cases.

Compare common platform patterns side by side#

Platform patternWhat is usually known earlyWhat is usually unknown until acquirer/assessor reviewPlanning implication
Merchant of Record (MoR)-leaningPrimary ownership boundaries may be clearer earlyExact level treatment and final validation path for your specific setupDocument boundaries and evidence ownership early
Direct processor integrationInternal ownership and architecture complexity can grow quicklyWhether complexity pushes you into a heavier assessment path soonerPlan for more preparation and cross-team control ownership
Hybrid third-party service provider patternMixed internal and third-party responsibilities are commonControl boundaries and validation expectations across partiesBuild a clear responsibility matrix before assessment starts

Directional level/path reference (planning only)#

Annual volume bandLikely PCI Level directionExpected assessor pathConfidence level
Lower annual volumeSmaller-merchant bands, often Levels 2 to 4SAQ is often usedMedium
Mid annual volumeMay remain in smaller-merchant bands or move upwardSAQ may still apply; confirm with acquirerMedium
Higher annual volumeProgram-specific, may move beyond smaller-merchant treatmentAssessor review becomes more likelyLow to medium
Very high annual volumeHigher-scrutiny treatment is more likelyPlan for more formal validation preparation, then confirm final path in writingMedium

Use this as a routing aid, not a final ruling. A PCI DSS assessment is still a formal assessment against PCI requirements, whether your path is SAQ-led or assessor-led.

What to confirm before you lock the model#

Before you treat a platform model as settled, get three things in writing, or as close to it as possible:

  1. Validation guidance from your acquirer or processor for your current volume, projected growth, and operating model.
  2. SAQ- or ROC-aligned documentation and evidence readiness for your in-scope environment.
  3. A responsibility matrix across internal teams and third-party providers, because compliance has to be maintained across the organization.

If you are close to a threshold, plan for the higher-burden path early so volume or complexity changes do not force a late reassessment.

For the PCI DSS 4.0 changes that affect platform operators, see PCI DSS 4.0 for Platform Operators: What Changed and What to Do Next.

Build a cost envelope your CFO and product lead can trust#

A single benchmark number is usually false precision. PCI DSS compliance is important and operationally complex, and costs can vary widely based on business size, transaction volume, and security requirements. A useful budget shows assumptions, not just a headline total.

Use three scenarios instead of one number#

Build low-, medium-, and high-complexity scenarios, then tie each one to business size, transaction volume, and security requirements.

ScenarioBusiness sizeTransaction volumeSecurity requirements
Low complexitySmaller business assumptionsLower transaction volumeLighter security requirements
Medium complexityMid-range assumptionsMid-range assumptionsMid-range assumptions
High complexityLarger business assumptionsHigher transaction volumeHeavier security requirements

The point is not to guess the exact bill. It is to make the assumptions visible before finance locks a number and product makes timeline commitments. If those inputs are still unclear, budget the next-higher scenario until your assumptions are stable.

Break costs into owned line items#

Your budget gets more credible when every cost line has an owner. Split the estimate into named lines such as:

  • Business size assumptions: How organization size can change effort.
  • Transaction volume assumptions: How expected volume can move cost up or down.
  • Security requirements assumptions: How stricter requirements can increase effort.
  • Unknown pricing inputs: Keep exact fee totals as unknown until they are confirmed.

Track the drivers that move spend#

Cost driverWhat increases spendWhat reduces spendWhat you should not cut
Business sizeLarger business-size assumptionsRight-sized assumptions based on current operationsClear assumptions
Transaction volumeHigher transaction-volume assumptionsStable or lower volume assumptionsVolume tracking
Security requirementsMore demanding security requirementsSimpler, well-defined requirementsClarity on security requirements

Treat specific dollar amounts as unknown until these drivers are confirmed. A fixed-budget assumption is risky when these drivers can move this much.

For a step-by-step walkthrough, see What Is PCI DSS Compliance and Do You Need It?.

Choose architecture tradeoffs that reduce compliance drag#

The core architecture choice is about ownership, not vendor labels. Decide how much payment handling you need to control now versus later. If your near-term priority is speed and potentially lower compliance overhead, minimize direct card-data steps first, then add control only where the product case is strong.

PCI guidance is clear that responsibilities and scope get harder to manage as organizations grow and third-party relationships become more interconnected. That is why you need clear boundaries and ownership from the start.

What each model changes in practice#

PatternWhere payment handling sitsPCI/CDE scope implicationMain upsideMain constraint
Direct card handlingMore payment interaction stays in your app and integrationsMore of your environment may fall into tighter scoping and ownership workGreater direct ownership of payment-handling decisionsCan increase internal coordination and evidence burden
Third-party service provider patternA provider operates more of the payment flowYour direct touchpoints may be narrower when boundaries are clean and documentedCan reduce direct ownership of some payment-flow stepsRequires clear contracts, integration boundaries, and role clarity
Merchant of Record (MoR) patternThe MoR takes on more transaction-facing responsibilitiesScope and burden outcomes are model-specific and must be validated in your exact setupCan consolidate more transaction-facing responsibilities with one providerTradeoffs depend on provider terms and your operating model

Control versus speed is the real tradeoff#

More control usually means more PCI DSS ownership. Less direct handling can reduce early coordination overhead, but only if your architecture and contracts actually match that intent.

Business requirements still matter. They shape product and operating complexity, but they do not by themselves determine PCI level, assessor path, or final scope outcomes.

What to verify before you commit#

Before you sign or build, verify the parts that most often create rework later:

  • Map exactly where card data enters, moves, and could be exposed.
  • Document ownership under Roles, Responsibilities, and Ownership, including exception paths.
  • Confirm compliance agreements and expectations across your providers, acquirers, and channels.

Use a simple RACI. If ownership for key operating tasks and evidence collection is unclear, the architecture is not actually simpler yet.

For a practical view of how PCI DSS fits with SOC 2 and ISO 27001 for payment platforms, see Global Payment Compliance Certifications: PCI DSS SOC 2 ISO 27001 for Payment Platforms.

Prepare for assessment and validation without rework#

Validation delays usually come from avoidable problems: unclear ownership, late scope decisions, and evidence collection that starts too late. Once the architecture is set, the job is to make validation predictable.

A PCI DSS assessment is a formal examination of your environment against 12 requirements, and it serves as proof for card brands, acquiring banks, and customers. Treat preparation as ongoing operational work, not a last-minute document sprint.

Name owners before you name deadlines#

Deadlines help only after accountability is clear. A lightweight owner model can be enough:

  • Security owner: Interprets PCI DSS control intent, tracks gaps, and handles assessor-facing control questions.
  • Engineering owner: Implements controls in the scoped environment and keeps them effective through releases.
  • Finance or ops owner: Coordinates with acquirers, processors, and service providers, and keeps validation and reporting timelines on track.
  • Executive sign-off: Approves risk acceptance, funding, and unresolved issues before formal assessment.

This is a practical operating model, not a claim that PCI DSS 4.0 mandates these exact roles. The point is to prevent gaps between control design, implementation, and evidence collection.

Bring in a QSA when the path is unclear#

If your validation path is unclear, bring in a Qualified Security Assessor early. PCI SSC guidance explicitly calls out scope definition, SAQ use, reporting, and QSA selection as assessment-prep activities.

Early QSA input can be especially useful when payment flow crosses your app, hosted infrastructure, and third-party providers. Focus on scope boundaries, where payment data may touch, provider responsibilities, and how controls operate in business-as-usual processes, not just on paper.

Do not assume vendor involvement automatically narrows your burden. PCI guidance notes that risk can extend beyond merchant-owned systems to service-provider and acquirer-operated systems, so boundaries need to be validated explicitly.

Use four checkpoints that force real readiness#

A few hard gates are better than many soft status checks. Use these checkpoints to force real readiness:

CheckpointWhat must be true
Control design completePCI DSS scope is documented, owners are named, and scope-affecting design decisions are closed
Evidence capture liveDated evidence is being collected from normal operations now, not planned for later reconstruction
Remediation backlog prioritizedGaps are ranked by validation impact, scope impact, and risk
Retest window bookedReassessment capacity is scheduled before fixes land, so remediation does not stall

Do not let these turn into status labels. A common failure mode is lax security that leaves card data exposed. Keep scope documentation current, book retest capacity early, and treat any mid-cycle scope change as a trigger to recheck ownership and evidence immediately.

Assemble the evidence pack before auditors ask for it#

Evidence work should start before validation starts. PCI DSS is an ongoing operating practice, not a one-time exercise. Continuous monitoring, regular assessments, and documented controls only help if you can show proof when asked.

Start with proof of scope and ownership#

Your first evidence pack should make two things obvious: where cardholder data can touch your environment and who owns each control area. A practical operator pack should clearly show:

  • Where cardholder data is accepted, processed, stored, or transmitted
  • Which teams own each control area
  • Records from continuous monitoring and regular assessments

This is an operating baseline, not a PCI SSC-mandated checklist. If scope and ownership are unclear, every later control discussion slows down.

Keep contractual context with the evidence it affects#

PCI is enforced contractually by card brands and acquiring banks, so keep external obligations next to the control evidence they affect. If your acquirer or processor sends validation requests, deadlines, or escalation notices, store them with the related control records.

Treat card-brand and acquirer context as part of that responsibility chain. It makes it easier to show what your team did internally and what was required externally to avoid higher transaction fees or loss of card-processing privileges.

Keep adjacent certifications as support, not scope proof#

If you maintain adjacent certification materials, keep them as supporting context rather than primary PCI scope evidence. For PCI validation, your card-data boundaries and control operation records still need to stand on their own.

A useful checkpoint is simple: if a control cannot be shown with dated evidence, flag it as an assessment risk and close the gap early. It is cheaper to handle that before validation, when delays can turn into higher fees or card-processing risk.

Run a 90-day execution sequence for product, eng, and ops#

A 90-day cycle is a practical operating cadence to stabilize scope, ownership, evidence, and validation path. It is not a promise that PCI DSS is always fully completed in one quarter.

DaysMain focusKey activities
1 to 30Lock scope and level assumptionsTreat everything as in scope until verified otherwise; document segmentation boundary decisions; test level assumptions against real transaction data
31 to 60Implement highest-risk controls and prove they operateKeep a current scope view, a ranked remediation list with owners, a draft evidence map for the likely SAQ or ROC path, and scheduled external scans where ASV scanning applies
61 to 90Package evidence and execute the formal pathComplete pre-assessment review and evidence packaging; execute the expected path, such as an annual ROC by a QSA or an annual SAQ, depending on program requirements; set the post-assessment operating cadence

In days 1 to 30, lock scope and level assumptions#

Start with scope and level assumptions, because both drive timeline and cost. For scoping, use the conservative rule: treat everything as in scope until verified otherwise, including systems that can affect CDE security. If you plan to reduce scope through segmentation, document those boundary decisions now so they can be verified later.

In parallel, test your level assumptions against real transaction data. Visa merchant levels use a 12-month transaction window. Planning discussions often reference Visa thresholds such as over 6 million annual transactions (Level 1), 1 million to 6 million (Level 2), 20,000 to 1 million e-commerce (Level 3), and less than 20,000 e-commerce (Level 4). Use this as planning input, but confirm final validation expectations with your acquirer and applicable payment brands.

In days 31 to 60, implement highest-risk controls and prove they operate#

The middle of the cycle should focus on controls that matter most for validation readiness and card-data risk. Judge readiness against evidence, not status meetings. If a control has no dated proof, treat it as not ready.

Mid-cycle checkpoints should include a current scope view, a ranked remediation list with owners, a draft evidence map for your likely SAQ or ROC path, and scheduled external scans where ASV scanning applies. Keep scan timing tight. Where required, passing ASV external scan evidence is expected at least once every three months.

In days 61 to 90, package evidence and execute the formal path#

The final month is for pre-assessment review, evidence packaging, and formal execution of your expected path, for example an annual ROC by a QSA or an annual SAQ, depending on program requirements. By this point, scope decisions should already be stable.

Before you close the cycle, set the post-assessment operating cadence so controls and evidence collection continue on schedule, including quarterly scan activity where applicable.

Stop the line if scope moves#

If scope changes mid-cycle, re-baseline your timeline and budget immediately. New payment flows or new connections that can affect CDE security can invalidate earlier assumptions about scope, ownership, and validation path.

Not every scope change forces a full reassessment in every program. But it should trigger a planning reset, and a compromise event should be escalated quickly if it could trigger acquirer or payment-brand level changes.

Before you lock days 61-90, pressure-test your ownership model and scope assumptions against this Merchant of Record overview.

Avoid the failure modes that blow up timeline and spend#

Late spikes in timeline and spend usually come from weak readiness, not bad luck. The repeat offenders are late starts, scope mistakes, overlooked controls, and last-minute evidence collection.

Watch for CDE drift#

CDE drift can quickly disrupt audit readiness. Your Cardholder Data Environment includes card-data systems and any connected systems or networks that could affect them. So if product or infrastructure changes touch payment-adjacent paths, scope can expand and leave important components untested if you do not re-check boundaries.

Use a hard checkpoint for each major payment-related change: revalidate scope, update your evidence plan, and confirm testing coverage. As an ongoing readiness control, run PCI penetration testing at least annually and after major changes. This helps surface exploitable weaknesses that automated scans can miss.

Do not leave readiness ambiguous#

Unclear scope and evidence expectations can lead to disorganized preparation when validation starts. If your team cannot quickly state which controls are in scope and what evidence is expected, treat that as an active risk to timeline and budget.

A simple control-and-evidence map with a recurring review cadence is often enough to make gaps visible before deadlines.

Reject the annual scramble#

The annual scramble is usually a process failure, not a timing problem. Teams start late, misread scope, and then scramble for documentation and evidence near the audit window.

The practical fix is to treat PCI DSS as an ongoing framework: keep evidence collection live, tie checks to real system changes, and reset plans when scope shifts.

Handle country and program variation without overpromising#

Do not make final architecture commitments based on market or program assumptions alone. Keep one stakeholder view that separates what is confirmed from what is still pending. Use three labels and keep them current:

Diagram showing Handle country and program variation without overpromising for How Platform Operators Should Plan PCI DSS Level and Cost.
  • Confirmed: Validated internally, for example CDE scope and PCI control ownership.
  • Vendor-stated: Claimed by a provider but not yet verified for your launch path.
  • Pending partner confirmation: Items like market coverage or program availability that are not approved yet.

If your launch also depends on non-PCI operational gates, track those alongside PCI planning as separate blockers so unresolved dependencies do not delay go-live.

Before you choose a provider or expansion path, run light diligence that tests present capability:

  • Evaluate practical fit, including global reach and local expertise.
  • Ask sales or compliance contacts to clarify current market or program coverage.
  • Request a live demo of the working payment flow.
  • Treat mockups, wireframes, or roadmap-only answers as delivery risk.
  • If capabilities are missing, confirm custom-integration timeline and added cost before committing.

For call-center vendors that handle payment data, require verified PCI DSS Level 1 status with current proof. In that context, Level 1 is presented as non-negotiable and tied to ongoing audit and testing expectations, so pause commitments if the answer is "later."

Conclusion#

The practical goal is not passing PCI DSS once. It is choosing a payments architecture and operating cadence that you can sustain as volume grows and scope changes.

That can make costs and timelines more predictable. There is no single fixed PCI price, and cost is driven by your transaction profile, business size, and how card data is accepted, transmitted, or stored. Published ranges can help with planning context, but they are not a quote. Small organizations may see figures like $5,000 to $20,000, while large organizations may see $50,000 to $200,000.

If you can reduce direct handling of cardholder data, do that first. PCI obligations begin when you accept payment card data, and added touchpoints can increase scope and validation effort.

Before your next payments milestone, document your current CDE boundary, mark where card data is accepted, stored, processed, or transmitted, and assign an owner for each scope-driving area. If you cannot explain that boundary clearly on paper, your cost estimate may be too optimistic.

The validation path is where many teams get surprised. Merchant levels are tied to annual transaction volume. Level 1 starts above 6 million transactions per year and requires an annual on-site Report on Compliance plus quarterly external scans by an Approved Scanning Vendor. If you are nearing thresholds like 1 million or 6 million transactions per year, plan for the heavier path early. But do not assume merchant thresholds map cleanly to every platform role, because merchant and service-provider classifications use different level structures.

One final red flag is relying on labels instead of evidence. A vendor being PCI compliant does not automatically prove your integration is low scope, and a guessed level does not help if your acquirer expects a different validation path. For mixed models, pressure-test your likely path with your acquirer or assessor before a major release.

If you want one next-action list, keep it short:

  • Freeze and document the current CDE boundary.
  • Confirm where payment card data first enters your flow.
  • Assign accountable owners across security, engineering, and finance or ops.
  • Compare current and next-12-month volume against likely level thresholds.
  • Set a pre-release review point so scope changes trigger a re-check, not a fire drill.

Treat this as an operating decision with recurring validation work, not a one-time certification event, and you are more likely to reduce compliance surprises and product delays.

If you want to confirm market/program coverage and compliance gates before committing architecture, talk to Gruv.

Frequently Asked Questions

What PCI level do platform operators usually need?

Start by confirming scope based on whether you store, process, or transmit cardholder data, then align with what your acquiring bank or payment processor expects for validation. If you fully outsource payment processing, SAQ A may fit. If your website hosts elements that can affect card security, SAQ A-EP may apply.

Can two platforms with similar volume have very different PCI costs?

Yes. Similar payment volume can still lead to very different validation and remediation effort because PCI costs depend on multiple factors.

What usually drives the biggest cost increases?

Costs can rise when cardholder-data scope expands or remediation needs grow. Third-party providers that access, receive, or transmit cardholder data are also expected to be PCI compliant, so unclear ownership can create rework during validation.

Can we reduce PCI cost without increasing risk?

Sometimes, depending on implementation and scope. Using a PCI-compliant processor can simplify your requirements, but it does not make your platform compliant by itself. You still need to validate your integration and maintain your own compliance records.

Do SOC 2 or ISO 27001 replace PCI DSS?

No. SOC 2 and ISO 27001 do not substitute for PCI DSS requirements.

How should we budget in year one?

Use a base budget plus remediation contingency, because PCI spend depends on multiple factors and some costs appear only after scope and controls are evaluated. Keep budget checkpoints tied to validation work, remediation work, and readiness to provide attestation documents if your acquirer or processor requests them.

Gruv Editorial Team

Researched and edited by the Gruv editorial team. Gruv builds cross-border billing, payouts, and finance-operations software for global businesses.

Sources

  1. academia.edu/84409154/PCI_DSS_An_Integrated_Data_Security...trusted
  2. cfo.asu.edu/cfo-pdf-site-maptrusted
  3. cppa.ca.gov/meetings/materials/20250724_item5_fsor_app_a...trusted
  4. middlebury.edu/sites/default/files/2025-01/PCI-DSS-v4_0_1.pdftrusted
  5. scholar.dsu.edu/context/theses/article/1481/viewcontent/Awag...trusted
  6. sec.gov/Archives/edgar/data/1580560/0001193125260675...trusted
  7. treasury.uillinois.edu/UserFiles/Servers/Server_338/File/mcs_1Prepa...trusted
  8. txdot.gov/content/dam/docs/division/itd/cybersecurity/...trusted

Educational content only. Not legal, tax, or financial advice.

Related Posts

PCI DSS 4.0.1 Scope and Evidence Priorities for Platform Operators
Deep Dives28 min read

PCI DSS 4.0.1 Scope and Evidence Priorities for Platform Operators

If you're working through **pci dss 4.0 for platform operators**, start from PCI DSS [**v4.0.1**](https://blog.pcisecuritystandards.org/just-published-pci-dss-v4-0-1) because it is the active version. PCI SSC published v4.0.1 on **11 Jun 2024** as a limited revision that did **not** add or remove requirements, and v4.0 was retired on **31 December 2024**. Use v4.0.1 when you set scope, assign owners, and prepare assessment evidence.

pci dss 4 0evidence priorities1 scope and evidence
Read
How Platform Operators Choose Cross-Border Payout Rails by Corridor
Foundational Guides30 min read

How Platform Operators Choose Cross-Border Payout Rails by Corridor

The hard part is not choosing one "best" rail. It is choosing the right rail for each corridor and payout type, where cost, speed, access, and transparency pull in different directions. For any route, the practical question is simple: for this country pair, payout size, and recipient experience, which path gives you acceptable delivery, controllable cost, and audit-ready evidence?

cross-border payoutspayment corridorsswift
Read
How to Evaluate PCI DSS, SOC 2, and ISO 27001 for Payment Platforms
Deep Dives27 min read

How to Evaluate PCI DSS, SOC 2, and ISO 27001 for Payment Platforms

Certifications and regulatory authorisation answer different risk questions, so treat them as separate checks in payment-platform due diligence. For onboarding or renewal, focus on three things: what boundary is attested, who assessed it, and whether the activity also needs separate legal permission. This guide is for compliance, legal, finance, and risk owners evaluating `PCI DSS`, `SOC 2`, and `ISO/IEC 27001` without confusing them with UK regulatory status.

pci dsssoc 2iso 27001
Read