The 12 Basic Requirements for PCI-DSS Compliance. Are You Up to Date?
This article has been published in collaboration with our good friends over at Payway, one of the world’s premier providers in the payment solutions space.
Navigating the landscape of PCI-DSS compliance can feel overwhelming, but it’s a cornerstone of safeguarding cardholder data and securing business transactions.
This guide aims to demystify the compliance process. We’ll explore the PCI standards, how to determine your compliance level, and the PCI-DSS control objectives and requirements. We’ll also provide a checklist to help you prepare for a compliance audit and review how third-party service providers can impact your compliance scope.
Understanding PCI-DSS Compliance
Achieving compliance may seem like just one more challenge to tackle, but these standards are essential for keeping commerce and business running smoothly.
Adhering to PCI-DSS regulations not only maintains your business’s good standing with card providers, but also helps uphold customer trust and protects your reputation by preventing costly data breaches. Without these standards, less secure systems would jeopardize cardholder data, making seamless transactions impossible.
So, starting from the top: what does PCI compliance mean?
PCI-DSS stands for “Payment Card Industry Data Security Standard” and refers to the security standards set forth by the PCI Security Standards Council. This organization, founded by major credit card brands such as Visa and Mastercard, defines the security standards required to protect customer and business information during and after financial transactions.
Any entity that stores, processes, or transmits cardholder data must comply with these security standards. This is necessary to avoid being barred from accepting card payments by the networks.
How Does PCI-DSS Impact Data Security?
PCI-DSS aims to ensure cardholder information and credentials are kept secure with a baseline level of cybersecurity. These measures reduce fraud and the risk of data breaches across the payment lifecycle.
At its root, PCI-DSS compliance has three main objectives:
- Ensuring cardholders’ data is collected and transmitted securely.
- Ensuring cardholder data is stored securely and protected by encryption, along with ongoing monitoring and security testing.
- Validating that the required security measures are in place via self-assessments, network scans, and on-site assessments, according to your compliance level.
Every organization has different technology, security and payment processing needs. In response, PCI-DSS compliance has four levels of security requirements.
Levels of PCI-DSS Compliance
PCI-DSS compliance levels depend on a business's annual transaction volume, with higher volumes requiring more rigorous verification. Level 1 organizations have the strictest standards, while Level 4 has the least. If a company experiences a data breach, it may be classified as Level 1 and subject to stricter security requirements.
Level 1
Criteria
Over 6 million transactions annually
Requirements
- Annual Report on Compliance (ROC) – Filed by a Qualified Security Assessor (QSA) or an internal auditor to detail the company's compliance.
- Quarterly Network Scan – Performed by an Approved Scan Vendor (ASV) to ensure the system is protected against evolving threats.
- Attestation of Compliance (AOC) for On-site Assessments – Document completed by a QSA that confirms compliance.
Level 2
Criteria
1-6 million transactions annually
Requirements
- PCI-DSS Self-Assessment Questionnaire (SAQ) – Various SAQ documents cater to the different scenarios in which merchants store, process, and transmit cardholder data.
- Quarterly Network Scan – Performed by an Approved Scan Vendor (ASV) to ensure the system is safeguarded against emerging and evolving threats.
- Attestation of Compliance (AOC) – A certification document from a QSA that verifies a company's compliance with PCI-DSS standards; each SAQ is linked to a specific AOC form for a particular business scenario.
Level 3
Criteria
20,000-1 million transactions annually
Requirements
- PCI-DSS Self-Assessment Questionnaire (SAQ) – Various SAQ documents cater to the different scenarios in which merchants store, process, and transmit cardholder data.
- Quarterly Network Scan – Performed by an Approved Scan Vendor (ASV) to ensure the system is safeguarded against emerging and evolving threats.
- Attestation of Compliance (AOC) – A certification document from a QSA that verifies a company's compliance with PCI-DSS standards; each SAQ is linked to a specific AOC form for a particular business scenario.
Level 4
Criteria
All other merchants
Requirements
- PCI-DSS Self-Assessment Questionnaire (SAQ) – Various SAQ documents cater to the different scenarios in which merchants store, process, and transmit cardholder data.
- Quarterly Network Scan – Performed by an Approved Scan Vendor (ASV) to ensure the system is safeguarded against emerging and evolving threats.
- Attestation of Compliance (AOC) – A certification document from a QSA that verifies a company's compliance with PCI-DSS standards; each SAQ is linked to a specific AOC form for a particular business scenario.
PCI-DSS Control Objectives
The PCI-DSS control objectives ensure that all companies handling credit card information maintain essential security standards to prevent data breaches and fraud.
Merchants must understand these objectives because, together, they help reduce the risk of data breaches, financial loss and reputational damage across all payment processes. Compliance helps merchants avoid penalties and continue accepting card payments.
There are 12 fundamental PCI-DSS compliance requirements. These are then grouped into six control objectives, which we’ve outlined below:
PCI-DSS Objective 1 | Build & Maintain a Secure Network & Systems
Establish robust protections to secure network infrastructure and system configurations to prevent data breaches and unauthorized access.
Requirement: Install & Maintain Network Security Controls
Implement and maintain preventative measures like firewalls and intrusion detection systems to protect the network.
Requirement: Apply Secure Configurations to All System Components
Configure operating systems, applications and network devices to minimize vulnerabilities and secure the environment against attackers.
PCI-DSS Objective 2 | Protect Account Data
Protect cardholder data with encryption during transmission over open networks to prevent theft.
Requirement: Protect Stored Account Data
Prevent unauthorized access and use of cardholder data within business systems (data at rest).
Requirement: Protect Cardholder Data With Strong Cryptography
Encrypt cardholder data to protect it while it is in motion, that is, whenever it is transmitted over open, public networks.
PCI-DSS Objective 3 | Maintain a Vulnerability Management Program
Safeguard against malware across all systems to ensure software security. Also, perform routine updates to protect against new vulnerabilities.
Requirement: Protect Systems & Networks From Malicious Software
Deploy anti-malware measures and keep them updated to protect against new threats.
Requirement: Develop & Maintain Secure Systems & Software
Ensure all proprietary software is PCI-DSS compliant and regularly update and patch systems to mitigate vulnerabilities.
PCI-DSS Objective 4 | Implement Strong Access Control Measures
Limit access to cardholder data to only those personnel with a legitimate business need and monitor all access to data.
Requirement: Restrict Access to Cardholder Data
Data access is allowed on a business “need-to-know” basis. Make sure that only individuals who need access to sensitive data can access it.
Requirement: Authenticate Access to System Components
Leverage strong authentication methods to verify the identity of anyone accessing sensitive data.
Requirement: Restrict Physical Access to Cardholder Data
Ensure the physical systems storing cardholder data are secure.
PCI-DSS Objective 5 | Regularly Monitor and Test Networks
Continuously monitor networks and log access to cardholder data while regularly testing security systems to identify and eliminate vulnerabilities.
Requirement: Log & Monitor All Access
Maintain detailed logs of all access to track potential security incidents involving any system components or cardholder data.
Requirement: Test Security of Systems & Networks Regularly
Conduct frequent tests to ensure security measures are effective against current threats.
PCI-DSS Objective 6 | Maintain an Information Security Policy
Comprehensive, rigorously enforced data security policies and ongoing education can help maintain a secure environment and prevent data breaches.
Requirement: Support Information Security With Policies & Programs
Develop and maintain organizational programs and policies that address current threats and regulatory requirements. Also, ensure employees understand and implement them.
PCI-DSS Compliance Checklist
With so many objectives and requirements, the idea of preparing for a PCI-DSS compliance audit can feel daunting. That’s especially true if this is your first time pursuing compliance.
Fortunately, the clearly defined requirements and objectives make it easy to plot a clear course to compliance success. Here’s what I’d recommend as your audit approaches:
This timeline provides a practical checklist, but you should still assess your company's unique compliance and security requirements and rely on your QSA for guidance.
Each step, from the initial engagement with your QSA through the post-assessment remediation and initial reporting, ensures you meet all aspects of PCI-DSS compliance to confirm your organization securely handles cardholder data.
Third-Party Service Providers & PCI-DSS Compliance
Of course, very few businesses handle all their processes without third-party service providers.
Those providers and their security measures can significantly impact your PCI-DSS compliance scope by expanding the areas where cardholder data is accessed, processed and stored. Sure, it's the third-party provider's security that's in question, but the burden of ensuring payment processes and data storage are secure falls to you.
To ensure your third-party providers remain in compliance, your business should:
- Conduct thorough assessments of each third-party provider and confirm their compliance status.
- Leverage contractual agreements that include specific PCI compliance requirements and responsibilities for the third-party provider.
- Regularly monitor and review the compliance status of third-party providers to ensure their ongoing adherence to PCI-DSS requirements.
- Incorporate your third-party providers’ points of vulnerability into your overall risk management strategy and include them in regular audits and assessments.
Taking these steps will help you better manage the risk associated with third-party providers, which is key to maintaining the robust security practices PCI-DSS standards require.
PCI-DSS & Your Payment Gateway
A PCI-DSS-certified payment gateway can reduce a business's PCI-DSS compliance scope by handling cardholder data transmission.
Ensuring your payment gateway is in line with requirements can streamline the compliance process. It’ll shift a lot of the data security burden from your business to the gateway.
To simplify your compliance scope, choose a payment gateway that:
- maintains compliance with PCI-DSS standards
- offers advanced security features, including tokenization and P2PE
- provides hosted payment pages that keep sensitive data off business systems
- integrates seamlessly with existing systems while upholding security standards
- possesses a long-standing reputation for reliability and excellent support
Keeping sensitive data off your systems will shift the burden of data security from you to the payment processor.

A Phased Approach: PCI-DSS Version 4
In 2022, the PCI Security Standards Council announced the release of PCI DSS 4.0, which includes updated compliance requirements.
Phase 1 of these updates requires organizations to inventory all environments that store or process cardholder data, enhance access security, and conduct a new risk assessment. This phase went into effect in March 2024.
Phase 2, which goes into effect in March 2025, requires businesses to further strengthen their security with:
- more robust firewall configurations to safeguard against network and application-level security vulnerabilities
- a reassessment of encryption protocols and key management practices
- file monitoring systems to track changes and alert administrators to any unauthorized access or modifications to critical files
- enhanced logging systems to improve incident detection capabilities and reduce response times
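As an added example of the file-monitoring item above (not code from the article or from Payway), here is a minimal change-detection tool in Python: it records a SHA-256 baseline of every file under a directory and later reports what was added, removed or modified. The directory tree, file contents and the simulated tampering are all constructed inside a temporary folder so the script runs offline; a real deployment would store the baseline where the monitored hosts cannot rewrite it and feed the report into the logging and alerting the next bullet describes.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baselines(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between a stored baseline and a fresh scan."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    # In production the baseline must live where the monitored hosts cannot rewrite it.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "conf").mkdir(parents=True)
        (root / "bin").mkdir()
        # Constructed placeholder files; names and contents are illustrative only.
        (root / "conf" / "app.ini").write_text("tls_min_version = 1.2\n")
        (root / "bin" / "payment-svc").write_bytes(b"\x7fELF constructed placeholder")

        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated unauthorized changes made after the baseline was taken:
        # a weakened config value and a file dropped into the binaries directory.
        (root / "conf" / "app.ini").write_text("tls_min_version = 1.0\n")
        (root / "bin" / "new-binary").write_bytes(b"dropped file")

        return compare_baselines(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names `conf/app.ini` as modified and `bin/new-binary` as added. Scheduling the comparison (weekly at minimum, and on every deployment) and alerting on a non-empty report is what turns this script into the monitoring control the phase 2 list calls for; the point is that the comparison runs against a baseline an attacker who gained write access to the host could not also alter.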
The phase 2 requirements may feel like an additional, extraneous challenge to some. However, these standards ensure cardholder data is better protected throughout the processes required to complete a transaction.
Phase 2 will help you build upon your existing foundation. It's the key to better safeguarding customer data against evolving threats while protecting your business' reputation.
It’s your responsibility to ensure that your systems comply by the March 2025 deadline. However, your third-party service providers will also be responsible for ensuring that their systems meet the phase 2 standards. This will help reduce the overall scope of your compliance requirements.
The Bottom Line
As technology evolves and transaction volumes increase, so does the complexity of data security requirements.
Understanding and implementing the PCI-DSS requirements is critical to maintaining a secure payments infrastructure. It’s up to every part of that system — businesses, third-party providers, banks, and card companies — to ensure security practices are kept in place and current.
To effectively combat these risks and achieve compliance, reduce your compliance scope by choosing third-party providers that are PCI-DSS compliant, practice transparent pricing, and implement advanced security measures to protect your customers.
FAQs
What is PCI DSS?
The Payment Card Industry Data Security Standard (or PCI-DSS) is a set of 12 information security standards. To be compliant, businesses must adhere to these standards when accepting, transmitting, processing, and storing customer credit card data to prevent loss or fraud.
What is PCI compliance?
Being PCI compliant means adhering to a set of 12 information security protocols outlined by the Payment Card Industry Data Security Standard (or PCI-DSS).
Who is required to be PCI compliant?
Compliance is mandatory for any organization that collects, handles, transmits, and/or stores personal cardholder data. At the same time, not all are held to the same requirements; different compliance levels may have more or less stringent stipulations.
Is PCI compliance required by law?
There are no federal PCI laws mandating or enforcing PCI compliance. However, there are almost always negative repercussions for companies that do not comply with PCI standards.
What happens if you are not PCI compliant?
A non-compliant business that experiences a data breach may receive large fines, fees, and penalties from the credit card networks, among other costs. They may be liable for any fraud that resulted from the breach. They may suffer the closing of their merchant account and possibly lose their card-acceptance privileges altogether.