Some of the most publicized credit card data breaches have impacted big brands like Equifax, British Airways, Marriott Hotels, Target, and Capital One. But, in reality, small businesses are equally as vulnerable to cyber risks.  

To help organizations of all sizes protect cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) was established as a global standard to enhance the security of payment account data.

PCI DSS compliance is mandatory for all merchants and service providers, whether you process one or one thousand credit card transactions. 

In this article, we break down everything you need to know about PCI DSS and the steps to proving and maintaining compliance. 

Our latest webinar on PCI DSS walks you through how to streamline and accelerate your road to compliance.

Why was PCI DSS established? 

Let’s start with a bit of background on the PCI DSS framework. While ecommerce dates back to the 1970s, the first versions of the online shopping we know today only emerged in the mid-90s. Amazon and eBay led the way with the launch of their online marketplaces in 1995. Then, once PayPal released its digital payment system three years later, multiple ecommerce sites like Alibaba, IndiaMART, and Etsy began popping up in the years to follow. 

These online transactions came with an unintended downside — the rise of data theft and fraud. Cyber criminals quickly found ways to infiltrate payment systems and steal confidential credit card information. 

Payment brands responded by implementing security standards to protect their cardholder data. Eventually, the “Big Five” — Mastercard, Visa, American Express, Discovery, and JCB — decided to consolidate efforts and formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006.

What is PCI DSS compliance?

The Payment Card Industry Data Security Standards (PCI DSS) was created by the PCI SSC as a guide for entities that store, process, or transmit cardholder data. With established policies and procedures, the PCI DSS sets global standards to secure payment card transactions and protect the personal information of cardholders.

The PCI DSS is not a law, but it applies to all entities involved in the payment card ecosystem. Its compliance is also mandated by most major payment brands. Many jurisdictions, such as Nevada, Minnesota, and Washington, have also elected to incorporate PCI DSS into their regulations. Failure to comply can result in fines, penalties, or card processing restrictions. 

Who needs to be PCI compliant? 

PCI DSS compliance is mandatory for merchants, service providers, and any other organization involved in the payment card ecosystem. 

PCI DSS defines merchants as “any entity that accepts payment cards bearing the logo of a PCI SSC participating payment brand as payment for goods and/or services.”

Service providers encompass a broader spectrum, including any entity “directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.”

An organization can be both a merchant and a service provider. For example, an internet service provider is a merchant that accepts payment cards for monthly bills and is also a service provider if it hosts other merchants as customers.

4 Levels of PCI DSS compliance 

PCI DSS compliance is mandatory for any entity that deals with cardholder data, but not all requirements will be the same. Factors such as the total number of transactions and particular cardholder data environment will determine the organization’s level and exact compliance requirements.

While each payment brand has their own compliance program and classifications, merchants generally fall into one of four levels:

• Level 1 Merchants: More than 6 million payment card transactions annually
• Level 2 Merchants: Between 1 million and 6 million payment card transactions annually
• Level 3 Merchants: Between 20,000 and 1 million payment card transactions annually
• Level 4 Merchants: Fewer than 20,000 online transactions annually    

Service providers are classified into two levels: 

• Level 1 Service Providers: More than 300,000 payment card transactions annually
• Level 2 Service Providers: Less than 300,000 payment card transactions annually

* Payment card transactions includes all in-person and online transactions

What are the requirements of PCI DSS?

The PCI DSS outlines six goals and 12 requirements for entities to enhance the security of cardholder data:  

Build and maintain a secure network and systems

1. Install and maintain network security controls
2. Apply secure configuration to all system components

Protect account data  

3. Protect stored accounts data 
4. Protect cardholder data with strong cryptography during transmission over open public networks 

Maintain a vulnerability management program 

5. Protect all systems and network from malicious software
6. Develop and maintain secure systems and software 

Implement strong access control measures 

7. Restrict access to system components and cardholder data by business need-to-know 
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data  

Regularly monitor and test networks  

10. Log and monitor all access to system components and cardholder data 
11. Test security of systems and networks regularly  

Maintain an information security policy 

12. Support information security with organizational policies and programs

There are additional PCI DSS requirements in Appendix A 

• Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers
• Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections 
• Appendix A3: Designated Entities Supplemental Validation (DESV) 

Note: Every payment brand will also have its own audit requirements.

Who are the professionals involved in PCI DSS?

PCI DSS compliance involves assessing and confirming that the security controls and requirements are sufficiently met by the entity. This involves any of the following PCI SSC qualified industry professionals: 

• Qualified Security Assessor (QSA): An independent security organization certified by the PCI SSC to assess and validate an entity's adherence to PCI DSS
• Internal Security Assessor (ISA): An employee sponsored by their company to perform internal assessments, recommend remediation solutions, and act as a liaison with external PCI DSS auditors
• Approved Scanning Vendor (ASV): An organization qualified to use a set of data security services and tools to determine if a company is compliant with PCI DSS external scanning requirements

How do entities satisfy PCI DSS requirements? 

Validation documents are used to convey an entity’s PCI DSS compliance to acquiring banks or payment brands. 

Acquiring banks, also referred to as “acquirers” or “merchant banks,” are typically financial institutions that processes payment card transactions for merchants. Payment brands are the card agencies (e.g., Visa, Mastercard, American Express) responsible for implementing and enforcing PCI DSS.

Depending on its classification level or number of transactions, entities are either required to undergo a detailed PCI DSS assessment (performed by a QSA) and submit a Report on Compliance or may be eligible to conduct a self-assessment and submit a Self-Assessment Questionnaire. Both documents are accompanied by an Attestation of Compliance, signed by the entity and the QSA (if applicable). 

Quarterly submission of an ASV scan report for network vulnerability scanning may also be required as part of compliance. 

Report on Compliance (ROC): A detailed report that documents the results of a PCI DSS on-site assessment performed by QSA. ROCs are more comprehensive than the Self-Assessment Questionnaires, including information about the entity's cardholder data environment, how each requirement was assessed and validated, and samples selected by the QSA. 

Self-Assessment Questionnaire (SAQ): An alternate validation report for entities that meet the SAQ Eligibility Criteria and are eligible to conduct self-assessments to satisfy PCI DSS compliance. 

SAQs are relatively simpler compared to ROCs and composed of yes-or-no questions. There are nine different SAQs available — eight for merchants and one for service providers — depending on the entity’s environment. 

To determine whether an entity is eligible to complete an SAQ and which SAQ is appropriate, it’s best to contact the acquiring bank or payment brand.

Attestation of Compliance (AOC): A declaration of the results of a PCI DSS assessment or audit, completed and signed by the entity and the QSA (if applicable). AOCs are submitted to the acquiring bank or payment brand, along with the ROC, SAQ, and any other documentation.

The table below shows exactly what’s required for each level of PCI compliance: 

Your PCI DSS compliance journey

As you can see, PCI DSS has hundreds of controls and extensive documentation designed to combat data breaches and theft. However, if you’re just starting on your PCI DSS journey, we recommend focusing on a few key points. Here are the four key milestones and estimated timelines to expect on the path to PCI DSS compliance: 

1. Scoping

• Determine level of PCI DSS compliance: Merchant Level 1-4, Service provider Level 1-2
• Determine PCI DSS scope: Cardholder data environment, system components, network segments, card data flows, etc. 
• Identify applicable SAQ, as applicable

Estimated timeline (without Certification Automation): 2-4 months 

Estimated timeline (with Certification Automation): 1-3 months 

Save an average of one month’s time scoping for PCI DSS compliance, with Certification Automation’s automated scoping wizard that generates required controls, policies, and evidence tasks, and removes duplicative tasks across security frameworks.

2. Self-assessment

• Perform internal self-assessment
• Fill out SAQ and identify gaps 
• Remediate gaps/issues
• Implement controls
• Performs ASV scan (vulnerability scan) 
• Engage and appoint QSA, if needed

Estimated timeline (without Certification Automation): 7-12 months 

Estimated timeline (with Certification Automation): 2-6 months

Reduce your assessment time by an average of six months by relying on Certification Automation’s automated readiness assessments, expert guidance, intuitive workflows, and centralized policy distribution and attestation tracking.

3. Third-party audit

• QSA performs the review (audit)
• Issues ROC and AOC, if applicable

Estimated timeline (without Certification Automation): 1-2 months 

Estimated timeline (with Certification Automation): 1-2 weeks

Save as many as three weeks on the audit process with a central system of record that controls user access and enables real-time collaboration throughout the evidence collection process.

4. Monitoring

• Maintain compliance
• Adhere to evidence collection interval

Estimated timeline (without Certification Automation): 4 months, annually

Estimated timeline (with Certification Automation): 2 months, annually

Save two months every year that you monitor your PCI DSS compliance by automating up to 36% of evidence collection tasks and reinforcing consistent best security practices across your organization.

The next step to PCI DSS compliance

From the outset, all these PCI DSS controls and compliance requirements can be overwhelming. Just remember that PCI DSS is a standardized framework with a range of tools and actionable steps to protect your cardholder data. 

Determining your organization’s level of compliance and its specific validation documents will help simplify the process. OneTrust Certification Automation also delivers built-in expertise and automated integrations to speed up the process and guide you through the steps of your PCI DSS compliance journey.

With OneTrust Certification Automation, you can build, scale, and automate your security compliance program, reduce your cost of compliance up to 60%, and obtain certifications 50% faster.