
How to become PCI compliant in three steps
The Payment Card Industry Data Security Standard (PCI DSS) is an industry-mandated set of requirements created by major credit card brands in order to protect customer payment account data—including cardholder data and sensitive authentication data such as CVVs and PINs. Being PCI compliant is required for any entity that stores, processes, transmits, or impacts the security of cardholder data and/or sensitive authentication data.
Becoming PCI compliant can be complex: merchants and service providers (both explained below) face different compliance levels, reporting requirements, and validation requirements depending on how they interact with cardholder data and on their annual card transaction volume. The first question, though, is whether you have to be PCI compliant at all.
PCI DSS 3.2.1 was retired on March 31, 2024; since then only the 4.x line of the standard has been active (PCI DSS 4.0, superseded by the v4.0.1 errata release published in June 2024). The three-step process below applies to PCI DSS 4.x, which keeps the same merchant/service provider framework but adds requirements such as longer minimum password lengths, automated mechanisms for reviewing the logs of critical systems, and authenticated internal vulnerability scanning. Note that the requirements v4.0 initially marked as future-dated best practices became mandatory on March 31, 2025, so an assessment today must cover them. If you want a deeper look at what changed, see our overview of PCI DSS 4.0.
Who has to be PCI compliant?
According to the PCI Security Standards Council (PCI SSC), any organization that stores, processes, or transmits cardholder data, or that can affect the security of that data, must comply with PCI DSS. The purpose is to protect consumers by ensuring their payment information is only handled by organizations that meet a baseline of security controls.
Is PCI compliance necessary?
The short answer is yes: if you fall within the categories described above, it is essential for your business. PCI DSS is not itself a law, but it is a contractual requirement set by the major card brands and enforced through the acquiring banks that merchants and service providers contract with. If you aren't PCI compliant, your acquirer can pass on card-brand fines that recur monthly and can run to thousands of dollars, raise your processing fees, or terminate your merchant account. If you're a SaaS company, the stakes are especially high: payment processors and enterprise buyers will often require demonstrated compliance before signing contracts.
While there is a cost to PCI compliance, it’s minimal compared to the potential cost of penalties, data breach lawsuits, and loss of business. If your company deals with cardholder data, refer to the following sections to learn more about what you need to do to determine your PCI compliance obligations and next steps.
1. PCI compliance starts with determining if your business is a merchant or service provider
Entities that deal with cardholder data fall into one of two categories: merchant or service provider. A merchant is a business that directly accepts customer payments for goods and services, like an eCommerce or brick-and-mortar retailer.
A service provider may not directly accept payments, but stores, processes, or transmits payment data on behalf of other entities, or could impact the security of another entity's cardholder data or cardholder data environment. Examples of service providers include:
- Hosting providers
- Managed security service providers
- Financial service companies
- Payment facilitators
Both service providers and merchants must be PCI compliant and formally validate their compliance status annually through a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC). In either case the entity also completes and signs an Attestation of Compliance (AOC), the summary document that acquirers, card brands, and customers typically ask to see.
The major difference between the SAQ and the ROC is the depth of validation and the amount of evidence required. A SAQ is typically completed in-house by a qualified internal resource or team, while a ROC must be performed by a Qualified Security Assessor (QSA) or, where the card brands permit it, by a PCI SSC-certified Internal Security Assessor (ISA).
Which level of PCI compliance and validation an entity is required to meet is determined primarily by annual transaction volume. A bank or the card brand may require an entity to complete a higher level based on perceived risk, a previous breach, or other factors.
2. Determine your required level of PCI compliance
PCI compliance for merchants
Both merchants and service providers are grouped into different PCI compliance levels that dictate how they must validate compliance. For merchants, there are PCI compliance levels one through four, primarily based on the number of transactions processed each year.
A merchant that processes over six million transactions annually is classified as “Level 1” and must complete a Report on Compliance. Merchants below this transaction threshold are classified as Level 2-4 and typically qualify to complete a Self-Assessment Questionnaire.
PCI compliance for service providers
For service providers, there are only two levels of PCI compliance: a Level 1 service provider stores, processes, or transmits over 300,000 transactions per year and is required to complete a Report on Compliance. A service provider below that threshold is a Level 2 service provider and typically qualifies to complete a Self-Assessment Questionnaire. The thresholds are published per card brand, so confirm the level definitions of each brand whose transactions you handle.
Many merchants and service providers that qualify for self-assessment based on transaction volume nonetheless choose the higher level of validation and complete a ROC. Compliance via ROC is often used to meet internal security requirements, to satisfy customer requests, or as a sales and marketing differentiator.
3. Complete the requirements for your level of PCI compliance
Once you determine if you fall into the merchant or service-provider categories, and your PCI compliance level within, you can determine your compliance obligations and controls.
What are the 12 PCI DSS requirements?
PCI DSS v4.0.1 is organized around 12 core requirements, grouped into six security goals:
- Build and maintain a secure network and systems: (1) install and maintain network security controls; (2) apply secure configurations to all system components.
- Protect account data: (3) protect stored account data; (4) protect cardholder data with strong cryptography during transmission over open, public networks.
- Maintain a vulnerability management program: (5) protect all systems and networks from malicious software; (6) develop and maintain secure systems and software.
- Implement strong access control measures: (7) restrict access to system components and cardholder data by business need to know; (8) identify users and authenticate access to system components; (9) restrict physical access to cardholder data.
- Regularly monitor and test networks: (10) log and monitor all access to system components and cardholder data; (11) test security of systems and networks regularly.
- Maintain an information security policy: (12) support information security with organizational policies and programs.
Whichever validation path you follow, the requirements apply to the in-scope cardholder data environment, so defining that scope (and using network segmentation to reduce it) is the first practical task of any assessment.
For Level 1 merchants and service providers: ROC and QSA/ISA
For both merchants and service providers, Level 1 entities are required to validate through a Qualified Security Assessor (QSA) or, where the relevant card brand allows it (generally for merchants rather than service providers), an Internal Security Assessor (ISA): an employee who has completed the PCI SSC's ISA training and certification.
The QSA/ISA will assist the entity in validating the scope of the cardholder data environment, and assess the adequacy of relevant controls through a combination of:
- Documentation review
- Technical validation
- Observation of processes
- Interviews
- Sampling
At the end of the assessment, the QSA/ISA completes the Report on Compliance and summarizes the result in the Attestation of Compliance, which is then submitted to the acquirer or card brand.
PCI compliance for non-Level 1 merchants and service providers (SAQ)
If you are a Level 2 service provider or a Level 2-4 merchant, the process to be PCI compliant is a bit simpler. Entities that qualify can complete a Self-Assessment Questionnaire and Attestation of Compliance. This process can be done by any qualified resource in your company, though many entities still choose to retain the services of an outside consultant to help them assess their compliance status.
For the SAQs that require it, you must also pass a quarterly external vulnerability scan performed by a PCI SSC Approved Scanning Vendor (ASV), and you complete the SAQ itself to attest that you meet every requirement applicable to your environment. Most companies with fewer than six million annual transactions can use a SAQ. Several SAQ types exist (A, A-EP, B, B-IP, C, C-VT, P2PE, SPoC, and D in separate merchant and service-provider versions), and the right one is determined by how your company handles cardholder data: for example, a fully outsourced, redirect-based eCommerce checkout versus in-person card-present acceptance. Under PCI DSS 4.0 the SAQ types remain largely consistent with earlier versions but carry updated eligibility criteria, so re-check that you still qualify for the SAQ you used previously. Review the PCI SSC document library to access current SAQ forms.
The PCI Security Standards Council has published SAQ documentation and guidance covering all current SAQ types to help you determine which applies to your organization based on how you interact with cardholder data.
Get started with PCI DSS compliance
PCI DSS compliance can be a confusing and daunting task at first glance. If you are a current Vanta customer, contact your Customer Success Manager or our team of PCI compliance experts to help guide you through the PCI process. Interested in streamlining your PCI DSS compliance? See how Vanta automates PCI DSS evidence collection, SAQ completion, and continuous monitoring.




