The Payment Card Industry Data Security Standard (PCI DSS) is a collection of security standards designed to protect cardholder data. PCI DSS applies to all organizations that process, store, or transmit credit card information.

PCI DSS is managed by the Payment Card Industry Security Standards Council (PCI SSC), a group of major credit card companies.


Accorian For Your PCI DSS Compliance

Accorian can assist you with

Key step in your PCI journey and it helps you determine your applicable scope with/without inheritance of controls and card flow.

Aiding you to understand your current readiness against PCI DSS.

Simplifying the requirements of PCI DSS, remediation advisory, evidence collection, program management and augment your team to aid in remediation.

Aiding you in developing/updating your security framework.

A readiness audit to ascertain if you meet the PCI requirements.

Aiding you in filling your SAQ.

Final audit with reporting conducted by a QSA.

As a PCI ASV (Approved Scanning Vendor), we can aid in conducting this mandatory quarterly network scan.

Who Does PCI DSS Apply To?

PCI Compliance

PCI DSS affects all companies that accept or process credit cards and have access to cardholder data (CHD) or sensitive authentication data (SAD) that constitutes account information. It also applies to all service provider companies that accept or process credit cards (directly or indirectly) due to the trickle-down of their Third-Party Risk Management Strategy. Thus, becoming a benchmarking security standard for most organizations. This is regardless of size, number of transactions, or if the information is collected directly or indirectly.

What Data Does PCI DSS Impact?

PCI DSS Impact

PCI DSS Requirements

Organizations must adhere to 12 basic PCI DSS compliance requirements to handle credit card information securely. Failure to comply with these requirements increases the risk of a data breach or other fraudulent behavior at the company:

12 PCI DSS Requirements

What Are The Requirements To Be PCI Compliant?

The requirements are based on the volume of transactions per year. The PCI DSS guide breaks down companies into 4 merchant levels.

The 4 Levels of PCI Compliance

4 Levels of PCI

Merchant Level 1:

Level 1 merchants must undergo an audit by PCI QSA (Qualified Security Assessor) with the need for a more significant number of requirements compared to the other levels. This would generate a PCI RoC (Report on Compliance). This audit report includes findings based on the review of the organization’s current security policies, procedures, and controls being in place for protecting cardholder and account data. The audit also requires an on-site assessment and review of all compensatory controls.

This audit needs to be conducted annually or every time there is a change in the environment.

The number of requirements, implementation, time, cost & rigor required to meet the PCI Level 1 and RoC requirements is high. As this will be assessed by a PCI QSA, you can display the PCI Compliant logo on attaining a passing RoC.

Merchant Levels 2,3,4:

Companies need to submit their SAQ (Self-Assessment Questionnaire) for all these 3 merchant levels. There are 9 types of SAQs, with the number of requirements ranging from 24 to 370.

There are cases in which the non-level 1 merchant has to undergo the PCI RoC audit due to their criticality in the supply chain. This is decided by the acquirer or, sometimes, requested by end clients.

Choosing The Right PCI DSS SAQ

Selecting the right SAQ (Self-Assessment Questionnaire) is key to meeting the PCI DSS requirements applicable to your organization.


All level 2-4 merchants must complete their SAQ and answer all questions to signify passing or, be able to state specific requirements as “not applicable”. If even a single question is missed by the merchant, he will be considered non-compliant and will be required to address and mitigate the risk immediately.

All SAQs have an expected testing column that provides merchants guidance with descriptions of the testing activity that needs to be performed to indicate compliance with PCI DSS.

Upon completion of the SAQ, an attestation of compliance (AoC) needs to be completed by merchants and is signed by the CISO/officer of the company.


What Our
customers are
saying about us

The Accorian Advantage

Accorian’s cybersecurity and compliance teams bring a wealth of experience to help navigate organizations through their information security journey. Our hands-on, white-glove approach combined with a goal-oriented, proven methodology brings both fiscal value and expertise to each of our clients. The facts speak for themselves.

Ready to Start?

We are Qualified

we are qualified
we are qualified

Shukla CPA, d.b.a Accorian Assurance is a licensed, certified public accounting firm registered with the American Institute of Pubic Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB). Esha IT Corp d.b.a Accorian is a global leader in cybersecurity and compliance professional services.

© 2023 Accorian. All Rights Reserved.

Ready to Start?

Drop your CVs to joinourteam@accorian.com

Interested Position

Download Case study

Download SOC2 Guide