PCI DSS | What It Is and How to Comply

As a PCI QSA company, IT Governance has everything you need to achieve PCI compliance, including help with scoping, RoCs, SAQs and ASV scans. To get a tailored quote, call us now on 44 1474 556685 or request a call using our contact form.

Speak to an expert

For more information about the PCI DSS and what your organisation needs for compliance, please get in touch with one of our experts using the icons below. 

What is the PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

The Standard is a result of a collaboration between the major payment brands and is administered by the PCI SSC (Payment Card Industry Security Standards Council).

The latest iteration of the PCI DSS – version 4.0 – was released at the end of March 2022.

Read the full text of PCI DSS v4.0 on the PCI Security Standards Council website.

Merchants and service providers have a two-year transition period to update their security controls to conform to the new version of the Standard. Version 3.2.1 will be retired on 31 March 2024.

Read the full text of PCI DSS v3.2.1 on the PCI Security Standards Council website.

IT Governance is a PCI QSA (Qualified Security Assessor) company. 

View our full range of PCI DSS consultancy services

Who has to comply with the PCI DSS?

All merchants and service providers that process, transmit or store cardholder data must comply with the PCI DSS.

  • Merchants accept debit or credit card payments for goods or services. Note that the PCI DSS applies to merchants even if they have subcontracted their payment card processing to a third party.
  • Service providers are directly involved in processing, storing or transmitting cardholder data on behalf of another entity.

Some organisations can be both a merchant and a service provider. For instance, an organisation that provides data processing services for other merchants will also be a merchant if it accepts card payments.

Speak to a PCI DSS expert

Our services can support you at each stage of your organisation’s PCI DSS compliance project. Call our team on +0330 800 7000, or request a call using the form below. Our experts are ready and waiting with practical advice. 

Contact us

Benefits of PCI DSS compliance

Payment security is essential for every organisation that stores, processes or transmits cardholder data.

According to UK Finance’s Fraud the Facts 2019 report, unauthorised financial fraud losses totalled £844.8 million in 2018, a year-on-year increase of 16%.

The Standard provides specific, actionable guidance on protecting payment card data. This guidance can be applied to organisations of any size or type that use any method of processing or storing data.

Penalties for non-compliance with the PCI DSS

The PCI DSS is a standard not a law, and is enforced through contracts between merchants, acquiring banks that process payment card transactions and the payment brands.

Each payment brand can fine acquiring banks for PCI DSS compliance violations. In turn, acquiring banks can withdraw the ability to accept card payments from non-compliant merchants.

Compliance obligations for merchants also increase significantly in the event of a breach.

Moreover, cardholder data breach or theft is also a breach of the EU GDPR (General Data Protection Regulation). Data breaches risk heavy penalties under the Regulation: up to €20 million or 4% of annual global turnover – whichever is greater.

Learn more about GDPR compliance

The 12 PCI DSS requirements

The PCI DSS specifies 12 requirements that are organised into six control objectives.

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data.

Learn more about PCI DSS Requirement 1  

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Learn more about PCI DSS Requirement 2 


Protect cardholder data

3. Protect stored cardholder data.

Learn more about PCI DSS Requirement 3 

4. Encrypt transmission of cardholder data across open, public networks.

Learn more about PCI DSS Requirement 4 


Maintain a vulnerability management programme

5. Use and regularly update anti-virus software or programs.

Learn more about PCI DSS Requirement 5 

6. Develop and maintain secure systems and applications.

Learn more about PCI DSS Requirement 6 


Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know.

Learn more about PCI DSS Requirement 7 

8. Assign a unique ID to each person with computer access.

Learn more about PCI DSS Requirement 8 

9. Restrict physical access to cardholder data.

Learn more about PCI DSS Requirement 9 


Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.

Learn more about PCI DSS Requirement 10 

11. Regularly test security systems and processes.

Learn more about PCI DSS Requirement 11 


Maintain an information security policy

12. Maintain a policy that addresses information security for employees and contractors

Learn more about PCI DSS Requirement 12 

How to become PCI DSS compliant

Merchants and service providers can show they meet PCI DSS requirements by doing an audit of their CDE (cardholder data environment) against the Standard's applicable requirements.

The types of audit are:

The type of audit you must undergo, and your exact PCI compliance requirements will vary depending on your merchant or service provider level. This level is based on the number of card transactions processed per year.

Generally, the criteria applied will be based on those set by Visa and Mastercard, the predominant payment card brands.

PCI DSS: merchant validation criteria

Level

Criteria

Annual validation criteria

1

Merchants that process more than 6 million transactions per year, or those whose data has previously been compromised.

  • RoC conducted by a QSA or ISA.
  • Quarterly scan by an ASV.

2

Merchants that process 1 million to 6 million transactions per year.

  • RoC conducted by a QSA or ISA, or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  • Quarterly scan by an ASV.

3

Merchants that process 20,000 to 1 million transactions per year.

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

4

Merchants that process fewer than 20,000 transactions per year.

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

PCI DSS: service provider validation criteria

Level

Criteria

Annual validation criteria

1

Service providers that process, transmit and/or store more than 300,000 transactions per year.

  • RoC conducted by a QSA or ISA.
  • Quarterly scan by an ASV.

2

Service providers that process, transmit and/or store fewer than 300,000 transactions per year.

  • RoC conducted by a QSA or ISA, or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  • Quarterly scan by an ASV.

Level-1 organisations

Level-1 organisations must have an external audit performed annually by a QSA and submit an RoC to their acquiring banks to prove their compliance.

The QSA will:

  • Validate the scope of the assessment;
  • Review all documentation and technical information provided;
  • Determine whether the Standard has been met;
  • Provide support and guidance during the compliance process;
  • Be onsite for the duration of the assessment as required;
  • Adhere to the PCI DSS assessment procedures;
  • Evaluate compensating controls; and
  • Produce the final RoC.
PCI DSS Audits – Preparing for success

Free green paper: PCI DSS Audits – Preparing for success

Download this paper to better understand the PCI DSS audit process and learn about our step-by-step approach to preparing for audit success.

Download now

List of PCI DSS SAQs

Level-2, -3 or -4 organisations can use an SAQ, comprising yes/no questions, to assess their level of cardholder data security. There are nine different questionnaires available.

SAQ

Description

A

Card-not-present merchants, all cardholder data functions fully outsourced.

A-EP

Partially outsourced e-commerce merchants using a third-party website for payment processing.

B

Merchants with only imprint machines or only standalone, dial-out terminals – no electronic cardholder data storage.

B-IP

Merchants with standalone, IP-connected PTS point-of-interaction (POI) terminals – no electronic cardholder data storage.

C-VT

Merchants with web-based virtual payment terminals – no electronic cardholder data storage.

C

Merchants with payment application systems connected to the Internet – no electronic cardholder data storage.

D for Merchants

All other SAQ-eligible merchants not included in the descriptions for SAQ types A to C above.

D for service providers

All service providers defined by a payment brand as eligible to complete an SAQ.

P2PE

Merchants using hardware payment terminals in a PCI SSC-listed P2PE solution only – no electronic cardholder data storage.

PCI DSS Compliance – Simplifying your requirements and SAQ submissions

Learn more about PCI SAQs in our free paper

This paper provides an overview of the benefits of PCI DSS compliance, how to reduce your compliance scope, and how to choose the right SAQ under PCI DSS v4.0.

Download now

Assessing the security of your cardholder data

Many organisations use a three-step process to achieve PCI DSS compliance:

  • PCI DSS Gap Analysis – typically the first step for understanding an organisation’s compliance status. It compares the Standard’s requirements with the organisation’s current arrangements, identifies any compliance gaps and produces a prioritised plan to achieve full PCI DSS compliance.
  • PCI DSS Remediation – actioning the plan based on the gap analysis to reduce the project's scope where possible and close any remaining compliance gaps.
  • PCI DSS Audit – having finished implementing the action plan, an assessor will review your CDE and controls to ensure and record proof that you are PCI DSS-compliant.
  • Watch our free introductory webinar to the PCI DSS

    For further information and a better understanding of the PCI DSS, why not listen to our free webinar? You will get expert advice from one of our QSAs, who will explain how the PCI DSS applies to your organisation.

    The webinar covers:

    • What the PCI DSS is;
    • An introduction to the 12 requirements;
    • How to define your PCI DSS compliance level;
    • Your PCI validation requirements;
    • Why it is important to comply; and
    • The penalties for non-compliance.

    Watch now

    Discover our range of bestselling PCI DSS products and services

    As a QSA company, IT Governance provides services to support you at each stage of your organisation’s PCI DSS compliance project.

    We can help with reducing your CDE scope, conducting a gap analysis or risk assessment, and testing your systems and processes for security vulnerabilities.

    View our range of bestselling products and services to find out how we can help you become PCI compliant today.

    Save 25%
    on Cloud
    training