PCI DSS stands for Payment Card Industry Data Security Standard. It is a mandatory standard for any organization that accepts, processes or stores payment card data. The standard was jointly developed by Visa, Mastercard, American Express, Discover and JCB. Every entrepreneur opening an online store today should know its basics — otherwise their merchant accounts can get shut down.
Why PCI DSS exists
Card data is the most valuable prize for cybercriminals. A single card number on the black market sells for 5 to 100 dollars, and corporate dumps go for thousands. PCI DSS was created specifically to reduce that risk. The standard includes 12 core requirements: network security, data encryption, access control, monitoring, regular testing and a security policy. Each requirement consists of sub-points and is verified by an auditor.
Four merchant levels
PCI DSS splits merchants into four levels based on annual transaction volume. Level 1 — over 6 million transactions per year, the strictest requirements and a mandatory on-site audit. Level 2 — between 1 and 6 million, with a simplified self-assessment. Level 3 — e-commerce between 20 thousand and 1 million. Level 4 — the smallest merchants, under 20 thousand a year. Most online stores in Uzbekistan fall under Level 4, but that does not exempt them from the rules.
SAQ — Self-Assessment Questionnaire
Small and medium merchants get a self-assessment form instead of an on-site audit. SAQ-A — when all payments go through an external provider and no card data is entered on or passes through the merchant's site. SAQ-A-EP — when the provider still processes the payment, but the merchant's own checkout page controls how the customer's card data is sent to that provider. SAQ-D — when card data is entered directly on the merchant's site and handled by its systems. The integration recommended by Sayt.uz usually fits under SAQ-A, which is the easiest and safest option.
Tokenization and P2PE
The best way to shrink PCI DSS scope is to not store card data at all. Tokenization replaces the card number (PAN) with a random token that has no mathematical relationship to it; the real number remains only with the payment provider, and the merchant keeps just the token and, at most, a masked form of the number. Point-to-Point Encryption encrypts the card data at the point of interaction (the card reader or entry form), and decryption happens only at the provider's secure endpoint, so the merchant's systems never see it in clear. Together these two technologies take most of the merchant's environment out of audit scope and drastically reduce risk.
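To make the scope argument concrete, here is an added illustration (not code from Sayt.uz, Payme, Click or any real provider) of what a tokenizing checkout looks like from the merchant's side. The provider-side vault, the token format, the order record and the PAN scan are all hypothetical; the card number used is the well-known "4111 1111 1111 1111" test PAN, not a real account. The last function is the check a defender actually wants: scan what the merchant stores or logs and confirm nothing in it passes as a card number.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed input: a standard test PAN, not a real card.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class ProviderVault:
    """Hypothetical payment-provider side: the only place the real PAN lives."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        # Random token: grouped hex so no 13+ digit run can ever look like a PAN.
        token = "tok_" + "-".join(secrets.token_hex(2) for _ in range(8))
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider can map a token back; the merchant never calls this."""
        return self._store[token]


@dataclass
class MerchantOrder:
    """Everything the merchant database is allowed to keep about the card."""
    order_id: str
    token: str
    masked_pan: str
    amount_uzs: int


# Scope check: any run of 13-19 digits that also passes Luhn is treated as a PAN.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """Return True if a merchant-side record or log line appears to hold a card number."""
    return any(luhn_valid(m.group()) for m in PAN_PATTERN.finditer(text))


def checkout(vault: ProviderVault, pan: str, order_id: str, amount_uzs: int) -> MerchantOrder:
    """Tokenize at the provider, then persist only token + mask on the merchant side."""
    token = vault.tokenize(pan)
    return MerchantOrder(order_id, token, mask_pan(pan), amount_uzs)


if __name__ == "__main__":
    vault = ProviderVault()
    order = checkout(vault, TEST_PAN, "order-1", 150_000)
    print(order)
    print("merchant record holds a PAN:", contains_pan(str(order)))
```

Running `contains_pan` over database exports and application logs is a cheap way to verify that an SAQ-A style integration really keeps the PAN out of the merchant environment; a hit means the store has drifted into SAQ-D territory regardless of what the provider contract says.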
Sayt.uz in practice
Sayt.uz payment gateways work directly with Payme, Click and Uzcard — no byte of card data is stored on the customer site. This automatically falls under PCI DSS Level 4 SAQ-A and removes 95 percent of audit obligations from the customer. The Sayt.uz infrastructure itself holds Level 1 certification and is audited annually by external auditors. As of 2026, more than 1450 of our customers use the payment module, with monthly module activation starting at 120 thousand soum.