The Payment Card Industry Data Security Standard (PCI DSS) is the financial industry’s defense against cyber threats. It is a set of security mandates designed to protect cardholder data and keep fraudsters at bay. Version 4.x, the latest evolution, became mandatory in March 2024 and introduces new ways to secure payments, giving businesses more flexibility in how they achieve compliance. But there’s a catch: your PCI DSS scope—how deeply you need to comply—is dictated by your chosen payment integration method, as well as the number of card transactions processed each year.
For businesses processing payments through Peach Payments, the integration type directly impacts how much of the compliance burden falls on them versus their payment provider. From minimal involvement to full-scale security operations, let’s break down the three major approaches and their compliance implications.
Redirect to Peach Payments’ Hosted Checkout: The Lightest Compliance Load
How It Works: Customers are redirected to a secure payment page hosted by Peach Payments. Since all sensitive card data is handled externally, merchants deal with the lowest PCI DSS scope.
Merchant Responsibilities:
- Ensure their website is secure by implementing HTTPS and regularly updating plugins and platforms.
- Follow basic security measures, like enforcing strong passwords and access controls.
- Maintain a secure network, including firewalls and intrusion detection systems.
- Be aware of the new future-dated requirements coming into effect on 31 March 2025 and how these impact the merchant’s scope and responsibilities.
PCI DSS Scope: Minimal. Since cardholder data never touches the merchant’s environment, compliance is simplified. This method is ideal for businesses that want to reduce risk and avoid the heavy lifting of security management.
We also recommend that merchants who use Embedded Checkout complete a SAQ-A Form, which can be found on the PCI Security Standards Council website.
Read more about these types of forms in this blog
Embedded Checkout: Balancing Convenience and Compliance
How It Works: A payment widget is embedded directly into the merchant’s checkout page, allowing customers to pay without leaving the site. Peach Payments handles transaction processing, but some security responsibilities remain with the merchant.
Merchant Responsibilities:
- Securely integrate the payment widget, following Peach Payments’ security best practices.
- Implement strong access controls to restrict system access to authorized personnel only.
- Monitor for tampering and unauthorized changes using change detection mechanisms and log reviews.
- Maintain a secure network with firewalls and regular vulnerability testing.
PCI DSS Scope: Moderate. While merchants don’t handle raw cardholder data, they must ensure their checkout environment is secure. This means additional security measures, such as monitoring for attacks and limiting access to critical systems.
Peach Payments’ Embedded Checkout solution reduces the PCI 4.x scope for merchants (by helping merchants meet the future-dated requirements 6.4.3 and 11.6.1), while offering numerous other benefits such as alternative payment methods and customization capabilities.
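To make the “monitor for tampering and unauthorised changes” item concrete, here is an added example (not Peach Payments’ code and not its widget) of the kind of change detection requirements 6.4.3 and 11.6.1 call for: it builds an inventory of the scripts on an authorised copy of the checkout page and flags any script later found on the page that is not in that baseline. The widget URL, SRI value and sample HTML are constructed placeholders.

```python
# Added illustration (not Peach Payments code): change-and-tamper detection for an embedded
# checkout page, in the spirit of PCI DSS 4.x 6.4.3 (script inventory) and 11.6.1 (change detection).
import hashlib
from html.parser import HTMLParser

class ScriptInventory(HTMLParser):
    """Collects every <script>: external ones by src + SRI value, inline ones by body hash."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._buf, self._attrs = [], False, [], {}
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf, self._attrs = True, [], dict(attrs)
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip().encode()
            self.scripts.append({"src": self._attrs.get("src"), "integrity": self._attrs.get("integrity"),
                                 "sha256": hashlib.sha256(body).hexdigest()})

def script_id(s):
    """Stable identifier: URL plus SRI hash for external scripts, body hash for inline ones."""
    if s["src"]:
        return f"src:{s['src']}|integrity:{s['integrity'] or '-'}"
    return f"inline:{s['sha256']}"

def inventory(html):
    """Set of script identifiers found on one copy of the checkout page."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return {script_id(s) for s in parser.scripts}

def detect_changes(html, authorised):
    """Scripts present on the page but missing from the authorised baseline (sorted list)."""
    return sorted(inventory(html) - authorised)

# Constructed sample checkout page; the widget URL and SRI value are placeholders.
BASELINE_HTML = """<html><body>
<script src="https://widget.example-psp.test/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>initCheckout({"merchant": "demo"});</script>
</body></html>"""
AUTHORISED = inventory(BASELINE_HTML)  # captured once, when the page content was authorised

# Constructed sample: the same page after an unauthorised script tag was added.
TAMPERED_HTML = BASELINE_HTML.replace("</body>", '<script src="https://cdn.unknown.test/a.js"></script></body>')
```

In practice the baseline is stored with the change record that authorised it, and the check runs on a schedule against the live page so that a finding generates an alert rather than just a return value.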
Server-to-Server: Full Control, Maximum Compliance
How It Works: Merchants transmit cardholder data directly to Peach Payments via API, giving them full control over the payment experience—but also placing them in the highest PCI DSS scope.
Merchant Responsibilities:
- Encrypt cardholder data at rest and in transit using industry-best encryption techniques.
- Implement tokenization to replace sensitive data with unique identifiers.
- Enforce strict access controls to protect stored cardholder data.
- Maintain a robust security framework with firewalls, intrusion prevention, and regular penetration testing.
- Establish comprehensive security policies, including breach notification procedures and security training for employees.
- Continuously monitor and test security controls.
PCI DSS Scope: Extensive. Merchants handling raw cardholder data must comply with the strictest security requirements, including extensive monitoring, encryption, and policy enforcement. Businesses choosing this route must complete PCI SAQ D and, in some cases, undergo an independent PCI audit.
The March 2025 Deadline: Are You Ready?
The deadline for full PCI DSS v4.0 compliance, including future-dated requirements, is March 2025. This means that enterprise businesses would need to have their full PCI DSS 4.x checklist in order before their next audit.
For merchants, the choice of payment integration is as much about security as it is about business strategy. The question isn’t just how you want to accept payments—it’s how much risk you’re willing to take on.
Whatever your choice, one thing is clear: PCI DSS compliance isn’t optional. It’s the foundation of trust in online commerce, and staying ahead of the game isn’t just about meeting regulations—it’s about securing your business and your customers against an ever-changing threat landscape.
The deadline for new PCI requirements is around the corner. Visit this page to learn more.