What is PCI DSS?

The Payment Card Industry Security Standards Council establishes technical and operational requirements to secure payment information. Every retailer and organization that processes, handles, or distributes such information must follow the PCI DSS, an international standard. American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., the major payment card brands that formed the Council, all adopt the PCI set of guidelines, which are mandatory for their respective stakeholders.

The PCI DSS applies to any entity that stores, processes, or transmits cardholder data. It covers the technical and operational system components that hold, or are connected to, cardholder information. Retailers, banks, distributors, developers, and point-of-sale vendors are just a few examples. If your company accepts or handles credit cards, it must follow the PCI DSS.

What are the requirements for PCI DSS?

The PCI DSS is a worldwide data privacy standard that must be adopted by any company, of any scale, that accepts credit cards. It outlines common-sense protection measures aligned with industry best practices.

There are twelve specifications in the PCI DSS:

  1. Secure your systems with firewalls
  2. Configure passwords and settings securely (do not use vendor defaults)
  3. Protect stored cardholder data
  4. Encrypt cardholder data transmitted over open, public networks
  5. Keep anti-virus software up to date
  6. Keep systems patched and up to date
  7. Restrict access to cardholder data to those with a business need to know
  8. Assign a unique ID to each individual with computer access
  9. Restrict physical access to the workplace and to cardholder data
  10. Implement logging and log monitoring
  11. Perform vulnerability scans and penetration tests
  12. Maintain documentation and conduct risk assessments

Why should you be PCI DSS compliant?

PCI compliance is not only an obligation that helps deter identity fraud; it also provides best practices for identifying, preventing, and resolving data breaches. PCI compliance often protects a company from a data breach in which cardholder data is exposed.

If your organization fails to maintain the standard and a data breach occurs as a result of PCI non-compliance, the card networks will levy a fine. Penalties for PCI non-compliance are serious. Merchants and payment processors that aren’t PCI compliant could face penalties ranging from $5,000 to $100,000 a month, depending on a number of factors.

How to achieve compliance?

The PCI Security Standards Council defines the security standard itself, but each payment card brand runs its own compliance program. Contact your acquiring financial institution with specific compliance queries.

Qualified Assessors

The Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) certification programs are run by the Council. QSAs are businesses that help organizations evaluate and validate compliance with the PCI DSS by assessing the security of their payment processing systems. ASVs are companies approved by the Council to perform the external vulnerability scans that the standard requires.

Self-Assessment Questionnaire

The Self-Assessment Questionnaire (SAQ) is a PCI DSS compliance validation tool for merchants and service providers who are not required to undergo on-site assessments. Different SAQs apply to different business circumstances.

The requirements for validating compliance are determined by the number of annual transactions, the potential for harm, and the degree of exposure introduced into the payment system.

PCI DSS Compliance levels

PCI compliance is divided into four levels based on the annual volume of credit or debit card transactions a firm handles. The level determines what an organization must do to stay in compliance.

Level 1: Merchants who process more than six million real-world credit or debit card transactions each year fall into this level. An external audit by a Qualified Security Assessor (QSA) is required. To demonstrate compliance, the auditor provides a Report on Compliance (RoC) to the organization’s acquiring bank. In addition, companies must submit a PCI scan performed by an Approved Scanning Vendor (ASV) once per quarter.

The external audit consists of an assessment by a QSA (Qualified Security Assessor) or an ISA (Independent Security Assessor). They conduct an on-site assessment of your company to:

  • Validate the scope of the assessment;
  • Examine your paperwork and technical data;
  • Check to see if the PCI DSS standards have been met;
  • Provide assistance and direction throughout the compliance process; and
  • Assess compensatory controls.

Level 2: This level applies to businesses that process between one and six million real-world credit or debit card transactions per year. They must complete an annual assessment using a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AoC) to the acquiring bank. A quarterly PCI scan may be required.

Level 3: Merchants who process between 20,000 and one million e-commerce transactions each year fall into this level. They must complete an annual assessment using a Self-Assessment Questionnaire (SAQ) and submit it to the acquiring bank along with an Attestation of Compliance (AoC). A quarterly PCI scan may be required.

Level 4: This level applies to merchants who process fewer than 20,000 e-commerce transactions or up to one million in-person transactions per year. An annual assessment must be completed and submitted to the acquiring bank along with an Attestation of Compliance (AoC), and a quarterly PCI scan may be required.

Centraleyes is here to assist organizations that need help meeting their PCI DSS compliance obligations.

Centraleyes can make the PCI DSS compliance process easier for you. It can be overwhelming for business owners, but with the right partner you can streamline the process and save time for your team.

Regardless of your payment arrangement, Centraleyes offers all you need from start to finish, including all self-assessment questionnaires (SAQ).

The Centraleyes platform delivers streamlined, automated data collection and analysis, prioritized remediation guidance, and real-time customized scoring to meet the PCI DSS requirements.

In addition, Centraleyes provides a built-in PCI DSS questionnaire mapped back to its control inventory, allowing data to be shared across multiple frameworks through the platform, which saves time and money and yields more accurate data.
