What Is PCI Compliance?

The Payment Card Industry (PCI) cybersecurity compliance standard exists to protect debit and credit cardholder data from unauthorized access via data breaches, ransomware, and other security breaches. The standard encompasses all of the IT and operational controls that organizations must implement to protect credit card data.

The Payment Card Industry Data Security Standard (PCI DSS) was created to address the proliferation of data breaches involving payment cards. It is enforced by the PCI Security Standards Council, an independent body created by major card brands Visa, American Express, MasterCard, Discover, and JCB.

PCI DSS control objectives and compliance requirements affect any business that handles payment processing, storage, or transmission of credit card data electronically. Most often these are eCommerce and retail businesses.


Why is PCI Compliance Important?

Protecting cardholder information from data breaches is important not just to customers but also to merchants, because if debit or credit card data is stolen, the merchant can face legal action and penalties.

For example, say a business ignores PCI compliance and stores cardholder data in a location with weak information security controls, and that information is then stolen in a data breach. Not only can the customer take legal action to recoup his or her financial loss, but the PCI Security Standards Council can also levy large penalties on that business.

Compliance protects your organization from suffering a loss that can have devastating financial repercussions. It can also ensure that your business is well-protected, boosting your organization’s credibility and instilling greater trust among customers and business partners.

PCI DSS Requirements at a Glance

PCI DSS is a set of security controls that organizations must implement to maintain a secure environment for cardholder data. It originally launched in 2006 and has gone through several revisions since then. The latest version is PCI DSS 4.0.

The levels of PCI compliance include:

  • Level 1: For merchants that process more than 6 million card transactions annually. These organizations are required to undergo an external audit performed by a Qualified Security Assessor (QSA).
  • Level 2: For merchants that process 1 million to 6 million transactions annually.
  • Level 3: For merchants that process 20,000 to 1 million transactions annually.
  • Level 4: For merchants that process fewer than 20,000 transactions annually.

Organizations in PCI Levels 2 through 4 can complete a self-assessment questionnaire (SAQ) instead of an external audit.

Principal PCI DSS Requirements


Requirement – Build and Maintain a Secure Network and Systems

  • Install and maintain network security controls.
  • Apply secure configurations to all system components.

Requirement – Protect Cardholder Data

  • Protect stored account data.
  • Protect cardholder data with strong cryptography during transmission over open, public networks.

Requirement – Maintain a Vulnerability Management Program

  • Protect all systems and networks from malicious software.
  • Develop and maintain secure systems and software.

Requirement – Implement Strong Access Control Measures

  • Restrict access to system components and cardholder data by business need to know.
  • Identify users and authenticate access to system components.
  • Restrict physical access to cardholder data.

Requirement – Regularly Monitor and Test Networks

  • Log and monitor all access to system components and cardholder data.
  • Test security of systems and networks regularly.

Requirement – Maintain an Information Security Policy

  • Support Information Security with organizational policies and programs.


The Challenges of Obtaining PCI Compliance

Achieving PCI compliance will require your organization to embed defined security measures and data protection protocols into every aspect of your business. This will require validation of your existing security controls and auditing of all your sensitive data so you can identify gaps in your IT security.

As your business grows, maintaining a compliance management program will get more complex. Spreadsheets you might have used from your early days as a small business will become unmanageable, costing your program manager hours in lost productivity and significantly increasing the chance for non-compliance.

RiskOptics Has Your PCI Compliance Solution

Powered by our fully integrated and automated solutions, our compliance tool equips you with a strong foundation for IT compliance, enabling you to monitor your program over time to ensure you remain compliant and avoid non-compliance penalties.

With ZenGRC, key stakeholders, employees, and your PCI compliance managers have access to a single source of truth that covers all of your current and future compliance risks across all cybersecurity and privacy frameworks relevant to your business, whether they be PCI DSS, GDPR, HIPAA, ISO or others.

ZenGRC PCI Capabilities

  • User-friendly dashboard with real-time metrics on prioritized risks
  • Pre-built evidence request templates and automated evidence collection can help streamline your compliance audits
  • A central repository for all audit-ready documentation
  • Universal Control Mapping to fulfill multiple requirements with a single control
  • Interconnectivity between threats, vulnerabilities, risks, and controls for greater insight and monitoring
  • Risk management functionality for providers and their related services

Frequently Asked Questions

PCI DSS control objectives and compliance requirements are legally enforceable. While they are not required by law, the PCI Security Standards Council can require businesses to follow PCI standards if they want to handle credit card transactions and revoke that access when a business fails to meet the standard’s requirements.

So as a practical matter, any business that handles payment processing, storage, or transmission of credit card data electronically, regardless of its size or the volume of its transactions, is subject to PCI DSS compliance.

PCI DSS is a security standard created to address and curb the prevalence of data breaches that involve credit or debit payment cards.

PCI is a data security standard created by the credit card industry. Any company that processes, stores, or transmits credit card data is obligated to comply with this standard. Alternatively, ISO 27001 is an international standard that provides the framework for an information security management program for any type of organization. More to the point, ISO 27001 certification is optional.

PCI data includes cardholder data such as:

  • Name
  • Account number
  • Card expiration date
  • CVV or security code

It also includes authentication data, such as the magnetic-stripe, chip, and PIN data.

  • STEP 1: Determine your PCI level (1-4).
  • STEP 2: Complete a self-assessment questionnaire or evaluation by a Qualified Security Assessor (QSA).
  • STEP 3: Build and maintain an IT security program that protects cardholder data and meets the guidelines specified in the PCI control objectives.
  • STEP 4: Apply for formal attestation of compliance with the PCI Security Standards Council, as applicable for service providers such as scanning vendors and point-to-point encryption assessors.

Cybersecurity risk analysis allows your organization to identify your sensitive data, understand your risks and devise a strategy to protect that data and mitigate those risks. This type of analysis is also a great opportunity for an organization to take an inventory of systems and resources and ensure that each is safeguarded by the proper security controls.

For smaller organizations at levels 2 through 4, with a self-assessment questionnaire, vulnerability scanning, IT security development, and remediation of risk, you could be looking at costs of $10,000 to $20,000.

A large enterprise, on the other hand, typically needs on-premise auditing, vulnerability scanning, penetration testing, training, IT security development, and risk remediation. That organization might incur costs of $70,000 to $100,000 for PCI compliance.