🍰It's no rocket science

Demystifying PCI compliance and it's requirements

In this chapter, we will look at the levels of PCI compliance, key requirements and we will understand why it is not as complex as it seems to be to obtain PCI compliance.

Businesses subject to PCI-DSS must annually demonstrate compliance with the regulation. And PCI-DSS lays out two ways of doing so:

  1. Self-Assessment Questionnaire (SAQ): This is an audit or assessment which can be completed by a business without a independent third-party Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). The person responsible for the payment infrastructure fills out the SAQ. This could be the stakeholder who is the closest to your payment infrastructure - your Dev Ops Manager, or Information Security Officer, or CTO.

  2. Report on Compliance (ROC): An independent third-party QSA or ISA certified by the PCI-SSC will have to perform the audit and share the findings.

Companies that fall into PCI DSS Levels 2-4 are only required to complete a Self-Assessment Questionnaire (SAQ) and submit to the respective payment processor or acquirer. And that would be all !!

Level of PCI compliance

Depending on the number of transactions your business processes, you could be subject to different levels of PCI compliance.

ParameterPCI Level 1PCI Level 2PCI Level 3PCI Level 4

Number of card transactions

Over 6 million

6 million to 1 million

1 million to 20,000

Less than 20,000

Compliance Report

Report on Compliance (ROC)

Self Assessment Questionnaire (SAQ)

Self Assessment Questionnaire (SAQ)

Self Assessment Questionnaire (SAQ)

Assessment type

Independent QSA or ISA

Self assessment

Self assessment

Self assessment

Quarterly network scan by approve QSA





Sources: Mastercard guidelines, Visa Guidelines, PCI SSC document library.

About PCI Requirements and Controls

In general PCI compliance is consolidated into 12 Requirements and 224 controls.

RequirementsNumber of Controls

Requirement 1: Install and maintain a firewall configuration to protect cardholder data


Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters


Requirement 3: Protect stored cardholder data


Requirement 4: Encrypt transmission of cardholder data across open, public networks


Requirement 5: Use and regularly update anti-virus software or programs


Requirement 6: Develop and maintain secure systems and applications


Requirement 7: Restrict access to cardholder data by business need to know


Requirement 8: Assign a unique ID to each person with computer access


Requirement 9: Restrict physical access to cardholder data


Requirement 10: Track and monitor all access to network resources and cardholder data


Requirement 11: Regularly test security systems and processes


Requirement 12: Maintain a policy that addresses information security for all personnel




Simplifying your PCI compliance

Self assess your business for PCI compliance

If you are an online business processing less than 6 million card transactions a month, all that you will have to do is a self assessment of PCI compliance as per SAQ D.

Requirement 9

Lets assume all your software systems are cloud native and do not depend upon on-premise servers. In such case your staff will not be able to physically access any cardholder data and hence your business is exempted from Requirement 9.

That is one PCI Requirement less for your business and 22 controls automatically exempted.

Requirement 3

If you choose not to store card holder data on your servers, you will be exmepted from Requirement 3.

So eventually you are left with 10 PCI Requirements and 182 controls to comply with.

This is the reason behind our recommendation of installing a simple setup without the card vault, if your business processes less than 6 million card transactions

Next step:

πŸ—’οΈCompleting the SAQ

Last updated