
PCI DSS Compliance: Implement the Controls That Protect Cardholder Data.

The Payment Card Industry Data Security Standard (PCI DSS) is the security standard that protects payment card data. It is maintained by the PCI Security Standards Council, the body founded by the major card brands, and it applies to every organization that stores, processes, or transmits cardholder data, from a small merchant taking online orders to a large service provider handling transactions for others. The standard is built on twelve requirements grouped under six control objectives, covering network security, data protection, vulnerability management, access control, monitoring, and security policy. The current version is PCI DSS v4.0.1. There is no permanent PCI certificate: compliance is validated each year, either through a Self-Assessment Questionnaire for most merchants or a Report on Compliance prepared by a Qualified Security Assessor for the largest ones, and supported by quarterly external scans from an Approved Scanning Vendor.

PCI DSS is not a government law. It is a contractual requirement enforced by the card brands and your acquiring bank, and the consequences of falling short are real: fines passed down through your acquirer, higher transaction fees, liability for the cost of a breach, and in serious cases the loss of your ability to accept cards.

Cyber One Solutions implements and operates the technical and operational controls the standard requires: network security controls and segmentation that shrink what is in scope, encryption of stored and transmitted cardholder data, anti-malware and patching, access control with multi-factor authentication, centralized logging and monitoring, and a tested incident response plan. We run the readiness and gap assessment, help you scope the cardholder data environment and choose the right Self-Assessment Questionnaire, coordinate the Approved Scanning Vendor scans, and support the Qualified Security Assessor when a Report on Compliance is required. We are not a QSA or an ASV and do not issue your Attestation of Compliance; your acquirer and the card brands set your merchant level and the validation path.

What You Get

  • A readiness and gap assessment that maps your current controls against the twelve PCI DSS requirements and defines the cardholder data environment in scope.
  • Network security controls and segmentation that isolate the cardholder data environment and reduce the systems, and the cost, in scope for assessment.
  • Encryption of stored cardholder data and strong cryptography for data transmitted over open, public networks, with sensitive authentication data never retained after authorization.
  • Access control by business need to know, unique user IDs, and multi-factor authentication into the cardholder data environment, with physical access to card data restricted.
  • Centralized logging and monitoring of access to cardholder data, coordinated quarterly Approved Scanning Vendor scans, and annual penetration testing.
  • Help selecting and completing the right Self-Assessment Questionnaire and Attestation of Compliance, with Qualified Security Assessor support when a Report on Compliance is required.

The Short Answer

What is PCI DSS, and who needs to comply?

PCI DSS, the Payment Card Industry Data Security Standard, is the security standard that protects payment card data. It is maintained by the PCI Security Standards Council and applies to every organization that stores, processes, or transmits cardholder data, from small merchants to large service providers. It is built on twelve requirements under six control objectives, and the current version is PCI DSS v4.0.1. It is enforced by contract through the card brands and your acquiring bank rather than by a government law. Compliance is validated annually, by a Self-Assessment Questionnaire for most merchants or a Report on Compliance from a Qualified Security Assessor for the largest, and supported by quarterly Approved Scanning Vendor scans. Cyber One Solutions implements and operates the controls, scopes the cardholder data environment, and prepares your validation. We are not a QSA and do not issue your Attestation of Compliance.

  • Maintained by the PCI Security Standards Council; enforced by the card brands and your acquirer
  • Applies to anyone who stores, processes, or transmits cardholder data
  • Twelve requirements under six control objectives; current version PCI DSS v4.0.1
  • Validated annually by Self-Assessment Questionnaire or a QSA Report on Compliance
  • Cyber One Solutions implements the controls and prepares your validation; it is not a QSA

The 12 PCI DSS Requirements

The Control Areas a PCI DSS Assessment Covers.

PCI DSS organizes twelve requirements under six control objectives. Together they cover how you build your network, protect card data, manage vulnerabilities, control access, monitor activity, and govern security. These are the control areas an assessment evaluates, and the work Cyber One Solutions implements and operates against each one so your validation has evidence behind it.

Build and Maintain a Secure Network (Requirements 1-2)

Network security controls, including firewalls, restrict traffic into and out of the cardholder data environment, and all system components are deployed with secure configurations rather than vendor defaults. Segmentation here is the single biggest lever for reducing scope, isolating card data from the rest of your network so fewer systems fall under assessment.

Protect Account Data (Requirements 3-4)

Stored cardholder data is kept to a minimum and protected with encryption, truncation, or masking, and sensitive authentication data is never retained after authorization. Cardholder data transmitted over open, public networks is protected with strong cryptography so it cannot be intercepted in transit.
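As an added illustration of Requirement 3, not code from the original page or from Cyber One Solutions: a Luhn check that finds unmasked primary account numbers in constructed sample log lines, and a display mask that keeps the first six and last four digits (the mask width assumed here) so the PAN is never written out in full.

```python
import re

# Constructed sample log lines (not from the page): one carries a full PAN in the clear,
# one a properly masked PAN, one a 16-digit order id that fails the Luhn check.
SAMPLE_LOG = """\
2024-05-01 12:00:01 checkout ok card=4111111111111111 amount=19.99
2024-05-01 12:00:02 checkout ok card=411111******1111 amount=5.00
2024-05-01 12:00:03 order id=1234567890123456 status=shipped
"""

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: a real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. Assumed format: first six and last four kept, rest starred."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN-shaped value")
    return pan[:keep_first] + "*" * (len(pan) - keep_first - keep_last) + pan[-keep_last:]

# A run of 13 to 19 digits not adjacent to other digits; Luhn filters out non-PAN numbers.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def find_clear_pans(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, pan) for every unmasked, Luhn-valid PAN found in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                hits.append((n, m.group(1)))
    return hits

def redact_log(log_text: str) -> str:
    """Rewrite the log with every clear-text PAN replaced by its masked form."""
    def repl(m: re.Match) -> str:
        return mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(1)
    return "\n".join(PAN_RE.sub(repl, line) for line in log_text.splitlines())
```

Running find_clear_pans over application and web-server logs is a cheap way to catch the stored-data leak that quietly widens scope: a PAN in a log file makes that log server part of the cardholder data environment.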

Maintain a Vulnerability Management Program (Requirements 5-6)

All systems are protected against malicious software with anti-malware that is kept current, and systems and software are developed and maintained securely, with patches applied on a defined timeline and secure coding practices for any custom applications that handle card data.

Implement Strong Access Control (Requirements 7-9)

Access to cardholder data is restricted to those with a business need to know, every user has a unique ID, and access into the cardholder data environment requires multi-factor authentication. Physical access to the systems and media that hold card data is controlled so it cannot be reached or removed by unauthorized people.

Regularly Monitor and Test Networks (Requirements 10-11)

All access to system components and cardholder data is logged and monitored so events can be detected and investigated, and the security of systems and networks is tested regularly. That includes quarterly external scans by an Approved Scanning Vendor, internal vulnerability scans, and annual penetration testing.

Maintain an Information Security Policy (Requirement 12)

An overarching information security policy, supported by a risk assessment, security awareness training, an incident response plan, and oversight of the third-party service providers that handle card data on your behalf, ties the technical controls to an accountable, documented program that operates all year.

Why PCI DSS Matters to Your Business

PCI DSS is a contractual obligation, not a government law.

No statute makes PCI DSS mandatory. The card brands and your acquiring bank do, through the agreement that lets you accept cards. That makes compliance a condition of doing business for any organization that takes payment cards, and it makes the cost of non-compliance (fines, higher fees, breach liability, and the potential loss of card acceptance) a direct business risk rather than a regulatory abstraction.

Who must comply, and how your merchant level sets the path.

PCI DSS applies to every merchant and service provider that stores, processes, or transmits cardholder data. How you validate that compliance depends on your merchant level, which the card brands and your acquirer assign based mainly on your annual transaction volume. There are four levels. Level 1 (the largest merchants and any merchant that has suffered a breach) validates through an annual Report on Compliance prepared by a Qualified Security Assessor or a qualified internal assessor. Levels 2 through 4 validate through the appropriate annual Self-Assessment Questionnaire.

Most businesses are Level 4 or Level 2 and complete a Self-Assessment Questionnaire rather than a full assessment. Where card data touches a network, a quarterly external scan by an Approved Scanning Vendor is also required. Your acquirer is the authority on which level and which validation documents apply to you, and Cyber One Solutions helps you confirm that early so the program is scoped correctly from the start.

Scope is everything: shrink the cardholder data environment.

The cardholder data environment is every system that stores, processes, or transmits cardholder data, plus the systems connected to them. Everything in that environment is subject to the twelve requirements, so the size of the environment drives the size, cost, and difficulty of compliance. The most effective way to reduce that burden is to make the environment smaller.

Network segmentation isolates the systems that handle card data from the rest of your network, so the rest of your network falls out of scope. Not storing cardholder data when you do not need it, and using approaches such as tokenization and point-to-point encryption, removes data from your environment entirely and can change which Self-Assessment Questionnaire applies. Cyber One Solutions starts every engagement by mapping where card data flows and lives, then designs segmentation and data-handling changes that shrink the environment before any controls work begins.

Validation is annual, but the controls run all year.

PCI DSS v4.0.1 reinforces that security is a continuous, business-as-usual practice rather than a once-a-year exercise. The validation documents are produced annually, but the requirements behind them (monitoring, access control, patching, scanning, and the rest) must operate continuously, and the quarterly scans make that cadence explicit.

Cyber One Solutions operates those controls on your environment year-round and keeps the evidence (logs, scan results, access reviews, and change records) organized so validation confirms how you already work rather than triggering a scramble. The independent parties keep their roles: an Approved Scanning Vendor runs the external scans, a Qualified Security Assessor prepares a Report on Compliance where one is required, and your acquirer and the card brands set and accept your validation. Our job is to make sure the controls are genuinely in place and the evidence is ready.

Frequently asked questions.

Which Self-Assessment Questionnaire applies to us?

It depends on how you accept cards and whether you store cardholder data. The PCI Security Standards Council publishes several Self-Assessment Questionnaires, each matched to a way of handling card payments.

As examples, SAQ A is for merchants that fully outsource their card processing to validated third parties and store no card data themselves, which is common for e-commerce sites that redirect to a hosted payment page; SAQ B covers certain standalone terminal or imprint setups; SAQ C applies to merchants with payment application systems connected to the internet; and SAQ D, the most extensive, applies to merchants that store cardholder data or do not fit the other categories, and to service providers.

The right questionnaire depends on your exact payment flows, which is why scoping comes first. Cyber One Solutions reviews how card data enters and moves through your business and helps you confirm the correct questionnaire with your acquirer.

What changed in PCI DSS v4.0?

PCI DSS v4.0, and the v4.0.1 revision that followed, modernized the standard in four broad ways. It strengthened requirements around authentication, including expanded multi-factor authentication and updated password practices. It added a customized approach that lets mature organizations meet a requirement's objective with alternative controls, alongside the traditional defined approach. It increased the emphasis on continuous, business-as-usual security and clearer assignment of roles and responsibilities. And it expanded requirements aimed at modern threats, such as protections against e-commerce skimming and stronger controls for service providers. Several of the new requirements were future-dated to give organizations time to adopt them and are now in effect. Cyber One Solutions implements your program against the current version so you are not caught out by a requirement that has since become mandatory.

Common Questions

PCI DSS Compliance, Answered.

Common questions from merchants and service organizations on scope, merchant levels, the Self-Assessment Questionnaire versus a Report on Compliance, quarterly scans, and who does what.
