Next named exclusive Trail Blazer in NEW 2024 Radicati DLP Market Quadrant Report Read the Report
Updated: Sep 28, 2023   |   Lauren Koppelman

PCI DSS compliance? Requirements, standards and everything else you need to know about PCI DSS compliance

Go back

Companies that process credit card payments are required to maintain PCI DSS compliance, and failure to abide by these regulations can result in fines and the loss of merchant status, crippling an organization’s ability to do business.

This guide will cover all aspects of PCI DSS compliance, including who it applies to, its requirements, and penalties for non-compliance. It will also look at the changes ahead with PCI v4.0. We will use the terms PCI and PCI DSS interchangeably throughout the guide.

In this article: 

What is PCI DSS?

Person's hand holding out a payment card

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed to protect the privacy and security of cardholder data. PCI DSS was first introduced in December 2004 by major credit card companies to define the standards by which cardholder data should be protected. 

The development of PCI DSS was influenced by the emergence of ecommerce and the increased digital storage of sensitive customer information.

PCI DSS is administered and maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was formed in 2006 by American Express, Discover, JCB International, MasterCard, and Visa, Inc

The Council is tasked with strengthening payment account security by providing standards and supporting services such as education to assist stakeholders in implementing PCI DSS.

A Brief History of PCI DSS Standards

The first PCI DSS standard (Version 1.0), released in December 2004, was based on the Visa Cardholder Information Security Program (CISP). It has undergone multiple revisions over the years, including: 

  • Version 1.1: Released in 2006, v1.1 asked merchants to install firewalls to their systems and review all online applications.
  • Version 1.2: Released in October 2008, v1.2 clarified requirements in previous versions and addressed the evolving threat landscape.
  • Version 1.2.1: Released in August 2009, v1.2.1 also clarified requirements in previous versions and enhanced the standards’ consistency.
  • Version 2.0: Released in 2010, v2.0 aligned the standard with the latest industry best practices, clarified scoping and reporting, and eliminated redundancy in sub-requirements and consolidated documentation. It also introduced flexibility to make the requirements easier for merchants to understand and easier for them to implement.
  • Version 3.0: Released in November 2013, v3.0’s changes included updated penetration testing requirements, introduced the requirement to “maintain an inventory of system components that are in scope for PCI DSS,” and introduced the requirement for more detailed documentation related to vendor vs. merchant responsibilities. V3.0 also required merchants to identify and evaluate evolving malware threats for systems that typically aren’t affected by these threats and implement the principle of least privilege for physical access by on-site employees.  
  • Version 3.1: Released in April 2015, v3.1 was a short-term update meant to retire on October 31, 2016 and designed to give merchants time to adapt to the upcoming v3.2.1 requirements.
  • Version 3.2: Released in 2016, v3.2 went into full effect in 2018. The most notable change in this version was the requirement to incorporate multi-factor authentication for employees who have administrative access to systems that handle cardholder data.

Other changes included detection and reporting requirements for failures of critical security control systems, the requirement to perform penetration testing on segmentation controls every six months, and the requirement to perform quarterly reviews to evaluate employees’ compliance with security policies and procedures, among others. 

  • Version 3.2.1: At the time of writing, PCI DSS v3.2.1 is the current active (and mandatory) version of PCI DSS. PCI DSS Version 4.0 (v4.0) was released in March 2022. 
  • Version 4.0: PCI DSS v4.0 goes into full effect in March 2025. V3.2.1 remains active through March 2024, providing a transitional period allowing companies to adapt to the latest requirements in v4.0. Changes in v4.0 include new risk analysis requirements, governance requirements, more stringent authentication in line with NIST’s Digital Identity Guidelines, and a new customized control approach. 

Who needs to maintain PCI DSS compliance?

All businesses that process credit card payments are required to protect cardholder data by maintaining PCI compliance. This includes virtually any company involved in ecommerce as well as the majority of brick-and-mortar businesses. 

Companies are assigned different PCI merchant levels by the credit card companies that determine the measures they need to take to achieve and demonstrate compliance.

PCI merchant levels and reporting guidelines

PCI merchant levels are defined by payment card processors to distinguish businesses that need to provide different compliance evidence. The levels are determined primarily by the volume of credit card transactions an organization processes in the most recent 52-week period. The credit card acceptance method is also considered when assigning merchant levels.

Each credit card processor defines the PCI merchant levels that apply to businesses processing their cards. Most companies choose to go with four similar levels, although Discover only defines three. We will use Visa’s PCI levels to illustrate how businesses are classified and how reporting requirements are affected by their classification.

  • Level 1 merchants: This level applies to merchants that process over six million Visa transactions annually across all acceptance channels. Visa can also require an organization to comply with Level 1 reporting requirements. 

Every year, Level 1 merchants need to submit a Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or an internal resource if signed off on by an officer of the company.

  • Level 2 merchants: Level 2 merchants process between one and six million Visa transactions per year across all channels. Merchants at this level must complete a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AOC) Form every year.
  • Level 3 merchants: This level is for merchants processing between 20,000 and one million ecommerce Visa transactions per year. They also need to complete an SAQ and an AOC annually.
  • Level 4 merchants: Level 4 is for companies processing less than 20,000 ecommerce transactions and up to one million transactions using any acceptance method. They are required to complete an SAQ or an alternative validation method defined by their acquirer.

In the case of Discover, merchants in Level 4 are consolidated into Level 3. Merchants at levels 2 through 4 can choose to complete the more stringent ROC rather than an SAQ. We will go into the details of ROCs, SAQs, and AOCs later in this guide.

What are the requirements of PCI DSS compliance?

Person holding a payment card to make an online purchase on a laptop

Several hundred specific requirements are included in PCI-DSS. These requirements are grouped into 12 categories that companies must use as a guide to implementing a compliant IT infrastructure. PCI DSS compliance is required whether the company employs an on-premises environment, a cloud infrastructure, or outsources with a third-party service provider.

1. Install and maintain a network firewall to protect cardholder data 

Merchants are required to prevent unauthorized access to the IT environment with a reliable network firewall. The firewall configuration should be reviewed and updated at least bi-annually so that only trusted entities can access network resources. 

Firewalls also need to be installed on employees’ home computers and mobile devices if they are used to access systems containing cardholder data.

2. Change vendor-supplied defaults for system passwords and other security parameters

All vendor-supplied default passwords used on any piece of software or hardware that are used to support the cardholder data environment must be changed. Passwords must be changed before allowing a new device or software component to connect to the regulated environment. 

Cybercriminals often use default passwords in an attempt to gain unauthorized access to IT systems.

3. Protect stored cardholder data

Stored cardholder data needs to be protected at all times. This means encrypting cardholder data at rest and not retaining the information for longer than necessary to address business requirements. 

Purging obsolete cardholder data at least quarterly is also highly recommended.

4. Encrypt the transmission of cardholder data across public networks

Cardholder data must be encrypted before being transmitted over publicly accessible networks like the Internet. Strong cryptography is necessary to guard the security and privacy of cardholder data. 

Companies need to implement current industry standards like IEEE 802.11i  for wireless networks to meet this requirement.

5. Use and regularly update antivirus software or programs

Organizations are required to install and use antivirus and malware protection to ensure the safety of cardholder information. The software should be updated regularly to address newly discovered threats. 

All machines that can access cardholder data need to have this protective software installed, including mobile devices and the computers of remote workers.

6. Develop and maintain secure systems and applications

Secure systems and applications are required throughout a PCI-compliant environment. Hardware and software security patches should be installed as soon as they are available. 

PCI DSS standards must be followed when engaged in code development.

7. Restrict access to cardholder data on a need-to-know basis

Merchants must restrict access to cardholder data to individuals who need it to do their jobs. PCI makes the need to know a fundamental aspect of the standards that are used to control who requests access and the reason access is required. 

Users must be authorized and have a valid business reason to access cardholder data.

8. Assign a unique ID to all individuals with computer access

All users with computer access to the regulated environment need to be assigned a unique ID to be used for monitoring access to cardholder data. The ID can be used to identify the individuals who have accessed or attempted to access systems containing sensitive information.

9. Physical access to cardholder data must be restricted

This requirement needs to be addressed with on-site controls that are monitored and logged. Security personnel or automated systems must be in place that restrict unauthorized personnel from physically accessing systems containing cardholder data

Backup tapes and other media containing sensitive data must be secured and then securely destroyed when the business no longer needs them.

10. Track and monitor access to network resources and cardholder data

Continuous monitoring is required for all networks and systems that can potentially access cardholder data. The objective is to limit access to authorized individuals and detect unauthorized attempts that may indicate the presence of threat actors. 

Network activity must be logged and audit trails maintained for PCI DSS compliance.

11. Test security systems and processes regularly

Merchants are required to test security solutions, systems, and processes regularly to protect the environment from new vulnerabilities. Quarterly internal and external vulnerability scans and file monitoring should also be implemented.

Lastly, discovered vulnerabilities need to be addressed and mitigated as soon as possible.

12. Maintain an information security policy for all personnel

All businesses must implement and maintain a security policy for PCI compliance. The policy should be evaluated and revised yearly. 

All employees and contractors should review the policy annually as part of standard security training as well as training focused on PCI DSS compliance

There are various PCI DSS compliance solutions that can help businesses achieve and maintain compliance.

How do organizations demonstrate PCI DSS compliance?

Closeup image of part of a MasterCard payment card

Organizations are required to demonstrate PCI compliance by submitting the appropriate documentation based on their merchant level. The required documents include Reports on Compliance (ROCs), Self Assessment Questionnaires (SAQs), and Attestations of Compliance (AOCs). Let’s look at the details of each piece of evidence.

Completing a compliance report

ROCs are required of all Level 1 merchants and can be submitted by any level to demonstrate compliance. A full onsite assessment of the IT environment is required to complete an ROC. Three parties work together to complete and submit an ROC.

  • PCI SSC: Merchants must submit completed documentation to the Payment Card Industry Security Standards Council (PCI SSC) annually. The PCI SSC administers the standard and is responsible for approving Qualified Security Assessors (QSAs).
  • Merchant: The audited merchant is required to identify their merchant level and submit the necessary documentation. Levels 2 through 4 can perform a self-assessment or an ROC. If performing an SAQ, they need to be sure to complete the right type based on their business operations.
  • Assessor: A QSA is required for completing and submitting an ROC. The QSA needs to have been approved by the PCI SSC to conduct audits and know how to attest to a merchant’s compliance. QSAs are evaluated annually to ensure they fully understand PCI DSS and can demonstrate their ability to perform assessments.

Currently, organizations need to follow PCI DSS v3.2.1, but this version of the standards will be replaced by PCI DSS 4.0 on March 31, 2024. Merchants can use the PCI DSS V3.2 ROC template to complete the process and can prepare for PCI DSS v4.0 by reviewing the new ROC template.

Completing a self-assessment questionnaire

SAQs are a validation tool designed to assist merchants and service providers in reporting the results of a PCI DSS self-assessment. Multiple types of SAQs are available that address different merchant situations. 

The different SAQs are used to cover specific situations such as where merchants use hardware payment terminals or only process ecommerce transactions.

Organizations may want to verify PCI DSS compliance by engaging a QSA and submitting an ROC to the PCI SSC rather than using an SAQ.

Completing an attestation of compliance (AOC)

A PCI Attestation of Compliance is a certification that specifies an organization’s compliance status. It is completed by a QSA and documents that an entity is implementing best practices to secure and protect cardholder data. It attests to the fact that the organization has completed the appropriate SAQ and that it has been verified by a QSA.

As with SAQs, multiple types of AOCs address different business situations. Merchants should work with a QSA to ensure they are submitting the right type of AOC to demonstrate PCI compliance.

What are the penalties for PCI non-compliance?

Fines and penalties for PCI non-compliance are imposed by payment card companies and banks. The penalties can vary depending on the specific entities imposing the fines. Based on the size of the company and the extent of the compliance violation, fines can range from $5,000 to $100,000 per month.

Fines can be imposed for the number of months that a forensic investigation determines non-compliant practices were in play. They are typically renewed monthly until the violations have been addressed and PCI compliance has been demonstrated. Repeat offenders can be subject to more significant fines.

While large businesses can absorb the fines, small businesses may not be as fortunate. A company can be put out of business if it cannot quickly resolve the non-compliance issues. 
In addition to the financial penalties, there are other risks to a business associated with PCI DSS non-compliance.

  • Legal costs: Customers whose data has been disclosed or compromised may sue the business resulting in extensive legal fees. Credit card companies may also take legal action when non-compliance is discovered.
  • Public relations: Companies found to be non-compliant with PCI due to a data breach risk losing customers due to negative public relations. Consumers will be reluctant to trust an organization that has proven it cannot adequately protect their sensitive personal information.
  • Business impacts: Credit card companies may increase the fees they charge a business for processing payments if they do not comply with PCI. These fees may have to be passed on to customers to maintain a positive bottom line. Increased prices can cause consumers to search for alternatives and potentially put a company out of business.

Changes coming in PCI DSS v4.0

The current version of PCI DSS, v3.2, is slated to be replaced by PCI DSS v4.0 on March 31, 2024. Companies should already be preparing for the changes in v4.0 standards so they can ensure compliance.

PCI-DSS 4.0 retains all of the requirements previously defined for the security standards when processing credit cards. The requirements were redesigned to concentrate on security objectives and better define how controls should be implemented. PCI DSS 4.0 has four main goals:

  • Meeting payment industry requirements: The new standards were developed to ensure PCI DSS continues to meet the requirements of the payment industry in a changing business landscape.
  • Greater flexibility: PCI DSS 4.0 gives companies more flexibility in implementing the required security measures.
  • Continuous security processes: The standards promote continuous security processes to enhance cardholder data protection.
  • Enhanced validation methods: Enhanced validation methods are also defined in PCI DSS 4.0.

Two aspects of cybersecurity are directly addressed by the new requirements in PCI DSS 4.0. The first defines stronger authentication methods that are required to access systems containing or processing cardholder data. This is accomplished by:

  • Implementing multi-factor authentication
  • Requiring stronger passwords that are at least 15 characters in length and are changed at least annually
  • Access privileges must be reviewed at a minimum interval of every six months
Customer handing a payment card to an employee for a POS purchase

The second area of PCI DSS v4.0 that requires substantial changes in how businesses operate concerns the use of encryption to protect cardholder data. The requirement to encrypt data before transmission has been expanded to encompass trusted as well as public networks. This requirement addresses the increased threat of malicious insiders or accidental data disclosure.

Additionally, data discovery to identify unencrypted data resources subject to PCI DSS is required to be performed at least annually.

Deploying a DLP solution to enhance PCI compliance

Deploying a data loss prevention (DLP) solution will benefit organizations that take PCI compliance seriously. A DLP platform can be instrumental in enforcing an organization’s data handling policy that conforms to PCI DSS and protects cardholder data in all states — at rest, in motion, and in use. A DLP solution directly addresses the need to encrypt sensitive data and restrict it from unauthorized use.

The Reveal platform by Next employs cutting-edge technology and next-gen endpoint agents that enforce a data handling policy — without connecting to a separate analysis engine. The tool also provides user training at the point of risk to promote and cultivate a security-conscious culture that supports PCI DSS compliance.

Contact Next to book a demo and learn how this advanced DLP solution increases data security and helps you maintain PCI DSS compliance.

Frequently Asked Questions

Is PCI DSS a law?

PCI DSS is not a law and penalties for non-compliance are not imposed by any governmental body. The standards are administered and enforced by the PCI SSC, payment card processors, and banks. There are no criminal penalties associated with PCI DSS non-compliance.

Does PCI only affect U.S. businesses?

No, PCI DSS does not only affect U.S. businesses. It is a global standard that applies to all companies processing credit card payments no matter where they are located. Global enforcement of the standards is facilitated by the worldwide reach of the financial institutions that support the payment card industry.

Why would a company submit an ROC instead of an SAQ?

A business may elect to submit an ROC rather than an SAQ to ensure they are fully compliant with PCI DSS. The additional requirements necessary to complete an ROC can identify vulnerabilities or areas that need to be addressed to maintain compliance. It’s beneficial for a company to expend the resources to complete an ROC rather than face potential fines for non-compliance.




See how Next protects your employees and prevents data loss