Payment card data is one of the most targeted types of sensitive information—and for good reason. Whether you’re a SaaS-driven merchant or a service provider enabling payment features, if you store, process, or transmit cardholder data, PCI DSS applies to you.
The Payment Card Industry Data Security Standard (PCI DSS) helps protect against breaches, reduce fraud, and build customer trust. But compliance isn’t a one-time checkbox; it’s an ongoing, technical, and sometimes complex process. Understanding how PCI DSS works—and how it’s evolving—is key to staying audit-ready.
What is PCI DSS?
The PCI Data Security Standard is a global framework issued by the PCI Security Standards Council (PCI SSC). It establishes baseline cybersecurity and data protection requirements for entities that handle credit card data. That includes not only merchants and payment processors, but also third-party service providers whose systems could affect payment card data security.
PCI DSS requires covered organizations to maintain layered controls, including access restrictions, encryption standards, vulnerability scanning, and formalized security testing.
Why it matters: Payment card brands like Visa and Mastercard mandate compliance as part of their terms, and acquirers (banks/processors) enforce it. Noncompliance can lead to fines, loss of payment privileges, and reputational risk.
The compliance levels and validation process
Not all organizations validate PCI DSS in the same way. Validation level depends on transaction volume and role in the payment process.
Level 1 entities—typically merchants processing over 6 million transactions annually, or service providers with broad scope—must complete an annual Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA).
Lower-level entities may be eligible to self-assess using a Self-Assessment Questionnaire (SAQ), if certain eligibility criteria are met. Each SAQ version maps to a specific business model and requires testing and attestation based on scope.
Whether completing a ROC or SAQ, you’ll also need to comply with ongoing requirements like quarterly external vulnerability scans (performed by an Approved Scanning Vendor), periodic internal scans, penetration testing, and annual risk assessments.
Historically, PCI DSS has focused on prescriptive controls
When PCI DSS was first introduced in 2004, it provided a uniform approach to securing payment data but left little room for flexibility. Framework updates since then—most recently PCI DSS v4.0 and its 2024 update v4.0.1—have shifted that narrative.
Earlier versions leaned heavily on legacy payment environments, with controls designed around physical server infrastructure and on-premise networks. As fintech and e-commerce developed, many organizations struggled to apply these requirements in cloud-native, distributed environments.
Documentation was difficult to manage. The process involved assembling evidence from scattered systems, formatting reports in PCI SSC-provided templates, and often manually updating artifacts after audits.
Maintaining continuous compliance was a challenge. Organizations treated PCI validation as a once-a-year event rather than an operational priority. As a result, control violations often went unnoticed until audit time.
Third-party oversight was underdeveloped. Requirement 12.8—related to vendor risk—was often overlooked or incomplete. It became clear that modern risk landscapes needed stronger, shared-responsibility documentation.
Common PCI DSS challenges organizations face today
Even with the improvements introduced in versions 4.0 and 4.0.1, staying compliant isn’t easy. Here’s what typically gets in the way.
Scoping remains difficult in modern architectures. Hybrid cloud environments, containerized services, and third-party integrations make it harder to clearly define the cardholder data environment (CDE). Errors in scoping lead to incomplete assessments and gaps in compliance.
Segmentation strategies aren’t always effective. Poorly documented or ineffective segmentation techniques may expose more of the environment than necessary, increasing both risk and audit complexity.
Self-assessment mistakes carry risk. Many organizations rely on SAQ eligibility without verifying their scope, choose the wrong SAQ type, or miss updated SAQ guidance, especially the changes introduced in v4.0.1 for e-commerce merchants.
Evidence is decentralized and difficult to validate. Without a centralized system to track evidence, teams spend weeks chasing screenshots, logs, and settings—only to find that some information is outdated or noncompliant.
Third-party service providers create uncertainty. Missing AOCs (Attestations of Compliance), unclear responsibility matrices, and outdated agreements are common weaknesses under PCI Requirement 12.8.
Auditor relationships matter. Choosing a QSA who understands your environment—and who doesn’t grade their own work—is crucial to building a smooth, repeatable audit cycle.
What’s next: PCI DSS in 2026 and beyond
By 2026, PCI DSS compliance will be increasingly continuous, flexible, and technology-enabled.
Customized Approach becomes the norm. Version 4.x introduced the Customized Approach to allow organizations to meet PCI objectives outside of prescribed controls, using alternate methods validated by the QSA. This benefits innovative or cloud-native organizations but increases the need for detailed documentation and strong security rationale.
Risk assessments are more central. Targeted Risk Analyses—introduced in v4.0—allow organizations to tailor control frequency and rigor based on formal risk evaluations. While this improves efficiency, it puts pressure on teams to maintain structured, defensible assessments.
Templates and reporting policies will evolve. All entities must now use official PCI SSC templates when submitting a ROC, AOC, or SAQ. Informal “certificates” aren't accepted. Expect enhanced scrutiny on the accuracy and timeliness of submissions.
Automation becomes an expectation. Security tooling that integrates ASV scans, penetration tests, evidence tracking, and ROC preparation reduces the operational burden. Effective technology will enable teams to transition from reactive to proactive compliance.
Visibility and accountability extend to third parties. As more organizations rely on external services for payment processing, hosting, and application delivery, PCI compliance requires stronger third-party governance and contract monitoring.
How Thoropass simplifies PCI DSS compliance
Compliance shouldn’t slow you down. Thoropass makes PCI DSS audit readiness easier, faster, and more reliable with an end-to-end solution that combines security automation with accredited audit services.
We’re a Qualified Security Assessor Company. Thoropass is a fully approved QSAC. Our in-house QSAs prepare your ROC, evaluate your controls, and stay engaged across the review process. You’re not left managing siloed tools and external assessors on your own.
Audit readiness starts early. We don’t wait until audit day. Thoropass gives you a centralized hub to define scope, track tasks, collect evidence, and auto-generate required ROC, SAQ, and AOC documentation using PCI-approved templates.
Automation meets expertise. Our platform integrates external vulnerability scans using PCI-approved ASV tooling and streamlines recurring tests like penetration testing and segmentation validation. You’ll spend less time coordinating vendors and more time maintaining security.
Robust control mappings and risk assessments. With built-in support for the Customized Approach and Targeted Risk Analyses, Thoropass helps you meet v4.x expectations with full documentation and auditor-ready formatting.
Third-party visibility built in. Manage vendor responsibility matrices, collect third-party AOCs, and verify roles and scope—all inside your compliance workspace. No more last-minute surprises during your audit review.
Continuous compliance is our default. Thoropass helps you shift from point-in-time assessments to a year-round compliance posture. That means fewer disruptions, faster audit cycles, and more confidence in your payment security.
Schedule a discovery session today and see how Thoropass sets a new standard for PCI DSS readiness.