If you are a company that processes debit or credit card payments online or in person, you may have heard of “PCI DSS” or the “PCI SSC.” These terms are related to security controls for sensitive data – specifically, the controls a retailer or payments processor should have to ward off cybersecurity threats and keep payment card data protected.

But what exactly is PCI DSS? What are the security requirements of PCI? How can you know whether you need to comply with these information security standards?

What Does PCI DSS Refer to?

The Payment Card Industry Data Security Standard (PCI DSS) was established by the PCI Security Standards Council (PCI SSC). The standard applies globally to any organization that stores, processes, or transmits payment card information. Regardless of size, a business must be PCI DSS compliant to avoid fines and continue to accept payment cards for transactions.

The PCI Security Council’s members include financial institutions, credit card companies, and issuers such as American Express, Discover Financial Services, JCB International, Visa, and Mastercard. Cardholder data (CHD) includes the primary account number (PAN) as well as the cardholder’s name, credit card expiration date, or service code.

PCI also requires businesses that collect sensitive authentication data to be compliant. Sensitive authentication data generally includes card validation codes, tracking data from a magnetic stripe or card chip, PINs, PIN blocks, or any payment card data used to authenticate cardholders or authorize payment transactions.

Some businesses might be intimidated by the PCI data security standard, but the requirements are scaled based on an organization’s transaction volume and how the data is handled. The practical upshot: if you are a small business that doesn’t store card numbers and credit card data, PCI doesn’t have to be scary.

What Does PCI DSS Cover?

PCI requirements define the physical access, anti-virus software, security systems, public networks, and network resource controls necessary to maintain compliance. The PCI SSC established four PCI compliance levels, dependent on the number of card transactions a merchant handles each year.

For example, a Level 4 merchant has less than 1 million transactions annually, and therefore only needs to perform a self-assessment questionnaire (SAQ) each year. In contrast, a Level 1 merchant processes more than 6 million transactions and must have an external audit and on-site evaluation by a QSA (qualified security assessor) or ISA (internal security assessor), in addition to the SAQ.

Any point-of-sale technology (including websites), line-busting technology, or WLAN used to store, process, or transmit cardholder data falls under PCI requirements. If a business outsources the PCI DSS requirements to a third party, the merchant must assure that the third party meets PCI standards and stays in continuous compliance with the standard.

Likewise, e-commerce merchants must use PCI-validated third parties when they choose to outsource payment processing. Additionally, these merchants need to assure that no electronic storage, processing, or transmission of cardholder data remains on their systems or premises.

There are eight versions of the SAQ questionnaire. Merchants choose which questionnaire to complete based on how they process card transactions. For instance, merchants that use imprint machines have a different questionnaire from e-commerce merchants.

The most straightforward SAQ questionnaire is only 22 questions; it applies to e-commerce merchants that fully outsource card processing. Of course, the merchants need to assure that they are working with a PCI-compliant third party, and the third party will be subject to a more extensive questionnaire.

The most detailed questionnaire consists of 329 questions and requires vulnerability scan and penetration testing evidence. It applies to e-commerce merchants that store card data electronically and to service providers. Service providers are the third parties that process, store, or transmit cardholder data on behalf of another entity.

What Are the Three Main Steps of PCI Compliance?

Although PCI DSS compliance may seem overwhelming, the requirements can be reduced to three core elements that guide a continuous process of data protection measures. To avoid non-compliance, it’s imperative to assess, remediate, and report on a continuous basis.


A risk assessment helps to identify the risks and vulnerabilities that may affect the cardholder data, either in its processing, transmission, or storage. It should describe the IT infrastructure related to this information and determine the flow of sensitive data from start to finish of the transaction process.


Remediation tries to resolve vulnerabilities and to mitigate risks within the organization. This stage includes prioritizing risks and vulnerabilities, defining the patching process for software and operating systems (OS), modifying unsafe practices, deploying access control measures, and verifying the effectiveness of mitigation activities.


The reporting component consists of the annual SAQ and audit based on the merchant’s volume of transactions. Merchants that process more than 1 million transactions per year must also submit a report on compliance (RoC) to the banks that process their payments. Finally, all PCI-compliant businesses must complete the Attestation of Compliance.

ZenGRC Can Help With Your PCI DSS Compliance

Regardless of the compliance concerns you face, data and cybersecurity must be integrated into all company activities. Standards such as PCI DSS are not designed to burden organizations. Rather, they’re meant to help secure networks and web applications to protect us from hackers and the repercussions of a data breach.

Instead of using spreadsheets to manage your compliance requirements, adopt ZenGRC to streamline evidence and audit management for all of your compliance frameworks. ZenGRC’s compliance, risk, and workflow management software is intuitive and simple to use.

ZenGRC is preloaded with various compliance frameworks and standards for quick implementation, including PCI, HIPAA, SOC, and so forth. One-to-many control mapping streamlines mapping internal controls to multiple standards so that you can manage PCI DSS compliance simultaneously with other frameworks. Compliance management has never been easier.

It is a single source of truth that assures your organization is always compliant and audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.

Contact us for a demo to see how ZenGRC can streamline compliance and vulnerability management.