Are all PCI DSS requirements mandatory or can I leave some out as "nice to have"?

The 12 PCI DSS requirements are mandatory. However, you can determine which controls are relevant to you depending on how you take payments (i.e. by telephone, face-to-face, via the internet, or through a third party). Selecting the correct Self-Assessment Questionnaire (SAQ) for your business will help determine which controls you need to apply to your cardholder data environment.