The PCI DSS is a set of requirements explaining how to protect you and your customers when taking card payments. These are industry-spanning requirements, so all suppliers taking payments should take the PCI DSS seriously.
When you take card payments, you rely on customer trust in your ability to protect their financial data. With the Payment Card Industry Data Security Standard, established by major card brands, your business can demonstrate adherence to stringent security measures. The protocols of the standard are designed to safeguard transactional data, deter identity fraud and prevent costly security breaches, enhancing your reputation as a trustworthy business.
Our accredited PCI DSS certification service, provided by Panacea Infosec (acquired by SGS in January 2026), confirms your compliance with the 12 key PCI DSS requirements and positions you to manage ongoing security challenges effectively.
Elevate your data protection standards with PCI DSS certification from SGS
- Reduce risk, increase awareness: significantly reduce the risk of security incidents.
- Build trust and relationships: foster trust among customers, partners and vendors.
- Save time, money and effort: enhance operational efficiency and avoid noncompliance fines.
- Improve your position in the marketplace: boost brand recognition, gain a competitive edge and access international markets.
- Achieve continuous improvement: pursue continual improvement for long-term business sustainability.

Unrivaled PCI DSS expertise and support
As the world leader in inspection, testing and certification, we offer in-depth data security expertise for your business operations. Our comprehensive PCI DSS certification process is tailored to the needs of your organization, regardless of its size or sector. We guide you through every step – from initial gap analysis to continuous compliance maintenance. Our global presence and experience ensure that your data security measures meet international standards, helping you navigate and adapt to the evolving landscape of cyber threats.
FAQ
Visa, MasterCard, Discover Financial Services, JCB International and American Express created the PCI DSS in 2004.
- Secure network
  - A firewall must be installed and maintained
  - System passwords must be original, not vendor-supplied
- Secure cardholder data
  - Stored cardholder data must be protected
  - Transmission of cardholder data across public networks must be encrypted
- Vulnerability management
  - Antivirus software must be adopted and regularly updated
  - Secure systems and applications must be developed and maintained
- Access control
  - Cardholder data access must be restricted to a need-to-know basis
  - Everyone with computer access must have a unique ID
  - Physical access to cardholder data must be restricted
- Network monitoring and testing
  - Access to cardholder data and network resources must be tracked and monitored
  - Security systems and processes must be regularly tested
- Information security
  - An information security policy must be maintained
Your compliance level is based on the annual number of credit/debit card transactions your business processes. The level determines what you must do to maintain compliance.
Level 1: >6 million transactions per year
Level 2: 1-6 million transactions per year
Level 3: 20,000-1 million transactions per year
Level 4: <20,000 transactions per year
An organization that starts taking card payments has 90 days to meet the PCI DSS requirements. After this, you must maintain compliance and show it at least once a year.
- Understand the requirements: familiarize yourself with the 12 certification requirements
- Identify your organization’s needs: determine the requirements relevant to you, based on the four compliance levels
- Locate and map your payment card movements: create a data map outlining your security systems, physical access to network resources and apps interacting with card data in your business. Identify all customer-facing aspects linked to card payments and the various pathways and weaknesses
- Complete a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC): an SAQ lets you validate your own self-assessment answers; a ROC is for Level 1 companies undergoing security audits. Both are valid for one year
- Examine your security controls and protocols: the aim is to establish the correct security settings and protocols
- Conduct quarterly scans: routinely check your operations and methods to remain compliant and follow best practices. An Approved Scanning Vendor (ASV) ensures your scans are reliable and meet PCI guidelines
- Perform a risk/audit/security assessment: carry out a detailed risk assessment of your payment environment, covering the full complexity of the payment flow
- Conduct a gap analysis: review the PCI DSS requirements to identify gaps before creating a remediation plan to close them quickly
- Conduct an internal PCI DSS audit: your internal expert or a third-party auditor checks your security functionality, reviews documents and determines any noncompliance
- Continuously monitor your system: as the PCI DSS is an ongoing process you must regularly review plans and systems, consider additional reports and involve the relevant people
- Prepare for PCI DSS certification: select an external Qualified Security Assessor (QSA) and agree on the scope of what they will evaluate. The audit evaluates your security controls against the applicable requirements in your data environment, including devices, public networks and apps handling cardholder information. The assessor also reviews your overall security requirements before producing a detailed report
Every organization is different, from its size and type to its information security and cybersecurity measures. Therefore, an organization is judged individually. What you must do to comply depends on your potential security risks.
If you cannot prove you are protecting customer cardholder data, the consequences could be severe for both sides, including:
- Lawsuits
- Financial penalties
- Reputational damage
- Customer disillusionment and distrust
- Theft of customers’ money and identities