Frameworks

PCI DSS Compliance

Understanding PCI DSS requirements for businesses that handle payment card data. Learn about the 12 requirements and compliance levels.

Updated December 14, 20257 min read
PCI DSSPayment SecurityCredit CardsCompliance

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for any organization that accepts, processes, stores, or transmits credit card information.

The current version, PCI DSS v4.0, was released in March 2022 and becomes mandatory in 2025.

Who Must Comply?

If your business handles payment cards in any way, PCI DSS applies:

  • Merchants accepting card payments
  • Service providers processing payments for others
  • Payment processors and gateways
  • SaaS companies storing cardholder data
  • Any business touching card data

The 12 PCI DSS Requirements

Build and Maintain a Secure Network

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components

Protect Account Data

  1. Protect stored account data
  2. Protect cardholder data with strong cryptography during transmission

Maintain a Vulnerability Management Program

  1. Protect all systems against malware
  2. Develop and maintain secure systems and software

Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business need-to-know
  2. Identify users and authenticate access
  3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  1. Log and monitor all access to network resources and cardholder data
  2. Test security of systems and networks regularly

Maintain an Information Security Policy

  1. Support information security with organizational policies and programs

Compliance Levels

Your compliance level depends on transaction volume:

Level Annual Transactions Requirements
1 6+ million Annual on-site audit (QSA)
2 1-6 million Annual SAQ, quarterly scans
3 20K-1 million e-commerce Annual SAQ, quarterly scans
4 Under 20K e-commerce Annual SAQ, quarterly scans

Self-Assessment Questionnaires (SAQ)

Most small businesses use SAQs for compliance:

  • SAQ A: Card-not-present, fully outsourced
  • SAQ A-EP: E-commerce with third-party payment page
  • SAQ B: Imprint or dial-out terminals only
  • SAQ C: Payment application systems
  • SAQ D: All others (most comprehensive)

Key Changes in PCI DSS v4.0

  • Customized approach — More flexibility in meeting requirements
  • Enhanced authentication — MFA now required for all access
  • Targeted risk analysis — Define frequencies based on risk
  • Service provider requirements — Stronger third-party oversight

How CyberPolicify Helps

PCI DSS documentation can be overwhelming. CyberPolicify simplifies compliance:

  • Generate policies mapped to all 12 requirements
  • Create procedures for common PCI scenarios
  • Track controls with gap analysis dashboards
  • Prepare for assessments with organized evidence

Secure your payment environment efficiently.

Framework readiness

Generate documentation mapped to frameworks

Generate PCI DSS PoliciesRun a Gap Check

Start with policies and procedures aligned to the framework, then close gaps with a clear plan.