PCI DSS: What is it, and how can I be compliant?

As online shopping became a staple with the advent of the internet era, the avenues for payment card fraud spiked dramatically.

David Donnan, Director

10 July 2025

As the issue escalated, payment card companies established a set of policies and guidelines to safeguard cardholders from having their payment data misused. This new standard was called PCI DSS.

What is PCI DSS?

The Payment Card Industry Data Security Standard (or PCI DSS for short) is an internationally recognised security standard which sets out the global guidelines and minimum requirements for companies on how to protect consumer payment data. Created by 5 major credit card companies in 2005 (Visa, Mastercard, Discover, JCB and American Express) as a response to the increasing threat of payment data theft online, the main purpose of the standard is to safeguard and secure sensitive cardholder data, including card numbers, issue/expiry dates, CVV numbers and cardholder addresses. PCI DSS is administered by the PCI Security Standards Council.

What Components Make Up PCI DSS?

PCI DSS outlines 12 core requirements, split into 6 control objectives aimed at protecting cardholder information. These are:

Build and Maintain a Secure Network

  • Install and maintain a firewall
  • Avoid vendor-supplied defaults for system passwords.

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open/public networks.

Maintain a Vulnerability Management Program

  • Use and regularly update antivirus software
  • Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes.

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for employees and contractors.

What are the benefits of PCI DSS compliance?

PCI DSS compliance offers a huge range of benefits to businesses that handle credit or debit card transactions. Beyond avoiding penalties, it will strengthen company security, improve consumer trust, and enhance your operational efficiency.

Benefits can include:

Improved Data Security

  • PCI DSS sets clear, industry-accepted standards for protecting cardholder data
  • By following the aforementioned controls, you greatly reduce the risk of data breaches and cyberattacks.

Regulatory and Contractual Compliance

  • Many payment processors and acquiring banks require PCI DSS compliance
  • Being compliant helps you meet contractual obligations, and in some jurisdictions, it also supports legal compliance with data protection laws.

Increased Customer Trust

  • Consumers are more likely to do business with companies that take data security seriously
  • Promoting PCI compliance can enhance your reputation and build customer loyalty.

Minimised Financial Liability

  • In the event of a breach, compliant businesses may be seen more favourably by investigators or insurers
  • PCI compliance can limit liability and help with faster recovery from incidents.

Operational Improvements
Implementing PCI DSS often leads to better:

  • Access controls
  • Network monitoring
  • System documentation.

These improvements can boost efficiency and reduce IT downtime.

Better Vendor and Partner Relationships

  • Being PCI compliant can make it easier to work with other vendors or partners that have their own compliance requirements
  • It shows your business is responsible in the payment ecosystem.

Global Acceptance

  • As mentioned earlier, PCI DSS is recognised globally
  • Compliance can ease international business and partnerships, especially in the e-commerce sector.

Who Needs to Comply with PCI DSS?

If you store, process or transmit cardholder data, you must be PCI DSS compliant. From corner shops to conglomerates, securing payment information is paramount in all aspects of commerce. This includes:

  • Merchants: Businesses that accept payment cards must adhere to PCI DSS (e.g. online retailers, restaurants, physical stores, non-profits that accept card payments, or any business using card payments in person, over the phone, or online)
  • Service Providers & Third Party Vendors: Companies that store, transmit or process payment card data on behalf of another business need to comply with PCI DSS (e.g. payment processors like Visa or PayPal, cloud services and web hosting companies that store client payment data, and software companies that maintain software apps which handle payment data, including point-of-sale vendors)
  • Subcontractors with Access to Cardholder Data: Any subcontractor who has access to cardholder data (even if they don't directly process or store it) must also be PCI DSS compliant. (This includes IT service providers and outsourced customer support teams)
  • Financial Institutions & Acquiring Banks: Banks that issue cards or acquire merchant accounts must also adhere to PCI DSS, especially in ensuring the merchants they work with are compliant.

How do I achieve PCI DSS compliance?

Before understanding how to achieve PCI DSS certification, it is worth noting that the regulations are split into four different compliance levels, which are:

Level 1 (Highest Level)

  • Criteria: Merchants processing over 6 million Visa or Mastercard transactions annually (regardless of channel), or any merchant that has suffered a data breach or is deemed Level 1 by a card brand
  • Validation Requirements: Annual Report on Compliance (RoC) by a Qualified Security Assessor (QSA) or internal auditor if signed by an officer, quarterly network scans by an Approved Scanning Vendor (ASV), and an Attestation of Compliance (AOC).

Level 2

  • Criteria: Merchants processing 1 million to 6 million transactions annually (per card brand)
  • Validation Requirements: Annual Self Assessment Questionnaire (SAQ), quarterly network scans by an ASV, and an AOC.

Level 3

  • Criteria: Merchants processing 20,000 to 1 million e-commerce transactions annually
  • Validation Requirements: Annual SAQ, quarterly network scans by an ASV and an AOC.

Level 4

  • Criteria: Merchants processing fewer than 20,000 e-commerce transactions annually, or fewer than 1 million overall transactions
  • Validation Requirements: SAQ and network scans may be required by the acquiring bank. Requirements vary depending on the acquirer's policies.

Now that we've covered the different levels of certification, let's break down how certification can be achieved.

Determine your PCI DSS Level

Identify your merchant or service provider level (Level 1-4 for merchants) and outline the validation requirements your business needs to achieve certification (through an SAQ or a full audit with a QSA).

Conduct a Gap Assessment

Compare your existing security practices to the 12 current PCI DSS requirements, which were laid out earlier. Assess where your current security controls fall short of the criteria needed to achieve PCI DSS compliance and set out an action plan to improve your security in the affected areas.

Remediate Identified Issues

Fix any gaps identified during the self-assessment. These could include:

  • Configuration updates
  • Software patches
  • Access control improvement
  • Sensitive data encryption
  • Implementation of logging and monitoring.

Ensure that all the changes you make are documented, as this evidence will be needed when validating your company's security.

Determine your Validation Requirement

Merchants requiring PCI DSS Level 2-4 certification are required to submit a Self-Assessment Questionnaire (SAQ), whereas Level 1 merchants and some service providers need to provide a Report on Compliance (RoC). Either way, it is crucial to document and report on all the fixes and changes made to your business's information security.

Complete the SAQ or RoC

Once all your documentation is updated, it's time to complete the SAQ (if you're a Level 2-4 merchant). Depending on how your business handles card data, you will need to complete a different SAQ. You can find out which questionnaire you'll need on the PCI DSS website.

Make sure you answer the questions carefully and accurately, and provide your supporting documents where needed. As well as this, ensure that the Attestation of Compliance (AoC) is completed, which is found within the SAQ.

If your business is doing an RoC, you will need to hire a Qualified Security Assessor (QSA). Their job is to:

  • Perform a full audit of your systems and controls
  • Interview company personnel
  • Review your documentation
  • Test your security posture.

The QSA will also produce a formal RoC document and AoC.

Keep Your Website Secure Through Quarterly & Annual Tests

Depending on your setup, you'll also need:

  • Quarterly vulnerability scans by an Approved Scanning Vendor (ASV)
  • Annual penetration testing (internal and external)
  • Application security testing (if applicable)
  • System and network security controls in place and tested.

Submit your Validation

Once the above has been completed, send the following to your acquirer or payment processor:

  • Completed SAQ or RoC
  • Attestation of Compliance
  • Quarterly ASV scan reports
  • Penetration test reports.

Some companies may also request evidence documentation or conduct their own reviews.

Maintain Continuous Compliance

Compliance is annual, but security is always ongoing. Be sure to manage and update your documentation, upskill and train employees, audit your security measures, as well as track changes to systems and data flows.

Also, ensure that your organisation's quarterly scans and annual revalidation are done on time.

What Are The Risks of Not Being PCI DSS Compliant?

If your company handles financial data but does not make a commitment to securing sensitive payment data, the consequences can be severe. This can include:

Data Breaches
Non-compliant systems are more vulnerable to cyberattacks. Hackers can steal cardholder data, leading to financial theft, identity fraud, and huge exposure of sensitive customer information.

Hefty Fines and Penalties
Card brands (such as Visa or Mastercard) can fine your acquiring bank, which will then pass the cost down to you. These fines can range from £5,000 to £100,000+ per month, depending on the size of the company, the violations committed and the duration of said violations.

Legal Liability
You may face civil lawsuits, regulatory or government investigations, or liability for damages suffered by affected customers or businesses in the event of a cybersecurity breach.

Increased Costs
In the event of a security incident, you'll likely pay for:

  • Forensic investigation and audit fees
  • Incident response and data recovery costs
  • Credit monitoring for affected customers
  • Higher transaction fees or security requirements from your processor.

Loss of Payment Processing Privileges
Acquiring banks can terminate your card processing privileges. Getting reinstated is difficult and expensive, and processors could refuse to work with you.

Reputation Damage
Loss of customer trust can be long-term and, in some cases, permanent. If the media covers your company's data breach, your brand can be severely harmed, losing existing customers and making it harder to gain new ones.

Business Disruption
After a security breach, your organisation's systems may be shut down or isolated during an investigation. You'll likely have to go through a remediation process, halting normal business operations. Compliance enforcement actions can also create ongoing scrutiny and oversight.

Secure Your Sensitive Payment Data with Igentics

PCI DSS compliance is not optional if your business handles payment data. Ensuring your company falls in line with security regulations not only keeps your brand protected but also maintains customer trust and makes your business a more attractive company to work with.

At Igentics, we work alongside our partners to ensure all client payment data is kept as secure as possible, keeping up to date with relevant guidelines and implementing the most advanced security practices to maintain smooth business operation.