PCI-DSS compliance is mandatory for card-processing fintech; negligence brings serious sanctions and loss of insurance coverage.
Levels
- Level 1: 6M+ transactions per year.
- Level 2: 1M-6M transactions per year.
- Level 3: 20K-1M e-commerce transactions per year.
- Level 4: <20K e-commerce transactions per year.
Basic requirements
- Secure network + firewall.
- Card data encryption.
- Access control + log.
- Regular pen-test + audit.
KVKK parallel
- Card data is processed as personal data.
- Explicit consent and a defined storage process are required.
Frequently asked
Is masking the card number enough?
With tokenization the risk is reduced, but PCI-DSS compliance is still required.
Is PCI-DSS 4.0 mandatory?
Yes; the 2024-2025 transition period is complete.
If I outsource (Stripe etc.), where does the responsibility lie?
Shared; the main responsibility still rests with the operating party.
Relevant legislation
- Law No. 6493 — Payment and electronic money; licensing, operating permit.
- BRSA Regulations — Payment institution / EMI permission, capital, reporting.
- Law No. 5549 — MASAK; KYC, STR, regular activity.
- KVKK + GDPR — Data security, cross-border transfer.
- PCI-DSS — Card storage; PCI level 1-4 compliance.