
What Does PCI Stand For? A Beginner’s Guide to Payment Security

Chris Brown
Published September 4, 2025

PCI stands for Payment Card Industry. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps merchants and service providers protect cardholder data against theft, fraud, and loss.

The PCI DSS is at the heart of global payment card security, providing guidance to payment processors, merchants, and service providers on how to protect cardholder data amid an ever-changing threat landscape.

In this guide, we explore what PCI DSS stands for, why compliance is so important, and how you can meet its requirements.

What Does PCI DSS Stand For?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of 12 requirements, agreed by the card brands and maintained by the PCI SSC, for keeping cardholder data as secure as possible against fraud, hacking, and loss.

Overseen by the PCI SSC (the Payment Card Industry Security Standards Council), these rules are not laws and are not enforced by governments. They are enforced contractually: merchants and service providers commit to them in their agreements with acquiring banks and the card brands, and following them helps businesses honor the data protection commitments they make to their customers.

As such, our team personally recommends that card-handling businesses always follow PCI DSS guidelines—it is always better to be safe than sorry.

The PCI SSC was founded by the world’s biggest payment brands: Visa, Mastercard, American Express, Discover, and JCB.

The Importance of PCI DSS compliance

It’s vital to keep any cardholder data secure, and being PCI DSS compliant ensures you take the right steps to do so. Failure to comply with the PCI DSS may lead to a loss of customer trust, reputation, and revenue.

Further risks of avoiding PCI DSS compliance include fines and service restrictions imposed by the payment card brands through your acquirer and, after a breach, liability for fraud losses, card reissuance costs, forensic investigation, and customers’ legal claims.

Data breaches can be devastating to companies of all sizes – it’s not only a reputation hit, but also a heavy cost:

“The global average breach cost dropped to USD 4.44 million from USD 4.88 million in 2024, a 9% decrease and a return to 2023 cost levels.”
IBM, Cost of a Data Breach Report 2025

While IBM states that breach costs may be dropping, a breach is still a huge and unnecessary expense. PCI DSS applies to every entity that stores, processes, or transmits cardholder data: not only large corporations, but also small businesses that handle relatively few card transactions each year.

It’s a key reason why we’ve made SecureTrust PCI Manager accessible to all business owners. Whether you run a large conglomerate or are a sole trader, you benefit from following the PCI DSS requirements.

Regardless of how many transactions you take and the details you hold, adhering to PCI DSS standards ensures you’re as protected as possible.

What Are the PCI DSS Requirements?

The 12 PCI DSS requirements stipulate that you must maintain network security controls, use secure configurations, render stored account data unreadable, encrypt cardholder data in transit over public networks, protect against malware, maintain secure systems and software, restrict access to cardholder data, identify and authenticate users, restrict physical access, log and monitor access, regularly test your security, and maintain an information security policy.

Here’s a quick breakdown of each requirement.

Requirement: examples
1. Uphold network security: install and maintain network security controls (firewalls and segmentation rules) that restrict traffic between the cardholder data environment and untrusted networks.
2. Apply secure configurations to all system components: change vendor-supplied defaults (default accounts, passwords, and settings), disable unnecessary services, and harden each system before it goes live.
3. Protect stored account data: keep retention to a minimum, never store sensitive authentication data (CVV, full track data, PINs) after authorization, mask the PAN when it is displayed, and render stored PANs unreadable by truncation, tokenization, strong encryption, or a keyed hash.
4. Encrypt data in transit: use strong cryptography (for example TLS) whenever cardholder data crosses open, public networks.
5. Protect systems and networks from malware: run maintained anti-malware software, keep it updated, and scan regularly.
6. Develop and maintain secure systems and software: patch promptly, follow secure development practices, and retire obsolete or unnecessary components.
7. Restrict access to cardholder data by business need to know: grant the minimum access each role requires and deny by default.
8. Identify users and authenticate access: a unique ID for every user, strong authentication, and multi-factor authentication for all access into the cardholder data environment.
9. Restrict physical access: control and log physical access to systems and media that hold cardholder data (cameras, badges, visitor logs).
10. Log and monitor all access: record every access to system components and cardholder data, protect the logs from tampering, and review them.
11. Test security regularly: run internal and external vulnerability scans at least quarterly (external scans by an Approved Scanning Vendor) and penetration tests at least annually and after significant changes.
12. Maintain an information security policy: document a policy everyone must read, run security awareness training, and review the policy at least yearly.

Understanding PCI DSS Compliance Levels

PCI DSS compliance levels split merchants and service providers into one of up to four categories, mostly based on how many payment card transactions they process each year.

These compliance levels determine which businesses need to complete a full assessment by an independent Qualified Security Assessor (QSA) and which are eligible to submit a self-assessment questionnaire, or SAQ.

The four specific levels can vary depending on the payment card brand or processor. To demonstrate, here are the levels for merchants (as generally followed by payment card brands):

Compliance level: merchant qualification and action needed

Level One
Qualification:
- Processes more than six million card transactions yearly
- Has suffered an attack resulting in data compromise (at the card brand’s discretion)
Action needed: annual on-site assessment by a QSA, resulting in a Report on Compliance (ROC)

Level Two
Qualification: processes between one and six million card transactions yearly
Action needed: annual SAQ, or an on-site assessment at the acquirer’s or payment card brand’s request

Level Three
Qualification: processes between 20,000 and one million e-commerce card transactions yearly
Action needed: annual SAQ

Level Four
Qualification: doesn’t fall under any of the above
Action needed: annual SAQ

Here are the two levels available to service providers:

Compliance level: service provider qualification and action needed

Level One
Qualification, all of:
- Staged Digital Wallet Operators
- Third-Party Processors
- Token Service Providers
- Digital Activity Service Providers
- AML/Sanctions Service Providers
- 3-D Secure Service Providers
- Payment Facilitators and Data Storage Entities that process more than 300,000 card transactions annually
Action needed: annual on-site assessment by a QSA, resulting in a Report on Compliance (ROC)

Level Two
Qualification, all of:
- Payment Facilitators and Data Storage Entities that process 300,000 or fewer card transactions annually
- Terminal Servicers
Action needed: a yearly SAQ

Businesses that must complete an annual ROC receive a requirement-by-requirement finding from the QSA; any gaps found must be remediated, or covered by a documented compensating control, before the assessor can attest compliance for the year ahead.

Entities completing an SAQ answer a question for each applicable requirement (in place, in place with a compensating control, not in place, or not applicable) and sign an Attestation of Compliance (AOC) confirming their answers. Many merchants and service providers have a qualified assessor review the completed SAQ and AOC for the added assurance that the questionnaire was answered correctly.

PCI DSS Compliance vs. PCI DSS Certification

There is no such thing as "PCI DSS certification." This is a common misconception in the industry.

Being PCI DSS compliant means your business meets the PCI DSS requirements at all times. Validating compliance is the separate, usually annual, act of demonstrating that: by completing a Self-Assessment Questionnaire (SAQ) with an Attestation of Compliance (AOC) where you are eligible, or by undergoing an independent assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC) and an AOC. Neither document is a certificate; both attest to the state of your controls at the time of the assessment.

Independent validation is usually required for larger organizations or those at higher compliance levels (Level 1 merchants). Most small to mid-sized businesses only need to demonstrate compliance through self-assessment. However, both paths share the same goal: protecting cardholder data and reducing the risk of costly breaches.

It's important to note that PCI DSS compliance does not provide legal safe harbor—organizations remain liable for breaches and associated costs even when fully compliant.

How to Become and Stay PCI DSS Compliant

The core steps to becoming and staying PCI DSS compliant include recording where cardholder data is stored, checking your compliance level and completing an assessment, following recommendations offered, and regularly reviewing and testing your security standards.

You should always submit to a PCI DSS Assessment or complete an SAQ if your payment processor or other finance partner officially requests it. Regardless, assessments and SAQs can help you to understand your cybersecurity position.

Here’s a quick breakdown of the key steps to the PCI DSS compliance process:

Compliance step: in brief
1. Record where cardholder data is stored: map where and how cardholder data enters, flows through, and is stored in your systems, so you know what is in scope before a self-assessment or an independent assessment by a QSA resulting in a ROC.
2. Check your compliance level: consult your acquirer or payment brand to determine your level and whether you are eligible to complete an SAQ or must undergo a full assessment by a QSA resulting in a ROC.
3. Consult PCI SSC guidelines: read the PCI SSC’s documentation and take steps to meet the 12 PCI DSS requirements.
4. Undertake an assessment or complete an SAQ as required: complete the assessment to see how your controls align with the PCI DSS, and remediate the gaps it finds (such as tightening access controls and updating software).
5. Regularly test and scan your systems: run internal and external vulnerability scans at least quarterly and after significant changes, and a penetration test at least annually and after significant changes.
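The Python below is an added example, not code from this page, from SecureTrust, or from the PCI SSC. It ties together step 1 above (finding where cardholder data actually lives), Requirement 3 (masking the PAN for display, replacing the stored PAN with a keyed hash, and never storing sensitive authentication data after authorization) and Requirement 10 (keeping full PANs out of the logs you are required to retain). The field names in SAD_FIELDS, the log line format, and the sample lines are constructed for the example; 4111 1111 1111 1111 and 5555 5555 5555 4444 are the well-known Visa and Mastercard test numbers, not real cards.

```python
import hashlib
import hmac
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces
# or dashes, and not part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data as it might appear in a log line ("cvv=123").
_SAD_IN_LOG = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|pin)=\d{3,4}")

# Field names treated as sensitive authentication data (SAD). These names are
# this example's assumption, not a list published by the PCI SSC.
SAD_FIELDS = frozenset(
    {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in free text (logs, dumps, tickets).
    This is the core of cardholder-data discovery: it tells you where PANs live."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest asterisks.
    Requirement 3 caps what may be shown at the BIN plus the last four digits."""
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_hmac(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN, usable for matching and
    de-duplication without storing the PAN. An unkeyed SHA-256 is not enough:
    with the BIN known, the remaining digits plus the Luhn check leave so few
    candidates that the hash can be reversed by brute force. The key must be
    managed under the Requirement 3 key-management controls, not hard-coded."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Copy of a transaction record that is safe to persist after authorization:
    SAD fields dropped entirely, PAN replaced by its masked form and keyed hash."""
    out = {}
    for name, value in record.items():
        lname = name.lower()
        if lname in SAD_FIELDS:
            continue  # never stored after authorization
        if lname == "pan":
            out["pan_masked"] = mask_pan(value)
            out["pan_hmac"] = pan_hmac(value, key)
            continue
        out[name] = value
    return out


def redact_log_line(line: str) -> str:
    """Mask any Luhn-valid PAN and blank any SAD value in a log line, so the logs
    kept under Requirement 10 do not themselves become a cardholder data store."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    line = _PAN_CANDIDATE.sub(_mask, line)
    return _SAD_IN_LOG.sub(lambda m: m.group(1) + "=***", line)


# Constructed sample log lines (not real data). The 16-digit order ID on the
# first line fails the Luhn check and is left alone; the other two lines leak.
SAMPLE_LOG = """\
2025-09-04T10:01:02Z checkout ok order=1234567890123456 amount=42.00
2025-09-04T10:01:03Z DEBUG raw request pan=4111 1111 1111 1111 cvv=123
2025-09-04T10:02:15Z refund card=5555-5555-5555-4444 amount=10.00
"""

if __name__ == "__main__":
    for sample in SAMPLE_LOG.splitlines():
        print(find_pans(sample), "->", redact_log_line(sample))
```

Running it shows which sample lines contain a PAN and how they read after redaction. In a real discovery pass you would run find_pans over database exports, log archives, mail spools and ticketing systems, and treat every hit as bringing that system into assessment scope. The hard-coded key used in a test run would itself fail Requirement 3 in production; the key belongs in a managed key store.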

To stay PCI DSS compliant, you must establish clear security policies, regularly test for weaknesses in your infrastructure, and train all personnel in line with standards expected by the PCI DSS. It’s also wise to set up a process to monitor that all the above steps are followed and that you follow PCI DSS to the letter.

Conclusion

Though not a legal requirement, PCI DSS is extremely important for companies of all sizes that handle cardholder data. Without its recommendations, securing your data can become needlessly complex—and, if any gaps are left open, you might risk sensitive data falling into the wrong hands.

To ensure you stay PCI DSS compliant—without the headaches and excess time spent away from your business—rely on SecureTrust PCI Manager to keep all your data security worries in check.

About the author: Chris Brown, Senior Product Marketing Manager, SecureTrust
