PCI DSS: What it is, requirements and compliance levels

Channing Lovett
Senior Associate, Content Marketing

Key takeaways:
PCI DSS is a set of security standards designed to protect cardholder data for any business that accepts, stores, or processes payments.
Compliance is divided into four levels based on transaction volume, with different validation requirements and processes for each.
Partnering with a Level 1 PCI DSS-certified payment processor like Airwallex reduces the scope of your compliance responsibilities, simplifies security management, and helps you stay protected with less effort.
If you run an eCommerce business, accepting credit card payments is fundamental – but it also comes with a serious responsibility: protecting your customers’ sensitive information.
Data breaches in retail and eCommerce are increasingly common, and a large share of those incidents involve the theft of personal and payment-related data. In fact, nearly half of all breaches in the retail industry involve customer information such as names, email addresses, and payment details [1].
In this article, we break down PCI DSS: what it is, what it means for your business, and how platforms like Airwallex can simplify compliance, helping you keep your customers’ data secure without adding unnecessary complexity.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all businesses accepting, storing, processing, or transmitting cardholder data maintain a secure environment.
It was created in 2004 by five major credit card companies – Visa, Mastercard, American Express, Discover, and JCB – to protect cardholder information and reduce credit card fraud.
Why is PCI DSS important in digital finance?
In digital finance, PCI DSS matters because it helps businesses keep payment card information safe and transactions secure. Following these standards lowers the risk of data breaches, protects customers’ personal and financial details, and builds a strong foundation of trust and security for your operations.
Who must comply with PCI DSS?
If you accept, store, or process credit or debit card information, you're required to be PCI DSS compliant. The level of compliance required varies based on the volume of card transactions processed.
What are the levels of PCI DSS compliance?
PCI DSS divides businesses into four compliance levels based on the number of card transactions they process over the past 12 months.
Each card network – Visa, Mastercard, American Express, Discover, and JCB – runs its own PCI DSS compliance program, with slightly different requirements depending on transaction volume. For example, here’s a quick overview showing how Visa structures its PCI DSS compliance standards [2]:
| PCI DSS level | Annual Visa transaction volume | Primary validation method |
|---|---|---|
| Level 1 | Over 6 million Visa transactions (all channels) | ROC by QSA/ISA + AOC + quarterly ASV scans |
| Level 2 | 1–6 million Visa transactions (all channels) | SAQ + AOC + quarterly ASV scans |
| Level 3 | 20,000–1 million online Visa eCommerce transactions | SAQ + AOC + quarterly ASV scans |
| Level 4 | Fewer than 20,000 online, or up to 1 million total | SAQ (recommended) + acquirer‑defined checks |
Below is a closer look at what each PCI DSS level means for Visa, and the specific validation requirements for your business:
PCI DSS Level 1
Level 1 applies to merchants processing over 6 million Visa transactions annually across all channels, or global merchants that any Visa region has identified as Level 1.
Here are the validation requirements for Level 1:
Annually:
Undergo a Report on Compliance (ROC) assessment by a Qualified Security Assessor (QSA), or by a certified Internal Security Assessor (ISA) who has completed PCI SSC ISA training.
Submit an Attestation of Compliance (AOC) form.
Quarterly:
Perform a network scan using an Approved Scanning Vendor (ASV).
PCI DSS Level 2
Level 2 applies to merchants processing between 1 million and 6 million Visa transactions annually across all channels.
Here are the validation requirements for Level 2:
Annually:
Complete a Self‑Assessment Questionnaire (SAQ).
Submit an AOC form.
Quarterly:
Perform a network scan with an ASV.
PCI DSS Level 3
Level 3 applies to merchants processing between 20,000 and 1 million online Visa transactions annually.
Here are the validation requirements for Level 3:
Annually:
Complete an SAQ.
Submit an AOC form.
Quarterly:
Perform a network scan with an ASV.
PCI DSS Level 4
Level 4 applies to merchants processing fewer than 20,000 online Visa transactions annually, and all other merchants processing up to 1 million Visa transactions annually across channels.
Here are the validation requirements for Level 4:
Annually:
An SAQ is recommended.
Specific compliance validation requirements are set by your acquirer (your acquiring bank or payment provider).
Quarterly (if applicable):
Perform a network vulnerability scan with an ASV, if your business transmits cardholder data over the internet or if your acquiring bank requires it.
What are the 12 core requirements of PCI DSS?
PCI DSS is built around 12 technical and operational requirements, which are grouped into six main goals. These goals provide a framework for protecting cardholder data and maintaining a secure environment.
Here’s how the PCI Security Standards Council [3] breaks them down:
Goal 1: Build and maintain a secure network and systems
Network security controls: Install and maintain firewalls and other network security measures to protect cardholder data.
Secure configurations: Apply secure settings to all system components to reduce vulnerabilities.
Goal 2: Protect account data
Safeguard cardholder data: Store and handle all cardholder data securely.
Encryption: Use strong encryption to protect cardholder data when transmitted over public or open networks.
Goal 3: Maintain a vulnerability management programme
Malware protection: Implement measures to defend systems and networks from malicious software.
Secure systems and software: Develop and maintain secure applications and system components.
Goal 4: Implement strong access controls
Limit access: Grant access to cardholder data and systems only on a need-to-know basis.
User monitoring: Assign unique IDs and monitor user activity to ensure accountability.
Physical access controls: Restrict physical access to systems and locations that store or process cardholder data.
Goal 5: Regularly monitor and test networks
Track access: Monitor and log all access to network resources and cardholder data.
Security testing: Regularly test security systems and processes to identify and fix vulnerabilities.
Goal 6: Maintain an information security policy
Organisational policies: Establish and enforce security policies for employees and contractors to support a culture of data protection.
How to validate PCI DSS compliance
Validating PCI DSS compliance is about more than following rules – it’s about proving your business handles cardholder data securely. The process varies depending on how many card transactions you process each year and the level your business falls into.
What's the difference between compliance and validation?
Meeting the 12 PCI DSS requirements means your business is compliant. Validation, on the other hand, is the process of showing evidence that you meet those requirements. How you go about validation depends on your business’s compliance level.
Self-Assessment Questionnaire (SAQ)
Businesses at Levels 2, 3, or 4 validate compliance by completing an annual Self-Assessment Questionnaire (SAQ). The SAQ is a guided checklist covering the PCI DSS requirements that apply to your business, helping you identify any gaps and confirm where you stand.
Report on Compliance (ROC)
Level 1 businesses process the highest volume of transactions, and they must undergo a more rigorous audit. A Qualified Security Assessor (QSA) or certified Internal Security Assessor (ISA) conducts the audit, resulting in a Report on Compliance (ROC) that provides a detailed review of your security posture.
The role of assessors and vendors
You'll often work with two key external parties during validation:
Qualified Security Assessor (QSA): A QSA is an independent security professional certified by the PCI Security Standards Council to perform on-site PCI DSS assessments and produce ROCs.
Approved Scanning Vendor (ASV): An ASV is a company certified to conduct external network vulnerability scans, which you'll need to run quarterly to spot and fix security weaknesses.
Once your validation is complete, you'll receive an Attestation of Compliance (AOC), a document that shows you're compliant with the relevant PCI DSS standards.
What happens if you're not PCI DSS compliant?
Failing to comply with PCI DSS can have serious consequences. You may face hefty fines from payment card brands, increased liability in the event of a data breach, damage to your reputation, and a loss of customer trust.
Non-compliance can also put your payment processing at risk, which is especially problematic if most of your customers pay by card.
Overcoming the complexities of PCI DSS compliance
Achieving PCI DSS compliance can be challenging. The standards are strict, and keeping up with monitoring and reporting takes significant time and effort.
However, by understanding the core principles, building a culture of security, and using the right tools, businesses can reduce the complexity and cost of compliance. Partnering with a PCI DSS-certified payment processor like Airwallex can further simplify the process, helping you maintain strong security without overburdening your team.
How Airwallex simplifies PCI DSS compliance
As a Level 1 PCI DSS-certified payments provider, Airwallex helps you meet compliance requirements more easily. By processing payments through Airwallex, you benefit from a secure infrastructure and the support of a dedicated security team.
With Airwallex, you can:
Protect data in transit and at rest: Keep customer information safe with advanced encryption technologies.
Maintain confidentiality with tokenisation: Secure personal and financial details by replacing sensitive data with tokens.
Prevent fraud in real time: Provide a seamless, secure experience for your customers with ongoing fraud protection.
Access expert security support: Rely on a team of security specialists focused on maintaining the highest level of protection for your business.
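The tokenisation bullet above describes the mechanism that keeps a merchant's own systems out of most of PCI DSS scope: the full card number (PAN) is swapped for a random token, and the mapping lives only inside the processor. The following is an added illustration written for this article, not Airwallex's code or API; the names `TokenVault`, `tokenise`, `detokenise` and `merchant_store_card` are hypothetical, and the card numbers used are constructed test values. It shows the three properties a practitioner should check for: the token bears no relationship to the PAN, the merchant record carries only the token and a masked display value, and the same card deliberately maps to the same token so the merchant can recognise a returning card without ever seeing it.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers; rejects obvious typos before tokenising."""
    digits = [int(c) for c in pan if c.isdigit()]
    # Reject non-digit characters and anything shorter than a real PAN.
    if len(digits) != len(pan) or len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive (PCI DSS permits at most
    first six / last four; we keep the minimum the merchant usually needs)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for the processor-side vault (hypothetical). In practice this is a
    hardened service inside the processor's cardholder data environment; the
    merchant never holds this object, it only ever receives tokens."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}        # token -> PAN, processor side only
        self._by_fingerprint: dict[str, str] = {}  # keyed hash of PAN -> token
        # Constructed for the demo: a secret HMAC key so that fingerprints cannot be
        # brute-forced from the small PAN space the way a plain hash could be.
        self._key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str) -> str:
        """Return a token for the PAN; the same PAN always yields the same token."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        # Random token: nothing about it can be reversed to recover the PAN.
        token = "tok_" + secrets.token_urlsafe(18)
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the processor ever calls this, e.g. when forwarding to the card network."""
        return self._by_token[token]


def merchant_store_card(vault: TokenVault, pan: str) -> dict[str, str]:
    """What a merchant's own database row should hold: token plus masked display
    value, never the PAN itself."""
    token = vault.tokenise(pan)
    return {"token": token, "display": mask_pan(pan)}


def record_contains_pan(record: dict[str, str], pan: str) -> bool:
    """Scope check: does any stored field leak the full card number?"""
    return any(pan in value for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed Visa-format test number
    row = merchant_store_card(vault, test_pan)
    print(row)  # token is random, display is ************1111
    print("PAN leaked into merchant record:", record_contains_pan(row, test_pan))
```

The fingerprint index is what makes "same card, same token" possible without the merchant touching the PAN; a plain SHA-256 of a 16-digit number would be cheap to reverse by enumeration, which is why the demo keys it with a secret the vault alone holds.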
Frequently asked questions (FAQs)
What does PCI DSS stand for?
PCI DSS stands for Payment Card Industry Data Security Standard. Five major credit card providers – Visa, Mastercard, American Express, Discover, and JCB – established it in 2004 to create a unified set of security standards for protecting cardholder data.
How much does PCI DSS compliance cost?
The cost of PCI DSS compliance varies widely depending on your business size, transaction volume, and chosen validation method, but it typically ranges from a few hundred to tens of thousands of dollars per year. Small businesses completing an SAQ may pay for minimal tools or consulting, while larger Level 1 businesses undergoing an annual audit with a QSA face higher fees for assessments, remediation, and ongoing security monitoring.
How long does it take to become PCI DSS compliant?
The time required to achieve PCI DSS compliance depends on your business size, complexity, and current security posture, but most organisations can expect the process to take anywhere from a few weeks to several months. Smaller businesses completing an SAQ may become compliant in a matter of weeks, while larger Level 1 businesses undergoing a full audit with a QSA often need several months to implement controls, fix vulnerabilities, and complete validation.
What's the difference between being PCI DSS compliant and working with a certified payment processor?
Being PCI DSS compliant means you meet the required security standards. A certified payment processor, like Airwallex, is a service provider that has undergone a rigorous audit to prove its own compliance at the highest level (Level 1).
When you use a PCI DSS-certified payment processor, the processor’s secure infrastructure and certification reduce your compliance burden, and in many cases, you don’t need to go through the full validation process yourself. This lets you protect customer data while focusing on running your business.
Do I still need to be PCI compliant if I use a payment processor like Airwallex?
Using a PCI DSS-certified payment processor like Airwallex means most of the heavy lifting is handled for you, so there’s much less you need to do yourself. However, you still need to take care of a few responsibilities, such as how you collect, store, or transmit payment information within your own systems. This way, you stay compliant while benefiting from the processor’s secure infrastructure.
Sources:
1. https://www.shopify.com/enterprise/blog/retail-cybersecurity
2. https://corporate.visa.com/en/resources/security-compliance.html
3. https://listings.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf
This publication does not constitute legal, tax, or professional advice from Airwallex, nor does it substitute seeking such advice, and makes no express or implied representations / warranties / guarantees regarding content accuracy, completeness, or currency. If you would like to request an update, feel free to contact us at [[email protected]]. Airwallex (Singapore) Pte. Ltd. (201626561Z) is licensed as a Major Payment Institution and regulated by the Monetary Authority of Singapore.

Channing Lovett is a fintech writer at Airwallex, where she leverages her diverse background in communication, tech, and financial SaaS to create insightful content. Channing’s expertise lies in simplifying complex concepts, helping readers to navigate the intricacies of their end-to-end financial operations with confidence. Her writing explores topics such as digital payments, cross-border transactions, and embedded finance, among others.

