The PCI DSS (Payment Card Industry Data Security Standard)

The Payment Card Industry Data Security Standard (PCI DSS) is administered by the PCI Security Standards Council (PCI SSC) to decrease payment card fraud across the Internet and increase credit card data security. Organisations that store, transmit or process cardholder data must comply with the PCI DSS.

IT Governance Ltd is an authorised PCI Qualified Security Assessor (QSA), supplying the full range of PCI compliance and assessment products and services. Call us today on +44 (0)845 070 1750.

PCI compliance and assessment products and services

Introduction to the PCI DSS

The currently applicable version of the PCI DSS is version 3.1. Version 3.0 was published in November 2013 and updated to version 3.1 in April 2015 – Download version 3.1 here.

Read more about the changes introduced in version 3.1 here.

The changes help companies make the PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and security as a shared responsibility.

Find out more about PCI DSS v3.1 here.

Organisations can expect to be assessed against the changes introduced by v3 and v3.1 at their next assessment or audit. As an approved QSA company, IT Governance is ideally positioned to help organisations transition to v3.1.

Visit our PCI Consultancy page, call us on +44 (0)845 070 1750, or email

Applicability of the PCI DSS

The PCI DSS applies to any organisation that processes, transmits or stores cardholder data.

If you are a merchant, the PCI DSS applies to you. Even if you have subcontracted all PCI DSS activities to a third party, you have the responsibility for ensuring all contracted parties are compliant with the Standard.

If you are a service provider, including a software developer, the PCI DSS applies to you if you process, transmit or store cardholder data, or your activities affect the security of the cardholder data as it is being processed, transmitted or stored.

IT Governance can advise on the applicability of the PCI DSS to your organisation.

Scope of the PCI DSS

The PCI DSS can apply across the whole of your organisation, or to a subset of your organisation if you have correctly compartmentalised the processing, transmission or storage of cardholder data.

The Standard applies to all people, processes and technologies that are involved in the processing, transmission or storage of cardholder data. It does not just cover electronic systems, but also extends to paper records, such as receipts, mail order forms, etc., and recordings of phone conversations if they capture cardholder data read out to call centre operators. IT Governance can advise on scoping the cardholder data environment within your organisation.

PCI DSS compliance requirements

The Standard requires all applicable merchants and member service providers (MSPs) who are involved with the storage, processing or transmitting of cardholder data to:

  • build and maintain a secure IT network;
  • protect cardholder data;
  • maintain a vulnerability management program;
  • implement strong access control measures;
  • regularly monitor and test networks;
  • maintain an information security policy.

PCI DSS compliance criteria and PCI levels

Compliance is driven from the payment brands (Visa, American Express, MasterCard, etc.) downwards. The payment brands require compliance from acquiring banks and, consequently, all of their merchants as well. As part of the process, merchants will ask their service providers to be compliant.

The criteria that a merchant or service provider has to meet are set by the individual payment brands. Each payment brand has its own compliance programme and sets criteria for compliance based on the volume of transactions made by a merchant or service provider. In general, there are four merchant levels and two levels of service provider, but this varies by payment brand.

The 12 requirements of the PCI DSS

Find out about the 12 requirements and how to achieve and maintain compliance with each of them.

Achieving compliance with the PCI DSS

Compliance with the PCI DSS is demonstrated by the merchant or service provider successfully completing an audit of the cardholder data environment against the Standard. The type of audit depends on the compliance requirements of the payment brand and the level of the merchant or service provider as defined by the payment brand. The types of audit are:

Getting started

The PCI DSS compliance process can take anywhere from a day to many weeks, depending on what is uncovered by the vulnerability assessment scan and the audit. Organisations that currently have a good level of information security are likely to achieve compliance more quickly than those that do not. The starting point for all organisations that need to comply is to download the Payment Card Industry Data Security Standard, and to consider a vulnerability assessment service or vulnerability scan, both of which can be conducted by IT Governance.

Another good point of reference is to get your own copy of the PCI DSS A Pocket Guide.

Those wishing to develop their understanding of the PCI DSS may also be interested in our PCI Foundation and PCI Implementation training pathway.

PCI compliance requirements – IT Governance services

As a rule of thumb, the criteria below are based on those from Visa and MasterCard, as these are the predominant payment brands that card merchants will process. IT Governance provides the following services in each of the various compliance categories:

| Merchants / Service providers | Quarterly* external vulnerability scan (ASV) | Quarterly* internal vulnerability scan | Annual** penetration test (Level 2) | Quarterly wireless network analysis | Annual Web application vulnerability scan₁ |
| --- | --- | --- | --- | --- | --- |
| | Req. 11.2.2 | Req. 11.2.1 | Req. 11.3 | Req. 11.1 | Req. 6.6 |
| ROC | Yes | Yes | Yes | Yes | Yes |
| SAQ D for Merchants | Yes | Yes | Yes | Yes | Yes |
| SAQ D for Service Providers | Yes | Yes | Yes | Yes | Yes |
| SAQ C | Yes | Yes | Yes # | Yes | Yes |
| SAQ C-VT | | | | | |
| SAQ P2PE-HW | | | | | |
| SAQ B | | | | | |
| SAQ B-IP | Yes | | | | |
| SAQ A-EP | Yes | Yes | Yes + | | Yes |
| SAQ A | | | | | |

* Or after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
** Or after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
# Only required for testing network segmentation if any is present.
+ Only external penetration test required.
₁ Or after any change to the application. Applicable if developing own applications or using a 3rd party non-PCI-certified web application.

IT Governance’s penetration testing table explains the differences between the different levels of tests.

PCI Enforcement

Find out what the consequences are of non-compliance with the PCI DSS.

PCI Security Standards Council resources

Comprehensive resources from the PCI Security Standards Council.

The PCI Report on Compliance

A Report on Compliance (ROC) is a form that must be completed by all qualifying merchants and service providers undergoing a PCI DSS audit. The ROC is used to verify that the organisation being audited is compliant with the PCI DSS. The ROC must be filled out by the PCI Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) who has audited the organisation. The form is then submitted to the merchant's acquiring bank for acceptance. Once the merchant's acquiring bank has accepted the ROC, it sends the document on to the payment brand for compliance verification.

Payment brand PCI compliance programmes

While the PCI DSS is a common standard, each payment brand has its own compliance programme. Note that there may be regional variations for Visa (e.g. USA and Canada), while MasterCard has a single global standard, and that acquiring banks (not the payment brands) are usually responsible for enforcement. All detailed compliance enquiries should therefore be directed to one's acquiring bank. Here are the PCI DSS compliance programs for each of the five founding members of the PCI SSC:

The PCI DSS and ISO/IEC 27001

While the PCI DSS was not written to map specifically to ISO 27001, COBIT® or any other existing framework, it sits clearly within the ISO 27001 framework and organisations that have implemented an ISO 27001-compliant information security management system (ISMS) should also be able to demonstrate their conformance to the PCI standard with minor additional work.

Subscribers can access additional guidance on using ISO 27001 as a PCI DSS management framework: Nine Steps to Success describes how ISO 27001 can be implemented to provide an overarching best-practice information security management framework that will encompass the requirements of the PCI DSS.

Verified by Visa and MasterCard SecureCode (payer authentication service/3D-Secure)

Verified by Visa (VbV) is a security protocol introduced by Visa in 2005 for Internet-based transactions only (i.e. not for mail order or telephone purchases). VbV provides additional security for both the shopper and the merchant by enabling the cardholder to input a password to validate their transaction. While a cardholder may proceed with a transaction even if they have not entered a password, the mere availability of VbV shifts the chargeback liability from the merchant to the card issuer. MasterCard has a similar scheme, called SecureCode, which applies to MasterCards and Maestro cards.

For full details of Visa VbV, go to

For full details of MasterCard SecureCode, go to

To discuss your PCI DSS requirements, call us today on +44 (0)845 070 1750.
