PCI-DSS Compliance

Protecting Customers’ Data Means Merchants are Protecting Themselves, too.

Daniel Nadeau | January 31, 2025 | 13 min read


What is PCI-DSS Compliance?

In a Nutshell

The term “Payment Card Industry Data Security Standard” may be unfamiliar, but you’ve likely heard of PCI compliance. PCI DSS is a set of security protocols organizations must follow if they accept credit cards. The rules for compliance are simple, but not necessarily easy. In this post, we answer all your PCI compliance questions.

The 12 Basic Requirements for PCI-DSS Compliance. Are You Up to Date?

Expert Insight

This article has been published in collaboration with our good friends over at Payway, one of the world’s premier providers in the payment solutions space.

Navigating the landscape of PCI-DSS compliance can feel overwhelming, but it’s a cornerstone of safeguarding cardholder data and securing business transactions.

This guide aims to demystify the compliance process. We’ll explore the PCI standards, how to determine your compliance level, and the PCI-DSS control objectives and requirements. We’ll also provide a checklist to help you prepare for a compliance audit and review how third-party service providers can impact your compliance scope.

Understanding PCI-DSS Compliance

Achieving compliance may seem like another challenge to tackle. But, these standards are essential for keeping commerce and business running smoothly.

Adhering to PCI-DSS regulations not only maintains your business’s good standing with card providers, but also helps uphold customer trust and protects your reputation by preventing costly data breaches. Without these standards, less secure systems would jeopardize cardholder data, making seamless transactions impossible.

So, starting from the top: what does PCI compliance mean?

PCI-DSS stands for “Payment Card Industry Data Security Standard” and refers to the security standards set forth by the PCI Security Standards Council. This organization, founded by major credit card brands such as Visa and Mastercard, defines the security standards required to protect customer and business information during and after financial transactions.

Any entity that stores, processes, or transmits cardholder data must comply with these security standards. This is necessary to avoid being barred from accepting card payments by the networks.


How Does PCI-DSS Impact Data Security?

PCI-DSS aims to ensure cardholder information and credentials are kept secure with a baseline level of cybersecurity. These measures reduce fraud and the risk of data breaches across the payment lifecycle.

At its root, PCI-DSS compliance has three main objectives:

  • Ensuring cardholders’ data is collected and transmitted securely.
  • Ensuring cardholder data is stored securely and protected by encryption, along with ongoing monitoring and security testing.
  • Validating that the required security measures are in place via self-assessments, network scans, and on-site assessments, according to your compliance level.

Every organization has different technology, security and payment processing needs. In response, PCI-DSS compliance has four levels of security requirements.

Levels of PCI-DSS Compliance

PCI-DSS compliance levels depend on a business's annual transaction volume, with higher volumes requiring more rigorous verification. Level 1 organizations have the strictest standards, while Level 4 has the least. If a company experiences a data breach, it may be classified as Level 1 and subject to stricter security requirements.

Level 1

Criteria

Over 6 million transactions annually

Requirements

  • Annual Report on Compliance (ROC): Filed by a Qualified Security Assessor (QSA) or an internal auditor to detail the company’s compliance.
  • Quarterly Network Scan: Performed by an Approved Scan Vendor (ASV) to ensure the system is protected against evolving threats.
  • Attestation of Compliance for On-site Assessments: Document completed by a QSA that confirms compliance.

Level 2

Criteria

1-6 million transactions annually

Requirements

  • PCI-DSS Self-Assessment Questionnaire (SAQ) – Various SAQ documents cater to different scenarios for storing, processing, and transmitting cardholder data by merchants.
  • Quarterly Network Scan by an Approved Scan Vendor (ASV) – Performed by an ASV to ensure the system is safeguarded against emerging and evolving threats.
  • Attestation of Compliance (AOC) – A certification document from a QSA verifies a company's compliance with PCI-DSS standards, with each SAQ linked to a specific AOC form for different business scenarios.

Level 3

Criteria

20,000-1 million transactions annually

Requirements

  • PCI-DSS Self-Assessment Questionnaire (SAQ) – Various SAQ documents cater to different scenarios for storing, processing, and transmitting cardholder data by merchants.
  • Quarterly Network Scan by an Approved Scan Vendor (ASV) – Performed by an ASV to ensure the system is safeguarded against emerging and evolving threats.
  • Attestation of Compliance (AOC) – A certification document from a QSA verifies a company's compliance with PCI-DSS standards, with each SAQ linked to a specific AOC form for different business scenarios.

Level 4

Criteria

All other merchants

Requirements

  • PCI-DSS Self-Assessment Questionnaire (SAQ) – Various SAQ documents cater to different scenarios for storing, processing, and transmitting cardholder data by merchants.
  • Quarterly Network Scan by an Approved Scan Vendor (ASV) – Performed by an ASV to ensure the system is safeguarded against emerging and evolving threats.
  • Attestation of Compliance (AOC) – A certification document from a QSA verifies a company's compliance with PCI-DSS standards, with each SAQ linked to a specific AOC form for different business scenarios.

PCI-DSS Control Objectives

The PCI-DSS control objectives ensure that all companies handling credit card information maintain essential security standards to prevent data breaches and fraud.

Merchants must understand these objectives because, together, they help reduce the risk of data breaches, financial loss and reputational damage across all payment processes. Compliance helps merchants avoid penalties and continue accepting card payments.

There are 12 fundamental PCI-DSS compliance requirements. These are then grouped into six control objectives, which we’ve outlined below:

PCI-DSS Objective 1  |  Build & Maintain a Secure Network & Systems

Establish robust protections to secure network infrastructure and system configurations to prevent data breaches and unauthorized access.

Requirement: Install & Maintain Network Security Controls

Implement and maintain preventative measures like firewalls and intrusion detection systems to protect the network.

Requirement: Apply Secure Configurations to All System Components

Configure operating systems, applications and network devices to minimize vulnerabilities and secure the environment against attackers.


PCI-DSS Objective 2  |  Protect Account Data

Protect cardholder data, both where it is stored and while it is transmitted over open networks, to prevent theft.

Requirement: Protect Stored Account Data

Prevent unauthorized access and use of cardholder data within business systems (data at rest).

Requirement: Protect Cardholder Data With Strong Cryptography

Encrypt cardholder data to protect it while it is transmitted across open, public networks (data in motion).


PCI-DSS Objective 3  |  Maintain a Vulnerability Management Program

Safeguard against malware across all systems to ensure software security. Also, perform routine updates to protect against new vulnerabilities.

Requirement: Protect Systems & Networks From Malicious Software

Deploy anti-malware measures and keep them updated to protect against new threats.

Requirement: Develop & Maintain Secure Systems & Software

Ensure all proprietary software is PCI-DSS compliant and regularly update and patch systems to mitigate vulnerabilities.


PCI-DSS Objective 4  |  Implement Strong Access Control Measures

Limit access to cardholder data to only those personnel with a legitimate business need and monitor all access to data.

Requirement: Restrict Access to Cardholder Data

Data access is allowed on a business “need-to-know” basis. Make sure that only individuals who need access to sensitive data can access it.

Requirement: Authenticate Access to System Components

Leverage strong authentication methods to verify the identity of anyone accessing sensitive data.

Requirement: Restrict Physical Access to Cardholder Data

Ensure the physical systems storing cardholder data are secure.


PCI-DSS Objective 5  |  Regularly Monitor and Test Networks

Continuously monitor networks and log access to cardholder data while regularly testing security systems to identify and eliminate vulnerabilities.

Requirement: Log & Monitor All Access

Maintain detailed logs of all access to track potential security incidents involving any system components or cardholder data.

Requirement: Test Security of Systems & Networks Regularly

Conduct frequent tests to ensure security measures are effective against current threats.
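The requirements "Protect Stored Account Data" (Objective 2) and "Log & Monitor All Access" (Objective 5) meet in practice when a full PAN leaks into application logs, which then quietly become an unintended store of account data. The Python below is an added example, not code from this article, Chargebacks911 or Payway: it validates candidate card numbers with the Luhn check, masks them so only the last four digits are visible, derives a keyed reference with HMAC-SHA256 so the PAN itself never has to be stored for lookups, and scrubs a few constructed sample log lines. The key, the log lines and the card numbers are all constructed placeholders (the card numbers are publicly documented test numbers, not real accounts).

```python
import hashlib
import hmac
import re

# Constructed placeholder. In a real deployment the key lives in a KMS or HSM
# (PCI-DSS key-management requirements) and never sits in source code.
TOKEN_KEY = b"placeholder-key-from-kms"

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run (so order ids and timestamps are skipped).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; "4111..." and "4242..." are public test numbers.
SAMPLE_LOG = [
    "2025-01-31T10:02:11Z INFO checkout order=1234567890123456 card=4111 1111 1111 1111 status=approved",
    "2025-01-31T10:02:12Z DEBUG retry card=4242424242424242 attempt=2",
    "2025-01-31T10:03:00Z INFO healthcheck ok",
]


def _digits_only(value: str) -> str:
    """Strip spaces, dashes and anything else that is not a digit."""
    return re.sub(r"\D", "", value)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN for display with only the last four digits visible."""
    digits = _digits_only(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_reference(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash of the PAN: lets records be correlated without storing the PAN.

    A keyed hash (rather than plain SHA-256) is used so that an attacker who
    obtains the stored references cannot simply hash all possible PANs.
    """
    return hmac.new(key, _digits_only(pan).encode(), hashlib.sha256).hexdigest()


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form.

    Digit runs that fail Luhn (order ids, tracking numbers) are left untouched.
    """
    def _repl(match: re.Match) -> str:
        digits = _digits_only(match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_PATTERN.sub(_repl, line)


def scrub_log(lines: list[str]) -> list[str]:
    """Scrub a whole batch of log lines before they are written or shipped."""
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG, scrub_log(SAMPLE_LOG)):
        print("before:", original)
        print("after: ", cleaned)
    print("reference:", pan_reference("4111 1111 1111 1111")[:16], "...")
```

Scrubbing at the logging layer is a control, not a substitute for keeping PANs out of business systems in the first place; the hosted payment pages and tokenization discussed later in this article reduce how much code ever sees a PAN, which is why they shrink compliance scope.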


PCI-DSS Objective 6  |  Maintain an Information Security Policy

Comprehensive, rigorously enforced data security policies and ongoing education can help maintain a secure environment and prevent data breaches.

Requirement: Support Information Security With Policies & Programs

Develop and maintain organizational programs and policies that address current threats and regulatory requirements. Also, ensure employees understand and implement them.


PCI-DSS Compliance Checklist

With so many objectives and requirements, the idea of preparing for a PCI-DSS compliance audit can feel daunting. That’s especially true if this is your first time pursuing compliance.

Fortunately, the clearly defined requirements and objectives make it easy to plot a clear course to compliance success. Here’s what I’d recommend as your audit approaches:


12 Months Before Assessment

Identify your level of compliance and engage with a QSA to initiate the process.

If renewing your certification, confirm your overall compliance scope and ensure that any third-party solutions that reduce your scope stay active until the following assessment.


9 Months Before Assessment

Collaborate with your QSA to identify gaps and review the PCI-DSS compliance attestation of your third-party solutions.

If renewing certification, reaffirm that all ASV scans are happening on schedule and that any issues identified during these scans are addressed.


6 Months Before Assessment

Confirm that your data security policies are up to date.

Identify questions or concerns and review your requirements and your planned penetration test scope with your QSA.

Establish a timeline and expectations for submitting your Report on Compliance (ROC).

If pursuing certification for the first time, initiate ASV scans at this stage.


3 Months Before Assessment

Review your evidence request list and obtain current network flow diagrams.

Officially schedule your validation assessment and determine which personnel must be involved in person and virtually.

Make travel arrangements for those who need to be present in person for the assessment.


2 Weeks Before Assessment

Confirm the availability of all required personnel and confirm access to sensitive areas.

Inform managers and supervisors of assessment requirements and share the assessment agenda from the QSA with all relevant parties.


During the PCI Validation Assessment

Ensure open coordination and communication among the QSA, security coordinators, and other required personnel.

Review compliance steps with the QSA.


Post-PCI Validation Assessment

Within 30 days after your assessment, work with your QSA to identify, understand, and close compliance gaps.

After remediation, your QSA can upload the remediation evidence into the audit portal.


30-45 Days After Assessment

Expect to receive a report on the process and outcomes.

After completing all remediation tasks, the audit lead will release the completed SAQ and AOC documents with the report.

This timeline provides a practical checklist. But, you should assess your company’s unique compliance and security requirements and rely on your QSA for guidance.

Each step, from the initial engagement with your QSA through the post-assessment remediation and initial reporting, ensures you meet all aspects of PCI-DSS compliance to confirm your organization securely handles cardholder data.

Third-Party Service Providers & PCI-DSS Compliance

Of course, very few businesses handle all their processes without third-party service providers.

Those providers and their security measures can significantly impact your PCI-DSS compliance scope by expanding the areas where cardholder data is accessed, processed and stored. Sure, it’s the third-party provider’s security that’s in question. But, the burden of ensuring payment processes and data storage are secure falls to you.

To ensure your third-party providers remain in compliance, your business should:

  • Conduct thorough assessments of each third-party provider and confirm their compliance status.
  • Leverage contractual agreements that include specific PCI compliance requirements and responsibilities for the third-party provider.
  • Regularly monitor and review the compliance status of third-party providers to ensure their ongoing adherence to PCI-DSS requirements.
  • Incorporate your third-party providers’ points of vulnerability into your overall risk management strategy and include them in regular audits and assessments.

Taking these steps will help you better manage the risk associated with third-party providers. That will be key to maintaining the robust security practices required to align with PCI-DSS standards.

PCI-DSS & Your Payment Gateway

A PCI-DSS-certified payment gateway can reduce a business's PCI-DSS compliance scope by handling cardholder data transmission.

Ensuring your payment gateway is in line with requirements can streamline the compliance process. It’ll shift a lot of the data security burden from your business to the gateway.

To simplify your compliance scope, choose a payment gateway that:

  • maintains compliance with PCI-DSS standards
  • offers advanced security features, including tokenization and P2PE
  • provides hosted payment pages that keep sensitive data off business systems
  • integrates seamlessly with existing systems while upholding security standards
  • possesses a long-standing reputation for reliability and excellent support

Important!

Keeping sensitive data off your systems will shift the burden of data security from you to the payment processor.


A Phased Approach: PCI-DSS Version 4

In 2022, the PCI Security Standards Council announced the release of PCI DSS 4.0, which includes updated compliance requirements.

Phase 1 of these updates requires organizations to inventory all environments that store or process cardholder data, enhance access security, and conduct a new risk assessment. This phase went into effect in March 2024.

Phase 2, which goes into effect in March 2025, requires businesses to further strengthen their security with:

  • more robust firewall configurations to safeguard against network and application-level security vulnerabilities
  • a reassessment of encryption protocols and key management practices
  • file monitoring systems to track changes and alert administrators to any unauthorized access or modifications to critical files
  • enhanced logging systems to improve incident detection capabilities and reduce response times

The phase 2 requirements may feel like an additional extraneous challenge to some. However, these standards ensure cardholder data is better protected throughout the processes required to complete a transaction.

Phase 2 will help you build upon your existing foundation. It’s the key to better safeguarding customer data against evolving threats while protecting your business’s reputation.

It’s your responsibility to ensure that your systems comply by the March 2025 deadline. However, your third-party service providers will also be responsible for ensuring that their systems meet the phase 2 standards. This will help reduce the overall scope of your compliance requirements.

The Bottom Line

As technology evolves and transaction volumes increase, so does the complexity of data security requirements.

Understanding and implementing the PCI-DSS requirements is critical to maintaining a secure payments infrastructure. It’s up to every part of that system — businesses, third-party providers, banks, and card companies — to ensure security practices are kept in place and current.

To effectively combat these risks and achieve compliance, reduce your compliance scope by choosing third-party providers that are PCI-DSS compliant, and who practice transparent pricing and implement advanced security measures to protect your customers.

FAQs

What is PCI DSS?

The Payment Card Industry Data Security Standard (or PCI-DSS) is a set of 12 information security standards. To be compliant, businesses must adhere to these standards when accepting, transmitting, processing, and storing customer credit card data to prevent loss or fraud. 

What is PCI compliance?

Being PCI compliant means adhering to a set of 12 information security protocols outlined by the Payment Card Industry Data Security Standard (or PCI-DSS).

Who is required to be PCI compliant?

Compliance is mandatory for any organization which collects, handles, transmits, and/or stores personal cardholder data. At the same time, not all are held to the same requirements; different compliance levels may have more or less stringent stipulations.

Is PCI compliance required by law?

There are no federal PCI laws mandating or enforcing PCI compliance. However, there are almost always negative repercussions for companies that do not comply with PCI standards.

What happens if you are not PCI compliant?

A non-compliant business that experiences a data breach may receive large fines, fees, and penalties from the credit card networks, among other costs. They may be liable for any fraud that resulted from the breach. They may suffer the closing of their merchant account and possibly lose their card-acceptance privileges altogether.
