PCI DSS
The Payment Card Industry Data Security Standard governs the handling of cardholder data; any AI vendor that processes, stores, or transmits payment card data must comply.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a security framework administered by the PCI Security Standards Council, which was founded by American Express, Discover, JCB, Mastercard, and Visa. Version 4.0 became the only active version when 3.2.1 was retired on 31 March 2024; version 4.0.1 (June 2024) superseded it with clarifications and is current as of 2026, and the future-dated requirements introduced in 4.0 became mandatory on 31 March 2025. Compliance is a contractual obligation imposed through the card brands and acquiring banks rather than a statutory one, and it applies to any entity that stores, processes, or transmits cardholder data. The validation method depends on the entity's level: merchants are assigned levels 1-4 and service providers (which is what an AI vendor normally is) levels 1-2, based on transaction volume. The top level requires an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance; lower levels complete a Self-Assessment Questionnaire (SAQ). Both routes end in an Attestation of Compliance (AOC).
AI and PCI scope
AI vendors enter PCI scope when prompts, model outputs, retrieved context, training data, or logs include cardholder data. This happens unintentionally more often than deliberately: a document fed to a retrieval-augmented generation (RAG) index contains a card number, a user pastes a card into a support chat, or an AI assistant writes conversation transcripts containing payment details to a log that is retained for months. A prompt carrying a CVV is worse than one carrying only a PAN: PCI DSS forbids storing sensitive authentication data after authorization at all (requirement 3.3.1), so a stored transcript with a CVV is a violation regardless of how well the PAN is protected. The safest posture is to scope AI processing out of cardholder data by never sending payment data to the AI in the first place, which in practice means detecting and removing PANs before a prompt is built or a transcript is written, and keeping evidence that this control exists and is tested. The second-safest is full PCI DSS compliance for the AI infrastructure, logs and vector stores included. Mixed-mode, "the AI sometimes sees card data", is the worst position because it inherits PCI scope without the controls, and an assessor will treat every system the data touched as in scope.
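The following is an added example of the "scope it out" control described above; it is not code from the page's author or from any PCI SSC publication. It scrubs Luhn-valid card numbers from RAG chunks and user messages before a prompt is assembled, and fails closed on a path (such as transcript logging) that is supposed to carry no cardholder data. The candidate regex, the last-four mask format, and the sample ticket text are assumptions constructed for illustration; the test card numbers are the standard brand test numbers, not real accounts.

```python
"""Pre-model PAN scrub: keep an AI pipeline out of PCI DSS scope by never
sending cardholder data to the model or its logs. Added example; the
candidate regex and mask format are assumptions, not a PCI SSC specification."""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run. Assumed heuristic; tune it.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


class CardholderDataError(ValueError):
    """Raised in strict mode when a PAN reaches a path that must stay out of scope."""


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by every card brand; filters most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs in text, normalised to digits only."""
    pans = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


@dataclass
class ScrubResult:
    text: str          # safe to send to the model / write to the transcript log
    pans_found: int    # how many PANs were removed; non-zero means scope leakage


def scrub(text: str, strict: bool = False) -> ScrubResult:
    """Replace every PAN with a last-four mask. PCI DSS 4.0 requirement 3.4.1
    allows at most BIN + last four when a PAN is displayed; keeping only the
    last four is the conservative choice. In strict mode, refuse instead of
    masking so that a no-cardholder-data path fails closed."""
    count = 0

    def _mask(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)      # not a card number: leave it alone
        count += 1
        return f"[PAN ****{digits[-4:]}]"

    cleaned = _PAN_CANDIDATE.sub(_mask, text)
    if strict and count:
        raise CardholderDataError(f"{count} PAN(s) found on a no-cardholder-data path")
    return ScrubResult(cleaned, count)


def build_prompt(chunks: list[str], question: str) -> ScrubResult:
    """Scrub retrieved RAG chunks and the user's question before they reach
    the model; returns the combined prompt plus the number of PANs removed."""
    pieces = [scrub(c) for c in chunks] + [scrub(question)]
    prompt = "\n\n".join(p.text for p in pieces)
    return ScrubResult(prompt, sum(p.pans_found for p in pieces))


if __name__ == "__main__":
    # Constructed sample: a support-ticket chunk that leaked a test card
    # number, plus an order number that merely looks like a PAN.
    chunks = [
        "Customer paid with 4111 1111 1111 1111 on order 1234567890123.",
        "Refund policy: 30 days for unopened items.",
    ]
    result = build_prompt(chunks, "Why was my refund delayed?")
    print(result.pans_found, "PAN(s) removed")
    print(result.text)
    # The transcript log is a no-cardholder-data path: fail closed.
    try:
        scrub("user typed 5500-0000-0000-0004 into the chat", strict=True)
    except CardholderDataError as e:
        print("blocked:", e)
```

The Luhn filter is what keeps order numbers, tracking IDs, and timestamps from being masked; without it a 13-19 digit regex alone produces enough false positives that operators turn it off. The `pans_found` counter is the metric to alert on: any non-zero value on the RAG ingest path means a document in the index still contains cardholder data and the index itself, not just the prompt, needs cleaning. The scrub is a detection control and will miss PANs that are split across chunks or obfuscated, so it reduces scope leakage rather than proving its absence.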
What buyers should verify
Ask: do you have a current PCI DSS Attestation of Compliance (AOC); at what level, and was it an SAQ or a QSA-led Report on Compliance; what were the assessment date and assessor (an AOC is point-in-time and is renewed annually, so a two-year-old one is expired); what is the scope of the assessment, meaning which services, environments, and regions are covered and whether the AI pipeline, its vector store, and its logging are among them; and what is your policy on cardholder data that enters the system through user prompts or ingested documents (how it is detected, how quickly it is purged, and whether the customer is notified). Vendors that don't process payments often have not pursued PCI DSS, and that's fine, but you'll want explicit contractual commitments that cardholder data will not flow through their system, plus a stated procedure for the case where it does despite that commitment.