
The PCI Security Standards Council (PCI SSC) maintains the Payment Card Industry Data Security Standard (PCI-DSS) to protect cardholder data. Merchants, service providers, and any other organization that stores, processes, or transmits cardholder data must comply with the PCI-DSS and validate that compliance to its acquiring bank or the payment brands. Note that there is no PCI-DSS "certification" as such: what an organization obtains is a validation of compliance, which is only as current as the assessment behind it.

Following the PCI-DSS comes down to six main steps.

1. Identify the card brands and payment types

Identify the card brands and payment types that your organization accepts, processes, stores, or transmits. This step also fixes the scope of everything that follows, so be precise about where cardholder data actually flows.

  • Identify the number of transactions your organization processes each year; the payment brands use this figure to assign your merchant or service-provider level, which determines how you must validate compliance.
  • Identify the network infrastructure in place, and in particular which systems form the cardholder data environment (CDE). Systems that are properly segmented from the CDE fall outside the scope of the assessment, so accurate segmentation reduces both the work and the attack surface.
  • Identify the type of cardholder data you handle (for example, primary account numbers, expiry dates, or sensitive authentication data such as full track data, CVV2, and PINs). Sensitive authentication data must never be stored after authorization, even in encrypted form.

2. Review the PCI-DSS requirements

Review the PCI-DSS requirements and verify that every in-scope system and process in your organization meets them. The requirements are grouped into six categories, and each contains specific, testable controls; for each control, gather the evidence (configurations, logs, policies, scan reports) that an assessor would expect to see.

3. Self-assess your organization’s compliance

Conduct a self-assessment of your organization's PCI-DSS compliance using the Self-Assessment Questionnaires (SAQs) published by the PCI SSC. Several SAQ types exist, and the one that applies depends on how you accept payments (for example, whether card data is fully outsourced to a validated third party or passes through your own systems); confirm the correct SAQ with your acquiring bank before you begin, because completing the wrong one does not validate compliance.

The PCI-DSS 4.0 Self-Assessment Questionnaires (SAQs) are available for download from the PCI SSC Document Library.

4. Engage a Qualified Security Assessor (QSA)

If necessary, you may engage a Qualified Security Assessor (QSA) to assess your PCI-DSS compliance. If your organization processes more than 6 million transactions per year, or if your acquiring bank or a payment brand requires it, you must have an onsite PCI-DSS compliance assessment performed by a QSA (or, where the payment brands permit it, by a PCI SSC-certified Internal Security Assessor). Check the exact level thresholds with each payment brand, because they are defined per brand and can differ.

5. Submit a Report on Compliance (ROC)

Submit a Report on Compliance (ROC) to your acquiring bank or payment brand. The ROC is a report that details your organization's compliance with each PCI-DSS requirement. If you have engaged a QSA to conduct an onsite assessment, the QSA will prepare the ROC on your behalf. The ROC is submitted together with a signed Attestation of Compliance (AOC); organizations that validate with an SAQ instead submit the completed SAQ and its AOC rather than a ROC.

6. Maintain compliance with the PCI-DSS requirements

A company must maintain PCI-DSS compliance at all times, not only at assessment time, and must confirm it on an annual basis. This includes conducting regular self-assessments or engaging a QSA for an onsite assessment, submitting the ROC or SAQ with its AOC to your acquiring bank or payment brand each year, and running the quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where your SAQ type or ROC requires them. Treat any significant change to the environment (new payment channels, network changes that affect segmentation, new service providers) as a trigger to reassess scope and controls before the next annual cycle.