PCI DSS (Payment Card Industry Data Security Standard) is a comprehensive set of security requirements designed by major credit card companies to protect cardholder data and ensure secure payment processing. The standard serves as the security blueprint that all organizations handling credit card information must follow to keep customer payment data safe from cybercriminals and data breaches.
What PCI DSS is
The Payment Card Industry Security Standards Council, formed by American Express, Discover, JCB, MasterCard, and Visa, created PCI DSS in 2006. Payment card data is an extremely attractive target for cybercriminals, and the financial industry needed unified security requirements to protect this sensitive information across all businesses that handle it.
PCI DSS applies to any organization that stores, processes, or transmits cardholder data, regardless of size or number of transactions. This includes merchants, payment processors, acquirers, issuers, and service providers that handle payment card information.
Core requirements
PCI DSS is built around twelve fundamental requirements organized into six main categories:
Build and maintain secure networks:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data:
- Protect stored cardholder data through encryption and proper data handling
- Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program:
- Use and regularly update anti-virus software on all systems
- Develop and maintain secure systems and applications
Implement strong access control measures:
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly monitor and test networks:
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an information security policy:
- Maintain a policy that addresses information security for all personnel
Types and categories
Organizations fall into different compliance levels based on their annual transaction volume:
Level 1: Over 6 million transactions annually
- Requires annual on-site audit by a Qualified Security Assessor (QSA)
- Must complete a Report on Compliance (ROC)
- Requires quarterly network vulnerability scans
Level 2: 1-6 million transactions annually
- May require an annual on-site audit, or may instead complete a Self-Assessment Questionnaire (SAQ)
- Requires quarterly network vulnerability scans
Level 3: 20,000-1 million e-commerce transactions annually
- Completes annual SAQ
- Requires quarterly network vulnerability scans
Level 4: Under 20,000 e-commerce transactions, or under 1 million transactions of any other type, annually
- Completes annual SAQ
- May require quarterly network vulnerability scans depending on the acquirer
Organizations complete different types of SAQs (A, A-EP, B, B-IP, C, C-VT, D) based on their specific payment processing methods and environment.
Compliance process
Achieving PCI DSS compliance typically follows these steps:
- Scope assessment (1-2 months): Determine what systems, people, and processes are in scope for PCI DSS requirements
- Gap analysis (2-4 weeks): Identify current security posture gaps against PCI DSS requirements
- Remediation planning (2-4 weeks): Develop a roadmap to address identified gaps
- Implementation (3-12 months): Execute security improvements and policy changes
- Internal testing (4-8 weeks): Validate that all requirements are met
- External assessment (2-8 weeks): Complete SAQ or undergo QSA audit
- Ongoing monitoring: Maintain compliance through continuous monitoring and annual reassessment
Key roles include:
- Executive sponsors who provide budget and organizational support
- Project managers to coordinate compliance activities
- IT security teams to implement technical controls
- QSAs for Level 1 organizations requiring external audits
- Compliance officers to manage ongoing requirements
Common challenges
Organizations frequently struggle with several obstacles:
Scope creep: As business operations evolve, keeping track of all systems that handle cardholder data becomes complex. New applications, databases, or network segments can unknowingly enter PCI scope.
Resource constraints: Compliance requires dedicated staff time, security expertise, and financial investment that many organizations haven’t budgeted adequately.
Legacy system integration: Older payment systems may not support modern security requirements without expensive upgrades or replacements.
Vendor management: Ensuring that third-party service providers maintain their own PCI DSS compliance and properly secure shared environments is an ongoing effort.
Documentation and evidence collection: Maintaining the detailed documentation required for compliance validation can be overwhelming, especially for organizations without dedicated compliance staff.
Cultural resistance: Getting buy-in is difficult when employees view security measures as impediments to productivity rather than business necessities.
Benefits of compliance
Enhanced security: Following PCI DSS requirements significantly reduces the risk of data breaches by implementing industry-proven security practices.
Customer trust: Compliance demonstrates to customers that their payment information is protected, building confidence in your business.
Competitive advantage: PCI compliance can differentiate your organization when competing for contracts or partnerships.
Regulatory protection: Compliance helps satisfy other regulatory requirements and can reduce liability exposure in the event of an incident.
Operational efficiency: The structured approach to security often reveals operational improvements beyond just payment security.
Cost avoidance: Preventing data breaches avoids the massive costs associated with incident response, legal fees, regulatory fines, and reputation damage.
Who needs it and when
Mandatory compliance applies to:
- Any business that accepts credit card payments
- Payment processors and gateways
- Hosting providers that store cardholder data
- Any organization in the payment chain
Immediate compliance is required when:
- You begin accepting credit card payments
- You experience a data breach
- Your acquiring bank requires validation
- You’re entering contracts that require PCI attestation
Recommended for:
- Organizations handling any sensitive customer data, even if not payment-related
- Businesses seeking to improve their overall security posture
- Companies in highly regulated industries