If your organization processes debit or credit card payments, you’ve likely heard the terms “PCI DSS” or “PCI SSC.” These phrases refer to security measures for sensitive data — specifically, the controls that a retailer or payment processor should have in place to protect payment card data from cybersecurity attacks.

The PCI Data Security Standard (PCI DSS) is an information security standard for companies that handle credit cards from the major card brands. The PCI DSS requirements assure that all companies that process, store, or transmit payment card information maintain secure environments for the cardholders’ data.

Cardholder data includes credit and payment card numbers, account numbers, the cardholder’s name, the credit card’s security code, and expiration date. 

The mere fact that an organization is PCI compliant doesn’t guarantee that the company’s systems are secure. PCI compliance is, however, a significant step in that direction. 

PCI standards are developed by a group known as the PCI Security Standards Council. Abbreviated as the PCI SSC, this group is an independent body supported by the major credit card brands: Visa, Mastercard, American Express, Discover, and JCB, a credit card company based in Japan. 

Although the PCI SSC administers and manages the PCI DSS, the payment brands and acquirers (the acquiring banks or financial institutions that give merchants the right to process credit and debit transactions) are responsible for enforcing compliance. 

What Is PCI Compliance?

Payment card industry (PCI) compliance refers to the technical and operational standards that organizations must follow to comply with the Payment Card Industry Data Security Standard (PCI DSS) and, in doing so, protect and secure cardholders’ payment card data during the processing, storage, and transmission of cardholder data. 

Merchants aren’t required by law or regulation to adopt PCI standards. The major card brands, however, do require PCI compliance if you want to process payments through their brands. At a practical level, then, PCI compliance is required for banks and retailers; you won’t be able to process transactions otherwise.

Benefits of Compliance

PCI compliance preserves your company’s and your customers’ data. Every year, data breaches cost businesses millions of dollars. According to Data Intelligence, the typical data breach in 2022 cost companies an estimated $4.35 million. 

The benefits of PCI compliance include a lower risk of data breaches, the protection of cardholder data, and the avoidance of identity theft. Compliance is a wise business practice since it leads to lower fines when data breaches do happen, promotes an organization’s reputation, and keeps consumers satisfied and confident that they are conducting business with an accountable business.

Difficulties Posed by Non-Compliance

Non-compliance with PCI standards can result in your business losing the privilege of processing credit card transactions. Hence all merchants should follow PCI standards without exception.

Failure to comply with PCI requirements endangers both your consumers and your business. You risk data breaches, lost earnings, and a tarnished image with your consumers.

Worse, if you suffer a breach and aren’t PCI compliant, you can face a financial penalty from $5,000 to $500,000. You might lose your e-commerce transaction privileges for years, or even permanently.

Levels of PCI Compliance

PCI DSS compliance is organized as a series of four levels. Merchants are classified into levels based on their yearly transaction volume. The levels differ slightly by each credit card brand, but compliance requirements for each merchant level are consistent. Generally, the greater the number of transactions you process, the more stringent the security controls you must follow. 

Note that there are four PCI compliance levels for merchants (that is, retailers) but only two levels for processors (banks and other payment firms). 

Compliance involves many of the same steps we see in other cybersecurity frameworks: use of anti-malware or antivirus software, secure firewall configuration, strong system passwords, a vulnerability management program that includes frequent vulnerability scans, strong access control measures both for virtual and physical access that restricts systems and data access to those with a business need, and more.

The PCI compliance levels are as follows.

Level 1. Any merchant processing more than 6 million transactions per year across all channels, or any merchant that has suffered a data breach. Credit card companies can also upgrade any merchant to Level 1 at their discretion.

Level 2. Any merchant processing 1 million to 6 million transactions annually across all channels.

Level 3. Any merchant processing 20,000 to 1 million e-commerce transactions annually.

Level 4. Any merchant (typically a small business) processing fewer than 20,000 e-commerce transactions annually, or any merchant processing up to 1 million regular transactions per year.

The table below illustrates a sample of the different merchant levels by card brand based on transaction counts.

Merchant Levels Visa Mastercard American Express
Level 1  More than 6 million annual transactions More than 6 million annual transactions More than 2.5 million annual transactions
Level 2  1 million to 6 million annual transactions 1 million to 6 million annual transactions 50,000 to 2.5 million annual transactions
Level 3  20,000 to 1 million annual transactions 20,000 to 1 million annual transactions Fewer than 50,000 annual transactions
Level 4  Fewer than 20,000 annual transactions (e-commerce only) All other merchants N/A

PCI Assessment Methods

The method used to assess compliance with PCI requirements differs depending on the type of business a merchant is performing and the merchant’s current compliance level. All merchants must perform some type of annual assessment, but your merchant level determines who performs the assessment and how detailed that evaluation is.

PCI-DSS assessments generally follow one of three methods.

  • Qualified Security Assessor (QSA). QSAs are independent security auditors certified by the PCI Security Standards Council to validate whether an organization complies with PCI DSS. A QSA assesses an organization that handles credit card data against the control objectives of the PCI DSS. 
  • Internal Security Assessor (ISA). An ISA is an assessor internal to the organization being assessed, such as an internal auditor. The ISA has also been certified by the PCI Security Council to perform PCI assessments, but only for his or her specific organization.
  • Self-Assessment Questionnaire (SAQ). SAQs are used by lower-level merchants (with fewer transactions) to self-assess their compliance.  The type of PCI SAQ a company must complete depends on the kind of merchant and how it handles credit card payments (for example, if the merchant outsources payment processing to a PCI DSS-compliant third-party vendor).

Reports on Compliance and Attestation of Compliance

Assessments result in either a Report on Compliance (ROC), an Attestation of Compliance (AOC), or both. The ROC or AOC is provided to the merchant’s credit card acquirer annually to prove the merchant’s compliance with PCI requirements. As with the assessment methods, the proof of compliance method is determined by the merchant level and the requirements of the specific card brand. Higher-level merchants might also need to provide quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV).

  • Report on Compliance (ROC). ROCs are only required for merchants in level 1, with more than 6 million transactions per year. The ROC is a form issued by the PCI regulatory body.
  • Attestation of Compliance (AOC). An AOC is an attestation by a merchant that it is compliant with the applicable requirements of the PCI-DSS.

The table below provides a sample of these requirements.

Merchant Levels



Level 1 
  • Annual ROC prepared by either a QSA or ISA
  • Quarterly ASV-performed scan
  • AOC  
  • Annual ROC prepared by either a QSA or ISA
  • Quarterly ASV-performed scan
  • AOC
Level 2 
  • Annual SAQ
  • Quarterly ASV-performed scan
  • AOC
  • Annual SAQ
  • Quarterly ASV-performed scan
  • AOC
Level 3 
  • AOC provided to service provider annually
  • Annual SAQ
  • Quarterly ASV-performed scan
  • AOC
Level 4 
  • AOC provided to service provider annually (e-commerce merchants only)
  • Annual SAQ
  • Quarterly ASV-performed scan
  • AOC

Maintain PCI Compliance With ZenGRC

Regardless of your compliance issues, data and cybersecurity must be incorporated into all aspects of your business. Instead of managing your compliance needs using spreadsheets, use ZenGRC to automate documentation and audit management across all your compliance frameworks. ZenGRC’s compliance, risk, and workflow management software is simple.

ZenGRC is packed with various compliance frameworks and standards for easy adoption, such as PCI, HIPAA, and SOC.

One-to-many control mapping simplifies matching internal controls to various standards so that you can oversee PCI DSS compliance alongside other frameworks, making handling compliance easier than before. 

ZenGRC also acts as a single point of truth, assuring that your organization is constantly compliant and audit-ready. Policies and procedures are versioned and easily accessible in the document repository. Workflow management tools include simple monitoring, automatic reminders, and audit trails. Insightful data and dashboards highlight gaps and high-risk areas.

Schedule a demo today to explore how ZenGRC can help you with compliance and vulnerability management.