PCI Compliance: 2022 Complete Guide

Everything you need to know about PCI in one place
Last updated October 5, 2022
Written by Justin McCarthy, Co-founder / CTO, StrongDM

Summary: Complying with PCI DSS standards is important for all companies that process credit card payments. In this article, you’ll learn what PCI compliance refers to, who needs to be PCI compliant, and how PCI compliance contributes to a company’s cybersecurity stance. By the end of this article, you’ll know the 12 PCI compliance requirements, the different compliance levels, and how to earn PCI DSS certification.

What is PCI Compliance?

PCI compliance—or payment card industry compliance—is the process businesses follow to meet the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS contains 12 requirements that help businesses securely store and manage sensitive customer payment information like credit card data.

Major credit card companies require businesses that process credit card transactions or store cardholder data to follow the PCI data security standard. By meeting the 12 PCI compliance requirements, companies can strengthen their cybersecurity stance and reduce the risk of losing cardholder data in a data breach.

What is PCI DSS Certification?

PCI DSS certification is a way to show that your organization meets the PCI security standards through an audit process completed by a certified Qualified Security Assessor (QSA).

The PCI Security Standards Council, which developed and maintains the current PCI standards, does not issue PCI-compliant companies a formal PCI certificate to show PCI certification, meaning businesses cannot technically become PCI certified. However, when a business passes an external audit conducted by a QSA, the business receives a Report on Compliance (ROC). Businesses submit the ROC to the banks that process their debit and credit card payments to prove the company aligns with PCI regulations.

History of PCI Compliance

As e-commerce and online payments became popular in the late 1990s and early 2000s, leading credit card companies noticed an increase in credit card fraud. Without existing security standards to protect consumer data during credit card processing and transmission, fraudsters easily gained access to sensitive data like credit card numbers and customer addresses.

In 2001, Visa created the first credit card compliance standards—the Cardholder Information Security Program—to ensure companies had sufficient security measures in place to protect cardholders when they made online transactions. Following Visa’s lead, Mastercard, Discover, American Express, and Japan Credit Bureau developed their own security standards soon after.

Since merchants needed to follow the security guidelines for each credit card company they worked with, the different standards often caused confusion. The companies worked together to combine their individual requirements into an overarching set of security standards for the payment industry, releasing the first version of the PCI DSS standard in December 2004.

What is the Payment Card Industry Security Standards Council?

In 2006, security representatives from Visa, Mastercard, Discover, American Express, and Japan Credit Bureau formed the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is a governing entity that manages and continuously improves the Payment Card Industry Data Security Standards. They also provide guidance on how to prove PCI compliance.

The council also certifies QSA auditors, who assess organizations against the PCI DSS requirements, and PCI Forensic Investigators (PFIs), who help companies investigate the cause and impact of data breaches involving lost payment information and other PCI issues.

The PCI SSC has since expanded to include board members from many major financial institutions and prominent merchants. The organization released the latest version of the global PCI requirements, version 4.0, in March 2022.

Importance of PCI Compliance

As the e-commerce industry continues to grow, PCI compliance offers a modern roadmap guiding retailers of all sizes on how to securely process, transfer, and store sensitive customer PCI data. Following the Payment Card Industry Data Security Standard lowers the risk of fraud, reduces the impact of data breaches, and helps companies avoid fines for unintentionally exposing sensitive data.

Because PCI compliance is mandated, customers can complete online transactions on secure websites and trust that merchants are appropriately protecting their payment information. For cardholders, PCI DSS compliance provides peace of mind that companies are securing their sensitive data against unauthorized charges, credit card fraud, and identity theft.

Companies that are not PCI compliant and experience a breach may also face regulatory fines, legal costs, or higher transaction processing fees. Credit card companies may sever their relationship with companies that show ongoing noncompliance.

Who Must Comply with PCI?

Any merchant that accepts card payments and handles payment information—regardless of business size or the volume of transactions—must meet PCI requirements to work with major credit card companies. Handling payment data involves any combination of collecting data, storing it, or transmitting it.

While PCI compliance is not legally required throughout the US, credit card companies may fine companies that do not comply or bar them from accepting payments. Some states like Nevada, Washington, and Minnesota have also created state laws that solidify some or all PCI DSS standards into law.

Many small businesses incorrectly believe that PCI DSS requirements don’t apply to them because they use payment gateways—like Paypal, Stripe, or Square—as PCI integrations to limit their company’s exposure to data and reduce the likelihood of a breach. However, these businesses are still required to be PCI compliant in other ways, even if employees don’t have direct access to credit card data.

Every Retailer Faces PCI Requirements

A common misconception about Payment Card Industry Data Security Standard compliance is that it only applies to online retailers. In reality, PCI compliance applies to anyone who collects payments other than cash or checks. The PCI SSC offers businesses of all types guidance on how to be PCI compliant.

Brick-and-mortar stores and entrepreneurs using mobile credit card readers must follow PCI DSS regulations. Businesses must account for and securely manage all instances of card payment data, including when payment is collected over the phone or written down on an order form.

Benefits of PCI Compliance

Complying with PCI standards benefits businesses, credit card companies, and customers. For businesses, becoming PCI compliant involves implementing straightforward security best practices to protect sensitive payment data, prevent breaches, and increase customer trust. If a business experiences a data breach, PCI compliance ensures data is secure, reducing the likelihood of incurring fees and penalties.

Credit card companies benefit from PCI compliance because improved security standards lead to fewer instances of credit card fraud. By maintaining these high standards for accepting payments, acquiring banks—banks that process debit and credit card transactions on behalf of a merchant—can extend their services to more retailers. Meanwhile, issuing banks—banks that issue credit cards to consumers—can maintain customer trust and reduce fraud payouts.

Major credit card icons are a recognized trust signal for consumers because of PCI compliance, meaning when a customer sees a payment icon on a website, they have more peace of mind when making an online payment. Following a PCI DSS compliance checklist can reduce the risk of a customer's data being compromised, making credit card fraud and identity theft less likely.

Criticisms of PCI Security Standards

Some critics of the compliance requirements claim that compliance with the standard doesn’t inherently make an organization secure. Many organizations fail to maintain the controls put in place to achieve PCI compliance a year after being audited and validated. Verizon found that of the companies that passed their validation assessment in 2019, only 43.4% maintained full compliance in 2020.

Plus, since not every company must complete an external audit with a certified QSA to prove PCI compliance, companies may not be maintaining controls as effectively as they claim. Level 4 companies, which process under 20,000 online payments a year, only need to submit an annual Self-Assessment Questionnaire to maintain compliance. These companies may not perform the in-depth internal audits larger companies do to ensure compliance.

Other critics report that the involvement of credit card companies in creating the PCI security standards may be a conflict of interest. Some businesses report Visa and Mastercard imposing their own penalties on customers following a data breach, in addition to the fines charged by regulatory agencies.

PCI Compliance and Data Breaches

Companies need sustainable security controls and an effective data management strategy to prevent data breaches. A PCI compliance program helps retailers strengthen their cybersecurity stance by recommending relevant security controls to protect sensitive PCI data.

The impact of becoming PCI compliant is twofold: compliance often decreases the number of successful data breaches a company experiences and reduces the damage inflicted during a breach. Businesses use PCI assessment tools to find gaps in their security controls and minimize breach risk.

Following the PCI DSS requirements reduces vulnerabilities in a company’s security perimeter and makes it easier for companies to detect the first sign of breaches. Plus, the requirements also encourage better data storage practices, so successful hackers have less access to sensitive data.

PCI Compliance Levels

Businesses belong to one of four PCI compliance levels:

  • Level 1: companies that process over 6 million credit card transactions per year, or companies that experienced a breach resulting in data loss within the last year
  • Level 2: companies that process 1-6 million credit card transactions per year
  • Level 3: companies that process 20,000-1 million credit card transactions per year
  • Level 4: companies that process fewer than 20,000 credit card transactions per year

These levels align with the perceived risk each company has of exposing sensitive payment information. If a credit card company determines that an organization poses a high breach risk despite low processing numbers, they may choose to designate the high-risk business as Level 1.

Documentation Requirements for Each PCI Compliance Level

Each compliance level must validate PCI compliance every year by submitting designated paperwork. Documentation types include a Self-Assessment Questionnaire (SAQ); an Attestation of Compliance (AOC); an Approved Scanning Vendor vulnerability scan (ASV scan); and a Report on Compliance (ROC).

Companies will submit the following documentation to remain compliant:

  • Level 1: a ROC completed by a certified QSA and quarterly ASV scans
  • Level 2: a ROC completed by a certified QSA OR a SAQ and AOC, depending on the credit card company's requirements, plus quarterly ASV scans
  • Level 3: a SAQ and AOC
  • Level 4: a SAQ and AOC if requested

The 12 PCI Compliance Requirements

The specific expectations and controls necessary for each business are determined by their level. However, despite these differences, there are 12 overarching compliance requirements that every company handling sensitive payment data must follow.

  1. Implement and update controls for network security.
  2. Securely configure all system components.
  3. Safeguard sensitive account information.
  4. Use encryption to store cardholder data.
  5. Fortify systems and networks against malware.
  6. Create and update secure systems or software.
  7. Limit user access to data and systems based on business needs.
  8. Verify user identity and authenticate access.
  9. Reduce physical access to sensitive payment data.
  10. Maintain logs and monitoring of all systems and data.
  11. Regularly test security controls.
  12. Create policies and programs to standardize information security procedures.

The 12 overarching compliance requirements contain 78 specific requirements and 400 test procedures companies must implement to validate alignment with the PCI DSS standard. Some of these actions may overlap with a company’s preexisting data privacy practices—like SOC 2 certification requirements—or security efforts that support regulatory compliance requirements—like HIPAA compliance standards.

Learn more about the 12 PCI DSS compliance requirements.

PCI DSS Compliance, Explained

Becoming fully PCI compliant—meaning following all 12 requirements—involves implementing many security controls, developing extensive policies, monitoring detailed logs, and maintaining software and systems regularly. For businesses of all sizes, these high standards can pose challenges. Thankfully, companies don’t need to achieve full PCI compliance before they can accept credit card payments.

Most companies progressively work toward PCI compliance by following the PCI SSC’s recommended prioritized approach. The prioritized approach serves as a PCI compliance checklist, breaking down tasks into PCI compliance steps so companies can consistently improve their controls and processes to achieve PCI SSC’s six milestones:

  1. Limit sensitive data retention and remove authentication data.
  2. Prepare for a data breach by safeguarding systems and networks.
  3. Create controls that support secure payment applications.
  4. Limit, verify, and monitor user access to data and systems.
  5. Secure saved sensitive data.
  6. Ensure all necessary controls are in place to protect data and systems.

PCI Compliance Best Practices

Maintaining PCI paperwork and conducting regular audits can be daunting for businesses that don’t regularly integrate information security best practices into business workflows. Security best practices do more than simply reduce compliance fees or breach risk; they also help companies streamline data management and improve their abilities to detect and mitigate threats quickly.

The PCI SSC offers extensive advice on 10 best practices that can help maintain PCI compliance for businesses at all levels. Often, these best practices align with reporting standards and security practices businesses already maintain.

1. Create a sustainable security plan

Build compliance practices, reporting, and monitoring into daily business practices. Regularly conduct internal audits, manage and organize logs and past audits for future access, and test controls throughout the year so the business does not lapse out of compliance between assessments. These practices reduce the workload on your team to prepare reports and run tests right before a yearly audit. Developing and following a PCI audit checklist can help streamline your security plan.

2. Draft and update policies and procedures

While many organizations have data center security controls in place, they may not have detailed and updated procedures and policies that support those controls. That means that if knowledgeable employees leave the business, those security practices may be neglected or applied incorrectly, compromising the company’s compliance with PCI DSS requirements. Creating and updating policies and procedures encourages repeatable security practices.

3. Use metrics to track success

Businesses can use key performance indicators (or KPIs) to track and improve the impact of their security programs. Tracking KPIs and monitoring success against measurable goals can help businesses budget and allocate resources more effectively. Plus, businesses can see the positive impact that implementing security controls has on their bottom line.

4. Assign tasks to designated users

Giving employees ownership over particular security tasks creates stronger accountability, ensuring that teams don’t overlook important compliance tasks. Plus, assigning tasks helps maintain better identity and access management practices by limiting administrative access.

5. Prioritize risk management

PCI DSS compliance is a byproduct of effective risk management and security practices, so it’s important to think beyond compliance requirements and look at the bigger picture to protect a company’s data. Regular risk assessments are essential to help businesses identify security gaps, reduce incidents, and detect threats. While PCI compliance can help strengthen security, it can’t be a company’s sole security strategy.

6. Monitor, test, and improve controls regularly

Security controls for PCI data security standard compliance don’t work with a “set it and forget it” approach. Teams should regularly inspect and update controls to reduce the risk of threats and maintain compliance standards. Frequent testing ensures that each control is the most effective, impactful, and efficient way to protect the company’s data or system. Monitoring controls can help businesses improve their processes and eliminate new threats.

7. Mitigate and manage control failures

When systems are compromised, businesses must review their controls to reduce future failures and prevent potential breaches. Incident response practices should involve monitoring that detects when controls fail so teams can design new controls more effectively.

If a control fails, companies should regain control of an incident as quickly as possible to reduce the impact, update failed controls and restore them back in place, find the root cause of the incident, remediate any impacts, and continuously monitor the new control’s performance. PCI compliance reviews ensure that businesses replace failed controls with more effective security controls.

8. Keep up with security trends

Companies can avoid common breach patterns by maintaining ongoing awareness of current security trends and breaches other companies experience—especially companies around the same size and within the same industry. Security teams must stay up to date on the latest social engineering techniques to strengthen controls, anticipate security gaps, and improve their overall security posture to protect sensitive data.

9. Continuously monitor third-party vendors

Many companies outsource payment processing to third-party service providers. While many of these providers maintain the Payment Card Industry Data Security Standard and have Level 1 security practices in place, that doesn’t protect merchants from liability. Retailers should regularly monitor the compliance standards of all the vendors they work with to avoid putting their customers’ data at risk.

10. Constantly reexamine and evolve security practices

As businesses evolve and change, their security practices should, too. Organizational change, new technology, and new threats in the security landscape are constant for many businesses. To reduce the likelihood of exposing sensitive PCI data, businesses must regularly reexamine and strengthen their security posture to align with ever-changing security demands.

Good data hygiene is essential to ensure ongoing PCI compliance

Companies of all sizes benefit from maintaining smart data practices like updating user credentials, using strong passwords, logging user access, and limiting the number of users who can access systems or data. Strong IAM practices can make it easier to detect unauthorized access caused by human error or internal threats.

Additionally, companies should offer regular training opportunities to help employees understand the importance of managing sensitive data and maintaining security practices. This reduces the likelihood that employees will improperly store data, fall victim to phishing schemes, or unintentionally expose cardholder information.

How Much Does PCI Certification Cost?

The costs of maintaining compliance controls and security measures are only part of what businesses should budget for PCI certification. Businesses should also account for audit costs, yearly fees, remediation expenses, and employee training costs in their budgets alongside technical upgrades to meet compliance standards.

External audits to receive an ROC typically cost merchants between $15,000 and $40,000 depending on the size of the company. If companies cannot demonstrate appropriate PCI compliance during the audit, they may need to pay for a repeat audit within the same year after updating controls and security procedures.

For smaller businesses in levels 3 and 4, there is no formal cost to submit SAQ and AOC documentation. However, companies required to submit ASV scans can expect to pay $100-200 a scan per IP address every quarter.

All companies will still pay some amount of PCI fees to credit card processing companies, ranging from $80 to $2,500 per year depending on the company’s size. Companies may also owe their processing company non-compliance fees if they do not submit the appropriate PCI compliance paperwork.

PCI Compliance: Frequently Asked Questions

What does PCI stand for in security?

PCI stands for payment card industry. PCI compliance security processes are put in place by businesses to help keep payment card data safe.

What does PCI DSS stand for?

PCI DSS stands for the Payment Card Industry Data Security Standard.

What is covered by PCI compliance?

The PCI compliance definition describes a security standard that covers 12 requirements all businesses must follow if they collect, handle, transmit, and/or store sensitive payment information and cardholder data. These requirements consist of security standards and controls that help businesses prioritize protecting sensitive data, limit the data they store, and maintain a strong security posture to reduce data breaches.

Who is required to be PCI compliant?

Almost anyone who googles “What is PCI compliance?” will be required to comply with PCI DSS requirements. Every business that handles sensitive cardholder data, and its employees, must maintain PCI compliance to continue accepting credit card payments. This includes merchants of all sizes—including small businesses and entrepreneurs—and third-party vendors like payment processors.

While all businesses are required to meet some PCI security requirements, they are not all expected to meet the same requirements. Businesses must comply with different standards based on their PCI compliance level.

What happens if you are not PCI compliant?

If a company experiences a data breach and is not compliant with the PCI data security standard, that business may receive large fines, fees, and penalties from the credit card companies it works with. These fines are in addition to fines a company may receive from regulating agencies. Non-compliant organizations will also move from their current PCI level to Level 1, which will require them to meet substantially more security requirements to accept payments.

Regular noncompliance may cause credit card companies to disable a company’s merchant account. Without a merchant account, a company can no longer accept credit card payments.

How do I know if I'm PCI compliant?

Companies must validate that they are PCI compliant to credit card companies through external audits or by submitting required documentation. Completing the appropriate Self-Assessment Questionnaire (SAQ) based on your company’s size can provide insight into its PCI compliance status. SAQs are available directly from the PCI Security Standards Council, along with other documents to help businesses with understanding PCI compliance.

Another way to track a company’s PCI compliance is through an external audit conducted by a certified Qualified Security Assessor (QSA). These trained auditors review procedures, test controls, and audit security practices to report on PCI compliance. All Level 1 businesses—including high-risk organizations that have previously experienced data breaches that compromised sensitive PCI data—must submit audit results as part of the PCI process.

How often do you need to pass PCI compliance?

Businesses must demonstrate ongoing compliance with PCI standards every year to continue accepting credit card payments. These businesses should submit yearly documentation to the major credit card companies as requested to keep their merchant accounts in good standing. Depending on the size of the company, they may also need to submit quarterly ASV scan results to show that they remain PCI compliant.

Some companies may not be required to provide this documentation if they do not process enough payments within a year; however, these businesses should still complete a SAQ for their records.

Is PCI compliance required by law?

While there are no federal PCI laws that mandate or enforce PCI compliance, court precedent from past data privacy cases has effectively made PCI compliance required for all businesses. Additionally, some US states have enacted laws that make PCI compliance requirements enforceable by the state government.

While failure to follow a PCI compliance requirements checklist may not result in federal legal action, companies that expose cardholder data often face other regulatory compliance issues that subject them to legal difficulties. Plus, credit card companies can choose to penalize companies that do not comply with PCI standards by revoking their merchant accounts and preventing them from accepting credit card payments.

When do you need to become PCI compliant?

Businesses must show they are working toward full PCI compliance within a year of beginning to accept credit card payments. Merchants wondering “Do I need to be PCI compliant?” can learn everything about how to become PCI compliant from the resources provided by the PCI SSC.

What is PCI data?

PCI data—also known as payment card information data—is sensitive cardholder information including customer names, credit card numbers, addresses, and other personally identifiable information. When PCI information is compromised, customers are at risk for credit card fraud and identity theft.

What is a PCI compliance fee?

Credit card processors often charge merchants yearly PCI compliance fees for supporting PCI requirements. If businesses do not provide processors or credit card companies with the correct paperwork to validate PCI compliance, processors may also charge merchants monthly non-compliance fees.

How are PCI compliance and SOC 2 certification similar?

Both PCI and SOC 2 standards provide companies with recommended operational and compliance controls they should implement to protect sensitive customer data. While SOC 2 certification is optional, many companies that accept credit card payments and must comply with PCI DSS requirements also pursue SOC 2 certification.

Generally, PCI compliance standards are more strict than SOC 2 report requirements. However, creating policies and procedures for SOC 2 certification can help companies on their journey to full PCI compliance.

How StrongDM Simplifies PCI Compliance

Auditing requirements to validate compliance with the Payment Card Industry Data Security Standard are often time-consuming and labor-intensive for Security, Compliance, DevOps, and other teams across an organization. Businesses need detailed documentation and monitoring to streamline the auditing process. That’s where StrongDM comes in.

StrongDM’s People-First Access Platform makes it easy to manage every aspect of your company’s user access management and comply with access-based PCI requirements. IAP gives companies complete control over their access management from one easy-to-use platform. With StrongDM, companies can define which users can access which systems, ensure users adhere to security policies, and safely provide vendors access to relevant systems.

StrongDM also helps companies maintain and monitor detailed logs on user access and activity. It also automatically records every user session, producing logs that offer auditors and internal teams insight into a company’s access management controls. With logs of all usage across the company’s entire IT infrastructure, companies can provide the details needed for audits without wasting time manually compiling that information into reports.

Protect Payment Data with the Right Tools

Online shopping has become standard for modern consumers. Offering credit card payments is essential for merchants to support their customers, and PCI compliance helps companies develop the security controls needed to keep cardholders’ data safe.

Thankfully, keeping up with PCI regulations doesn’t have to be difficult. StrongDM’s People-First Access Platform simplifies PCI compliance and checks access management off your PCI checklist. By helping businesses limit data exposure with access management support, merchants can swipe credit cards with confidence.



About the Author

Justin McCarthy, Co-founder / CTO, originally developed empathy for Operations as a founding and pager-carrying member of many operations and data teams. As an Executive, he has led Engineering and Product in high-throughput and high-stakes e-Commerce, financial, and AI products. Justin is the original author of strongDM's core protocol-aware proxy technology. To contact Justin, visit him on Twitter.
