PCI DSS, Corporate Cards and Expense Management: What You Actually Need to Know
I've spent more hours of my life inside PCI DSS scope than I care to count. Audits, gap analyses, control reviews, midnight conversations with QSAs about whether a blurry screenshot in a Jira ticket counts as cardholder data. And the one thing I keep noticing is this: most people who buy expense management platforms have no idea what PCI DSS actually covers in their context. They see a logo on a vendor's website, they nod, they move on.
So this article is the conversation I'd have with you over coffee if you were about to sign with one of us. No marketing. No jargon. Just the things a CISO would tell you if there was no NDA in the room.
What is PCI DSS, in plain language?
PCI DSS is a rulebook. Twelve requirements, written by the card brands (Visa, Mastercard, Amex, Discover, JCB) and published through the PCI Security Standards Council, telling anyone who touches cardholder data how to handle it without setting their customers on fire.
The current version is PCI DSS v4.0.1, released in June 2024. It's not a small update. v4.0 introduced more than 60 new requirements, and a long list of them flipped from "best practice" to mandatory on March 31, 2025. If your vendor finalized their transition the week before the deadline, that tells you one thing about how they operate. If they were already running the new controls a year earlier, that tells you something else.
Here's the part nobody puts on the marketing page: PCI DSS is a floor, not a ceiling. Passing an audit means you've cleared the bar. It says nothing about how high you actually jumped.
Does PCI DSS apply to expense management platforms?
Yes. But almost certainly not in the way you imagine.
When most people picture PCI scope, they picture a checkout: a customer types their card number into a form, the form hands the number to a payment processor, the processor stores it, and that's where the standard kicks in. That's the e-commerce model. It is not the expense management model.
In our world, employees almost never type a card number into the platform. The data arrives through completely different doors:
- Bank card feeds: automated transaction files pushed daily or weekly from the card issuer to the platform. This is the front door.
- Statement files: periodic statements containing PANs, ingested for reconciliation.
- Uploaded receipts: and this is the door everyone forgets. An employee photographs a paper receipt at a hotel checkout, the card number is printed on it in plain text, and now there's a PAN sitting in your vendor's storage that nobody planned for.
- Manual entries: rare, but it happens when a transaction goes missing and someone fixes it by hand.
Each of these is a different surface, with different controls. A vendor that says "we're PCI compliant" and can't draw you the map of where every PAN lives in their environment is waving a flag they don't fully understand.
What's the difference between PCI DSS, ISO 27001 and SOC reports?
This is the question that trips up almost every buyer I talk to, because the three frameworks live in the same sentences on every vendor website and look interchangeable. They are not.
ISO/IEC 27001 is about governance. It certifies that an organization runs a structured Information Security Management System: policies, risk assessments, internal audits, management reviews. It says nothing specific about payment data. It says everything about whether security is managed like a discipline or like a fire drill.
PCI DSS is about protection. It applies specifically to cardholder data, with prescriptive technical and organizational requirements. Encryption. Access control. Logging. Network segmentation. Vulnerability management. The works.
SOC 1 / SOC 2 / ISAE 3402 are independent assurance reports. SOC 1 and ISAE 3402 focus on controls relevant to financial reporting. SOC 2 focuses on the five trust principles: security, availability, processing integrity, confidentiality, and privacy. They don't certify you. An auditor verifies, in writing, that your controls actually work; not just on paper, but in practice over a defined period.
The serious players in expense management today carry a combination of all three categories. SAP Concur, Ramp, Expensify, Rydoo, Mobilexpense, pick any of us, you'll find ISO 27001, PCI DSS, and at least one independent assurance report in the trust center. The badge soup is becoming the entry ticket. What separates the pack is what you do between the audits.
What are the PCI DSS compliance levels?
PCI DSS classifies organizations into merchant levels and service provider levels based on transaction volume. For SaaS vendors like Mobilexpense that handle card data on behalf of customers, the relevant tier is Level 1 service provider, the highest, which requires an annual on-site assessment by a Qualified Security Assessor (QSA) and a full Report on Compliance (ROC). (This level applies to large businesses that process roughly six million credit card transactions annually.)
Level 2 service providers can self-assess via a Self-Assessment Questionnaire (SAQ). It's a lighter process. It is also a different conversation when your auditors come asking.
The takeaway: ask your vendor which level they validate at, and ask to see the Attestation of Compliance, not the logo. The AoC is the only document that proves anything. Logos are stickers.
What actually changed with PCI DSS v4.0.1?
Five things matter to most SaaS environments:
Multi-factor authentication everywhere. MFA is no longer reserved for admin access. Any access into the cardholder data environment now requires it. If your vendor's engineers were still SSH'ing into prod with a password in early 2025, that boat has sailed.
Targeted risk analysis. v4.0.1 moves away from prescriptive frequencies ("do X every quarter") toward a model where the organization justifies its own cadence based on risk. More flexibility. Also more responsibility. A vendor that does this seriously will have actual risk analyses to show. A vendor that does it lazily will have a template.
Client-side script protection. Any web page that interacts with cardholder data now needs to inventory and integrity-check the scripts loaded in the user's browser. This is the requirement that catches a lot of teams off guard, because it lives outside the traditional server-side scope.
Stronger logging and monitoring. Broader audit trails, automated review, faster detection. The standard is closing the gap between "we have logs" and "we actually look at them."
Continuous validation. This is the philosophical one. v4.0.1 nudges the whole industry away from "once a year we panic, the rest of the year we relax" and toward an operational model where compliance is a daily rhythm. Whether your vendor took that nudge seriously is something you can hear within five minutes of asking the right question.
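The client-side script requirement above (PCI DSS v4 requirement 6.4.3) is easiest to see as an inventory check. As an added example (not the article's or any vendor's code), the function below compares the scripts actually observed on a payment page against an approved inventory keyed by subresource-integrity (SRI) digest, and emits the integrity attribute the browser enforces. The script URLs and bodies are constructed.

```python
import base64
import hashlib

def sri_hash(body: bytes) -> str:
    """SRI digest string for a script body, as used in <script integrity="...">."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")

def sri_script_tag(url: str, body: bytes) -> str:
    """The tag to ship: the browser refuses to run the script if its digest changes."""
    return f'<script src="{url}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'

def audit_page_scripts(inventory: dict[str, str], observed: dict[str, bytes]) -> dict[str, str]:
    """Classify every script seen on the page against the approved inventory.

    ok            body matches the approved digest
    tampered      URL is approved but the body differs (integrity failure)
    unauthorized  URL is not in the inventory at all (no written authorization)
    missing       approved script was not observed on the page
    """
    verdicts = {}
    for url, body in observed.items():
        if url not in inventory:
            verdicts[url] = "unauthorized"
        elif sri_hash(body) != inventory[url]:
            verdicts[url] = "tampered"
        else:
            verdicts[url] = "ok"
    for url in inventory:
        verdicts.setdefault(url, "missing")
    return verdicts

# Constructed data: script bodies as reviewed and approved, then what a crawl of
# the live page actually observed (one unchanged, one modified, one never approved).
APPROVED_BODIES = {
    "https://cdn.example.test/expense-form.js": b"window.ExpenseForm = {version: '3.2'};",
    "https://cdn.example.test/analytics.js": b"window.track = function (e) { /* approved */ };",
}
INVENTORY = {url: sri_hash(body) for url, body in APPROVED_BODIES.items()}

OBSERVED_BODIES = {
    "https://cdn.example.test/expense-form.js": APPROVED_BODIES["https://cdn.example.test/expense-form.js"],
    "https://cdn.example.test/analytics.js": b"window.track = function (e) { /* modified */ };",
    "https://tracker.example.test/pixel.js": b"new Image().src = 'https://tracker.example.test/p';",
}

if __name__ == "__main__":
    for url, verdict in audit_page_scripts(INVENTORY, OBSERVED_BODIES).items():
        print(f"{verdict:12} {url}")
```

Anything other than "ok" is a ticket, not a log line; the inventory only proves something if someone owns the exceptions it raises.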
How do I actually evaluate my expense management vendor's PCI compliance?
Forget the badge. Ask these five questions, and watch how the vendor reacts as much as what they say:
- What is your PCI scope, exactly? A serious vendor can describe it in two minutes, draw it on a napkin, and tell you which systems are in and which are out. A vendor who says "everything is in scope" is either lying, confused, or about to be very expensive.
- Show me your current AoC and the date of your last assessment. No AoC, no conversation. An expired AoC is worse than no AoC.
- How do you handle PANs that arrive in receipt images? This is the question that separates vendors who understand their own attack surface from vendors who copied a security page from a competitor. There is no good answer that starts with "we don't think about it."
- What did your last internal audit flag, and what did you change because of it? If the answer is "nothing was flagged," that's not a flex. That's a red flag. Real internal audits find things. The question is what you do with them.
- Who is personally accountable for PCI inside your organization? A name. A face. Not "shared with IT" or "owned by the security team." Real ownership is one human who loses sleep over it.
So are all expense management vendors PCI compliant?
The serious ones, yes. SAP Concur, Ramp, Expensify, Rydoo, Mobilexpense: we're all in the game. The badge has become the price of admission, not a competitive advantage. If you're shortlisting a vendor in this space and they don't hold PCI DSS, that's not a shortlist, that's a mistake.
What separates us isn't the logo. It's what happens on the 364 days when no auditor is in the room, and that's not something you can read off a trust center page. You have to ask. And you have to listen to how the answer is given, not just what's in it.
The bottom line
PCI DSS in expense management is its own beast. The data enters through doors that nobody warns you about, the risks are upstream rather than at checkout, and the gap between "certified" and "actually disciplined" is wider than the marketing pages suggest. Ask the questions above. Demand evidence rather than logos. And remember that the certification is the floor: what your vendor builds on top of it is the ceiling.
If a vendor can't tell you the difference, that's already an answer.
Christophe Mazzola is CISO at Mobilexpense, which holds ISO 27001, PCI DSS v4.0.1 (renewed for the second consecutive year) and ISAE 3402 Type 2 certifications.