Beginner’s Guide to PCI DSS Compliance
This guide explains PCI DSS compliance, covering key requirements, compliance levels and the recent v4.0.1 updates.

Understanding PCI DSS is crucial for businesses that process, store or transmit cardholder data. This guide breaks down the essentials, covering everything from compliance levels and requirements to the latest v4.0.1 changes.
Keep reading to find out more about this security standard and how you can demonstrate PCI compliance.
What Is PCI DSS?
The Payment Card Industry Data Security Standard, known as PCI DSS, is a set of global standards designed to protect cardholder data. If you store, process or transmit cardholder data, you are expected to take PCI compliance seriously.
The PCI DSS was developed by five major credit card companies: MasterCard, Visa, American Express, Discover and JCB. Led by the PCI Security Standards Council (PCI SSC), this standard aims to enhance payment data security and minimise risks like credit card fraud and identity theft.
Who Needs to Comply with PCI?
PCI DSS is for all entities that process, store or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). These types of account data are defined below:
- Cardholder data includes primary account number (PAN), cardholder name, service code and expiration date.
- Sensitive authentication data consists of the card verification code, PINs and full track data, which are encoded in the magnetic stripe or chip used for payment authentication.
The entities handling this data are classified as either merchants or service providers. For the PCI DSS, these categories mean:
- Merchant – An entity that accepts payment cards in transactions for goods or services. Merchants include online retailers, brick-and-mortar stores, restaurants and supermarkets.
- Service provider – An entity that processes, stores or transmits CHD or SAD on behalf of another business entity. These include payment service providers, independent sales organisations and payment gateways.
Third-party organisations, such as managed service providers, also need to comply with the PCI DSS, because the services they provide could affect or control the security of account data.
What Are the 4 Levels of PCI Compliance?
The number of transactions you process annually determines your PCI DSS compliance level. Your specific requirements also depend on whether you are a merchant or a service provider.
The payment brands behind the PCI DSS have different tiers for compliance, but overall, merchants fall within one of four levels:
- Level 1: Merchants processing over 6 million card transactions per year.
- Level 2: Merchants processing 1 to 6 million card transactions per year.
- Level 3: Merchants processing 20,000 to 1 million card transactions per year.
- Level 4: Merchants processing fewer than 20,000 card transactions per year.
For service providers, there are only two levels, which include:
- Level 1: Service providers that store, process or transmit more than 300,000 card transactions per year.
- Level 2: Service providers that store, process or transmit 300,000 or fewer card transactions per year.
The more transactions you process, the higher the risk of losing control of your data security. As such, level 1 merchants and service providers must meet rigorous compliance practices to protect CHD and/or SAD.
Do We Need to Implement PCI DSS v4 Now?
Yes. The PCI DSS v4 took effect on April 1st, 2024. However, only 13 of the 64 new requirements were mandatory at the time. The remaining 51 requirements were viewed as ‘best practices’ until they became mandatory on March 31st, 2025.
Today, the latest version is PCI DSS v4.0.1, which is now in effect.
In 2022, the PCI SSC published v4, a significant update from v3.2.1, which came into effect in 2018. The latest standard takes into account the increasing adoption of new technologies such as cloud computing and adds further methods for maintaining payment security.
The council later published v4.0.1 in June 2024, which includes minor changes addressing formatting, typographical errors and improved clarity around specific requirements.
To learn more about these changes, listen to episode 72 of Data Protection Made Easy or read our previous blog.
What Are the PCI DSS Requirements?
The PCI DSS has twelve operational and technical requirements businesses must follow to protect cardholder data. These requirements are as follows:
- Install and manage network security controls.
- Implement secure settings across all system components.
- Safeguard all stored account data.
- Encrypt cardholder data with strong cryptography during transit over public networks.
- Defend systems and networks from malware.
- Engineer and maintain secure software and systems.
- Limit access to system components and cardholder data based on essential business requirements.
- Verify user identities and authenticate access to system components.
- Control physical access to cardholder data.
- Maintain comprehensive logs and monitor access to system components and cardholder data.
- Conduct routine security assessments of systems and networks.
- Support information security with organisational policies and programmes.
You may need significant resources to meet these requirements. However, how much this will cost depends on your scope. To establish this, you will need to carry out a PCI DSS scoping exercise, which can reduce both compliance costs and the risks around payment card data.
How Do You Validate PCI Compliance?
Merchants and service providers can demonstrate their PCI compliance by completing an annual audit of their cardholder data environment (CDE). Your level as a merchant or service provider will determine which audit you do and the PCI requirements you must meet.
Merchants
Level 3 and 4 merchants must complete a self-assessment questionnaire (SAQ) and receive quarterly scans from an approved scanning vendor (ASV).
There are eight different SAQs – the one you choose depends on what type of merchant you are. For example, SAQ A is for e-commerce or mail/telephone order merchants that outsource all payment processing.
Level 2 merchants will typically be required to complete the same but may need to produce a Report on Compliance (RoC), which specific payment brands require. A Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) must conduct the RoC. Level 1 merchants must undergo a RoC and quarterly vulnerability scans.
Service Providers
Similar to merchants, level 2 service providers must also complete a yearly SAQ and receive quarterly ASV scans. Level 1 service providers must have an external audit (RoC) completed by a QSA or ISA to prove their compliance. Quarterly ASV scans are also mandatory.
Achieve PCI DSS Compliance with Our Expert QSAs
With the full PCI DSS v4.0.1 requirements now in force (March 2025), are you confident your compliance is up to date? Our dedicated Qualified Security Assessors are here to help.
We can guide you through SAQs, complete RoCs and provide the ongoing support you need for PCI compliance. Speak with our team today to find out how we can help your business.