What is PCI Compliance?

What is PCI compliance

PCI compliance refers to an entity implementing the Payment Card Industry Data Security Standard (PCI DSS), published by the Payment Card Industry Security Standards Council (PCI SSC). The PCI DSS applies to organizations involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), and its scope extends to any system component that could affect the security of that data.

If your entity is a merchant that processes payment card transactions, the standard applies to you, and your entity should be compliant with the PCI DSS in order to protect cardholder account data (CHD and/or SAD). PCI DSS is not required by federal law, but several states have written PCI DSS, or similar minimum data security requirements, into statute for applicable entities. Court precedent also suggests that adherence to PCI DSS can limit liability in claims arising from a negligent data breach, identity theft, data loss, or data misuse. Non-compliance exposes the entity to severe consequences, including card brand penalties and fines passed through the acquirer, lawsuits and civil liability, damaged brand reputation, and loss of the ability to accept payment cards.

What is PCI DSS Compliance?

The PCI DSS is a set of six (6) objectives achieved by meeting twelve (12) requirements, applicable to entities that accept, process, transmit, or store payment card information. In 2004, the principal payment card brands aligned their individual security programs into a single standard defining the minimum controls required to prevent theft of cardholder data and to reduce payment card fraud. The Payment Card Industry Security Standards Council (PCI SSC) was formed two years later, in 2006, as the governing body tasked with maintaining and evolving PCI DSS to keep up with changing technologies and environments. The current version of PCI DSS is 4.0.1, published in June 2024. Version 4.0 was retired on December 31, 2024, leaving 4.0.1 as the only active version, and the future-dated requirements introduced with 4.0 became mandatory on March 31, 2025.

 

Levels of PCI DSS Compliance

What are the Four Levels of PCI DSS Compliance?

There are four (4) merchant levels that determine the type of annual validation needed to maintain compliance. The levels are defined by the individual card brands and acquirers, not by the PCI SSC, and the exact thresholds differ slightly between brands; the commonly cited figures are based on how many payment card transactions the entity processes in a year, as follows:

  • Level 1: more than 6 million annual transactions
    • Requires an annual on-site assessment and Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or a qualified Internal Security Assessor (ISA); quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); and completion of the Attestation of Compliance (AOC).
  • Level 2: between 1 million and 6 million annual transactions
    • Requires annual completion of the appropriate PCI Self-Assessment Questionnaire (SAQ); quarterly network scans by an ASV (where applicable to the SAQ type); and completion of the AOC.
  • Level 3: between 20,000 and 1 million annual e-commerce transactions
    • Requires annual completion of the appropriate PCI SAQ; quarterly network scans by an ASV (where applicable to the SAQ type); and completion of the AOC.
  • Level 4: fewer than 20,000 annual e-commerce transactions, and all other merchants processing up to 1 million transactions
    • Requires annual completion of the appropriate PCI SAQ; quarterly network scans by an ASV (where applicable to the SAQ type); and completion of the AOC.

Note that an entity that experiences a breach compromising cardholder data may be moved to a higher level by the card brands to compensate for the increased risk. Merchants that are not required to have an annual ROC by a QSA may choose to obtain one anyway, both to improve their credibility with customers and acquirers and to gain independent assurance that their controls actually work. Payment card data is under persistent threat from attackers, so any business that accepts cards has a vested interest in protecting it. The validation documents noted above (SAQ or ROC, AOC, and ASV scan reports) are submitted by the entity to its acquiring bank or other interested parties as part of its agreement with them.

Some of the largest data breaches include familiar companies such as Marriott, Equifax, Home Depot, and Target. Compliance with the PCI DSS standard helps to reduce data security risk and the most common causes of payment card data breaches by addressing critical data security controls.

 

PCI compliance requirements

What Are the PCI DSS Requirements?

The six objectives and twelve requirements include technical and operational controls that help to protect cardholder data. A high-level summary follows. The objective and requirement titles are taken directly from PCI DSS version 4.0.1 on the PCI SSC website; the descriptions beneath them summarize the intent of each requirement rather than reproducing its full text.

Objective 1: Build & Maintain a Secure Network & Systems

In today’s interconnected digital landscape, the integrity, confidentiality, and availability of information depend on robust security practices. Building and maintaining secure networks and systems is essential to protect against evolving cyber threats, safeguard sensitive data, and ensure operational continuity. This requires a layered approach that includes network security controls such as firewalls and secure, hardened configurations for every system component, starting with changing vendor-supplied defaults.

Requirement 1: Install & Maintain Network Security Controls

Network security controls (NSCs), which in PCI DSS 4.0 include not only firewalls and routers but also cloud security groups, virtual firewalls, and other technologies that filter traffic, should be configured to protect cardholder data. Rulesets should restrict inbound and outbound traffic between untrusted networks and the cardholder data environment (CDE) so that only explicitly authorized traffic is allowed and all other traffic is denied by default. Direct public access between the Internet and any system component in the CDE should be prohibited, and the rulesets and network diagrams should be reviewed at least every six months to confirm they still match the documented business need.

Requirement 2: Apply Secure Configurations to All System Components

Vendor-supplied defaults should be changed before a system component is deployed on the network or connected to the CDE. Default passwords must be changed and unnecessary default accounts removed or disabled, because attackers routinely try published default credentials first. Configuration standards should be developed for every type of system component, based on industry-accepted hardening guides, and updated as new vulnerabilities become known; they should enable only the services, protocols, and daemons that are required and disable or remove the rest. (Password length and complexity, and multifactor authentication, are addressed under Requirement 8.)

Objective 2: Protect Account Data

In PCI DSS, "account data" means cardholder data (the primary account number or PAN, cardholder name, expiration date, and service code) together with sensitive authentication data (full track data, card verification codes, and PINs or PIN blocks). This data is what attackers are after, so protecting it is the core of the standard: limit where it is stored, limit who can reach it, render it unreadable at rest, and encrypt it in transit. By prioritizing account data security, organizations can prevent data breaches, preserve cardholder trust, and maintain compliance with industry standards.

Requirement 3: Protect Stored Account Data

Entities that possess cardholder data, whether printed, processed, transmitted, or stored in any manner, have the responsibility to prevent its unauthorized use. Stored PAN must be rendered unreadable wherever it is located, using one of the methods PCI DSS accepts: a keyed one-way hash of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography with documented key-management procedures. Masking (displaying no more than the BIN and last four digits) is a display control that limits what people see on screens and receipts; it is not a substitute for rendering stored PAN unreadable. Sensitive authentication data must not be retained after authorization at all, even if encrypted, unless the entity is an issuer with a documented business need. Access to stored account data should be restricted to individuals with an authorized business need under the principle of least privilege, data should be retained no longer than the documented retention period and disposed of securely, and printed sensitive information should be kept in locked filing cabinets and cross-cut shredded when no longer needed.
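The following is an added example, not code from the article or from Linford and Company, showing what "rendering PAN unreadable" looks like in practice: a Luhn check to tell real PANs from look-alike digit runs, masking for display, truncation and a keyed hash for storage, a post-authorization record builder that drops sensitive authentication data, and a scrubber for free text such as application logs. The six-digit BIN length, the SAD field names, and the card numbers (standard test numbers) are assumptions made for the example.

```python
"""Added example (not part of the article): rendering PANs unreadable as
Requirement 3 describes. All card numbers below are constructed test values."""
import hashlib
import hmac
import re

# Assumption: six-digit BINs. Eight-digit BINs also exist; the masking rule
# ("BIN and last four at most") then keeps eight leading digits instead of six.
BIN_LEN = 6

# Field names that hold sensitive authentication data (SAD). SAD must never be
# retained after authorization, even encrypted. The names are an assumption
# for this example; map them to your own schema.
SAD_FIELDS = {"cvv", "cvc", "cid", "track1", "track2", "pin", "pin_block"}

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. All major card brands use it, so it filters out
    order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and validate; raise on anything that is not a PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
        raise ValueError("not a valid PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: BIN and last four visible, everything in between masked."""
    digits = normalize_pan(pan)
    return digits[:BIN_LEN] + "*" * (len(digits) - BIN_LEN - 4) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form: last four only. The removed digits are gone, not hidden."""
    return normalize_pan(pan)[-4:]


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed one-way hash (PCI DSS 4.0 requires hashes of PAN to be keyed) so
    records can be matched to a card without storing the PAN. The key is a
    cryptographic key: manage it as such and never store it beside the hashes."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def storable_record(auth: dict, key: bytes) -> dict:
    """Reduce a post-authorization record to what may be retained: SAD fields
    are dropped and the PAN is replaced by its truncation and keyed hash."""
    record = {k: v for k, v in auth.items()
              if k.lower() not in SAD_FIELDS and k.lower() != "pan"}
    record["pan_last4"] = truncate_pan(auth["pan"])
    record["pan_hmac"] = keyed_pan_hash(auth["pan"], key)
    return record


def redact_pans(text: str) -> str:
    """Scrub free text (application logs, support tickets) before it is
    written: every Luhn-valid 13-19 digit run is replaced by its masked form,
    while non-PAN digit runs are left untouched."""
    def _sub(m):
        candidate = m.group(0)
        digits = re.sub(r"[ -]", "", candidate)
        return mask_pan(digits) if luhn_valid(digits) else candidate
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    demo_key = b"example-key-do-not-use"   # constructed; use a managed key in practice
    auth = {"pan": "4111 1111 1111 1111", "exp": "12/27", "cvv": "123",
            "amount": "42.00", "auth_code": "A1B2C3"}
    print(storable_record(auth, demo_key))
    print(redact_pans("order 1234567890123 paid with 4111-1111-1111-1111 ok"))
```

Two caveats worth noting when adapting this. First, the Luhn check only reduces false positives; a scrubber like `redact_pans` is a safety net for data that should not have reached a log in the first place, not a licence to log raw request bodies. Second, PCI DSS requires that where hashed and truncated forms of the same PAN coexist, they cannot be correlated to reconstruct it; a keyed hash whose key is held outside the data store satisfies that, an unkeyed SHA-256 of the PAN does not.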

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Entities transmitting cardholder data across open, public networks (the Internet, wireless, cellular, and similar) must protect it in transit with strong cryptography, for example TLS 1.2 or later with strong cipher suites; SSL and early TLS (1.0 and 1.1) are not considered strong cryptography and must not be used to protect PAN. Certificates used for this purpose should be valid (not expired or revoked) and issued from a trusted source, and the entity should maintain an inventory of its trusted keys and certificates. PAN must also never be sent unprotected over end-user messaging technologies such as e-mail, instant messaging, or SMS.
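As an added example (not the article's own material), the following Python `ssl` configuration shows the weak client setup that Requirement 4 rules out beside a configuration that meets it, together with a small audit function that reports the gaps in either. The cipher-string and the list of weak-suite markers are choices made for this example; nothing here opens a network connection.

```python
"""Added example (not part of the article): a TLS client configuration that
meets Requirement 4's "strong cryptography" bar, beside the weak configuration
it replaces, plus a check that audits either one."""
import ssl
from typing import List, Optional

# Cipher-suite name fragments PCI DSS does not consider strong cryptography.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "RC2")


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: no lower protocol bound and no certificate validation,
    so a downgrade to early TLS or a forged certificate goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def pci_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2 or later only, authenticated-encryption suites with forward
    secrecy, and full certificate and hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # TLS 1.2 suite list. TLS 1.3 suites are governed separately by OpenSSL
    # and are all AEAD with forward secrecy.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION   # removes the CRIME attack surface
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # pin to your own trust store
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the Requirement 4 gaps found in a context; an empty list means
    these checks found none."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("min_version_below_tls12")    # SSL / early TLS allowed
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("cert_verification_disabled")
    if not ctx.check_hostname:
        findings.append("hostname_check_disabled")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(w in c["name"] for w in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak_ciphers:" + ",".join(weak))
    return findings


if __name__ == "__main__":
    print("weak  :", audit_context(weak_client_context()))
    print("strong:", audit_context(pci_client_context()))
```

The same three properties (protocol floor, cipher suites, certificate validation) are what an ASV scan and a QSA look at on the server side; `pci_client_context` is the client half, and the audit function is the kind of check worth running in CI so that a convenience `verify=False` cannot ship to the CDE.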

Objective 3: Maintain a Vulnerability Management Program

A well-maintained vulnerability management program is essential for identifying, assessing, and mitigating security weaknesses across an organization’s systems and infrastructure. As threats continuously evolve, timely detection and remediation of vulnerabilities help reduce the risk of exploitation and support compliance with security standards. A vulnerability management program involves protection from malicious software, regular scanning, risk prioritization, patch deployment, and continuous monitoring to ensure a proactive defense posture. By integrating vulnerability management into daily operations, organizations strengthen their overall cybersecurity resilience.

Requirement 5: Protect All Systems & Networks from Malicious Software

The Home Depot data breach in 2014 was attributable to its point-of-sale systems being infected with malware. Entities need to protect all systems against malicious software to reduce the risk of exploitation by malware. Anti-malware software should be deployed on all system components, including workstations and servers, except those the entity has documented as not at risk from malware and re-evaluates periodically. The software should be kept current, perform periodic and real-time scans or continuous behavioral analysis, generate audit logs, and not be disabled or altered by users. Controls that detect and protect personnel against phishing attacks further mitigate the risk of malware reaching the environment.

Requirement 6: Develop & Maintain Secure Systems & Software

Systems and applications should be securely maintained at all times. Applicable security patches should be installed within one month of release for critical and high-security vulnerabilities, and within an appropriate timeframe for the rest, in order to minimize the window in which known vulnerabilities can be exploited to reach cardholder data. Requirement 6 also covers the secure development of bespoke and custom software (developer training, code review, and protection against common coding weaknesses such as injection and broken authentication), change management for system components, and protecting public-facing web applications against known attacks.

Objective 4: Implement Strong Access Control Measures

Implementing strong access control measures is fundamental to safeguarding sensitive information and critical systems. Access controls ensure that only authorized individuals can view or interact with specific resources, reducing the risk of data breaches, insider threats, and unauthorized activity. This includes enforcing principles such as least privilege, role-based access, multi-factor authentication, vendor management, and regular access reviews. By establishing robust access control policies and procedures, organizations can enhance security, protect business integrity, and maintain compliance with industry standards.

Requirement 7: Restrict Access to System Components & Cardholder Data by Business Need to Know

The Marriott data breach in 2018 was attributable to unauthorized access to the network. Under the principle of least privilege, logical and physical access to cardholder data should be granted only on a need-to-know basis for the user to perform their job duties, through a documented access control model that denies all access by default. Access should be reviewed at least every six months and revoked immediately when a user is terminated or no longer needs it.

Requirement 8: Identify Users & Authenticate Access to System Components

Every user should have a unique identification (ID) so that actions on critical system components or with cardholder data can be attributed to an individual; shared or generic accounts are permitted only by exception, with documented approval and individual accountability. Strong authentication should be in place, and multifactor authentication (MFA) is required for all non-console administrative access, for all remote network access originating from outside the entity's network, and, under PCI DSS 4.0, for all access into the CDE.

Requirement 9: Restrict Physical Access to Cardholder Data

The Target data breach in 2013 was attributable to attackers gaining access to its network through a third-party vendor and then deploying malware to its point-of-sale systems. Physical access to cardholder data or systems, including paper or electronic media, should be restricted to individuals requiring such access based on their job function in order to limit unauthorized access to or removal of data. This includes access granted to contractors, consultants, and other vendors or guests. Facility access should be controlled so that only authorized entry is possible and revoked in a timely manner upon termination or when no longer needed, and point-of-interaction (POI) devices that capture card data should be inventoried and periodically inspected for tampering or substitution.

Objective 5: Regularly Monitor & Test Networks

Regularly monitoring and testing networks is essential for maintaining a secure and resilient IT environment. Continuous monitoring helps detect unusual activity and potential security threats in real time, while periodic testing—such as vulnerability assessments and penetration tests—validates the effectiveness of existing defenses. These practices enable organizations to identify weaknesses, respond swiftly to incidents, and ensure that security controls remain effective against evolving threats. A proactive approach to network monitoring and testing strengthens overall cybersecurity posture and supports compliance with industry standards.

Requirement 10: Log & Monitor All Access to System Components & Cardholder Data

By logging and monitoring access to network resources and cardholder data, entities are able to track user activity, allowing forensic analysis of the logs if unauthorized access is detected, and helping to minimize the impact of a data compromise. Without these audit trails, it is difficult to identify and trace events that have occurred. Audit logs should capture, for each event, the user, type of event, date and time, success or failure, origin, and affected resource, and all system clocks should be synchronized to a trusted time source so that events can be correlated across systems. Logs of security events and of critical system components and CDE systems should be reviewed at least daily (automated log analysis tools are permitted, and expected at scale) to identify anomalies and suspicious activity. Logs should be protected from modification, access to them restricted, and audit log history retained for at least twelve months, with the most recent three months immediately available for analysis.
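To make the daily review concrete, here is an added example (not the article's own material) that runs two simple detections over constructed authentication log lines: a burst of failed logins for one user from one source within a time window, a success following such a burst (the signature of a guessed password), and any successful use of a shared or generic account, which defeats the per-user accountability Requirement 8 asks for. The log format, the host and user names, the shared-account list, and the thresholds are all assumptions for the example; a real deployment would read the same fields from syslog or a SIEM.

```python
"""Added example (not part of the article): a daily log review of the kind
Requirement 10 calls for, run over constructed authentication log lines in a
simple format assumed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Generic accounts that defeat Requirement 8's one-ID-per-user accountability;
# the names are an assumption for the example.
SHARED_ACCOUNTS = {"admin", "root", "administrator", "sa"}

# Constructed sample: normal activity, one password-guessing burst that ends in
# a success, and a login with a shared account on a CDE database host.
SAMPLE_LOG = """\
2025-06-11T08:00:05Z cde-app01 auth: SUCCESS user=alice src=10.20.0.15
2025-06-11T08:01:10Z cde-app01 auth: FAILURE user=bob src=10.20.0.31
2025-06-11T08:01:40Z cde-app01 auth: SUCCESS user=bob src=10.20.0.31
2025-06-11T08:05:00Z cde-jump01 auth: FAILURE user=jdoe src=203.0.113.7
2025-06-11T08:05:03Z cde-jump01 auth: FAILURE user=jdoe src=203.0.113.7
2025-06-11T08:05:07Z cde-jump01 auth: FAILURE user=jdoe src=203.0.113.7
2025-06-11T08:05:12Z cde-jump01 auth: FAILURE user=jdoe src=203.0.113.7
2025-06-11T08:05:18Z cde-jump01 auth: FAILURE user=jdoe src=203.0.113.7
2025-06-11T08:05:25Z cde-jump01 auth: SUCCESS user=jdoe src=203.0.113.7
2025-06-11T08:30:00Z cde-db01 auth: SUCCESS user=admin src=10.20.0.40
"""

Alert = Tuple[str, str]   # (rule name, detail)


def review_auth_log(lines, threshold: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Parse, order, and evaluate authentication events; return the alerts."""
    alerts: List[Alert] = []
    events = []
    for line in lines:
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            # A line the reviewer cannot parse is itself a finding: it may be a
            # format change or tampering, and would otherwise be skipped silently.
            alerts.append(("unparsed_line", line))
            continue
        events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m))
    events.sort(key=lambda e: e[0])   # logs from several hosts may arrive out of order

    failures = defaultdict(deque)     # (user, src) -> timestamps of recent failures
    bursting = set()                  # keys that have already tripped the burst rule
    for ts, m in events:
        key = (m["user"], m["src"])
        where = f"{m['user']} from {m['src']} on {m['host']} at {m['ts']}"
        if m["result"] == "SUCCESS" and m["user"] in SHARED_ACCOUNTS:
            alerts.append(("shared_account", where))
        if m["result"] == "FAILURE":
            recent = failures[key]
            recent.append(ts)
            while ts - recent[0] > window:        # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("auth_burst", f"{len(recent)} failures within {window}: {where}"))
        else:
            if key in bursting:
                # A success right after a burst is the one to escalate first.
                alerts.append(("burst_then_success", where))
                bursting.discard(key)
            failures.pop(key, None)               # a success resets the failure count
    return alerts


if __name__ == "__main__":
    for rule, detail in review_auth_log(SAMPLE_LOG.splitlines()):
        print(f"{rule:20} {detail}")
```

The point of the `unparsed_line` alert is easy to miss: a review that quietly skips what it cannot read will also skip the day an attacker changes or corrupts the log format, so parse failures must surface as findings rather than disappear. Running the review over the constructed sample yields, in order, an `auth_burst` for jdoe, a `burst_then_success` for the same user and source, and a `shared_account` alert for the `admin` login on the database host.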

Requirement 11: Test Security of Systems & Networks Regularly

The Equifax data breach in 2017 was attributable to an unpatched application vulnerability on one of its websites. Internal and external vulnerability scans should be performed at least once every three months and after any significant change; the external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV). Internal and external penetration tests should be conducted at least annually and after significant changes, by a qualified internal resource or a third party with organizational independence from the systems under test. Exploitable vulnerabilities and security weaknesses found by scanning or testing should be prioritized by risk and remediated, with rescans to confirm the fix. Regular evaluation of the entity’s security posture makes sure that controls continue to operate effectively in changing environments.

Objective 6: Maintain an Information Security Policy

Maintaining a comprehensive information security policy is vital for defining and enforcing an organization’s approach to protecting data, systems, and resources. An information security policy serves as a foundational framework that outlines security objectives, roles and responsibilities, acceptable use, and compliance requirements. Regular updates and reviews ensure the policy remains aligned with evolving threats, technological advancements, and changing environments. By upholding a well-defined and current information security policy, organizations promote a culture of security awareness and accountability across all levels.

Requirement 12: Support Information Security with Organizational Policies and Programs

An information security policy should be documented and communicated to all personnel so that they are aware of their responsibilities for security and for protecting cardholder data. The policy should be reviewed at least annually, and updated whenever regulatory, system, or environmental changes require it, so that it remains pertinent. Personnel should be trained on the policy so that it is understood by everyone, and a security awareness program, delivered at least annually, should cover the common threats to payment card data, including phishing and social engineering, so that personnel can act as the entity’s first line of defense.

 

Becoming PCI compliant

How To Become PCI DSS Compliant

Depending upon the entity’s PCI DSS compliance level, the entity may perform a self-assessment or be required to engage a Qualified Security Assessor (QSA). If a self-assessment is adequate, the entity completes the Self-Assessment Questionnaire (SAQ) that matches how it handles card data (for example, SAQ A for merchants that have fully outsourced all account data functions to PCI DSS validated third parties, and SAQ D for merchants that store account data or do not meet the criteria for any other SAQ type), covering the PCI DSS requirements applicable to that type. If a self-assessment is not adequate, a Report on Compliance (ROC) is required, conducted by an independent QSA. A QSA is qualified by the PCI SSC to conduct PCI DSS assessments and perform PCI compliance testing. The ROC reports the results of the QSA’s assessment of the entity’s processes and controls against the PCI DSS requirements.

Frequently Asked Questions About PCI Compliance

These are some of the most common questions being asked regarding PCI and compliance.

What Does PCI Stand For?

PCI stands for Payment Card Industry.

Why is PCI Compliance Important?

Complying with PCI DSS is critical to protect cardholder data and/or sensitive authentication data, prevent data security breaches, and reduce fraudulent activity.

What Does PCI DSS Compliance Mean?

An entity that has implemented the data security standards promulgated by the Payment Card Industry Security Standards Council (PCI SSC) and has met its compliance verification requirements based on its compliance level for its annual volume of payment card transactions.

Who Needs to Be PCI Compliant?

Any company that stores, processes, or transmits cardholder data and/or sensitive authentication data.

Is PCI Compliance Required by Law?

Not by federal law, although some states reference PCI DSS or similar requirements in statute. Compliance is stipulated in the contractual agreements in place with the card brands, the acquiring bank (merchant account provider), or the payment service provider, and those parties enforce it.

Your Next Steps for PCI Compliance

If your entity accepts, processes, transmits, or stores payment card data, the PCI DSS standards apply to your entity. Compliance with PCI DSS is a continuous process of assessing potential vulnerabilities that could expose cardholder data, remediating vulnerabilities identified, and reporting on compliance results. The PCI DSS came into being to assist the payment card industry in preventing theft of cardholder data and to reduce the potential for fraud.

As a Qualified Security Assessor, Linford and Company assists organizations with PCI DSS compliance, among other services including SOC 2 audits, SOC 1 audits, ISO/IEC 27001:2022, HIPAA audits, HITRUST assessments, and FedRAMP certification. If you would like to learn more about Linford and Company and the full list of our service offerings, please don’t hesitate to contact us.

This article was originally published on 9/11/2019 and was updated on 6/11/2025.