PCI DSS 4.0 is now fully in force: its future-dated requirements became mandatory on March 31, 2025, and every organization in scope must comply

PCI DSS Compliance & Payment Security Services

Protect cardholder data and achieve PCI DSS compliance with penetration testing, vulnerability scanning, and continuous monitoring. Serving retailers, financial institutions, and any business that processes payments. Headquartered in McKinney, TX and serving organizations nationwide.

What PCI DSS Requires

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data. Any organization that stores, processes, or transmits cardholder data, or whose systems could affect the security of that data, must comply, regardless of size or transaction volume. PCI DSS 4.0, now fully in force, tightens the requirements for authentication (MFA), encryption, and continuous security monitoring.

PCI DSS is organized around 12 core requirements spanning six categories: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access controls, regularly monitor and test networks, and maintain an information security policy.

Non-compliance can result in fines from $5,000 to $100,000 per month from payment brands, increased transaction fees, and ultimately the loss of your ability to accept credit card payments — a business-ending consequence for most organizations.

Compliance Levels

Merchant levels are set by each card brand; the thresholds below are the commonly cited Visa tiers.

  • Level 1: more than 6M transactions/year. Annual ROC by a QSA (or ISA) plus quarterly ASV scans
  • Level 2: 1M–6M transactions/year. Annual SAQ plus quarterly ASV scans
  • Level 3: 20K–1M e-commerce transactions/year. Annual SAQ plus quarterly ASV scans
  • Level 4: fewer than 20K e-commerce transactions, or up to 1M total transactions/year. Annual SAQ plus quarterly ASV scans

The 12 PCI DSS Requirements

1 Install and maintain network security controls (firewalls)
2 Apply secure configurations to all system components
3 Protect stored account data with encryption
4 Protect cardholder data with strong cryptography during transmission
5 Protect all systems and networks from malicious software
6 Develop and maintain secure systems and software
7 Restrict access to system components by business need-to-know
8 Identify users and authenticate access to system components
9 Restrict physical access to cardholder data
10 Log and monitor all access to system components and cardholder data
11 Test security of systems and networks regularly
12 Support information security with organizational policies and programs

Key PCI DSS 4.0 Changes

PCI DSS 4.0 represents the most significant update to the standard in years. Key changes include a shift toward customized approaches alongside defined approaches, enhanced MFA requirements for all access to the cardholder data environment, and stronger protections against e-commerce skimming attacks.

Organizations must now perform a targeted risk analysis for every requirement that lets them choose how often a control is performed (and for any control implemented via the customized approach), use automated mechanisms for audit log review (Req 10.4.1.1), and run internal vulnerability scans as authenticated scans (Req 11.3.1.2). The new standard also requires an authorized inventory of the scripts loaded on payment pages (Req 6.4.3) and a change- and tamper-detection mechanism for those pages (Req 11.6.1), to combat Magecart-style skimming attacks.
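To make the payment-page control concrete, here is an added example (not code from this page or its authors) of the kind of check Requirements 6.4.3 and 11.6.1 ask for: take an authorized baseline of every script on the checkout page, keyed by URL (or position for inline scripts) with a SHA-256 of its content, then compare a fresh copy of the page against it and flag anything added, changed, or removed. The HTML, the script bodies, the domain names and the "modified" version of pay.js are all constructed for the example; a production version would fetch the page and each external script over HTTPS instead of reading them from a dictionary.

```python
"""Payment page script inventory and tamper detection (illustrative).

Everything below (HTML, script bodies, hostnames) is constructed sample data.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects each <script> on a page: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._chunks = []

    def handle_data(self, data):
        if self._in_script:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append({"src": self._src, "body": "".join(self._chunks).strip()})
            self._in_script = False


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_inventory(html: str, resolver) -> dict:
    """Return {identifier: sha256} for every script on the page.

    External scripts are identified by their src URL and hashed over the content
    that `resolver(src)` returns (an HTTP fetch in production; a dict lookup here).
    Inline scripts are identified by their position on the page (inline:1, inline:2, ...).
    """
    collector = _ScriptCollector()
    collector.feed(html)
    inventory, inline_count = {}, 0
    for script in collector.scripts:
        if script["src"]:
            inventory[script["src"]] = sha256_hex(resolver(script["src"]))
        else:
            inline_count += 1
            inventory[f"inline:{inline_count}"] = sha256_hex(script["body"])
    return inventory


def detect_changes(baseline: dict, current: dict) -> list:
    """Compare a live inventory to the authorized baseline; each finding is (type, identifier)."""
    findings = []
    for ident, digest in current.items():
        if ident not in baseline:
            findings.append(("UNAUTHORIZED_SCRIPT", ident))
        elif baseline[ident] != digest:
            findings.append(("MODIFIED_SCRIPT", ident))
    for ident in baseline:
        if ident not in current:
            findings.append(("MISSING_SCRIPT", ident))
    return findings


# --- constructed sample data --------------------------------------------------
PAY_JS_URL = "https://checkout.example.com/pay.js"
EXTRA_JS_URL = "https://static.example.net/extra.js"

BASELINE_HTML = f"""<html><body>
<form id="checkout"><input name="pan"></form>
<script src="{PAY_JS_URL}"></script>
<script>window.merchantId = "M-1001";</script>
</body></html>"""

# Same page later: pay.js has been altered and a script nobody authorized was added.
CURRENT_HTML = BASELINE_HTML.replace(
    "</body>", f'<script src="{EXTRA_JS_URL}"></script>\n</body>'
)

BASELINE_FILES = {PAY_JS_URL: "function pay(card){ return post('/charge', card); }"}
CURRENT_FILES = {
    PAY_JS_URL: "function pay(card){ sendElsewhere(card); return post('/charge', card); }",
    EXTRA_JS_URL: "console.log('hello');",
}


def run_example() -> list:
    baseline = build_inventory(BASELINE_HTML, lambda src: BASELINE_FILES[src])
    current = build_inventory(CURRENT_HTML, lambda src: CURRENT_FILES[src])
    return detect_changes(baseline, current)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

Two practical caveats: identifying inline scripts by position means an inserted inline script shifts every later one and shows up as several findings, which is acceptable for alerting but worth knowing when triaging; and a hash-based check only sees the scripts the server returns, so it should be paired with a restrictive Content-Security-Policy (script-src allowlist) so that content injected in the browser after load is also blocked.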

SAQ vs. ROC

Self-Assessment Questionnaire (SAQ): the shorter validation route for Level 2–4 merchants. Which SAQ applies (A, A-EP, B, B-IP, C, C-VT, D, P2PE, or SPoC) depends on how you accept payments; SAQ A covers the least, SAQ D covers all 12 requirements.

Report on Compliance (ROC): the full assessment required for Level 1 merchants and service providers, performed on site by a Qualified Security Assessor (QSA) or, where the card brand permits, a trained Internal Security Assessor (ISA). It covers all 12 requirements in detail.

How We Help You Achieve PCI DSS Compliance

Our services directly satisfy PCI DSS requirements

Penetration Testing (Req 11.4)

PCI DSS 4.0 Requirement 11.4 requires penetration testing of the cardholder data environment at least once every 12 months and after any significant change (it was numbered 11.3 in v3.2.1). Our tests are performed by certified testers using an industry-accepted methodology in line with the PCI SSC Penetration Testing Guidance, and findings are mapped to the specific PCI requirements they affect. We test both external and internal network segments, and we validate that segmentation controls actually isolate the CDE, which must be confirmed every 12 months for merchants and every six months for service providers.


Managed SOC (Req 10)

Requirement 10 requires audit logs of all access to system components and cardholder data, with security-relevant logs reviewed at least daily, and PCI DSS 4.0 (Req 10.4.1.1) requires that this review use automated mechanisms rather than manual inspection. Our managed SOC provides continuous log collection and monitoring, automated alerting, and incident response, which satisfies both the logging requirement and the automated review mandate.


Compliance Audits & GRC

Our CyberOne platform maps your controls against all 12 PCI DSS requirements, identifies gaps, and generates remediation plans. Whether you need SAQ assistance or full ROC preparation, we provide the gap analysis and evidence collection to streamline compliance.


CyberOne Platform

Track your PCI DSS compliance posture in real time. CyberOne consolidates vulnerability scan results, penetration test findings, policy documentation, and evidence collection into a single dashboard — making assessor engagements faster and less disruptive.


Ready to Get Started with PCI DSS Compliance?

Schedule a free PCI DSS assessment. We’ll determine your compliance level, identify gaps, and build a roadmap to protect your payment environment.

Schedule Your Free PCI Assessment