The word ‘compliance’ fills most people with dread, evoking images of endless paperwork and more jargon than you can shake a stick at. However, like it or not, compliance isn’t optional; it’s the cost of doing business.
And when it comes to accepting card payments, few compliance challenges are more important, or more complex, than PCI DSS.
If you’re new to PCI compliance, you’re probably asking yourself a lot of questions. This article covers:
- What is PCI compliance?
- Four levels of PCI compliance
- Validating PCI-DSS compliance
- 4 common questions about PCI compliance
- How to be PCI compliant: a 12-step checklist
- How to be PCI compliant with Primer
To make compliance a little less scary, we’re offering this 12-step PCI DSS compliance checklist and some tips on making the process easier.
What is PCI compliance?
PCI-DSS stands for Payment Card Industry Data Security Standard. It’s a global set of security requirements and practices devised by the PCI Security Standards Council to keep cardholder data (such as account numbers, personal information, and other credit card information) secure and out of the hands of cybercriminals.
PCI-DSS was created to bring consistency across the major credit card companies’ security measures. The first version was released in December 2004. As of this writing, the most recent version is Version 4.0.1.
In a nutshell, PCI-DSS sets out the technical and operational security requirements needed to protect payment data, prevent security vulnerabilities, and keep your customers safer. This includes criteria like using strong encryption, installing firewalls, antivirus and anti-malware software, and restricting employee access to credit card data.
Let’s take a closer look.
Read about more ways to keep your customers safe: How Primer gives merchants the tooling to prevent payment fraud
Four levels of PCI compliance
There are four different compliance levels applicable to merchants. Your level is determined by the volume of transactions your organization processes annually:
- Level 1 – 6 million+ transactions per year
- Level 2 – 1 to 6 million transactions per year
- Level 3 – 20,000 to 1 million transactions per year
- Level 4 – Less than 20,000 transactions per year
Validating PCI-DSS compliance
Each card network (Visa, Mastercard, American Express, Discover) enforces PCI-DSS in its own way, but all align on the same core standards. Once you determine your level, the next step is to validate your compliance, a critical process that proves you’re meeting those security standards.
There are two main types of validation:
- Report on Compliance (ROC): A formal audit conducted by a Qualified Security Assessor (QSA). This is typically required for Level 1 merchants processing over six million transactions annually. The assessor examines your systems, documents your controls, and issues a signed attestation of compliance. It’s a rigorous process, but one that reassures partners, issuers, and regulators that you take security seriously.
- Self-Assessment Questionnaire (SAQ): A self-evaluation for businesses processing lower volumes. You complete a set of yes/no questions based on your environment and submit it to your acquiring bank or payment provider. It’s less intensive, but still a vital demonstration that you’re maintaining minimum security standards.
Choosing the right validation method isn’t just about meeting obligations; it also affects how much scrutiny your business is under, what kind of data you can handle, and how confidently you can scale. For example, showing ROC validation may be required when onboarding new enterprise partners or expanding internationally.
4 common questions about PCI compliance
1. How much does PCI compliance cost?
According to IBM research, the global average cost of a data breach in 2024 was $4.88 million. It’s clear that PCI compliance should be a priority for every merchant that hasn’t already achieved it.
However, elevating your company’s operational and security procedures to meet the standards can come at a significant cost.
How much, exactly? The cost of being PCI-DSS compliant varies significantly based on several factors. These factors include:
- Your business type
- The size of your organization
- Your existing security culture
- Your organization’s environment
- Whether you have dedicated PCI personnel
- Whether your acquirer covers the cost
2. Is PCI-DSS compliance required by law?
PCI-DSS is not a statutory legal requirement*. However, compliance is contractually mandated by major card networks such as Visa and Mastercard, and enforced through agreements with acquiring banks and payment processors. This means that even in the absence of specific legislation, merchants are still legally bound to comply.
*In the US, certain states have incorporated elements of PCI-DSS into law, including Nevada, Minnesota, and Washington.
3. Why is PCI-DSS critical for my business?
The PCI-DSS standards apply to any organization responsible for storing, processing, or transmitting cardholder data.
Businesses that engage in any of these activities must adhere to the PCI compliance requirements. Compliance helps protect organizations and their consumers from data breaches and payment card fraud.
4. What are the risks of not complying with PCI?
The risks of not complying with PCI-DSS are serious. A data breach has immediate and potentially long-lasting consequences for your business, including affecting its financial health, cash flow, and reputation.
If your business doesn’t comply with PCI-DSS, you could face:
- Fines and penalties issued by processors and payment service providers
- Suspension of your credit card payment processing privileges
- Liability for fraud charges
- Legal action from customers affected
- Costs to address the security breach
- Reputational damage leading to loss of revenue
This paints a pretty grim picture. However, it’s essential to remember that the primary goal of PCI compliance is to safeguard your customers’ payment information. Making this your primary goal will help your brand gain credibility and nurture trust in your payment journey.
Offer your customers an extra layer of protection with a solid 3DS strategy: Key questions to ask when building an optimal 3DS strategy
How to be PCI compliant: a 12-step checklist
There are six key goals for PCI-DSS compliance, which are:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access-control measures
- Regularly monitor and test networks
- Maintain an information security policy
Within these six areas, there are 12 PCI-DSS requirements. Consider this your PCI-DSS compliance checklist:
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to network resources
- Carry out penetration testing of systems and networks regularly
- Create an information security policy
Be sure to review the full PCI-DSS v4.0.1 guidelines to understand the complete set of expectations and ensure your organization stays compliant over time.
PCI compliance: just the starting point
You can use this checklist as a starting point to ensure your business meets the core PCI-DSS requirements. However, remember that compliance isn’t a one-time project. It requires regular testing, monitoring, and updates to maintain system security and minimize the risk of a data breach.
It’s also important to note that these are the minimum requirements. Many businesses opt to go further, especially in high-risk sectors or where customer trust is crucial.
How to be PCI compliant with Primer
Throughout this article we’ve explained how to become PCI compliant. But there’s a shortcut: work with a partner like Primer that solves PCI compliance for your business.
Our Universal Checkout securely captures payment method data and communicates with our PCI Level 1 tokenization service. In short, we transform sensitive customer data into a secure, uniform string called a payment method token.
Using secure payment method tokens paired with a customer ID, Primer’s Vault enables:
- Recurring merchant-initiated payments
- A seamless one-click experience for your customers with Universal Checkout
Learn more about saving payment methods using Primer’s Vault to get a better handle on how this feature delivers a better customer payment journey.
What else do you get with Primer?
Meeting PCI requirements is just one part of building a high-performing payments setup. With Primer, you also gain access to powerful tools that streamline operations, mitigate risk, and help you scale more efficiently.
Seamlessly connect to PSPs and activate new payment methods
As your business scales, managing multiple payment providers can become time-consuming and fragmented. Primer allows you to connect PSPs, gateways, fraud tools, and local payment methods with just a few clicks. No engineering work is required.
You can activate providers like Adyen and Stripe while offering customer-preferred methods, including digital wallets and Buy Now, Pay Later (BNPL).
Read more: What is payment orchestration and how can it maximise payment efficiency?
Recover lost revenue with Primer Fallbacks
Every failed payment is a missed opportunity. Soft declines can lead to lost revenue and frustrated customers. That’s why it’s crucial to establish a backup processor. However, this can be resource-heavy to configure and maintain.
Primer Fallbacks removes the engineering demands from the equation. You can configure Fallbacks to automatically retry failed (and recoverable) transactions through another provider of your choice. And because Primer 3DS is processor-agnostic, failed payments can be retried without your customers having to undergo another 3DS challenge.
Learn more: Why merchants should build a Fallback strategy
Get full visibility with Observability
When you work with multiple PSPs, monitoring performance is often fragmented. Primer’s Observability dashboard provides a unified view of your entire payment stack in real-time.
You can set custom Monitors to alert you when key metrics fall outside your thresholds. Alerts can be delivered by webhook, email, or Slack, helping your team respond quickly and prevent revenue loss.
Improve authorization rates and reduce fraud with network tokenization
Primer replaces raw card numbers with secure, network-issued tokens that update automatically when a customer’s card is reissued or replaced. This reduces failed payments from outdated card details, improves authorization rates, and helps prevent card data exposure in the process.
Read more: How to optimize payments using network tokenization
Add fraud protection without engineering effort
Primer lets you activate leading fraud prevention providers, including Signifyd, Sift, and Riskified, directly within your payment workflows. You can dynamically assess risk before a transaction completes, all without custom integrations or dev time.
Read more: How Primer gives merchants the tooling to prevent payment fraud
Make compliance easy with Primer
The benefits of working with a PCI compliance expert can far outweigh the cost. Together, we help merchants navigate complex payment problems and facilitate a smoother PCI compliance journey.
Want to learn more about how Primer can help your business? Get in touch with our payment experts.
Frequently Asked Questions (FAQ) about PCI-DSS Compliance
1. What is PCI-DSS compliance, and why is it important?
PCI-DSS compliance means your business follows the Payment Card Industry Data Security Standard, a global set of security requirements for handling credit and debit card data. It’s important because it protects your customers’ payment information, reduces the risk of data breaches, and is often contractually required by card networks.
2. Who needs to be PCI-DSS compliant?
Any business that stores, processes, or transmits cardholder data must comply with PCI-DSS. This includes ecommerce companies, SaaS platforms with embedded payments, and any merchant that accepts card payments online or offline.
3. What are the PCI-DSS compliance levels?
There are four levels of PCI-DSS compliance, based on the number of card transactions a business processes per year. Level 1 is for over 6 million transactions annually, while Level 4 is for fewer than 20,000 transactions. Your level determines the type of validation required, such as a self-assessment or an external audit.
4. How do I validate PCI-DSS compliance?
You validate compliance through one of two methods:
- A Self-Assessment Questionnaire (SAQ) if you’re a smaller business.
- A Report on Compliance (ROC) if you process over 6 million transactions per year.
The method depends on your merchant level and transaction volume.
5. What happens if I’m not PCI compliant?
If you’re not PCI-DSS compliant, you risk fines from card networks, the suspension of your ability to process card payments, and serious financial and reputational damage in the event of a data breach.