What merchant level am I?

Merchant levels are determined by your annual volume of card transactions across all channels. Level 1 applies to merchants processing over 6 million transactions annually. Level 2 covers 1 to 6 million transactions. Level 3 applies to e-commerce merchants with 20,000 to 1 million transactions. Level 4 covers e-commerce merchants with fewer than 20,000 transactions and all other merchants with up to 1 million transactions. Your acquiring bank ultimately determines your level and may impose stricter requirements based on risk factors.

What is the difference between an SAQ and a QSA assessment?

A Self-Assessment Questionnaire (SAQ) is a self-validation tool for merchants and service providers who are eligible to assess their own compliance. There are multiple SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE) based on how you process payments. A QSA assessment is a formal on-site evaluation conducted by a PCI-certified Qualified Security Assessor, resulting in a Report on Compliance (ROC). Level 1 merchants are required to have a QSA assessment, while lower levels may self-assess using the appropriate SAQ.

How much does PCI DSS compliance cost?

Costs vary dramatically based on merchant level, scope, and current maturity. Small merchants using SAQ A (outsourced payment processing) may spend as little as $20,000. Mid-size organizations with moderate CDEs typically spend $50,000 to $200,000 including gap assessment, remediation, tooling, and the assessment itself. Level 1 merchants with complex environments and QSA requirements can spend $200,000 to $500,000 or more. Ongoing costs include quarterly ASV scans, annual penetration testing, and reassessment fees.

What are the 12 PCI DSS requirements?

The 12 requirements are organized into six goals. Build and Maintain a Secure Network: (1) Install and maintain network security controls, (2) Apply secure configurations. Protect Account Data: (3) Protect stored account data, (4) Encrypt transmissions over open networks. Maintain a Vulnerability Management Program: (5) Protect against malware, (6) Develop secure systems. Implement Strong Access Controls: (7) Restrict access by need to know, (8) Identify users and authenticate access, (9) Restrict physical access. Monitor and Test Networks: (10) Log and monitor access, (11) Test security regularly. Maintain a Security Policy: (12) Support information security with policies.

How often is PCI DSS validation required?

PCI DSS validation is required annually through either a QSA assessment (Level 1) or SAQ completion (Levels 2-4). Additionally, quarterly external vulnerability scans by an Approved Scanning Vendor are required for all merchants. Annual penetration testing is required for most merchants. Internal vulnerability scans must be conducted quarterly and after any significant changes. Your acquiring bank may impose additional validation requirements based on your risk profile or following a data breach.

What happens if we are not PCI DSS compliant?

Non-compliance with PCI DSS can result in significant financial and operational consequences. Card brands can levy fines ranging from $5,000 to $100,000 per month against your acquiring bank, which will pass those costs to you. In the event of a data breach while non-compliant, you may be liable for card replacement costs, forensic investigation expenses, and fraud losses. Your acquirer may increase your transaction fees, impose additional compliance requirements, or terminate your merchant account entirely. Beyond financial penalties, a card data breach causes severe reputational damage and potential loss of customer trust.

Your Step-by-Step Guide to PCI DSS Compliance

PCI DSS

The Complete PCI DSS Compliance Checklist

PCI DSS protects cardholder data wherever it is processed, stored, or transmitted. This checklist walks you through the 12 requirements, from scoping your cardholder data environment to completing your assessment and submitting your Attestation of Compliance.

Get Expert Help

Understanding PCI DSS

What Is PCI DSS — and Why Does It Matter?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

PCI DSS was created by the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB) to increase controls around cardholder data and reduce credit card fraud.

Compliance with PCI DSS is required for any organization that handles payment card data, regardless of size or number of transactions, and is enforced by the payment card brands and acquiring banks.

Requirements

Merchant Levels

256+

Sub-controls

Your Roadmap

The 8-Step PCI DSS Compliance Checklist

Click each step to expand the details. Work through them in order — each step builds on the previous one.

Step 1

1 week

Determine Merchant Level

Understand your validation requirements based on transaction volume

Your PCI DSS merchant level is determined by the number of card transactions you process annually. The level dictates whether you need a full QSA assessment or can self-assess using an SAQ. Getting this right upfront avoids wasted effort and ensures you meet your acquirer's requirements.

Key Actions:

Determine your annual transaction volume across all payment channels (e-commerce, in-store, MOTO)

Identify your merchant level: Level 1 (>6M), Level 2 (1-6M), Level 3 (20K-1M e-commerce), Level 4 (<20K e-commerce)

Confirm your validation requirements with your acquiring bank, as they may impose stricter requirements

Determine if you are also a service provider, which has separate classification levels

Identify the appropriate SAQ type if self-assessment applies (SAQ A, A-EP, B, B-IP, C, C-VT, D, P2PE)

Document your merchant level determination and validation approach for your compliance records

Helpful Resources:

Learn about PCI DSS Get expert PCI guidance

Step 2

2-3 weeks

Define Cardholder Data Environment

Scope the systems and networks that handle card data

The cardholder data environment (CDE) includes all people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. Accurate scoping is critical because it determines which systems must meet PCI DSS requirements.

Key Actions:

Identify all locations where cardholder data is stored, processed, or transmitted

Map network diagrams showing all connections into and out of the CDE

Identify all system components within the CDE including servers, databases, applications, and network devices

Determine connected-to and security-impacting systems that are in scope even if they do not directly handle card data

Evaluate scope reduction opportunities through network segmentation, tokenization, or P2PE

Document the CDE scope with data flow diagrams and a complete inventory of in-scope components

Helpful Resources:

Get help with CDE scoping

Step 3

2-4 weeks

Conduct Gap Assessment

Evaluate your current state against all 12 PCI DSS requirements

A gap assessment compares your current security controls and practices against the 12 PCI DSS requirements and their sub-controls. This reveals where you are compliant, where gaps exist, and what remediation is needed before your formal assessment.

Key Actions:

Evaluate each of the 12 PCI DSS requirements and their sub-controls against your current environment

Document compliance status for each requirement: in place, in place with remediation, or not in place

Identify compensating controls where you cannot meet a requirement as stated

Prioritize remediation efforts based on risk severity and implementation complexity

Create a detailed remediation plan with timelines, resource assignments, and milestones

Estimate the budget required for remediation including technology, consulting, and staff time

Helpful Resources:

Schedule a PCI gap assessment PCI DSS v4.0 Standard

Step 4

4-8 weeks

Implement Network Security Controls

Build and maintain a secure network architecture

PCI DSS Requirements 1 and 2 focus on network security controls and secure configurations. Proper network segmentation reduces your CDE scope, and hardened configurations eliminate default vulnerabilities that attackers commonly exploit.

Key Actions:

Install and maintain network security controls (firewalls, WAFs) between the CDE and untrusted networks

Implement network segmentation to isolate the CDE from the rest of your corporate network

Change all vendor-supplied default passwords and remove unnecessary default accounts

Harden system configurations using industry-accepted standards (CIS Benchmarks, DISA STIGs)

Restrict inbound and outbound traffic to only that which is necessary for cardholder data processing

Document all network security rules with business justifications and review them at least every six months

Helpful Resources:

Get network security guidance

Step 5

4-8 weeks

Implement Access Controls & Encryption

Protect stored cardholder data and restrict access

PCI DSS Requirements 3, 4, 7, 8, and 9 address data protection, encryption, and access control. These requirements ensure that cardholder data is protected at rest and in transit, and that access is limited to individuals with a legitimate business need.

Key Actions:

Encrypt stored cardholder data using strong cryptography with documented key management procedures

Implement encryption for cardholder data transmitted over open, public networks (TLS 1.2 or higher)

Restrict access to cardholder data to only those personnel whose job requires it (need-to-know)

Implement unique user IDs for all users with access to system components in the CDE

Deploy multi-factor authentication for all administrative access and remote access to the CDE

Restrict physical access to cardholder data and CDE infrastructure with visitor logs and access controls

Helpful Resources:

Discuss access control implementation

Step 6

3-6 weeks

Vulnerability Scanning & Penetration Testing

Test your defenses and remediate vulnerabilities

PCI DSS Requirements 5, 6, and 11 require ongoing vulnerability management, secure development practices, and regular security testing. These requirements ensure that you find and fix vulnerabilities before attackers can exploit them.

Key Actions:

Deploy anti-malware solutions on all systems commonly affected by malware and ensure they are updated regularly

Implement a vulnerability management program with regular patching of critical security updates

Conduct quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)

Perform quarterly internal vulnerability scans and rescan after any significant changes

Conduct annual penetration testing of both the external perimeter and internal network segmentation

Establish secure software development practices including code reviews and application security testing

Helpful Resources:

Get vulnerability management help

Step 7

4-12 weeks

Complete SAQ or Engage QSA

Choose and complete your formal validation method

Based on your merchant level, you will either complete a Self-Assessment Questionnaire or engage a Qualified Security Assessor for a formal Report on Compliance. Both paths require demonstrating compliance with all applicable PCI DSS requirements.

Key Actions:

For Level 2-4 merchants: select the correct SAQ type based on your payment processing method

For Level 1 merchants: engage a PCI-qualified QSA firm to conduct the on-site assessment

Gather all required evidence including policies, configurations, scan results, and access logs

Prepare system descriptions, network diagrams, and data flow diagrams for the assessor

Address any areas where compensating controls are needed and document them with the required worksheet

Coordinate assessment logistics including site access, staff interviews, and evidence staging

Helpful Resources:

Get QSA engagement support PCI DSS framework details

Step 8

2-3 weeks

Submit Attestation of Compliance

Finalize and submit your compliance documentation

The Attestation of Compliance (AOC) is the formal document confirming your PCI DSS compliance status. It is submitted to your acquiring bank and card brands. Maintaining compliance is an ongoing obligation with quarterly scans and annual revalidation.

Key Actions:

Complete the Attestation of Compliance form corresponding to your SAQ type or Report on Compliance

Submit the AOC and supporting documentation to your acquiring bank

Establish a calendar for ongoing compliance activities: quarterly ASV scans, annual penetration tests, and annual reassessment

Implement continuous monitoring to detect and respond to security events affecting the CDE

Plan for PCI DSS v4.0 requirements that become mandatory, ensuring future-dated requirements are addressed

Document lessons learned and update your compliance program for the next assessment cycle

Helpful Resources:

Get ongoing compliance support

Feeling overwhelmed? You don't have to do this alone.

Get Expert Help Learn More About PCI DSS

Budget Planning

What PCI DSS Compliance Actually Costs

Transparent cost ranges so you can plan and budget. Costs vary based on organization size, current security posture, and environment complexity.

Typical Cost Range

$20K - $500K

Including preparation, tooling, and assessment fees

Timeline to Compliance

3-18 months

Depending on current maturity and scope

Audit & Assessment

PCI DSS validation method depends on your merchant level. Level 1 merchants require an annual on-site assessment by a Qualified Security Assessor (QSA). Levels 2-4 may self-assess using the appropriate Self-Assessment Questionnaire (SAQ). All levels require quarterly network vulnerability scans by an Approved Scanning Vendor (ASV).

Independent verification of your compliance

Costs People Forget

GRC platform licensing

Compliance management and evidence collection tools

Security tooling

SIEM, EDR, vulnerability scanning, encryption tools

Internal staff time

Hundreds of hours across IT, security, and leadership

Ongoing maintenance

Annual reviews, continuous monitoring, recertification

The ROI of Compliance

The cost of non-compliance far exceeds the investment in getting certified. Consider what's at stake:

Win new business and contracts that require certification

Reduce breach risk and avoid costly incident response

Build trust with customers, partners, and stakeholders

Avoid regulatory penalties and reputational damage

Streamline operations with mature security processes

The question isn't whether you can afford compliance — it's whether you can afford not to have it.

How We Can Help

Don't Navigate PCI DSS Alone

Illumen specializes in helping organizations achieve PCI DSS compliance — from initial assessment through certification. We meet you wherever you are in the journey.

Gap Assessment

Know exactly where you stand against requirements

Remediation

Close gaps with expert guidance and support

Documentation

Policies, procedures, and evidence packages

Schedule a Free Consultation Explore PCI DSS Services

FAQ

Frequently Asked Questions

Common questions about PCI DSS compliance and certification.

What Is PCI DSS — and Why Does It Matter?

PCI DSS was created by the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB) to increase controls around cardholder data and reduce credit card fraud.

Compliance with PCI DSS is required for any organization that handles payment card data, regardless of size or number of transactions, and is enforced by the payment card brands and acquiring banks.

Requirements

Merchant Levels

256+

Sub-controls

Don't Navigate PCI DSS Alone

Illumen specializes in helping organizations achieve PCI DSS compliance — from initial assessment through certification. We meet you wherever you are in the journey.

Gap Assessment

Know exactly where you stand against requirements

Remediation

Close gaps with expert guidance and support

Documentation

Policies, procedures, and evidence packages