Compliance frameworks
How to become PCI compliant in three steps

How to become PCI compliant in three steps

Be PCI compliant in three steps

The Payment Card Industry Data Security Standard (“PCI DSS”) is an industry-mandated set of requirements created by major credit card brands in order to protect customer cardholder data. Being PCI compliant is required for any entity that stores, processes, transmits, or impacts the security of cardholder data.

Becoming PCI compliant can be complex: there are different PCI compliance levels, reporting, and validation requirements for various types of PCI merchants and service providers (explained below) depending on how they interact with cardholder data and annual card transaction volumes. First of all, how do you know if you have to be PCI compliant?

Who has to be PCI compliant?

According to the PCI Compliance Security Standard Council, any organization that processes, stores, or transmits payment data like credit card information needs to be PCI compliant. This is done to protect consumers so their payment information isn’t trusted in an unsafe organization.

Is PCI compliance necessary?

The short answer is yes, if you fall within the categories that need to be PCI compliant, it is essential for your business. While PCI DSS isn’t a legal requirement, it is a requirement set by the major banks of the payment industry. If you aren’t PCI compliant, you may be charged thousands in recurring penalty fees. 


While there is a cost to PCI compliance, it’s minimal compared to the potential cost of penalties, data breach lawsuits, and loss of business. If your company deals with cardholder data, refer to the following sections to learn more about what you need to do to determine your PCI compliance obligations and next steps.

1. PCI compliance starts with determining if your business is a merchant or service provider 

Entities that deal with cardholder data fall into one of two categories: merchant or service provider. A merchant is a business that directly accepts customer payments for goods and services, like an eCommerce or brick and mortar retailer.


A service provider may not directly accept payments, but comes into contact with payment data (or could impact the security of another entity’s cardholder data or cardholder data environment). Payment data may include entities like:


  • Hosting providers
  • Managed security service providers
  • Financial service companies
  • Payment facilitators


 Both service providers and merchants must be PCI compliant and formally validate their compliance status annually through a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). Both the SAQ and ROC assessments require the entity to complete a compliant Attestation of Compliance (AOC).


The major difference between the SAQ and ROC is the level of validation and evidence required for PCI compliance. A SAQ is typically performed “in-house” by a qualified internal resource or team, while the ROC must be performed by an external Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).


Which level of PCI compliance and validation an entity is required to meet is determined primarily by annual transaction volume. A bank or the card brand may require an entity to complete a higher level based on perceived risk, a previous breach, or other factors.


2. Determine your required level of PCI compliance  ‍

PCI compliance for merchants 

Both merchants and service providers are grouped into different PCI compliance levels that dictate how they must validate compliance. For merchants, there are PCI compliance levels one through four, primarily based on the number of transactions processed each year.


A merchant that processes over six million transactions annually is classified as “Level 1” and must complete a Report on Compliance. Merchants below this transaction threshold are classified as Level 2-4 and typically qualify to complete a Self-Assessment Questionnaire. 

PCI compliance for service providers 

For service providers, there are only two levels of PCI compliance: a PCI DSS Level 1 service provider processes over 300,000 transactions per year and is required to complete a Report on Compliance. A service provider that impacts fewer than 300,000 transactions is a Level 2 service provider and typically qualifies to complete a Self-Assessment.


Many merchants and service providers that qualify for Self-Assessment (based on transaction volume) often choose to perform the higher level of validation through a ROC. There are multiple reasons why an entity may choose to pursue the more stringent validation process. Compliance via ROC is often used to meet internal security requirements, customer requests, or as a sales/marketing differentiator. ‍

3. Complete the requirements for your level of PCI compliance ‍

Once you determine if you fall into the merchant or service-provider categories, and your PCI compliance level within, you can determine your compliance obligations and controls. 

For Level 1 merchants and service providers: ROC and QSA/ISA 

For both merchants and service providers, Level 1 entities are required to validate through an external third-party assessor (A QSA) or Internal Security Assessor (ISA, which is essentially a QSA employed at your company).


The QSA/ISA will assist the entity in validating the scope of the cardholder environment, and assess the adequacy of relevant controls through a combination of:

  • Documentation review 
  • Technical validation
  • Observation of processes
  • Interviews
  • Sampling


At the end of the assessment, the QSA/ISA will complete the Report on PCI Compliance and formally document the results in the Attestation of Compliance. 

PCI compliance for non-Level 1 merchants and service providers (SAQ)  

‍If you are a Level 2 service provider or a Level 2-4 merchant, the process to be PCI compliant is a bit simpler. Entities that qualify can complete a Self-Assessment Questionnaire and Attestation of Compliance. This process can be done by any qualified resource in your company, though many entities still choose to retain the services of an outside consultant to help them assess their compliance status. 


For the SAQs that require it, you need to receive a scan from an ASV each quarter and you need to complete a SAQ to verify that you are adhering to all 12 standards. Most companies with less then six million annual transactions can use a SAQ to demonstrate PCI compliance. There are eight SAQs to choose from, determined by how your company interacts with cardholder data (eCommerce only vs. in person, for example).


The PCI Security Standards Council (governing body responsible for maintaining various PCI programs) has released detailed guidance for determining your SAQ type. The last page of this document includes a useful flowchart to quickly help you determine your type. 

PCI DSS compliance can be a confusing and daunting task at first glance. If you are a current Vanta customer, contact your Customer Success Manager or our team of PCI compliance experts to help guide you through the PCI process. Interested in pursuing PCI compliance with Vanta? Learn more here.

Learn more about PCI compliance 

Vanta PCI Blogs

Vanta PCI Guides

PCI Security Standards Council (SSC)


SAQ Templates

What’s My SAQ Type?

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?


Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:


A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified


A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference


Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.

Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes