PCI-DSS (Payment Card Industry Data Security Standard) is mandatory for all institutions that process card data. Levels range from 1 (6M+ transactions/year) to 4 (20K-1M transactions/year). In Türkiye it applies alongside KVKK and Law No. 6493 (6493 SK).
Levels
| Level | Annual transactions | Audit |
|---|---|---|
| 1 | 6M+ | Annual QSA on-site |
| 2 | 1M-6M | Annual SAQ + ASV scan |
| 3 | 20K-1M | Annual SAQ + ASV scan |
| 4 | 20K-1M | Annual SAQ (self) |
12 PCI-DSS requirements
Where can a PCI-DSS audit be obtained in Türkiye?
From QSA (Qualified Security Assessor) companies. Approved QSAs operating in Türkiye include KPMG, EY, Deloitte, PwC, Procoders and Tridom. An annual on-site audit costs roughly 25-100K USD.
Does it conflict with KVKK?
They do not conflict; they complement each other. PCI-DSS focuses on card data, whereas KVKK covers all personal data. The data security requirement of KVKK Article 12 is easily met through PCI-DSS compliance.
Is tokenization sufficient?
Tokenization narrows the PCI-DSS scope but does not eliminate it: the infrastructure that generates tokens and holds the token-to-PAN mapping remains in scope.
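The scope boundary described above, as an added illustration that is not part of the original page: the merchant application stores only a random token and a masked PAN, while the token vault is the single component that ever holds the full card number and therefore stays inside PCI-DSS scope. The in-memory vault, the `tok_` token format and the sample PAN are assumptions for the example (a production vault would be an encrypted, access-controlled store, typically HSM-backed).

```python
import re
import secrets

# Constructed sample PAN: a well-known Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(pan: str) -> bool:
    """Basic input sanity: does the digit string pass the Luhn checksum?"""
    digits = [int(c) for c in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    pan = re.sub(r"\D", "", raw)
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a plausible PAN")
    return pan


def mask_pan(raw: str) -> str:
    """Display form allowed outside the vault: at most the last four digits visible."""
    pan = normalize_pan(raw)
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """The only component that sees full PANs; this is what remains in PCI-DSS scope.
    (Assumed in-memory implementation for illustration only.)"""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}   # same card -> same token

    def tokenize(self, raw: str) -> str:
        pan = normalize_pan(raw)
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # Random token: it carries no information about the PAN and cannot be
        # reversed without access to the vault's mapping table.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Restricted operation: only the payment path inside scope may call this."""
        return self._token_to_pan[token]


def store_order(vault: TokenVault, raw_pan: str, amount: int) -> dict:
    """Merchant side (out of the cardholder-data scope once tokenized):
    retains the token and masked PAN, never the PAN itself."""
    return {
        "token": vault.tokenize(raw_pan),
        "masked_pan": mask_pan(raw_pan),
        "amount": amount,
    }


def record_holds_pan(record: dict, raw_pan: str) -> bool:
    """Scope check: does the stored record contain the full PAN in any field?"""
    pan = normalize_pan(raw_pan)
    return any(pan in re.sub(r"\D", "", str(v)) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    order = store_order(vault, SAMPLE_PAN, 4990)
    print(order)
    print("merchant record holds PAN:", record_holds_pan(order, SAMPLE_PAN))
    print("vault can recover PAN:", vault.detokenize(order["token"]) == normalize_pan(SAMPLE_PAN))
```

The merchant record is what leaves scope; the `TokenVault` instance, its mapping table and the `detokenize` path are exactly the "token-producing and mapping infrastructure" the answer says stays in scope.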
What happens in the event of a breach?
Card scheme (Visa, MC) penalties: 5K-100K USD per month; Turkish payment integrators may terminate the contract; KVKK Article 12/5 breach notification within 72 hours. Customer compensation lawsuits are lengthy.
What is the difference between SAQ and RoC?
SAQ (Self-Assessment Questionnaire): Levels 2-4. RoC (Report on Compliance): Level 1, prepared by a QSA.
Relevant legislation
- Law No. 6493 — Payment & electronic money; licensing, operating permit.
- BRSA Regulations — Payment institution / EML permission, capital, reporting.
- 5549 SK — MASAK; KYC, STR, regular activity.
- KVKK + GDPR — Data security, cross-border transfer.
- PCI-DSS — Card storage; PCI level 1-4 compliance.