
PCI DSS Compliance

Businesses that handle online payments or billing data, such as SaaS vendors and e-commerce merchants, may be subject to PCI DSS compliance. These rules set the baseline for secure payment processing and protect cardholder data across systems.

What Is PCI DSS Compliance?

PCI DSS compliance means your business follows certain security rules that keep cardholder data safe when you store, process, or send it. The Payment Card Industry Security Standards Council (PCI SSC), a group formed by major card brands like Visa, Mastercard, and American Express, created these standards.

These rules apply to:

  • Online stores
  • Digital marketplaces that let sellers accept payments
  • Physical retail outlets
  • Third-party vendors, like payment gateways, cloud service providers, content delivery networks, and customer support platforms
  • Financial institutions and processors

SaaS products must also comply if they manage or pass payment information through their platform, whether via built-in features or through APIs.

No matter the size of your company, you're subject to compliance. Even a single card transaction in a year puts your business within the scope of PCI DSS.

How Does PCI DSS Compliance Work?

Here's how businesses can get PCI DSS compliance:

1. Determine Your Merchant Level

Start by knowing what your merchant level is. This depends on how many card transactions your business processes each year.

  • Level 1: Over 6,000,000 total transactions annually
  • Level 2: Between 1,000,000 and 6,000,000 total
  • Level 3: Between 20,000 and 1,000,000 online transactions
  • Level 4: Fewer than 20,000 online or up to 1,000,000 other transactions

Your level decides how you'll need to prove your compliance. If you process more, you must go through more formal validation steps.

2. Understand the 12 PCI DSS Requirements

PCI DSS outlines 12 core requirements grouped under six major goals, such as keeping networks secure and using encryption. We'll break these down in the next section.

3. Conduct a Vulnerability Scan

If you manage cardholder data on your own servers and are a Level 2, 3, or 4 merchant, you'll probably need to run quarterly scans, which an Approved Scanning Vendor (ASV) can do for you. The scan checks your systems for any weak spots hackers could use to access payment data.

4. Complete Compliance Documentation

Level 1 merchants need to go through an official audit. A Qualified Security Assessor (QSA) reviews your setup and confirms that you meet the requirements. Once confirmed, the QSA will hand over a detailed Report on Compliance (ROC) and a certificate.

However, if you fall under Levels 2 to 4, you can usually complete a Self-Assessment Questionnaire (SAQ). This questionnaire reflects your business type and how you handle payments.

The next step is to submit the following to your bank or processor: 

  • SAQ or ROC (depending on your merchant level)
  • Attestation of Compliance (AOC), which is a formal statement affirming that you've completed the required PCI DSS controls
  • Vulnerability scan reports (if applicable)

5. Conduct Ongoing Monitoring and Maintenance

Compliance doesn't end once you submit your paperwork. You'll need to re-evaluate it every year.

Keep logs, monitor your systems for suspicious activity, and stay ready to respond quickly if anything goes wrong with proper incident response plans.

Benefits of PCI DSS Compliance 

When you follow PCI DSS standards, you build strong walls around some of the most sensitive data you handle: your customers' card information. This lowers the risk of a breach and shows people you take their privacy seriously, which builds long-term trust.

Adhering to this standard also simplifies compliance with many others. If you're aligned with rules like the General Data Protection Regulation (GDPR), Privacy Shield Certification, and healthcare-specific rules such as the Business Associate Agreement (BAA) for handling Protected Health Information (PHI), you'll find a lot of overlap.

And when it's time for audits or vendor reviews, having your security controls in place gives you a head start. You'll spend less time scrambling and more time collaborating with vendors who care as much about data security as you do.

What Are the 12 PCI DSS Requirements? 

To comply with PCI DSS, businesses must meet 12 key requirements, grouped under six overarching goals, which are:

  • Build and maintain a secure network and systems.
  • Protect cardholder data.
  • Maintain a vulnerability management program.
  • Implement strong access control measures.
  • Regularly monitor and test networks.
  • Maintain an information security policy.

These requirements are the foundation of the PCI DSS standard and represent the minimum security controls for protecting cardholder data across systems, networks, and processes.

Let's look at the 12 requirements.

1. Install and Maintain a Firewall To Protect Cardholder Data

A firewall watches what comes in and out of your network and decides what's allowed.

This requirement ensures you have a first line of defense in place and that it stays updated as your systems evolve.

Key points to note:

  • Define clear firewall rules to allow only the traffic you need and block everything else by default.
  • Keep firewall software and firmware updated to defend against the latest threats. 
  • Limit access to the area where cardholder data is stored or processed (called the Cardholder Data Environment (CDE)) only to authorized users and systems. Segment your network to isolate the CDE from the rest of your infrastructure. For example, don't let your public-facing web server talk directly to the database that stores cardholder data.
  • Control connections between trusted parts of your network and non-trusted ones (like the internet or a guest Wi-Fi zone).
  • Protect hybrid endpoints, like laptops, that connect both to the CDE and outside networks. Use extra layers like endpoint detection or zero-trust rules to reduce the risk of compromise.

2. Apply Secure Configurations to All System Components

Hackers often exploit factory-default passwords and settings to break into systems. To block this, businesses should:

  • Replace all default credentials.
  • Remove unnecessary software and accounts or turn off unused services.
  • Make sure your team defines, understands, and follows a clear process for securing every system, including wireless networks.

3. Keep Stored Account Data Safe

Payment data includes both cardholder info and sensitive authentication data (SAD). You must protect this information wherever you store, send, or process it.

Be sure to:

  • Never store SAD (like CVVs or PINs) after authorization.
  • Limit the storage of account data to what's truly needed.
  • Mask or encrypt Primary Account Numbers (PANs).
  • Restrict who can view or copy the full PAN.
  • Manage cryptographic keys securely throughout their entire lifecycle.
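As an added illustration of the "never store SAD" and "mask the PAN" points above (this is example code, not from the original article), the Python below sanitizes a payment record before it is written to storage: it drops sensitive authentication data fields, reduces the PAN to its last four digits, and uses a Luhn check to find and mask card numbers that leaked into free-text fields such as a support note. The field names and the sample record are constructed for the example.

```python
import re

# Sensitive authentication data (SAD) that must never be kept after
# authorization. Field names are assumptions for this example.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "pin", "pin_block", "track1", "track2"}

# 13 to 19 digits, optionally separated by spaces or hyphens, ending on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: distinguishes a real PAN from a random run of digits."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the most a support agent needs to see."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_pans_in_text(text: str) -> str:
    """Mask any Luhn-valid card number embedded in free text (chat, notes)."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_RE.sub(repl, text)


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of the record that is safe to persist under Requirement 3."""
    out = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue                      # SAD is dropped, never stored
        if key.lower() == "pan":
            out[key] = mask_pan(re.sub(r"[ -]", "", str(value)))
        elif isinstance(value, str):
            out[key] = redact_pans_in_text(value)
        else:
            out[key] = value
    return out
```

If the full PAN must be kept for a business reason, it would go to an encrypted store or a tokenization service instead of this masked copy; the function above only produces what is safe to log or show to support staff.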

4. Encrypt Transmission of Cardholder Data Across Open, Public Networks

When card data travels over public or untrusted networks, it becomes vulnerable. Attackers often target poorly configured systems or outdated encryption.

You must:

  • Always use strong encryption when sending PAN, whether over email or chat.
  • Protect the entire session or the data itself before sending.
  • Use proven technologies like Transport Layer Security (TLS) to secure data in transit. For example, if you're building a PCI-compliant chat app, you must enforce end-to-end encryption using protocols like TLS to safeguard that data, even if it's only in transit for a few seconds.
  • Make sure your team understands and implements encryption requirements.

5. Protect All Systems Against Malware and Regularly Update Antivirus Software

Malware can sneak in through emails, downloads, USBs, or unsafe websites. Once inside, it can steal, lock, or corrupt your data.

To stay safe:

  • Define processes to protect systems and networks, and make sure that everyone understands them.
  • Use strong anti-malware tools and keep them up to date. Modern Endpoint Detection and Response (EDR) tools or Extended Detection and Response (XDR) platforms can help you detect malware faster.
  • Block known phishing attacks.
  • Scan all systems regularly to detect vulnerabilities quickly. 

6. Develop and Maintain Secure Systems and Applications

Unpatched systems give attackers an easy way in. Install updates and security patches as soon as they're available, especially for public-facing apps and tools inside the CDE.

You should:

  • Create secure development and update processes.
  • Build custom apps using secure coding practices.
  • Fix vulnerabilities as soon as they show up.
  • Protect any web-facing apps from common attacks.
  • Follow strict procedures when making any system changes.

7. Restrict Access to Cardholder Data by Business Need-To-Know

Not everyone needs full access to everything. To protect sensitive cardholder data, only grant access to the systems and info your team members truly need for their job.

Here's how to do it:

  • Define who can access what and why. For example, a customer support agent may need to see the last four digits of a card number to verify a user, but they don't need full access to the payment system.
  • Use role-based access controls, where access to data and systems is granted based on a user's job role.
  • Apply the principle of least privilege, which means giving the lowest level of access necessary to perform a role without extra permissions.

8. Identify and Authenticate Access to System Components

To keep cardholder data safe, every person who touches your systems needs their own ID. This way, you know exactly who did what and when.

You should:

  • Assign a unique user ID to each employee, contractor, or admin.
  • Use strong passwords and keep user accounts updated throughout their entire lifecycle.
  • Use Identity and Access Management (IAM) tools such as Okta or directory services like Microsoft Active Directory to enforce secure login processes, apply multi-factor authentication (MFA), and quickly disable accounts when someone leaves.
  • Limit access from shared or default accounts. People should log in as themselves, not as a generic "admin."

This requirement only applies to people who can access internal systems; it doesn't apply to customers making payments.

9. Restrict Physical Access to Cardholder Data

You must protect the physical spaces where you store or process payment data. To do this, you need mechanisms in place that restrict entry to the facilities where the data is stored.

You can: 

  • Use badges, locks, or biometrics to control who enters secure areas.
  • Log and approve all visits from vendors, contractors, or maintenance staff.
  • Store physical media (like printed reports or backup drives) securely and destroy them when no longer needed.
  • Keep an eye on Point-of-Interaction (POI) devices. Prevent malicious actors from swapping or tampering with them.

10. Track and Monitor All Access to Network Resources and Cardholder Data

It's difficult to fix what you can't trace. Good logging helps you catch issues early and respond quickly.

Remember to: 

  • Implement audit logs so that you can detect anomalies (like a failed login or a strange data request) and support forensic analysis if needed.
  • Protect audit logs from being changed or deleted. Only a few trusted people should manage them.
  • Use consistent time settings across systems to piece together events accurately.
  • Set alerts for when critical systems fail so you can respond before an issue gets out of hand.

11. Regularly Test Security Systems and Processes

Businesses must regularly test their defenses to stay safe because even the strongest systems grow vulnerable over time.

Also, take care to: 

  • Run internal and external vulnerability scans often.
  • Perform penetration testing to simulate real-world attacks and close any gaps you find.
  • Monitor for unauthorized wireless access points, as these often go unnoticed and can become easy entry points.
  • Detect unexpected file changes or suspicious network activity and respond quickly.
  • Watch for changes to payment pages and shut down anything you didn't authorize.

Note: You must run external vulnerability scans at least every three months through a PCI ASV. To pass, your scan report must show no vulnerabilities with a CVSS base score of 4.0 or higher and no issues that violate PCI DSS configurations or features.

Not sure where to start? Ask your acquiring bank. They may recommend PCI ASVs. You can then compare options and choose one that fits your needs.

12. Maintain a Policy That Addresses Information Security for All Personnel

Every team, vendor, and system needs to align with your security policies, and you must make sure that the rules are clear and up-to-date.

You also need to:

  • Maintain a written security policy that guides how you protect sensitive data.
  • Define your PCI DSS scope clearly and update it as your systems evolve.
  • Set acceptable use rules (a guide of dos and don'ts) for company devices and tech.
  • Train staff continuously; awareness shouldn't stop after onboarding.
  • Screen new hires to reduce the chance of insider threats.
  • Vet Third-Party Service Providers (TPSPs) who support your PCI compliance.

Frequently Asked Questions

What Four Things Does PCI DSS Cover?

PCI DSS covers four core areas to protect cardholder data:

  1. Security Management: Policies and procedures that govern how your organization handles sensitive information.

  2. Network Architecture: Ensuring your systems, firewalls, and configurations are set up securely.

  3. Access Control: Restricting who can view or interact with cardholder data, both digitally and physically.

  4. Monitoring and Testing: Ongoing audits, vulnerability scans, and system logging to detect and respond to threats.

Who Needs To Be PCI Compliant?

Any organization that accepts, processes, stores, or transmits credit card data must comply with PCI DSS. Even if you process only one credit card transaction per year, PCI DSS still applies. The level of compliance effort varies based on your transaction volume, but the responsibility never goes away.

Is PCI DSS Compliance Legally Required?

No, PCI DSS isn’t a law. But if your business accepts, processes, stores, or transmits card payments, compliance is mandatory under your contract with payment brands like Visa, Mastercard, and your acquiring bank. You can’t accept cards without it.

What Are the Consequences of Non-Compliance?

If you are not compliant, you may face fines (often passed to you by the payment processor), higher transaction fees, or lose the ability to accept card payments. If a breach occurs, you could be held liable and face investigations.

What Is The Benefit of Using a Third-Party Service Provider for Payment Processing?

A compliant TPSP can take the burden off your shoulders. If they tokenize or process payments on your behalf, you don’t need to touch the raw card data. That means fewer PCI DSS rules apply to you.

For example, instead of building secure storage for PANs, you can simply rely on your provider’s infrastructure, saving you time, cost, and complexity. Just make sure you choose a provider listed as PCI DSS compliant and keep a formal agreement that outlines their responsibilities.