
PCI DSS Compliance: Everything You Need to Know

By Fayyaz Makhani
Published May 4, 2026

PCI DSS covers the security standards that businesses must comply with when processing card payments. It is built around 12 core requirements, and failure to comply can result in fines, restrictions, and reputational damage.

Below, we explain what the PCI DSS requirements entail, how the compliance levels are defined, how compliance is validated, and what it costs. We also cover factors specific to e-commerce, and tips on getting compliant.

What Is PCI DSS Compliance?

PCI DSS (Payment Card Industry Data Security Standard) compliance governs how businesses handle cardholder data. It requires businesses to enforce strict access controls, manage vulnerabilities, protect their networks, and maintain security policies.

The standard is maintained by the PCI SSC (PCI Security Standards Council). It is enforced by the payment brands (e.g., Visa, Mastercard, Discover, and Amex) through the acquiring banks and processors that provide merchants with card acceptance.

In most jurisdictions, compliance is a contractual obligation under your card-acceptance agreement rather than a law, but acquirers and processors may apply fees, fines, and restrictions if the rules are not followed, and businesses of all sizes must adhere.

Failure to comply puts businesses at heightened risk from cyber attacks, customer data leakage, and loss of business.

PCI DSS was first published in December 2004. As of the time of publication of this blog, v4.0.1 (released June 2024) is the current and only active version: v4.0 was retired on December 31, 2024, and the future-dated requirements introduced with v4.0 became mandatory on March 31, 2025.

The 12 PCI DSS Requirements

PCI DSS compliance is split into 12 different requirements, grouped under six key control objectives. These objectives require businesses to maintain secure networks, protect data, manage vulnerabilities, implement robust access controls, test systems regularly, and uphold information security policies.

PCI compliant businesses must:

  • Build and maintain a secure network:
    • Requirement 1: Install and maintain network security controls
    • Requirement 2: Apply secure configurations to all system components
  • Protect account data:
    • Requirement 3: Protect stored account data
    • Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
  • Maintain a vulnerability management program:
    • Requirement 5: Protect all systems and networks from malicious software
    • Requirement 6: Develop and maintain secure systems and software
  • Implement strong access controls:
    • Requirement 7: Restrict access to system components and cardholder data by business need to know
    • Requirement 8: Identify users and authenticate access to system components
    • Requirement 9: Restrict physical access to cardholder data
  • Regularly monitor and test networks:
    • Requirement 10: Log and monitor all access to system components and cardholder data
    • Requirement 11: Test the security of systems and networks regularly
  • Maintain an information security policy:
    • Requirement 12: Support information security with organizational policies and programs

We provide more detail in our deep dive into all 12 PCI DSS requirements.

Validation, Assessment, and Reporting Methods

Businesses validate PCI DSS compliance through SAQs (Self-Assessment Questionnaires), AOCs (Attestations of Compliance), and ROCs (Reports on Compliance). Smaller firms typically complete an SAQ and an AOC, plus the quarterly external vulnerability scans their SAQ type requires.

Here’s a short glossary:

  • SAQs: Self-Assessment Questionnaires let eligible merchants and service providers assess and report their own compliance. There are several SAQ types (A, A-EP, B, B-IP, C, C-VT, P2PE, SPoC, and D for merchants and for service providers); which one applies depends on how payments are handled, and the eligibility criteria printed in each SAQ decide that.
  • AOCs: Attestations of Compliance are the signed declarations that an SAQ or ROC was completed, and they state the result. The AOC is the document an acquirer, processor, or customer will usually ask to see.
  • ROCs: Reports on Compliance are required for Level 1 merchants and service providers and may also be required for some Level 2 merchants depending on their acquirer or card brand. They are completed by a Qualified Security Assessor (QSA), who carries out an on-site assessment.
  • ASV scans: Requirement 11.3.2 calls for external vulnerability scans by a PCI SSC Approved Scanning Vendor at least once every three months and after significant changes. Level 1–3 merchants must complete them quarterly; Level 4 requirements may vary by acquirer and by SAQ type.
  • Penetration testing: Requirement 11.4 calls for internal and external penetration testing at least once every 12 months and after significant changes. It is part of every ROC and of the more extensive SAQ types (A-EP and D among them), so in practice it applies to Level 1 merchants and service providers, some Level 2 merchants, and any merchant whose payment channel falls under those SAQs.

We explore PCI DSS certification in more detail in our guide.

PCI DSS Compliance Levels and Merchant Types

Businesses fall into one of six PCI DSS compliance levels based on yearly card transaction volume. The levels determine how much scrutiny and validation is required.

The card brands' compliance programs define four levels for merchants and two for service providers. Each brand sets its own thresholds and counts its own transactions, so your acquirer tells you which level applies; the figures below follow Visa's definitions. If you run a small ecommerce operation and handle fewer than 20,000 card transactions yearly, for example, you are classed as a Level 4 merchant.

Knowing your compliance level is vital to ensure you budget accordingly for any tools and resources required.

For a small business, that typically means an SAQ, an AOC, and quarterly ASV scans where the SAQ type requires them.

Here’s a quick breakdown of compliance levels and expectations, with more information in our deep dive on compliance levels.

Compliance level, annual transactions, and assessment and reporting requirements:

  • Merchant Level 1 (more than 6,000,000 transactions per year): annual on-site assessment by a QSA, ROC, AOC, and quarterly ASV scans
  • Merchant Level 2 (1,000,000 to 6,000,000 transactions per year): annual SAQ and AOC (a ROC in some cases, depending on brand and acquirer), and quarterly ASV scans
  • Merchant Level 3 (20,000 to 1,000,000 e-commerce transactions per year): annual SAQ and AOC (a ROC in some cases), and quarterly ASV scans
  • Merchant Level 4 (fewer than 20,000 e-commerce transactions per year, or up to 1,000,000 total transactions across all channels): annual SAQ and AOC, and quarterly ASV scans
  • Service Provider Level 1 (more than 300,000 transactions per year): annual on-site assessment by a QSA, ROC, AOC, and quarterly ASV scans
  • Service Provider Level 2 (fewer than 300,000 transactions per year): annual SAQ and AOC, and quarterly ASV scans

Steps to Achieve PCI DSS Compliance

To achieve PCI DSS compliance from a standing start:

  1. Identify the compliance level that applies to your business and, if you are eligible to self-assess, choose the SAQ that matches your payment method(s).
  2. Define your Cardholder Data Environment (CDE) by determining which systems store, process, or transmit card data, or can affect its security, and segment everything else away from it where you can.
  3. Using the 12 PCI DSS requirements, assess your setup for compliance gaps.
  4. Remediate those gaps and record every step you take to do so.
  5. Complete the validation document for your level: the relevant SAQ, or a ROC produced with a QSA.
  6. Run ASV scans and/or penetration tests, if required, and record the results.
  7. Submit the AOC (with the SAQ or ROC) to your acquirer or payment processor. Repeat the process yearly, and scan quarterly.
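Step 2 is where most scoping mistakes happen: a log file that stores full card numbers is in the CDE whether or not anyone meant it to be, and the scoping and shadow-IT problems mentioned later on this page are usually found by looking for card data where it should not be. The following is an added example written for this article; it is not SecureTrust code and not part of the original post. It scans constructed sample log lines (the field names and the tok_ token format are invented for the example) for runs of 13 to 19 digits that pass the Luhn check, reports each hit with the PAN masked to the first six and last four digits (the display limit Requirement 3.4.1 allows), and shows a redact() helper that masks PANs before a line is written, so the fix can be dropped in front of the logger that caused the leak.

```python
"""
Discover card numbers (PANs) that have leaked into logs, and mask them the way
PCI DSS allows them to be displayed. Added example, not SecureTrust code.
"""
import re

# A PAN candidate is 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real PAN passes; filters out order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (the PCI DSS 3.4.1 display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate: str) -> str:
    """Strip the separators the regex tolerates so only digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (digits only) found in a string."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = _normalize(match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Discovery scan: (line number, masked PAN) per leak, never echoing the full PAN."""
    return [(n, mask_pan(pan)) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


def redact(line: str) -> str:
    """Hardened logging: mask PANs before a line is written; other digit runs are untouched."""
    def _mask_match(match):
        digits = _normalize(match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_mask_match, line)


# Constructed sample log lines (not real data). The card numbers are the publicly
# known Visa and American Express test numbers; the order ID and token are invented.
SAMPLE_LOG = [
    "2026-05-04T10:01:12Z INFO checkout start order=1234567890123456 cust=alice",
    "2026-05-04T10:01:13Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/28",
    "2026-05-04T10:01:13Z DEBUG gateway request pan=378282246310005 cvv=***",
    "2026-05-04T10:01:14Z INFO token issued tok_9f1c2a77 last4=1111",
    "2026-05-04T10:02:00Z WARN retry card=4111111111111112 declined",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: PAN found -> {masked}")
    print(redact(SAMPLE_LOG[1]))
```

The 16-digit order ID on the first line and the mistyped card number on the last line are both rejected by the Luhn check, which is what keeps a discovery scan from drowning in false positives; the two real test PANs are reported masked, and redact() rewrites only those. In a real environment, run the same logic over application logs, database dumps, crash reports, and backups, because every system that holds a hit is in scope.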

PCI DSS Compliance for E-commerce and Specific Platforms

When handling e-commerce card payments, PCI DSS requirements may vary depending on your specific online environment. For example, you may need to choose a specific type of SAQ, or your e-commerce platform may handle PCI scope in a certain way.

SAQ A (lowest scope)

  • Applies when you completely outsource the payment process to a PCI DSS compliant third party.
  • Card data is entered on a payment page or iframe served entirely by that third party; your site only redirects the customer to it or embeds it.
  • The merchant’s site cannot affect how card data is captured or transmitted.
  • Example: a full-page redirect to a hosted page such as Stripe Checkout or a PayPal hosted page, with no custom scripting touching payment fields.

SAQ A-EP (higher scope)

  • Applies when your website can influence the payment page or flow, even if card data is ultimately sent to a third party.
  • This includes:
    • Hosting the payment form yourself, even if the browser posts the card data directly to the processor
    • Using your own JavaScript that creates, controls, or reads payment fields
    • Any setup where a compromise of your site could skim card data before it reaches the processor
  • Key idea: your environment is “in the path” of the payment, even indirectly.

The eligibility criteria printed at the front of each SAQ are authoritative, and your acquirer has the final say on which SAQ you may use.

A hosted platform can take most of the scope off your hands, but it does not make your business compliant by itself: you still validate (usually via SAQ A) for the parts you control. Self-hosted WooCommerce and Magento stores put your web server in scope by default, whereas Shopify and Square host the storefront and checkout as validated Level 1 service providers:

“Shopify is certified Level 1 PCI DSS compliant. This compliance extends by default to all stores powered by Shopify.”

Shopify

Always vet third-party integrations, such as plugins and payment gateways, for PCI DSS compliance before adoption: ask for a current AOC rather than relying on a “PCI compliant” badge.

Challenges and Costs Associated with Compliance

Achieving PCI compliance carries necessary costs that vary based on a business’s compliance level. For example, a smaller business as a Level 4 merchant will face much lower costs compared to a Level 1, which may need to budget for five-to-six figures.

The true cost of PCI compliance is typically driven by:

  • Regular ASV scanning (up to $300 per IP address)
  • Penetration testing (starting at around $3,000)
  • Employee training (starting at around $50 per seat)
  • QSA assessments (typically five-figure sums)
  • Remediation (highly variable depending on challenges and scope)

Common challenges add to the bill: errors in scoping and defining the CDE, systems and environments that were missed (shadow IT, for example), and the changes needed to meet v4.0.1 requirements. Failing to vet and assess third-party vendors and partners also costs additional time and money.

Penalties and Risks of Non-Compliance

Failure to comply with PCI DSS results in escalating fees, fines, restrictions, and potential loss of business.

Non-compliant businesses may face:

  • Monthly fees applied by payment processors
  • Fines from payment brands and acquirers
  • Restrictions on card acceptance and certain processing rights
  • Damage to reputation and loss of business

Best Practices and Tips for PCI DSS Compliance

Beyond PCI compliance basics, we recommend a few additional steps to thoroughly protect your cardholder data:

  • Document absolutely everything - from policies, to access rules and logs, to scan results, training records, and actions taken
  • Don’t treat compliance as a yearly exercise - embed card data security standards into your continuous operations
  • Reduce your scope as much as possible to cut compliance requirements and costs (e.g., by using hosted payment pages, tokenization, and network segmentation that keeps non-payment systems out of the CDE)
  • Build and assess a complete inventory of vendors and check their PCI DSS compliance annually
  • Between each annual assessment, run internal security audits
  • Pay close attention to the most recent changes in PCI DSS v4.0.1, in particular the requirements that became mandatory on March 31, 2025, such as multi-factor authentication for all access into the CDE (8.4.2), 12-character minimum passwords (8.3.6), and technical anti-phishing controls (5.4.1)

We also recommend using our PCI DSS compliance checklist, regardless of your current security standards.

Assessing and maintaining PCI DSS compliance doesn’t have to be painstaking. Take a tour of SecureTrust PCI Manager today and start making card security more efficient and continuous.

Frequently Asked Questions

Let’s close our guide with some of the most common questions we receive about PCI compliance.

Is PCI DSS compliance legally required?

In most jurisdictions, no: PCI DSS compliance is a contractual obligation under your card-acceptance agreement rather than a law. Non-compliance can still lead to penalties and restrictions from acquirers and payment processors, and a non-compliant business is also at higher risk of data breaches.

How long does it take to become PCI compliant?

It can take anywhere from days to months to become fully PCI compliant, depending on your starting position, CDE scope, and the tools you use to achieve compliance.

What is the difference between PCI DSS compliance and certification?

PCI DSS compliance refers to meeting the security requirements defined by the PCI SSC for handling cardholder data. PCI DSS certification is not an official term used by the standard; instead, organizations validate compliance in different ways depending on their size and transaction volume. Most merchants complete a Self-Assessment Questionnaire (SAQ) and, if required, quarterly network scans. Larger organizations typically undergo a formal assessment conducted by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC) and an Attestation of Compliance (AOC).

Does PCI DSS compliance prevent data breaches?

PCI DSS compliance can help to reduce the risk of data breaches by supporting a stronger, more proactive cybersecurity posture. However, a business must continue to monitor for security gaps and take steps to ensure data is fully protected.

About the author: Fayyaz Makhani, Global Security Architect, SecureTrust
