Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you request to download our free implementation guide, we use your name, company name (which is optional) and your email address to email you a link to download the requested document. We may also email you after your download in order to follow up on your interest in our products and services. We will do this based on our legitimate interest in marketing to prospects for our products and services. Your name and email address are stored on our website which is hosted with Digital Ocean. Your personal data is stored for one year after you requested your download, after which it is deleted.

Reveal Menu

A step-by-step guide to PCI DSS compliance

As the festive season approaches and more shoppers are buying online, it’s important to be compliant when selling online. It’s likely that you’re reading this because you have been made aware that you need to comply to PCI DSS, and you’re wondering where to start. Below we explain the what, where and how of PCI DSS compliance so you know exactly how to comply.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was created by the Payment Card Industry Security Standards Council (PCI SSC) which is governed by the following Payment Brands:

  • MasterCard
  • VISA
  • American Express
  • JCB
  • Discover Financial Services

Who needs to comply to PCI DSS?

PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Any organization involved in payment card processing which includes the storing, processing or transmitting of cardholder data (CHD) is usually contractually required to be PCI DSS compliant. Failure to do so could result in penalty fines to the organization.

What are the requirements for PCI DSS?

PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. These requirements are broken down into 12 areas:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all staff.

How to decide your merchant and service provider level?

All merchants and service providers are categorized into different levels depending on the volume of card payment transactions the organization processes per year. There are four levels into which an organization can be categorized, with level 1 being the highest and level 4 being the lowest.

The volume of transactions per year that determines the categorization level of your organization also varies between the payment brands (Visa, MasterCard, American Express, Discover, and JCB). Therefore, it is highly recommended you confirm your organization’s transaction volume and categorization level with your acquiring bank. Once you have determined your level you will know what validation methods are required for your PCI DSS compliance.

How to become PCI DSS compliant?

Once you have aligned your business policies and procedures to become compliant to the PCI DSS framework, either by working with a consultant, using a CertiKit toolkit or doing it yourself, you will then submit the appropriate documentation to your acquiring bank.

How you submit your compliance is dependent on your merchant level:

  • If your organization falls with the definition of Level 1 for merchants and service providers, you are required to submit compliance documents produced by a Qualified Security Assessor (QSA). They will then produce a report on compliance detailing the 12 requirements.
  • Lower level organizations may only require a Self-Assessment Questionnaire (SAQ) to be completed and submitted. SAQs are validation tools designed to assist organizations in self-evaluating their compliance with PCI DSS.

Do you want to know more?

We hope that has cleared up some common questions about PCI DSS compliance. If you are looking to know more, you can download our free detailed implementation guide straight to your email. This helpful guide will go through the twelve requirements in detail and outline the framework to get you started.

Over 3000 businesses have purchased our toolkits


This was the most comprehensive tool kit we found. The main selling point was the fact that they are laid out in a clear logical order, precisely following the order of the ISO 27001:2013 standard.

Operations Assistant
Enterprise Insurance Company Plc

View all Testimonials