PCI DSS: Are you taking payment security seriously?

A short introduction to the PCI DSS and how it applies to your business or organisation.

If you are a business that takes credit or debit card payments, no matter how big or small you are, you will need to comply with the Payment Card Industry Data Security Standard (PCI DSS). The regulations are there to protect your business as well as your customers.


Did you know?*

  • of organisations that suffered a breach were not compliant with the Standard.
  • of organisations achieved PCI DSS compliance at the interim assessment.
  • is the average percentage of controls not in place for companies failing their interim assessment.

* Verizon 2017 Payment Security Report


Payment card security matters

With the new General Data Protection Regulation (GDPR) soon affecting any company that does business in the EU, the penalties for taking inadequate security precautions around payment card data are about to get worse.

In the event a company fails to protect personal information, which includes payment card data, the fine is up to €20 million or 4% of annual global turnover – whichever is greater.

Although PCI DSS compliance is improving, research shows that even among the companies that pass validation, nearly half fall out of compliance within a year. This could be because of one or more of the following:

  • A change to the PCI DSS (the latest version is 3.2), or the interpretation of the PCI DSS.
  • New software/technology that was not implemented with PCI DSS controls in mind.
  • A process or policy that is in need of modification.
  • Organisation, personnel or vendor changes.
  • A system that was not tested during the previous assessment.


By creating the PCI DSS, the companies set out to provide a unified, industry-wide standard

Unveiled in 2004, the PCI DSS is the result of collaboration between the major credit card brands: American Express, Discover, JCB, Mastercard and Visa. Originally, each of the card companies implemented its own security programme.

The PCI DSS was developed to encourage and enhance cardholder data security, and to facilitate the broad adoption of consistent data security measures globally. As a general guideline, any merchant or service provider that stores, processes or transmits cardholder data is required to comply with the Standard. Organisations that fail to comply are likely to get less beneficial commercial terms (and may even be refused service), and those that suffer a breach and are found to have fallen out of compliance are likely to face significant fines.


Understanding a business’s PCI DSS level

PCI DSS compliance requirements vary depending on the number of card transactions a business accepts. The following merchant levels apply (criteria are from Visa and Mastercard):

  • PCI Level 1: more than 6 million transactions per year
  • PCI Level 2: 1 million to 6 million transactions per year
  • PCI Level 3: 20,000 to 1 million e-commerce transactions per year
  • PCI Level 4: fewer than 20,000 e-commerce transactions per year (Visa); all other merchants (Mastercard)


PCI DSS validation requirements for merchants and service providers

The three validation mechanisms are:

  • Quarterly ASV scanning
  • Yearly SAQ
  • Annual on-site QSA audit

Which of these apply depends on the organisation's role and transaction volume.

For merchants:

  • Organisations processing fewer than 6M Visa or Mastercard transactions annually
  • Organisations processing more than 6M Visa or Mastercard transactions annually

For service providers:

  • Organisations processing fewer than 300K Visa or Mastercard transactions annually
  • Organisations processing more than 300K Visa or Mastercard transactions annually


Audit and RoC

Only Level 1 merchants are required to submit a Report on Compliance (RoC) to verify whether the required policies, procedures and controls are in place. The RoC is a security audit assessing your organisation’s ability to protect cardholder data. The audit includes interviews, an analysis of policies and procedures, and validation of the technical controls pertaining to the cardholder data environment. The RoC must be completed annually by a Qualified Security Assessor (QSA) to verify compliance with the relevant controls.


Self-assessment questionnaire (SAQ)

Merchants at other levels can self-audit and submit an SAQ. The SAQ is a validation tool for qualifying merchants and service providers that are neither required to undergo an on-site data security assessment nor submit an RoC. The purpose of the SAQ is to help organisations self-evaluate their compliance with the PCI DSS. Use our table to identify which SAQ you need to complete, and whether a vulnerability assessment mechanism is required.

PCI DSS requirements

Build and maintain a secure network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management programme

  • Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures

  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an information security policy

  • Requirement 12: Maintain a policy that addresses information security for all personnel


The 12 requirements of the PCI DSS

For further information, read our page that outlines the PCI DSS’s 12 requirements and explains how to achieve and maintain compliance with each.


Protect profits by managing payment card risk

We believe the most effective way forward is not to view the PCI DSS as an impending compliance burden, but to use it as originally intended: as an information security baseline that provides the opportunity to reduce risk.

We provide services to support both small and enterprise business PCI DSS activities throughout all stages – from building a PCI DSS programme to performing ongoing assessments aimed at improving your security posture.


Identify the right SAQ to achieve full compliance with the PCI DSS

PCI DSS SAQs can make compliance easier for organisations with lower transaction volumes, but it’s helpful to have the guidance of PCI DSS experts to make sure your responses are in line with each requirement.

Streamline your policy documentation requirements

The PCI DSS Documentation Toolkit provides you with all the policies, procedures and work instructions you need to achieve compliance with the Standard. Containing an extensive list of policies appropriate for the PCI DSS, the toolkit can save you hours of work and expensive consultancy fees.

Assess your current PCI DSS compliance posture and produce a roadmap to achieve compliance with the Standard

Our QSAs can review your in-scope systems and networks to provide a detailed report about the areas that need attention. You will also receive a plan to bridge the gap between your current security posture and full compliance with the Standard.

Confirm that the controls required by the PCI DSS are in place and effective

PCI DSS compliance, especially for RoCs and some SAQs, requires internal and external vulnerability scans, and regular penetration tests. Regular testing is fundamental to making sure that an organisation is prepared for the full range of attacks that companies face.

Reduce the time and cost needed to achieve compliance

PCI DSS remediation can be both time consuming and resource intensive. Our QSAs can develop a well-structured remediation plan to help fix areas of non-compliance and accelerate the retesting process.

A fully documented RoC that is accepted by your business partners

A PCI DSS RoC is required of organisations with large transaction volumes, and must be conducted by a QSA, who will issue a formal report to the Payment Card Industry Security Standards Council (PCI SSC) to attest that your organisation is in full compliance.
