A Little History
Before PCI DSS, every credit card company had its own security program. Visa had CISP, Mastercard had SDP, Amex had DSOP — and it was a mess. Merchants didn’t know which rules to follow. Security was inconsistent. Fraud was exploding.
In 2004, Visa, Mastercard, Amex, Discover, and JCB finally came together and said: enough. They formed the PCI Security Standards Council (PCI SSC) and created one standard: PCI DSS — the Payment Card Industry Data Security Standard.
It wasn’t perfect, but it gave the industry a starting point to get serious about securing cardholder data.
Who Has to Care About PCI DSS
If you store, process, or transmit credit card data — you’re in.
It doesn’t matter if you’re a one-person Shopify store or a global SaaS platform. If you touch cardholder data in any way, PCI DSS applies to you.
Two main groups:
- Merchants: Companies taking credit card payments directly from customers.
- Service Providers: Companies that handle payments or data on behalf of other companies. (Most SaaS companies fall into this bucket.)
No one gets a free pass. You’re either compliant — or you’re a risk.
How Compliance Actually Works
Here’s the simple breakdown:
- Self-Assessment Questionnaire (SAQ): You answer questions yourself. You promise you’re doing the right thing. Best for smaller companies or low-risk setups.
- Report on Compliance (RoC): A QSA (Qualified Security Assessor) audits you, top to bottom. You don’t just say you’re compliant — you prove it. Required for larger merchants or service providers.
RoC is the full deep dive. SAQ is the lighter version.
If you’re big, if you’re handling card data directly, or if you’re a SaaS platform holding payment info — you’re probably headed for a RoC.
RoC vs AoC
This trips people up all the time:
| Type | Purpose | Who It’s For |
|---|---|---|
| RoC (Report on Compliance) | Full audit report. 300+ pages. Internal document for auditors and internal teams. | QSA, security teams |
| AoC (Attestation of Compliance) | Executive summary that says, “We passed.” What you give to customers, banks, and partners. | External stakeholders |
If someone asks you for your “PCI certificate,” they mean your AoC — not your RoC.
QSA vs SAQ: Picking Your Path
| Path | Description | When to Use |
|---|---|---|
| QSA Audit (RoC) | Hire a PCI-certified auditor to do a full-blown review. Expensive, painful, but required if you handle lots of card data. | You’re storing or processing credit card data directly. |
| Self-Assessment Questionnaire (SAQ) | Do it yourself. Easier, faster, cheaper — if you qualify. | You’re using hosted payment solutions and never touch card data. |
Pro tip:
If you store card numbers or touch them directly — expect to need a RoC.
If you’re redirecting to Stripe or Braintree — you can usually stick with an SAQ.
Merchant vs Customer
Customers have no PCI responsibilities. They expect merchants and service providers to handle it.
Merchants and service providers?
- You’re on the hook.
- You’re the one paying fines if something goes wrong.
- You’re the one explaining a breach to regulators and customers.
How SaaS Companies Should Look at PCI DSS
If you’re running a SaaS company, there are two plays:
1. Stay Light
- Offload as much card data processing as you can to Stripe, Adyen, Braintree, etc.
- Never touch the card data.
- Stay on the simplest SAQ you can (ideally SAQ A).
2. Own It
- If your product processes, stores, or transmits cardholder data, you can’t hide.
- Build to PCI DSS standards.
- Undergo annual audits (RoC).
- Get your AoC ready for every deal cycle and security questionnaire.
There’s no middle ground here. Either you’re in-scope light — or you’re carrying the full PCI burden.
Real Talk: SaaS and PCI Today
In 2025, customers expect you to have PCI dialed in even if you don’t process cards directly.
Example:
You’re a SaaS platform selling subscriptions. Stripe handles your payments.
Your customers still ask you for your PCI AoC.
Why? Because if their customers are trusting you, they need to make sure you’ve done your part — even if your part is just securing the login page, the API endpoints, and admin access to payment settings.
If you’re serious about SaaS, PCI DSS isn’t optional anymore.
It’s table stakes.
Key Takeaways
- PCI DSS isn’t a government certification. It’s an industry standard.
- You don’t get “certified PCI.” You become compliant — and prove it with an AoC.
- RoC is for auditors. AoC is for customers.
- If you touch card data directly, prepare for a RoC and real work.
- If you offload payments properly, SAQs are your best friend.
- SaaS companies need to plan for PCI compliance early — or eat it later.
Your Move
If you’re building SaaS and payments are anywhere on the roadmap, start mapping out your PCI story now — before sales or partnerships start asking for it.
Trust me — designing around it early is way easier than scrambling later.