Skip to main content

On-demand webinar coming soon...


Beginner's guide to PCI DSS compliance

If your organization stores, processes, or transmits cardholder data, you’ll need to be PCI DSS compliant. Here’s how

Katrina Dalao
Sr. Content Marketing Specialist, CIPM
June 13, 2023

People walking across a stone court.

Some of the most publicized credit card data breaches have impacted big brands like Equifax, British Airways, Marriott Hotels, Target, and Capital One. But, in reality, small businesses are equally as vulnerable to cyber risks.  

To help organizations of all sizes protect cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) was established as a global standard to enhance the security of payment account data.

PCI DSS compliance is mandatory for all merchants and service providers, whether you process one or one thousand credit card transactions. 

In this article, we break down everything you need to know about PCI DSS and the steps to proving and maintaining compliance. 

Our latest webinar on PCI DSS walks you through how to streamline and accelerate your road to compliance.


Why was PCI DSS established? 

Let’s start with a bit of background on the PCI DSS framework. While ecommerce dates back to the 1970s, the first versions of the online shopping we know today only emerged in the mid-90s. Amazon and eBay led the way with the launch of their online marketplaces in 1995. Then, once PayPal released its digital payment system three years later, multiple ecommerce sites like Alibaba, IndiaMART, and Etsy began popping up in the years to follow. 

These online transactions came with an unintended downside — the rise of data theft and fraud. Cyber criminals quickly found ways to infiltrate payment systems and steal confidential credit card information. 

Payment brands responded by implementing security standards to protect their cardholder data. Eventually, the “Big Five” — Mastercard, Visa, American Express, Discovery, and JCB — decided to consolidate efforts and formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006.


What is PCI DSS compliance?

The Payment Card Industry Data Security Standards (PCI DSS) was created by the PCI SSC as a guide for entities that store, process, or transmit cardholder data. With established policies and procedures, the PCI DSS sets global standards to secure payment card transactions and protect the personal information of cardholders.

The PCI DSS is not a law, but it applies to all entities involved in the payment card ecosystem. Its compliance is also mandated by most major payment brands. Many jurisdictions, such as Nevada, Minnesota, and Washington, have also elected to incorporate PCI DSS into their regulations. Failure to comply can result in fines, penalties, or card processing restrictions. 


Who needs to be PCI compliant? 

PCI DSS compliance is mandatory for merchants, service providers, and any other organization involved in the payment card ecosystem. 

PCI DSS defines merchants as “any entity that accepts payment cards bearing the logo of a PCI SSC participating payment brand as payment for goods and/or services.”

Service providers encompass a broader spectrum, including any entity “directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.”

An organization can be both a merchant and a service provider. For example, an internet service provider is a merchant that accepts payment cards for monthly bills and is also a service provider if it hosts other merchants as customers.


4 Levels of PCI DSS compliance 

PCI DSS compliance is mandatory for any entity that deals with cardholder data, but not all requirements will be the same. Factors such as the total number of transactions and particular cardholder data environment will determine the organization’s level and exact compliance requirements.

While each payment brand has their own compliance program and classifications, merchants generally fall into one of four levels:

  • Level 1 Merchants: More than 6 million payment card transactions annually
  • Level 2 Merchants: Between 1 million and 6 million payment card transactions annually
  • Level 3 Merchants: Between 20,000 and 1 million payment card transactions annually
  • Level 4 Merchants: Fewer than 20,000 online transactions annually    

Service providers are classified into two levels: 

  • Level 1 Service Providers: More than 300,000 payment card transactions annually
  • Level 2 Service Providers: Less than 300,000 payment card transactions annually

* Payment card transactions includes all in-person and online transactions


What are the requirements of PCI DSS?

The PCI DSS outlines six goals and 12 requirements for entities to enhance the security of cardholder data:  

Build and maintain a secure network and systems

1. Install and maintain network security controls
2. Apply secure configuration to all system components

Protect account data  

3. Protect stored accounts data 
4. Protect cardholder data with strong cryptography during transmission over open public networks 

Maintain a vulnerability management program 

5. Protect all systems and network from malicious software
6. Develop and maintain secure systems and software 

Implement strong access control measures 

7. Restrict access to system components and cardholder data by business need-to-know 
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data  

Regularly monitor and test networks  

10. Log and monitor all access to system components and cardholder data 
11. Test security of systems and networks regularly  

Maintain an information security policy 

12. Support information security with organizational policies and programs

There are additional PCI DSS requirements in Appendix A 

  • Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers
  • Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections 
  • Appendix A3: Designated Entities Supplemental Validation (DESV) 

Note: Every payment brand will also have its own audit requirements.


Who are the professionals involved in PCI DSS?

PCI DSS compliance involves assessing and confirming that the security controls and requirements are sufficiently met by the entity. This involves any of the following PCI SSC qualified industry professionals: 

  • Qualified Security Assessor (QSA): An independent security organization certified by the PCI SSC to assess and validate an entity's adherence to PCI DSS
  • Internal Security Assessor (ISA): An employee sponsored by their company to perform internal assessments, recommend remediation solutions, and act as a liaison with external PCI DSS auditors
  • Approved Scanning Vendor (ASV): An organization qualified to use a set of data security services and tools to determine if a company is compliant with PCI DSS external scanning requirements


How do entities satisfy PCI DSS requirements? 

Validation documents are used to convey an entity’s PCI DSS compliance to acquiring banks or payment brands. 

Acquiring banks, also referred to as “acquirers” or “merchant banks,” are typically financial institutions that processes payment card transactions for merchants. Payment brands are the card agencies (e.g., Visa, Mastercard, American Express) responsible for implementing and enforcing PCI DSS.

Depending on its classification level or number of transactions, entities are either required to undergo a detailed PCI DSS assessment (performed by a QSA) and submit a Report on Compliance or may be eligible to conduct a self-assessment and submit a Self-Assessment Questionnaire. Both documents are accompanied by an Attestation of Compliance, signed by the entity and the QSA (if applicable). 

Quarterly submission of an ASV scan report for network vulnerability scanning may also be required as part of compliance. 

Report on Compliance (ROC): A detailed report that documents the results of a PCI DSS on-site assessment performed by QSA. ROCs are more comprehensive than the Self-Assessment Questionnaires, including information about the entity's cardholder data environment, how each requirement was assessed and validated, and samples selected by the QSA. 

Self-Assessment Questionnaire (SAQ): An alternate validation report for entities that meet the SAQ Eligibility Criteria and are eligible to conduct self-assessments to satisfy PCI DSS compliance. 

SAQs are relatively simpler compared to ROCs and composed of yes-or-no questions. There are nine different SAQs available — eight for merchants and one for service providers — depending on the entity’s environment. 

To determine whether an entity is eligible to complete an SAQ and which SAQ is appropriate, it’s best to contact the acquiring bank or payment brand.

Attestation of Compliance (AOC): A declaration of the results of a PCI DSS assessment or audit, completed and signed by the entity and the QSA (if applicable). AOCs are submitted to the acquiring bank or payment brand, along with the ROC, SAQ, and any other documentation.

The table below shows exactly what’s required for each level of PCI compliance: 


Merchant levels of PCI Compliance    
Merchant Level 1Validation includes an ROC by a QSA, quarterly network scan by an ASV, and an AOC form
Merchant Level 2Mostly includes an SAQ, quarterly network scan by an ASV, and an AOC form
Merchant Level 3

Compliance level determined by payment brand and acquirer 

Mostly includes an SAQ, quarterly network scan by an ASV, and an AOC form

Merchant Level 4

Compliance level determined by payment brand and acquirer

Mostly includes an SAQ, quarterly network scan by an ASV, and an AOC form


Service Provider levels of PCI Compliance    
Service Provider
Level 1
Validation includes an ROC by a QSA, quarterly network scan by an ASV, and an AOC form 
Service Provider
Level 2
Validation includes an SAQ, quarterly network scan by an ASV, and an AOC form


Your PCI DSS compliance journey

As you can see, PCI DSS has hundreds of controls and extensive documentation designed to combat data breaches and theft. However, if you’re just starting on your PCI DSS journey, we recommend focusing on a few key points. Here are the four key milestones and estimated timelines to expect on the path to PCI DSS compliance: 


1. Scoping

  • Determine level of PCI DSS compliance: Merchant Level 1-4, Service provider Level 1-2
  • Determine PCI DSS scope: Cardholder data environment, system components, network segments, card data flows, etc. 
  • Identify applicable SAQ, as applicable

Estimated timeline (without Certification Automation): 2-4 months 

Estimated timeline (with Certification Automation): 1-3 months 

Save an average of one month’s time scoping for PCI DSS compliance, with Certification Automation’s automated scoping wizard that generates required controls, policies, and evidence tasks, and removes duplicative tasks across security frameworks.


2. Self-assessment

  • Perform internal self-assessment
  • Fill out SAQ and identify gaps 
  • Remediate gaps/issues
  • Implement controls
  • Performs ASV scan (vulnerability scan) 
  • Engage and appoint QSA, if needed

Estimated timeline (without Certification Automation): 7-12 months 

Estimated timeline (with Certification Automation): 2-6 months

Reduce your assessment time by an average of six months by relying on Certification Automation’s automated readiness assessments, expert guidance, intuitive workflows, and centralized policy distribution and attestation tracking.


3. Third-party audit

  • QSA performs the review (audit)
  • Issues ROC and AOC, if applicable

Estimated timeline (without Certification Automation): 1-2 months 

Estimated timeline (with Certification Automation): 1-2 weeks

Save as many as three weeks on the audit process with a central system of record that controls user access and enables real-time collaboration throughout the evidence collection process.


4. Monitoring

  • Maintain compliance
  • Adhere to evidence collection interval

Estimated timeline (without Certification Automation): 4 months, annually

Estimated timeline (with Certification Automation): 2 months, annually

Save two months every year that you monitor your PCI DSS compliance by automating up to 36% of evidence collection tasks and reinforcing consistent best security practices across your organization.


The next step to PCI DSS compliance

From the outset, all these PCI DSS controls and compliance requirements can be overwhelming. Just remember that PCI DSS is a standardized framework with a range of tools and actionable steps to protect your cardholder data. 

Determining your organization’s level of compliance and its specific validation documents will help simplify the process. OneTrust Certification Automation also delivers built-in expertise and automated integrations to speed up the process and guide you through the steps of your PCI DSS compliance journey.

With OneTrust Certification Automation, you can build, scale, and automate your security compliance program, reduce your cost of compliance up to 60%, and obtain certifications 50% faster.  

You may also like


Technology Risk & Compliance

5 automation trends to modernize InfoSec compliance

Join our webinar for insights on transforming InfoSec program management. Navigate the complexities of modern security with a flexible, scalable, and cost-effective approach.

February 07, 2024

Learn more


GRC & Security Assurance

Breaking down Europe’s top InfoSec & Cybersecurity frameworks: Tips to evaluate your current state or next steps

In this webinar, we examine the ISO/IEC 27001 and how it compares to other cybersecurity frameworks and regulations such as the SOC 2 and the EU Cybersecurity Act.

September 12, 2023

Learn more


Internal Audit Management

The future of PCI DSS: Prepare your organization for v4.0

Learn the new PCI DSS v4.0 requirements and prepare your organization for compliance in six steps.

July 28, 2023

Learn more


Internal Audit Management

Working toward compliance with PCI DSS v4.0

Learn the key considerations of the PCI DSS v4.0 security standard and plan your next steps towards compliance with this free infographic.

June 16, 2023

Learn more

Data Sheet

Internal Audit Management

Certification Automation external audit management

Take a look at how OneTrust Certification Automation can help streamline your preparation for audits, drive accountability, and track results.

May 17, 2023

Learn more


Ethics Program Management

Policy on development and administration of policies template

Get a head start on your ethics program and create a policy on development and administration of policies with our customizable template.

May 10, 2023

Learn more


Internal Audit Management

How much does SOC 2 cost?

Determine the SOC 2 certification costs for your business and learn how to save time and money at each step.

September 09, 2022

Learn more