Payment Card Industry Standard

PCI DSS Compliance

The Payment Card Industry Data Security Standard protects cardholder data wherever it is processed, stored, or transmitted across the payment ecosystem.

  • 12 requirements (security controls)
  • 5 card brands (Visa, MC, Amex, etc.)
  • 4 merchant levels (based on transaction volume)
  • 4.0 latest version (released March 2022)

Who Must Comply with PCI DSS?

Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS.

Merchants

  • E-commerce websites
  • Retail stores
  • Restaurants & hospitality
  • Subscription services

Service Providers

  • Payment processors
  • Hosting providers for merchants
  • Managed security services
  • Tokenization services

Financial Institutions

  • Card issuing banks
  • Acquiring banks
  • Payment facilitators
  • Payment gateways

Compliance Validation: Compliance level depends on transaction volume. Level 1 merchants (6M+ transactions/year) require annual on-site assessment by a QSA.

12 PCI DSS Requirements

Organized into six control objectives

Build and Maintain a Secure Network

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components

Protect Account Data

  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission

Maintain a Vulnerability Management Program

  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

  7. Restrict access to system components by business need-to-know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly

Maintain an Information Security Policy

  12. Support information security with organizational policies and programs

Merchant Compliance Levels

Validation requirements vary based on annual card transaction volume.

  • Level 1 (6M+ transactions/year): annual ROC by a QSA plus quarterly network scans
  • Level 2 (1M-6M transactions/year): annual SAQ plus quarterly network scans
  • Level 3 (20K-1M transactions/year): annual SAQ plus quarterly network scans
  • Level 4 (<20K transactions/year): annual SAQ plus quarterly scans (recommended)

How Dependra Helps with PCI DSS

Manage third-party service provider compliance and protect your cardholder data environment.

  • Inventory all service providers in your CDE
  • Track vendor PCI DSS compliance status
  • Monitor Attestation of Compliance (AOC) dates
  • Identify PCI-compliant payment solutions
  • Assess vendor security controls
  • Generate documentation for PCI audits

PCI DSS Quick Facts

  • Full name: Payment Card Industry Data Security Standard
  • Managed by: PCI SSC
  • Current version: 4.0 (March 2022)
  • v4.0 mandatory: March 31, 2025
  • Type: industry standard

Ready for PCI DSS Compliance?

Protect cardholder data and meet payment card industry requirements.