Payment Card Industry Data Security Standard

What is PCI DSS?

  • Globally recognised and adopted, the Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps you to manage and process card payments safely and securely.
  • Quickly understand obligations you need to meet when processing and storing cardholder data by using the PCI DSS requirements list.
  • Show customers and give them the confidence that you take robust precautions to preserve their personal and financial data by ensuring your operations are PCI DSS compliant.



Do I need to be PCI DSS compliant?

  • There is no legal obligation for merchants accepting card payments to comply with the PCI DSS requirements; however, many of your rivals are already bolstering their security and increasing customer confidence in their operations.
  • It will help you fulfil your obligations under relevant data privacy laws and regulations such as The Data Privacy Act, 1988 and the General Data Protection Regulation (GDPR).
  • You may have a contractual responsibility to your card payment service provider to be PCI DSS compliant; meeting it avoids potential withdrawal of services, monetary penalties and fee increases.

What do I need to be PCI DSS compliant?

Use our four-step PCI DSS compliance framework to manage your compliance programme. It clearly lays out the process you take your organisation through: it helps you identify what falls in scope, the gaps to address, and the 12 core PCI DSS requirements to meet. You then submit your PCI Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) to your service provider, and review regularly to maintain compliance.

1. Scope

Identify the systems and processes that fall within scope of PCI DSS.

2. Gap Assessment

Understand and address gaps in systems and processes security.

3. Submission

Submit a Self-Assessment Questionnaire or Report on Compliance.

4. Regular Review

Schedule frequent reviews of system and process security.

The 12 PCI DSS requirements

Do I need to complete a PCI DSS Self Assessment Questionnaire (SAQ) or a Report on Compliance (ROC)?

  • The payment card industry uses four merchant levels (1 to 4) to determine the level of risk. They help you determine the security measures to take and whether an SAQ or a ROC is required.
  • The table below shows the current PCI DSS merchant levels and the security validation and assessment required by MasterCard and Visa. Each card brand has its own requirements, so use these as a general guide.

4 Merchant Level Rankings

  Level   Annual transactions   Validation required
  -----   -------------------   -------------------------------------------------------------
  1       6,000,001 or more     Onsite assessment; ROC and ASV scan report
  2       1.001m to 6m          Self-assessment; SAQ and ASV scan report
  3       20,001 to 1m          SAQ and ASV scan report; determined by payment brand or acquirer
  4       20,000 or fewer       SAQ and ASV scan report; determined by payment brand or acquirer

How do I stay PCI DSS compliant?

  • Maintain your PCI DSS compliance status by frequently testing security systems and processes. These usually take the form of penetration tests and Approved Scanning Vendor (ASV) scans.
  • The frequency of these will depend on which Self-Assessment Questionnaire (SAQ) you are required to complete, or the level identified in your Report on Compliance (ROC).


Annual Penetration Testing

To prevent unauthorised access and other malicious activity, both internal and external, penetration testing attempts to identify and exploit system and network vulnerabilities before an attacker does. An external and an internal penetration test should be performed at least annually, and whenever a significant change is made to your system, by a qualified resource.


Quarterly ASV Scanning

An ASV scan validates that your externally facing systems conform to the external vulnerability scanning requirements of PCI DSS Requirement 11. It is performed at least quarterly and after any significant change.
