PCI Compliancev4.0 GuideQSA-led

What is PCI Compliance? The Complete Business Guide

Everything you need to know about PCI DSS compliance — requirements, merchant levels, costs, and how to protect your business from payment card data breaches. In plain terms: if your business takes card payments, PCI compliance is not optional. Cianaa supports businesses across Asia Pacific, Europe, and North America with QSA-led PCI DSS assessments.

PCI DSS v4.0 · Globally mandated · QSA-led

PCI compliance at a glance

1
Global Mandatory StandardAligned to PCI SSC v4.0 framework
12
Core RequirementsAcross 6 control objectives
4
Merchant LevelsL1 6M+ · L2 1–6M · L3 20K–1M · L4 <20K
The basics

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a globally mandated framework that protects payment card data — built on three pillars that every business handling card payments must understand.

Global Mandatory Standard

PCI DSS applies to every business worldwide that processes payment card data — regardless of size, country, or industry.

12 Core Requirements

PCI DSS v4.0 comprises 12 high-level requirements and 300+ individual controls covering network security, encryption, access control, and monitoring.

4 Merchant Compliance Levels

Businesses are classified into four levels based on annual card transaction volumes, each carrying different validation and reporting requirements.

The stakes

Why PCI Compliance Matters

Failure to comply can result in significant fines, increased transaction fees, reputational damage, and loss of the ability to process card payments altogether.

Average cost of a payment data breach
USD 4.45M

A single payment data breach costs businesses an average of USD 4.45 million (IBM, 2023). PCI compliance is your primary defence against that exposure.

Avoid Fines of Up to USD 100K/Month — non-compliant businesses face monthly fines from their acquiring bank ranging from USD 5,000 to USD 100,000.

Avoid catastrophic fines

Per-month penalties scale with merchant size and non-compliance duration.

Reduce transaction fees

Non-compliant merchants face elevated interchange and processing fees from acquirers.

Protect customer trust

A breach permanently damages brand reputation and customer loyalty.

Maintain ability to process cards

Severe non-compliance can result in your processing privileges being suspended.

Sleep better

Continuous compliance posture means audits, surveillance, and incidents are managed proactively.

The framework

The 12 PCI DSS Requirements Explained

PCI DSS v4.0 organises 300+ controls into six objectives and twelve high-level requirements.

1

Install & maintain network controls

Segment cardholder data with firewalls and network security controls.

2

Apply secure configurations

Replace vendor defaults; harden every in-scope component.

3

Protect stored account data

Encrypt, truncate, or tokenise cardholder data at rest.

4

Encrypt in transmission

Strong cryptography for cardholder data across public networks.

5

Protect from malware

Anti-malware, EDR, and behavioural monitoring on in-scope systems.

6

Develop secure systems

Patch management, secure coding, and code-review processes.

7

Restrict access by need-to-know

Least-privilege access to cardholder data and systems.

8

Identify users & authenticate access

Unique IDs, MFA across all access to CDE.

9

Restrict physical access

Physical safeguards for facilities holding cardholder data.

10

Log & monitor all access

Audit trails, log retention, alerting on suspicious activity.

11

Test security systems regularly

Vulnerability scans, penetration tests, integrity monitoring.

12

Maintain an information security policy

Governance: policies, awareness, risk assessment, incident response.

Sizing it up

PCI Compliance Merchant Levels: Which One Are You?

Your merchant level dictates the validation and reporting required — from a signed Report on Compliance (Level 1) to a Self-Assessment Questionnaire (Level 4).

Level 1

Enterprise

6M+
annual transactions

Annual on-site assessment by a QSA. Quarterly network scan by an ASV. Signed Report on Compliance (RoC).

Level 2

Large

1–6M
annual transactions

Annual SAQ or on-site QSA assessment (card brand dependent). Quarterly ASV scan.

Level 3

Mid-market

20K–1M
e-commerce transactions

Annual Self-Assessment Questionnaire. Quarterly network vulnerability scan by an Approved Scanning Vendor.

Level 4

Small

< 20K
e-commerce transactions

Annual Self-Assessment Questionnaire. Quarterly ASV scan if processing e-commerce transactions.

Complimentary · No obligation

Get a Free PCI Compliance Assessment

30 minutes with a practising QSA who’ll review your current state, identify your merchant level, and map out what compliance actually looks like for your environment — no commitment, no sales pitch.

Gap analysis vs. PCI DSS v4.0
Merchant level determination
SAQ vs. ROC scoping
Indicative cost & timeline
Book Your Free Assessment
QSA-led call 30-min commitment 1 business-day response
FAQ

Frequently Asked Questions about PCI Compliance

Who needs to be PCI compliant?

Any business that stores, processes, or transmits cardholder data. This includes online merchants, physical stores, service providers, and any organisation that touches a credit card number — regardless of size or country.

How long does it take to become PCI compliant?

For most businesses, 8–16 weeks from initial scoping to a signed Report on Compliance. Engagement length depends on your starting posture, environment complexity, and merchant level.

What’s the difference between PCI DSS and PCI 3DS?

PCI DSS covers all cardholder data security across your environment. PCI 3DS (3-Domain Secure) is a specific standard for authentication services that participate in 3DS-protected transactions. Many businesses need both.

Can I do PCI compliance myself?

Only Level 4 merchants (and some Level 2–3 depending on card brand) can self-assess via SAQ. Level 1 merchants require an external QSA. Self-assessment is allowed but a QSA still adds defensibility and identifies blind spots.

What if I fail a PCI audit?

Findings during a QSA assessment don’t mean automatic failure. You’ll receive specific, actionable findings to remediate before the final Report on Compliance is signed. Acquirers may set deadlines but engagement timelines usually allow for resolution.

Get a free PCI compliance assessment

Ready to Achieve PCI Compliance?

Talk to an accredited Cianaa QSA — scope your environment, identify your merchant level, and get a tailored compliance roadmap. Complimentary 30-minute call.