
Your 12 step checklist to achieve PCI-DSS compliance

6 min read

The word ‘compliance’ fills most people with dread, evoking images of endless paperwork and more jargon than you can shake a stick at. However, like it or not, compliance isn’t optional; it’s the cost of doing business.

And when it comes to accepting card payments, few compliance challenges are more important, or more complex, than PCI DSS.

If you’re new to PCI compliance, you probably have a lot of questions. This guide covers:

  • What is PCI compliance?
  • Four levels of PCI compliance
  • Validating PCI-DSS compliance
  • 4 common questions about PCI compliance
  • How to be PCI compliant: a 12-step checklist
  • How to be PCI compliant with Primer

To make compliance a little less scary, we’re offering this 12-step PCI DSS compliance checklist and some tips on making the process easier.



What is PCI compliance?

PCI-DSS stands for Payment Card Industry Data Security Standard. It’s a global set of security requirements maintained by the PCI Security Standards Council (PCI SSC) to keep cardholder data (the primary account number, cardholder name, expiry date and related card data) secure and out of the hands of cybercriminals.

PCI-DSS was created to bring consistency across the major card brands’ separate security programs. The first version was released in December 2004. As of this writing, the most recent version is Version 4.0.1, published in June 2024.

In a nutshell, PCI-DSS sets out the technical and operational security requirements needed to protect payment data, reduce security vulnerabilities, and keep your customers safer. This includes controls such as strong cryptography, network security controls (firewalls), anti-malware software, and restricting employee access to card data to those with a business need.

Let’s take a closer look.  

Read about more ways to keep your customers safe: How Primer gives merchants the tooling to prevent payment fraud

Four levels of PCI compliance

There are four compliance levels applicable to merchants. Your level is not something you pick: the card brands and your acquirer assign it based on the number of transactions your organization processes annually, counted per card brand. The thresholds most commonly cited (Visa’s; the other brands use similar ones) are:

  • Level 1 – 6 million+ transactions per year
  • Level 2 – 1 to 6 million transactions per year
  • Level 3 – 20,000 to 1 million e-commerce transactions per year
  • Level 4 – Less than 20,000 e-commerce transactions per year

Note that the card brands can also move any merchant that has suffered a breach up to Level 1, regardless of volume.

Validating PCI-DSS compliance

Each card network (Visa, Mastercard, American Express, Discover) enforces PCI-DSS in its own way, but all align on the same core standards. Once you determine your level, the next step is to validate your compliance, a critical process that proves you’re meeting those security standards.

There are two main types of validation:

  • Report on Compliance (ROC): A formal on-site audit conducted by a Qualified Security Assessor (QSA). This is typically required for Level 1 merchants processing over six million transactions annually. The assessor examines your systems, documents your controls, and the result is summarized in an Attestation of Compliance (AOC) signed by both your organization and the QSA. It’s a rigorous process, but one that reassures partners, issuers, and regulators that you take security seriously.
  • Self-Assessment Questionnaire (SAQ): A self-evaluation for businesses processing lower volumes. You complete the SAQ type that matches how you handle card data (for example, SAQ A for merchants that fully outsource card capture to a validated provider, SAQ D for everyone who stores, processes or transmits card data themselves) and submit it, with an AOC, to your acquiring bank or payment provider. Many SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). It’s less intensive than a ROC, but still a vital demonstration that you’re maintaining minimum security standards.

Choosing the right validation method isn’t just about meeting obligations; it also affects how much scrutiny your business is under, what kind of data you can handle, and how confidently you can scale. For example, showing ROC validation may be required when onboarding new enterprise partners or expanding internationally.

4 common questions about PCI compliance

1. How much does PCI compliance cost?

According to IBM research, the global average cost of a data breach in 2024 was $4.88 million. It’s clear that PCI compliance should be a priority for every merchant that hasn’t already achieved it.

However, elevating your company’s operational and security procedures to meet the standards can come at a significant cost.

How much, exactly? The cost of being PCI-DSS compliant varies significantly based on several factors. These factors include:

  • Your business type
  • The size of your organization
  • Your existing security culture
  • Your organization’s environment
  • Whether you have dedicated PCI personnel
  • Whether your acquirer covers the cost

2. Is PCI-DSS compliance required by law?

PCI-DSS is not a statutory legal requirement*. However, compliance is contractually mandated by the major card networks such as Visa and Mastercard, and enforced through your agreements with acquiring banks and payment processors. This means that even in the absence of specific legislation, merchants are still contractually bound to comply, and the consequences of non-compliance (fines, higher fees, loss of processing) flow through those contracts.

*In the US, certain states have incorporated elements of PCI-DSS into law, including Nevada, Minnesota, and Washington.

3. Why is PCI-DSS critical for my business?

The PCI-DSS standards apply to any organization that stores, processes, or transmits cardholder data, and to any system that can affect the security of that data.

Businesses that engage in any of these activities must adhere to the PCI compliance requirements. Compliance helps protect organizations and their consumers from data breaches and payment card fraud.

4. What are the risks of not complying with PCI?

The risks of not complying with PCI-DSS are serious. A data breach has immediate and potentially long-lasting consequences for your business, including affecting its financial health, cash flow, and reputation.  

If your business doesn’t comply with PCI-DSS, you could face:

  • Fines and penalties levied by the card brands and passed down through your acquirer or payment service provider
  • Suspension of your credit card payment processing privileges
  • Liability for fraud charges
  • Legal action from customers affected
  • Costs to address the security breach
  • Reputational damage leading to loss of revenue

This paints a pretty grim picture. However, it’s essential to remember that the primary goal of PCI compliance is to safeguard your customers’ payment information. Making this your primary goal will help your brand gain credibility and nurture trust in your payment journey.

Offer your customers an extra layer of protection with a solid 3DS strategy: Key questions to ask when building an optimal 3DS strategy

How to be PCI compliant: a 12-step checklist

There are six key goals for PCI-DSS compliance, which are:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access-control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Within these six areas, there are 12 PCI-DSS requirements. Consider this your PCI-DSS compliance checklist:

  • Install and maintain network security controls
  • Apply secure configurations to all system components
  • Protect stored account data
  • Protect cardholder data with strong cryptography during transmission over open, public networks
  • Protect all systems and networks from malicious software
  • Develop and maintain secure systems and software
  • Restrict access to system components and cardholder data by business need to know
  • Identify users and authenticate access to system components
  • Restrict physical access to cardholder data
  • Log and monitor all access to system components and cardholder data
  • Test security of systems and networks regularly (vulnerability scanning and penetration testing)
  • Support information security with organizational policies and programs

Be sure to review the full PCI-DSS v4.0.1 guidelines to understand the complete set of expectations and ensure your organization stays compliant over time.

PCI compliance: just the starting point

You can use this checklist as a starting point to ensure your business meets the core PCI-DSS requirements. However, remember that compliance isn’t a one-time project. It requires regular testing, monitoring, and updates to maintain system security and minimize the risk of a data breach.

It’s also important to note that these are the minimum requirements. Many businesses opt to go further, especially in high-risk sectors or where customer trust is crucial.

How to be PCI compliant with Primer

We’ve spent this article explaining how to become PCI compliant, but there’s a shortcut: work with a partner like Primer that keeps raw card data out of your systems. That doesn’t remove your obligation to validate, but it shrinks your PCI scope dramatically, typically to a much shorter SAQ rather than a full assessment of your own infrastructure.

Our Universal Checkout securely captures payment method data and communicates with our PCI Level 1 tokenization service. In short, we transform sensitive customer data into a secure, uniform string called a payment method token.

Using secure payment method tokens paired with a customer ID, Primer’s Vault enables:

  • Recurring merchant-initiated payments
  • A seamless one-click experience for your customers with Universal Checkout

Learn more about saving payment methods using Primer’s Vault to get a better handle on how this feature delivers a better customer payment journey.

What else do you get with Primer? 

Meeting PCI requirements is just one part of building a high-performing payments setup. With Primer, you also gain access to powerful tools that streamline operations, mitigate risk, and help you scale more efficiently.

Seamlessly connect to PSPs and activate new payment methods

As your business scales, managing multiple payment providers can become time-consuming and fragmented. Primer allows you to connect PSPs, gateways, fraud tools, and local payment methods with just a few clicks. No engineering work is required.

You can activate providers like Adyen and Stripe while offering customer-preferred methods, including digital wallets and Buy Now, Pay Later (BNPL).

Read more: What is payment orchestration and how can it maximize payment efficiency?

Recover lost revenue with Primer Fallbacks

Every failed payment is a missed opportunity. Soft declines can lead to lost revenue and frustrated customers. That’s why it’s crucial to establish a backup processor. However, this can be resource-heavy to configure and maintain.

Primer Fallbacks removes the engineering demands from the equation. You can configure Fallbacks to automatically retry failed (and recoverable) transactions through another provider of your choice. And because Primer 3DS is processor-agnostic, failed payments can be retried without your customers having to undergo another 3DS challenge.

Learn more: Why merchants should build a Fallback strategy

Get full visibility with Observability

When you work with multiple PSPs, monitoring performance is often fragmented. Primer’s Observability dashboard provides a unified view of your entire payment stack in real-time.

You can set custom Monitors to alert you when key metrics fall outside your thresholds. Alerts can be delivered by webhook, email, or Slack, helping your team respond quickly and prevent revenue loss.

Improve authorization rates and reduce fraud with network tokenization

Primer replaces raw card numbers with secure, network-issued tokens that update automatically when a customer’s card is reissued or replaced. This reduces failed payments from outdated card details, improves authorization rates, and helps prevent card data exposure in the process.

Read more: How to optimize payments using network tokenization

Add fraud protection without engineering effort

Primer lets you activate leading fraud prevention providers, including Signifyd, Sift, and Riskified, directly within your payment workflows. You can dynamically assess risk before a transaction completes, all without custom integrations or dev time.

Read more: How Primer gives merchants the tooling to prevent payment fraud

Make compliance easy with Primer 

The benefits of working with a PCI compliance expert can far outweigh the cost. Together, we help merchants navigate complex payment problems and facilitate a smoother PCI compliance journey.

Want to learn more about how Primer can help your business? Get in touch with our payment experts.

Frequently Asked Questions (FAQ) about PCI-DSS Compliance

PCI-DSS compliance can be complex, especially if your payments setup involves multiple systems, teams, and vendors. It’s normal to have questions as you work out what applies to your business and how to approach validation and ongoing security.

Here are some of the most common ones merchants ask about PCI-DSS compliance.

What is PCI-DSS compliance, and why is it important?

PCI-DSS compliance means your business follows the Payment Card Industry Data Security Standard, a set of security requirements maintained by the PCI SSC. It matters because it helps protect payment card data and other sensitive data, reduces the risk of unauthorized access to cardholder information, and is commonly required by agreements connected to card brands.

Who needs to be PCI-DSS compliant?

Any business that stores, processes, or supports the transmission of cardholder data may need to comply with PCI-DSS. That can include ecommerce businesses, SaaS platforms with embedded payments, and merchants that accept card payments online or in-person through a POS.

What is the cardholder data environment (CDE), and what does “CDE” mean?

Your cardholder data environment is the people, processes, and technology that store, process, or transmit cardholder data, plus any systems that can impact its security. “CDE” is the common shorthand for that environment. Defining your CDE clearly helps you understand scope, identify key access points, and limit access based on business need.

What are the PCI-DSS compliance levels?

PCI-DSS compliance levels are commonly based on the total number of card transactions your business processes per year. Your level influences the validation method you’ll typically be asked to complete and what documentation is expected.

How do I validate PCI-DSS compliance?

Validation is typically done through a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC), depending on your situation. Some organizations may also need vulnerability scans performed by an approved scanning vendor (ASV), and any findings usually require remediation before you can close out the process.

What are ASV vulnerability scans, and when do I need them?

An ASV is an Approved Scanning Vendor, a company qualified by the PCI SSC to perform external vulnerability scans against your internet-facing, in-scope systems. PCI-DSS requires these scans at least quarterly and after any significant change. These scans help identify security gaps that could lead to unauthorized access. If issues are found, the next step is remediation and a re-scan until you have a passing result for the quarter.

What does PCI-DSS say about default passwords and vendor-supplied defaults?

PCI-DSS includes requirements to change vendor-supplied defaults and avoid default passwords on systems that touch, store, or can impact the CDE. The goal is to reduce avoidable weaknesses that hackers commonly exploit.

Does PCI-DSS require multi-factor authentication and unique IDs?

PCI-DSS includes access-control requirements that assign each person a unique user ID (no shared or generic accounts) so that every action can be traced back to an individual. Multi-factor authentication is not optional under v4.0.1: it is required for all non-console administrative access, for all access into the CDE, and for all remote network access that originates from outside your network.

Do I need anti-virus software for PCI-DSS compliance?

PCI-DSS includes requirements to protect systems from malicious software. Depending on your environment and operating systems, that may involve anti-virus software or other controls designed to detect and block malware on systems that could impact the security of payment card data.

What logs do I need, and what are audit trails?

PCI-DSS includes requirements to log and monitor access to systems and data. Audit trails are the records that show who did what, when, and where, often tied back to a user ID. These logs can support investigations, help identify security events, and reduce blind spots in cybersecurity monitoring.

What does PCI-DSS expect around TLS and transmission of cardholder data?

PCI-DSS includes requirements to protect the transmission of cardholder data over open, public networks using strong cryptography. In practice, TLS is used for payment pages, APIs, and system-to-system connections that handle cardholder information. Note that SSL and early TLS (1.0 and, in practice, 1.1) do not count as strong cryptography; TLS 1.2 or later with modern cipher suites is the baseline, and PAN must never be sent over end-user messaging channels such as email or chat without being rendered unreadable first.

How can network segmentation help with PCI scope and security?

Network segmentation can reduce PCI scope by separating the CDE from the rest of your network. Done well, it can help limit access to sensitive data, reduce the number of in-scope access points, and make it easier to test security systems and investigate issues.

Are POS systems, routers, and other network devices part of PCI scope?

They can be, depending on how they connect to the CDE and whether they can impact the security of cardholder information. POS devices, routers, and supporting systems are often considered when mapping scope, identifying access points, and planning vulnerability scans and remediation work.

What’s the risk of PCI-DSS non-compliance?

Non-compliance can increase cybersecurity risk and may lead to additional requirements from partners involved in card payments. More importantly, it can leave gaps that increase the likelihood of unauthorized access to payment card data, which can create operational disruption and follow-on work.

What should an incident response plan and risk assessment cover?

PCI-DSS includes requirements around maintaining an incident response plan and performing a risk assessment. In general terms, these help you prepare for security events, define roles and escalation steps, and prioritize remediation when issues are found.

What should I consider for data retention of cardholder information?

PCI-DSS includes requirements aimed at minimizing stored cardholder information. Data retention should be driven by a documented business, legal or regulatory need, with a retention period, a process for securely deleting data once it expires, and controls that limit access to what’s retained. Two rules are absolute: sensitive authentication data (full track data, the card verification code, and PINs) must never be stored after authorization, even encrypted, and stored PAN must be rendered unreadable (truncation, index tokens, keyed hashes or strong encryption) wherever it lives, including logs, backups and debugging output.
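The most common way card data ends up stored where it shouldn’t be is through application logs: a debug line that prints the request body, a stack trace that includes form fields. The following is an added example (not Primer’s code and not from the PCI SSC) that ties together the “protect stored account data” and “log and monitor” items of the checklist above with this FAQ: a Luhn-validated scanner that finds unmasked PANs in log lines, a masking helper that keeps only the BIN and last four digits (the most PCI-DSS allows to be displayed), and an audit-record builder carrying the fields requirement 10 expects in an audit trail. The log lines are constructed for illustration, the card numbers are the well-known card-brand test numbers, and the audit field names are this example’s own choice, not a PCI-mandated schema.

```python
"""PAN hygiene for logs and audit trails (added example, not Primer's code)."""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone
from typing import Iterator, Optional

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits. Timestamps, order ids and the like
# can match this shape too, which is why every hit is Luhn-checked below.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Real PANs pass it; most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six (BIN) and last four, separators dropped."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN-shaped substring of text, as written."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"\D", "", m.group(0)))]


def redact_line(line: str) -> str:
    """Replace each Luhn-valid PAN in a line with its masked form; leave other digits alone."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, line)


def scan_log(lines: list[str]) -> Iterator[tuple[int, str]]:
    """Yield (line number, line) for every line that leaks an unmasked PAN."""
    for n, line in enumerate(lines, 1):
        if find_pans(line):
            yield n, line


def audit_record(user_id: str, event: str, success: bool, origin: str,
                 resource: str, detail: str = "",
                 when: Optional[datetime] = None) -> str:
    """One JSON audit-trail entry: who, what, when, success/failure, where from and
    which resource (the elements requirement 10 asks for). Free text is redacted
    first so a PAN can never reach the audit log through the detail field."""
    when = when or datetime.now(timezone.utc)
    return json.dumps({
        "ts": when.isoformat(),
        "user_id": user_id,
        "event": event,
        "success": success,
        "origin": origin,
        "resource": resource,
        "detail": redact_line(detail),
    }, sort_keys=True)


def sample_audit_record() -> str:
    """Deterministic record (fixed timestamp) used for the stand-alone run."""
    return audit_record("u-1042", "vault.card.read", True, "10.0.4.7",
                        "payment_method/pm_77", detail="pan=4111111111111111",
                        when=datetime(2024, 5, 1, tzinfo=timezone.utc))


# Constructed sample lines; 4111... and 5555... are card-brand test numbers.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO  checkout start session=8f3a user=u-1042 ts=1700000000000",
    "2024-05-01T10:00:01Z DEBUG charge request pan=4111111111111111 exp=12/26 amount=1999",
    "2024-05-01T10:00:01Z DEBUG charge request pan=5555 5555 5555 4444 amount=4500",
    "2024-05-01T10:00:02Z INFO  charge ok token=tok_9f8e7d last4=1111",
    "2024-05-01T10:00:03Z WARN  retry id=4111111111111112",
]

if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n} leaks a PAN -> {redact_line(line)}")
    print(sample_audit_record())
```

Run against the constructed lines, the scanner flags lines 2 and 3 only: the 13-digit epoch timestamp on line 1 and the 16-digit id on line 5 have the right shape but fail the Luhn check, so they are left untouched. In production you would run `redact_line` in the logging pipeline (a formatter or filter) rather than after the fact, and run `scan_log` over historical logs and backups as a detective control; a hit is a scope problem, not just a logging bug, because wherever that file lives is now part of your CDE.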
