PCI Compliance in 3 Steps

The Payment Card Industry Data Security Standard (“PCI DSS”) is an industry-mandated set of requirements created by major credit card brands in order to protect customer cardholder data. Being PCI compliant is required for any entity that stores, processes, transmits, or impacts the security of cardholder data.


PCI compliance can be complex: there are different reporting and validation requirements for various types of PCI merchants and service providers (explained below) depending on how they interact with cardholder data and annual card transaction volumes.


If your company deals with cardholder data, refer to the following sections to learn more about what you need to do to determine your compliance obligations and next steps:

1. Determine if your business is a merchant or service provider

Entities that deal with cardholder data fall into one of two categories: merchant or service provider. A merchant is a business that directly accepts customer payments for goods and services, like an e-commerce or brick and mortar retailer. A service provider may not directly accept payments, but comes into contact with payment data (or could impact the security of another entity’s cardholder data or cardholder data environment); this includes entities like hosting providers, managed security service providers, financial service companies, or payment facilitators.


Both service providers and merchants must be PCI compliant and formally validate their compliance status annually through a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). Both the SAQ and ROC assessments require the entity to complete a compliant Attestation of Compliance (AOC); the major difference between the SAQ and ROC is the level of validation and evidence required for compliance. A SAQ is typically performed “in-house” by a qualified internal resource or team, while the ROC must be performed by an external Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).


Which level of validation an entity is required to meet is determined primarily by annual transaction volume, though a bank or the card brand may require an entity to complete a higher level based on perceived risk, a previous breach, or other factors.

2. Determine your level

For merchants

Both merchants and service providers are grouped into different levels that dictate how they must validate compliance. For merchants, there are levels one through four, primarily based on the number of transactions processed each year. A merchant that processes over six million transactions annually is classified as “Level 1” and must complete a Report on Compliance. Merchants below this transaction threshold are classified as Level 2-4 and typically qualify to complete a Self-Assessment Questionnaire.


For service providers

For service providers, there are only two levels: a PCI DSS Level 1 service provider processes over 300,000 transactions per year and is required to complete a Report on Compliance. A service provider that impacts fewer than 300,000 transactions is a Level 2 service provider and typically qualifies to complete a Self-Assessment.


It should be noted that many merchants and service providers that qualify for Self-Assessment (based on transaction volume) often choose to perform the higher level of validation through a ROC; there are multiple reasons why an entity may choose to pursue the more stringent validation process; compliance via ROC is often used to meet internal security requirements, customer requests, or as a sales/marketing differentiator.

3. Complete the requirements for your level

Now that you’ve determined your category (merchant or service provider) and your level within that category, you can determine your compliance obligations and required controls that must be met:

For Level 1 merchants and service providers: ROC and QSA/ISA

For both merchants and service providers, Level 1 entities are required to validate through an external third-party assessor (A QSA) or Internal Security Assessor (ISA, which is essentially a QSA employed at your company). The QSA/ISA will assist the entity in validating the scope of the cardholder environment, and assess the adequacy of relevant controls through a combination of documentation review, technical validation, observation of processes, interviews, and sampling. At the end of the assessment, the QSA/ISA will complete the Report on Compliance and formally document the results in the Attestation of Compliance.

For non-level one merchants and service providers (SAQ)

‍If you are a level two service provider or a level two through four merchant, the process is a bit simpler. Entities that qualify can complete a Self-Assessment Questionnaire and Attestation of Compliance; this process can be done by any qualified resource in your company, though many entities still choose to retain the services of an outside consultant to help them assess their compliance status.


For the SAQs that require it, You need to receive a scan from an ASV each quarter and you need to complete a SAQ to verify that you are adhering to all 12 standards.


Most companies with less than six million annual transactions can use a SAQ to demonstrate compliance. There are eight SAQs to choose from, determined by how your company interacts with cardholder data (eCommerce only vs. in person, for example).  The PCI Security Standards Council (governing body responsible for maintaining various PCI programs) has released detailed guidance for determining your SAQ type. The last page of this document includes a useful flowchart to quickly help you determine your type.

PCI DSS compliance can be a confusing and daunting task at first glance... If you are a current Vanta customer, contact your Customer Success Manager or our team of compliance experts to help guide you through the PCI process. For prospective customers, please reach out to our sales team to learn how Vanta can help you demystify and simplify the PCI compliance process.

PCI Quick Links:

Vanta PCI Blogs

Vanta PCI Guides

PCI Security Standards Council (SSC)

PCI SSC FAQs

SAQ Templates

What’s My SAQ Type?




“Vanta's expert team helped analyze our compliance requirements and shared what was needed to complete a SAQ-D. Because of this, we accelerated our timelines, saved hundreds of hours and thousands of dollars in costs.”

Klas Hesselman
Co-founder  |  Flow Networks
Vanta automates security compliance.
Please enter your first name
Please enter your last name
Please enter a valid email address
Please enter a job title
Please enter your company name
Please enter your company website
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.