What Is PCI Compliance?

The Payment Card Industry (PCI) cybersecurity compliance standard exists to protect debit and credit cardholder data from unauthorized access via data breaches, ransomware, and other security breaches. The standard encompasses all of the IT and operational controls that organizations must implement to protect credit card data.

PCI DSS (formally known as the Payment Card Industry Data Security Standard) was created to address the proliferation of data breaches involving payment cards. It is enforced by the PCI Security Standards Council, an independent body created by Visa, American Express, MasterCard, Discover, and JCB.

PCI DSS control objectives and compliance requirements affect any business that handles payment processing, storage, or transmission of credit card data electronically, most often this is eCommerce and Retail businesses.

Reduce PCI DSS
Scoping — and Risk

Why is PCI Compliance Important?

Protecting cardholder information from data breaches isn’t just important to customers, but also for merchants, because if debt or credit card data is stolen, the merchant can face legal action and penalties.

For example, say a business ignores PCI compliance and stores cardholder data in a location with weak information security controls, and that information is then stolen in a data breach. Not only can the customer take legal action to recoup his or her financial loss, but the PC Security Standards Council can also levy large penalties on that business.

Compliance protects your organization from suffering a loss that can have devastating financial repercussions. It can also assure that your business is well-protected, boosting your organization’s credibility and instilling greater trust among customers and business partners.

PCI DSS Requirements at a Glance

PCI DSS is a set of security controls that organizations must implement to maintain a secure environment for cardholder data. It originally launched in 2006 and has gone through several revisions since then. The latest version is PCI DSS 3.2.1.

The levels of PCI compliance include:


For merchants that process more than 6 million card transactions annually.

These organizations are required to undergo an external audit performed by a Qualified Security Assessor (QSA)


For merchants that process 1 MILLION to 6 MILLION transactions annually


For merchants that process 20,000 to 1 MILLION transactions annually


For merchants that process FEVER THAN 20,000 transactions annually

Organizations in PCI Levels 2 through 4 can complete a self-assessment questionnaire (SAQ) instead of an external audit.

PCI Compliance Checklist


Control No. 1 – Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall configuration to protect cardholder data
  • Conduct proper password management and security parameters (for example, replacing default passwords with complex, secure passwords).

Control No. 2 – Protect Cardholder Data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.

Control No. 3 – Maintain a Vulnerability Management Program

  • Protect all systems against malware and update antivirus software or programs regularly.
  • Develop and maintain secure systems and applications.

Control No. 4 – Implement Strong Access Control Measures

  • Restrict access to cardholder data on a need-to-know basis.
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data.

Control No. 5 – Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Control No. 6 – Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel.

Learn how self-assessments streamline PCI compliance

watch on-demand

The Challenges of Obtaining PCI Compliance

Achieving PCI compliance will require your organization to embed defined security measures and data protection protocols into every aspect of your business. This will require validation of your existing security controls and auditing of all your sensitive data so you can identify gaps in your IT security.

As your business grows, maintaining a compliance management program will get more complex. Spreadsheets you might have used from your early days as a small business will become unmanageable, costing your program manager hours in lost productivity and significantly increasing the chance for non-compliance.

Reciprocity Has Your PCI Compliance Solution

Powered by our fully integrated and automated ZenGRC platform, our compliance tool equips you with a strong foundation for IT compliance, enabling you to monitor your program over time to ensure you remain compliant and avoid non-compliance penalties.

With ZenGRC for Compliance, key stakeholders, employees, and your PCI compliance managers have access to a single source of truth that covers all of your current and future compliance risks across all frameworks relevant to your business, whether they be PCI DSS, PCI SSC, GDPR, HIPAA, ISO or others.

ZenGRC PCI Capabilities

  • User-friendly dashboard with real-time metrics on prioritized risks
  • Pre-built templates can help you with your compliance audits
  • A central repository for all audit-ready documentation
  • Universal Control Mapping to fulfill multiple requirements with a single control
  • Insight into team member progress at fulfilling PCI requirements
  • Tracking functionality for outstanding service provider requirements
Ready to see ZenGRC in action?

Frequently Asked Questions

PCI DSS control objectives and compliance requirements are legally enforceable. While they are not required by law, the PC Security Standards Council can require businesses to follow PCI standards if they want to handle credit card transactions and revoke that access when a business fails to meet the standard’s requirements.

So as a practical matter, any business that handles payment processing, storage, or transmission of credit card data electronically, regardless of its size or the volume of its transactions, is subject to PCI DSS compliance.

PCI DSS is a security standard created to address and curb the prevalence of data breaches that involve payment credit or debit cards.

PCI is a data security standard created by the credit card industry. Any company that processes, stores, or transmits credit card data is obligated to comply with this standard. Alternatively, ISO 27001 is an international standard that provides the framework for an information security management program for any type of organization. More to the point, ISO 27001 certification is optional.

PCI data includes cardholder data such as:

  • Name
  • Account number
  • Card expiration date
  • CVV or security code

It also includes authentication data, such as the magnetic-stripe, chip, and pin data.

  • STEP 1: Determine your PCI level (1-4).
  • STEP 2: Complete a self-assessment questionnaire or evaluation by a QSA.
  • STEP 3: Build and maintain an IT security program that protects cardholder data and meets the guidelines specified in the PCI control objectives.
  • STEP 4: Apply for formal attestation of compliance with the PCI Security Standards Council

Cybersecurity risk analysis allows your organization to identify your sensitive data, understand your risks and devise a strategy to protect that data and mitigate those risks. This type of analysis is also a great opportunity for an organization to take an inventory of systems and resources and ensure that each is safeguarded by the proper security controls.

For smaller organizations at levels 2 through 4, with a self-assessment questionnaire, vulnerability scanning, IT security development, and remediation of risk, you could be looking at costs of $10,000 to $20,000.

A large enterprise, on the other hand, typically needs on-premise auditing, vulnerability scanning, penetration testing, training, IT security development, and risk remediation. That organization might incur costs of $70,000 to $100,000 for PCI compliance.