Ultimate Guide to PCI DSS Compliance in 2026
What Is PCI DSS Compliance?
PCI DSS is a set of security standards that protects cardholder data; it applies to any organization that processes, stores, or transmits credit card information, and compliance means meeting those standards. Failure to comply with PCI DSS can result in fines, increased fees, or loss of the ability to process credit cards.
Who needs to comply:
- All businesses that accept credit cards: This applies to any organization that processes, stores, or transmits cardholder data, regardless of size.
- Even if using a third party: Businesses are still responsible for compliance even if they use a third party for transaction processing.
The standard's 12 requirements are organized into six groups:
- Build and maintain a secure network and systems (e.g., using firewalls and strong passwords).
- Protect cardholder data (e.g., encrypting stored and transmitted data).
- Maintain a vulnerability management program (e.g., using antivirus software and updating systems).
- Implement strong access control measures (e.g., limiting access to cardholder data).
- Regularly monitor and test networks (e.g., tracking access and testing security measures).
- Maintain an information security policy.
Who Needs to Comply with PCI DSS?
Any business or organization, regardless of size or transaction volume, that handles payment card data must comply with PCI DSS. This includes merchants, payment service providers, processors, acquirers, issuers, and other parties involved in the card payment ecosystem.
If your organization stores, processes, or transmits payment cardholder data, PCI DSS compliance is mandatory. The scope extends to both physical and digital environments, covering eCommerce, call centers, and retail stores alike.
Third-party service providers that can impact the security of cardholder data must also achieve and demonstrate PCI DSS compliance. This includes companies offering IT hosting, managed security, cloud services, and payment gateways. Even if only a small fragment of payment data flows through their systems, these providers are held to the same set of rigorous standards.
The 12 Requirements of PCI DSS 4.0
Let’s review the 12 requirements of PCI DSS 4.0.
1. Install and Maintain Network Security Controls
Top-Level Category: Build and Maintain Secure Network and Systems
Properly installed and maintained network security controls, such as firewalls and intrusion prevention systems, are fundamental to PCI DSS. These controls protect the cardholder data environment from unauthorized access and malicious activity, segmenting sensitive areas and limiting the exposure of payment data. Network security controls should be consistently updated to address new vulnerabilities.
Compliance checklist:
- Deploy firewalls or other network security controls at key boundaries
- Document and review network diagrams and data flow diagrams annually
- Restrict inbound and outbound traffic to necessary protocols and services
- Configure firewalls to deny all traffic by default
- Review and test firewall and router rule sets every six months
- Implement intrusion detection or prevention systems where applicable
- Maintain change control procedures for firewall and network changes
2. Apply Secure Configurations to All System Components
Top-Level Category: Build and Maintain Secure Network and Systems
Every component in the payment processing environment (servers, workstations, network devices, and applications) must use secure configurations. Default settings, manufacturer passwords, and unnecessary services are prime targets for attackers; thus, they must be changed or removed before deployment. Documenting secure baselines and applying configuration management processes form the backbone of this requirement.
Compliance checklist:
- Remove or disable all unnecessary default accounts and services
- Change default passwords and security settings before deployment
- Establish and document secure configuration standards for all systems
- Use configuration management tools to enforce baselines
- Apply vendor-provided security patches and updates promptly
- Disable unused ports, protocols, and services
- Perform regular configuration reviews and audits
3. Protect Stored Account Data
Top-Level Category: Protect Cardholder Data
PCI DSS requires that sensitive cardholder data stored by organizations is protected through strong cryptography and strict access controls. Entities must minimize data storage by retaining only what is necessary for business, legal, or regulatory purposes, and deleting it as soon as it is no longer needed. Sensitive authentication data (such as the full magnetic stripe, CVV, or PIN) must never be stored after authorization.
Compliance checklist:
- Minimize data retention to what is strictly necessary
- Never store sensitive authentication data after authorization (e.g., CVV, full track data)
- Use strong cryptography to encrypt stored cardholder data
- Implement access controls for encrypted data and encryption keys
- Mask PAN when displayed, showing only the first six and last four digits
- Securely delete cardholder data when no longer needed
- Document and enforce a formal data retention policy
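As an added example (not code from the original article or from Venn), here is the masking rule from the checklist alongside a check that no cleartext PAN has leaked into a log line or stored record: candidate digit runs are confirmed with the Luhn checksum that card numbers satisfy, then replaced with the first-six/last-four masked form. The sample log text is constructed.

```python
from __future__ import annotations

import re

# Constructed sample text (not from any real system): one line carries a cleartext PAN,
# one an already-masked PAN, and one a 13-digit ticket number that fails the Luhn check.
SAMPLE_TEXT = (
    "2026-01-15T10:22:01Z order=4413 card=4111111111111111 amount=19.99\n"
    "2026-01-15T10:22:05Z order=4414 card=411111******1111 amount=5.00\n"
    "2026-01-15T10:22:09Z ticket=1234567890123 status=ok\n"
)
# A PAN is 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep the first six and last four digits, star out the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("a PAN has 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN candidate in the text, in order of appearance."""
    # A candidate rejected by Luhn is not re-tried at shorter lengths, which keeps
    # long non-card numbers such as ticket ids from producing spurious hits.
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"\D", "", m.group(0)))]


def scrub_text(text: str) -> tuple[str, int]:
    """Replace each cleartext PAN with its masked form; return the new text and the count."""
    count = 0

    def _replace(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number, leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, text), count


if __name__ == "__main__":
    scrubbed, n = scrub_text(SAMPLE_TEXT)
    print(f"found {len(find_cleartext_pans(SAMPLE_TEXT))} cleartext PAN(s); masked {n}")
    print(scrubbed)
```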
4. Protect Cardholder Data with Strong Cryptography During Transmission
Top-Level Category: Protect Cardholder Data
Cardholder data must be transmitted across open, public networks only with the protection of strong encryption protocols such as TLS. Attackers often intercept data in transit through network sniffing or man-in-the-middle attacks, so cryptographic protection is required to mitigate this risk. Encryption keys must be managed securely to prevent unauthorized decryption of sensitive data during its journey from point A to point B.
Compliance checklist:
- Use only strong, approved encryption protocols (e.g., TLS 1.2 or higher)
- Encrypt cardholder data when transmitted over open, public networks
- Disable insecure protocols such as SSL and early TLS
- Ensure certificates are valid, not expired, and issued by a trusted authority
- Secure key exchange and management processes
- Document all systems and applications that transmit cardholder data
- Regularly test encryption configurations and inspect for misconfigurations
5. Protect Systems and Networks from Malicious Software
Top-Level Category: Maintain a Vulnerability Management Program
Defense against malware is required wherever payment systems are susceptible, including endpoints, servers, and point-of-sale devices. Organizations must implement anti-malware solutions that provide real-time protection and frequent updates to detect emerging threats. Regular scans and monitoring for abnormal activity help maintain the integrity of systems that store, process, or transmit cardholder data.
Compliance checklist:
- Deploy anti-malware software on all systems commonly affected by malware
- Ensure anti-malware tools are configured for automatic updates
- Perform regular malware scans and log scan results
- Monitor endpoints for suspicious activity and indicators of compromise
- Restrict users from disabling or altering anti-malware tools
- Implement controls for systems not commonly targeted by malware
- Review anti-malware alerts and respond to incidents promptly
6. Develop and Maintain Secure Systems and Software
Top-Level Category: Maintain a Vulnerability Management Program
The PCI DSS standard requires organizations to establish processes for secure application development, patch management, and vulnerability remediation. All software (proprietary, open-source, or commercial) should undergo thorough risk assessments, code reviews, and security testing before and after deployment.
Compliance checklist:
- Maintain an inventory of all system components and software
- Track security advisories and patch releases from vendors
- Apply critical patches within defined timeframes (e.g., 30 days)
- Develop secure coding guidelines and train developers accordingly
- Perform code reviews and static analysis for custom applications
- Conduct vulnerability scans and penetration testing on systems and apps
- Document software development lifecycle (SDLC) and secure coding practices
7. Restrict Access to System Components and Cardholder Data by Business Need to Know
Top-Level Category: Implement Strong Access Control Measures
Access to cardholder data and system components should be limited strictly to individuals whose job responsibilities require it. Role-based access controls must be enforced, and access privileges regularly reviewed to ensure that only authorized personnel are granted permissions. Excessive or outdated access increases the risk of internal or external compromise.
Compliance checklist:
- Define access roles based on job responsibilities
- Grant access using least privilege principles
- Document and review access rights regularly (at least every 6 months)
- Implement access request and approval workflows
- Remove or modify access immediately upon role change or termination
- Enforce separation of duties in high-risk functions
- Maintain an auditable access control process
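One way to run the periodic access review described in the checklist above, as an added example that is not part of the original article or any vendor's product: granted permissions are reconciled against role definitions, HR status and separation-of-duties rules to produce the findings a reviewer would act on. All role, user and permission data is constructed, and the permission names are placeholders.

```python
from __future__ import annotations

# Constructed sample data (not from any real system). Roles define what a job needs,
# GRANTED is what the systems actually hold, and ACTIVE_EMPLOYEES is the HR view.
ROLE_PERMISSIONS = {
    "cashier": {"pos:sale"},
    "support": {"pos:sale", "orders:read", "refund:request"},
    "finance": {"orders:read", "refund:approve"},
    "dba": {"chd-db:read", "chd-db:admin"},
}
USER_ROLES = {
    "alice": {"cashier"},
    "bob": {"support"},
    "carol": {"dba"},
    "dave": {"support", "finance"},
}
GRANTED = {
    "alice": {"pos:sale"},
    "bob": {"pos:sale", "orders:read", "refund:request", "chd-db:read"},  # leftover grant
    "carol": {"chd-db:read", "chd-db:admin"},
    "dave": {"pos:sale", "orders:read", "refund:request", "refund:approve"},
    "erin": {"chd-db:read"},  # left the company, account never removed
}
ACTIVE_EMPLOYEES = {"alice", "bob", "carol", "dave"}
# Permission pairs that no single person may hold at once (separation of duties).
SOD_CONFLICTS = [({"refund:request"}, {"refund:approve"})]


def entitled(user: str, user_roles: dict, role_perms: dict) -> set[str]:
    """Permissions a user should hold according to the roles assigned to them."""
    perms: set[str] = set()
    for role in user_roles.get(user, set()):
        perms |= role_perms[role]
    return perms


def review_access(granted: dict, user_roles: dict, role_perms: dict,
                  active: set[str], sod: list) -> dict[str, list]:
    """Reconcile granted permissions against roles, HR status and SoD rules.

    Returns findings keyed by type: excess (grants beyond the user's roles), orphaned
    (accounts of people no longer active) and sod (conflicting duties held together).
    """
    findings: dict[str, list] = {"excess": [], "orphaned": [], "sod": []}
    for user, perms in sorted(granted.items()):
        if user not in active:
            findings["orphaned"].append((user, sorted(perms)))
            continue  # everything the account holds should go, not just the excess
        extra = perms - entitled(user, user_roles, role_perms)
        if extra:
            findings["excess"].append((user, sorted(extra)))
        for left, right in sod:
            if perms & left and perms & right:
                findings["sod"].append((user, sorted(perms & (left | right))))
    return findings


if __name__ == "__main__":
    for kind, items in review_access(GRANTED, USER_ROLES, ROLE_PERMISSIONS,
                                     ACTIVE_EMPLOYEES, SOD_CONFLICTS).items():
        print(kind, items)
```

Note that dave's conflict comes from two legitimately assigned roles, so the fix is a change to the role assignment rather than a one-off permission removal.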
8. Identify Users and Authenticate Access to System Components
Top-Level Category: Implement Strong Access Control Measures
Accurately identifying and authenticating every user accessing PCI DSS environments is essential. Secure authentication mechanisms, including strong passwords, multi-factor authentication (MFA), and unique user IDs, prevent unauthorized use of privileged accounts. Shared or generic accounts should be eliminated, as they obscure accountability and complicate incident response.
Compliance checklist:
- Assign unique IDs to all users accessing cardholder data environments
- Implement multi-factor authentication (MFA) for all remote access and admin-level access
- Disable inactive user accounts after a defined period (e.g., 90 days)
- Enforce strong password policies (length, complexity, expiration)
- Prohibit use of shared or generic accounts
- Log all authentication attempts, both successful and failed
- Review authentication logs for signs of unauthorized access
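The last two checklist items (disabling inactive accounts and reviewing authentication logs for unauthorized access) as an added example, not from the original article or Venn: the log format, the account inventory and the review date are assumptions, and the log lines are constructed. The failure threshold is a parameter to be set from your own lockout policy.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not from any real system), one event per line:
# six failures for jsmith in under a minute followed by a success, and a contractor
# whose last successful login is months old.
SAMPLE_LOG = """\
2025-10-01T12:00:00Z auth user=contractor1 src=10.0.7.3 result=OK
2026-02-03T08:01:12Z auth user=jsmith src=10.0.5.21 result=FAIL
2026-02-03T08:01:20Z auth user=jsmith src=10.0.5.21 result=FAIL
2026-02-03T08:01:27Z auth user=jsmith src=10.0.5.21 result=FAIL
2026-02-03T08:01:33Z auth user=jsmith src=10.0.5.21 result=FAIL
2026-02-03T08:01:40Z auth user=jsmith src=10.0.5.21 result=FAIL
2026-02-03T08:01:48Z auth user=jsmith src=10.0.5.21 result=FAIL
2026-02-03T08:02:01Z auth user=jsmith src=10.0.5.21 result=OK
2026-02-03T09:15:00Z auth user=admin src=10.0.5.9 result=OK
"""
# Constructed account inventory; svc_pos has never logged in successfully.
ACCOUNTS = ["admin", "contractor1", "jsmith", "svc_pos"]
AS_OF = datetime(2026, 2, 3, 12, 0, tzinfo=timezone.utc)
LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text: str) -> list[dict]:
    """Parse log lines into events with UTC timestamps; non-matching lines are skipped."""
    events = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def failed_login_bursts(events: list[dict], threshold: int, window: timedelta = timedelta(minutes=30)) -> dict[str, int]:
    """Map each user with at least `threshold` failures inside one sliding window to the peak count."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["user"]].append(ev["ts"])
    bursts = {}
    for user, times in fails.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[user] = peak
    return bursts


def inactive_accounts(accounts: list[str], events: list[dict], as_of: datetime, max_days: int = 90) -> list[tuple[str, int | None]]:
    """Accounts with no successful login in `max_days` (None means never), sorted by name."""
    last_ok: dict[str, datetime] = {}
    for ev in events:
        if ev["result"] == "OK":
            last_ok[ev["user"]] = max(last_ok.get(ev["user"], ev["ts"]), ev["ts"])
    stale = []
    for user in sorted(accounts):
        age = (as_of - last_ok[user]).days if user in last_ok else None
        if age is None or age > max_days:
            stale.append((user, age))
    return stale
```

Run parse_log(SAMPLE_LOG) and pass the events to the two review functions: the sample flags jsmith's run of failures immediately before a success, which a reviewer should follow up as possible credential guessing, and two accounts with no successful login in the last 90 days.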
9. Restrict Physical Access to Cardholder Data
Top-Level Category: Implement Strong Access Control Measures
Physical security is as important as digital security for protecting cardholder data. Secure access controls must be applied to areas where sensitive data is processed or stored, including server rooms, data centers, and storage cabinets. Only authorized personnel should have physical access, and all entries and departures should be logged.
Compliance checklist:
- Implement badge access or keycard systems for secure areas
- Maintain visitor logs and require visitor identification
- Escort visitors at all times in restricted areas
- Secure media containing cardholder data in locked containers
- Store backups in physically secure locations
- Review physical access logs and surveillance footage regularly
- Revoke access immediately for terminated employees
10. Log and Monitor All Access to System Components and Cardholder Data
Top-Level Category: Regularly Monitor and Test Networks
Organizations are required to log all access to systems handling cardholder data and the data itself. Detailed logs allow for forensic analysis in the event of a security incident, providing critical breadcrumbs for investigators. Logging must include user activity, system events, and administrative actions, ensuring comprehensive visibility across all relevant environments.
Compliance checklist:
- Enable audit logging on all critical system components
- Log user activities, system events, and administrative actions
- Retain logs for at least 12 months, with 3 months readily available
- Protect logs from unauthorized access and modifications
- Implement centralized log management and monitoring solutions
- Review logs daily or implement automated log review tools
- Configure alerts for suspicious or unauthorized activities
11. Test Security of Systems and Networks Regularly
Top-Level Category: Regularly Monitor and Test Networks
Frequent security testing, such as vulnerability scans, penetration testing, and wireless scanning, is mandatory under PCI DSS. These tests uncover weaknesses before attackers exploit them, ensuring that security defenses remain effective against evolving threats. Testing must follow a regular schedule and be repeated after system changes, new deployments, and any significant modification to the cardholder data environment.
Compliance checklist:
- Conduct internal vulnerability scans at least quarterly and after changes
- Perform external vulnerability scans quarterly by an ASV
- Conduct penetration testing annually and after major changes
- Test segmentation controls at least every six months
- Document findings and remediation plans for all identified issues
- Retest to validate that vulnerabilities have been addressed
- Include web application security testing in compliance scope
12. Support Information Security with Organizational Policies and Programs
Top-Level Category: Maintain an Information Security Policy
PCI DSS mandates that organizations formalize information security through policies and management programs. These documents must define responsibilities, training requirements, incident response plans, and disciplinary measures for non-compliance. Strong governance practices ensure that security is an integral, ongoing part of organizational culture.
Compliance checklist:
- Establish and maintain a formal information security policy
- Review and update policies at least annually or after significant changes
- Define roles and responsibilities for managing PCI DSS compliance
- Implement a security awareness training program for all staff
- Document and test incident response plans regularly
- Assign responsibility for information security to executive leadership
- Maintain evidence of policy distribution and employee acknowledgment
PCI DSS Audit and Validation Process: ROC, AOC, and SAQ Explained
The PCI DSS audit and validation process determines whether an organization meets the required security standards. The process varies depending on the organization’s merchant level, which is defined by the major card brands based on transaction volume. Larger merchants or service providers may need an annual onsite assessment by a Qualified Security Assessor (QSA), while smaller entities may complete a self-assessment questionnaire (SAQ).
The audit includes a thorough review of security controls, documentation, and evidence of compliance. This can involve interviews, system inspections, policy reviews, and testing of controls. The objective is to validate that the organization implements all applicable PCI DSS requirements consistently and effectively. Organizations must also conduct regular internal scans and quarterly external vulnerability scans by an approved scanning vendor (ASV).
To summarize the key audits and documents involved in the PCI auditing process:
- Report on compliance (ROC): A formal report completed by a QSA after an onsite assessment. Required for level 1 merchants and service providers, the ROC details how each PCI DSS requirement is met and includes findings, test results, and recommendations.
- Attestation of compliance (AOC): A declaration that accompanies the ROC or SAQ, confirming the organization’s compliance status. It summarizes the scope of the assessment and is signed by a company officer and the QSA (if applicable).
- Self-assessment questionnaire (SAQ): A validation tool used by smaller merchants and service providers who are eligible to assess themselves. There are multiple SAQ types (e.g., SAQ A, SAQ D) depending on how the organization processes cardholder data. Each includes a checklist of PCI DSS requirements tailored to specific payment environments.
Consequences of Non-Compliance with PCI DSS
Non-compliance with PCI DSS exposes organizations to significant operational, financial, and reputational risks. One of the most immediate consequences is the potential for data breaches. Without proper security controls, attackers can exploit vulnerabilities to access cardholder data, leading to fraud, legal liability, and loss of customer trust.
Financial penalties are also a major concern. Card brands and acquiring banks may impose fines ranging from thousands to hundreds of thousands of dollars per month for ongoing non-compliance. Additionally, organizations found responsible for breaches may be held liable for forensic investigation costs, card reissuance fees, fraud reimbursements, and legal settlements.
Beyond direct costs, non-compliance can result in increased scrutiny, mandatory audits, or the revocation of the ability to process payment cards. This disruption can cripple business operations, particularly for organizations that rely heavily on card-based transactions. Reputational damage from a publicized breach or compliance failure can lead to lost business.
PCI DSS Compliance Levels
PCI DSS compliance levels categorize merchants and service providers based on the volume of card transactions they process annually. These levels determine the specific validation requirements an organization must follow. Each card brand defines its own thresholds, but generally, the levels are as follows:
- Level 1: Merchants processing over 6 million card transactions annually or those who have experienced a data breach. Requires an annual onsite assessment by a Qualified Security Assessor (QSA) and quarterly network scans by an approved scanning vendor (ASV).
- Level 2: Merchants processing 1 to 6 million transactions per year. Typically required to complete an annual self-assessment questionnaire (SAQ) and quarterly ASV scans. Some card brands may require a QSA review depending on risk factors.
- Level 3: Merchants processing 20,000 to 1 million eCommerce transactions annually. Must complete an annual SAQ and quarterly ASV scans.
- Level 4: Merchants processing fewer than 20,000 eCommerce transactions or up to 1 million card-present transactions per year. Also required to complete an SAQ and quarterly ASV scans, though enforcement may vary by the acquiring bank.
Service providers have separate compliance levels, often requiring a full ROC even at lower volumes. Understanding your compliance level is essential for meeting PCI DSS obligations appropriately and avoiding unnecessary audits or penalties.
Tools and Technologies That Support PCI DSS Compliance
Secure Enclave Technology
Secure enclave technology enables organizations to isolate and protect work-related data and applications on unmanaged or bring-your-own devices (BYOD) without relying on virtual desktop infrastructure (VDI). Solutions like Venn’s Blue Border™ create a dedicated, company-controlled enclave on personal PCs or Macs where all corporate data is encrypted and access is managed. Within this secure environment, work applications run locally, eliminating the lag and latency so common with virtual desktops.
This approach supports PCI DSS compliance by preventing data leakage from the enclave, enforcing data loss prevention (DLP) policies, and enabling standardized device compliance checks regardless of device ownership. The enclave separates personal and work activities visually and functionally, ensuring sensitive cardholder data never leaves the secured space. It also simplifies auditability and regulatory alignment by containing business data and activity within a monitored and encrypted environment.
Network Security Tools
Network security tools, including firewalls, intrusion detection/prevention systems (IDS/IPS), and network access controls, are vital for segmenting and defending cardholder data environments. These tools help organizations enforce policies that limit access to and from critical systems, shielding payment data from internal and external threats. Logging and alerting capabilities within these tools enable rapid response to suspected incidents.
Automated updates and frequent rule reviews are necessary to maintain the effectiveness of network defenses. Advanced tools incorporate threat intelligence feeds to block emerging threats, while centralized management consoles simplify administration and reporting.
Encryption and Key Management Solutions
Encryption solutions ensure that cardholder data remains unreadable to unauthorized parties, both at rest and in transit. Strong algorithms and configurations must adhere to industry standards as specified by PCI DSS, with encryption endpoints and protocols diligently managed. Key management solutions provide secure storage, rotation, and destruction of cryptographic keys, reducing the risk of compromise.
Automating key lifecycle management mitigates risks associated with human error or insider threat. Regular validation tests confirm the proper application of encryption, and integrated key management tools can create auditable records needed for compliance reporting. These combined solutions bolster data privacy and are central to PCI DSS technology requirements.
Identity and Access Management
Identity and access management (IAM) solutions regulate who has access to cardholder data and systems, supporting strong authentication and authorization as required by PCI DSS. IAM platforms centralize user provisioning, enforce multifactor authentication, and maintain account lifecycle records. These capabilities make it easier to comply with requirements for limiting and tracking access based on business necessity.
Well-configured IAM systems support fast provisioning and deprovisioning of users, reducing the risk of excessive or outdated permissions. Audit logs and reporting features simplify compliance documentation and enable rapid detection of unauthorized access attempts.
Anti-Malware and Endpoint Security
Anti-malware and endpoint security solutions defend against viruses, ransomware, and other malicious software that could compromise payment systems. Continuous endpoint monitoring, real-time scanning, and regular signature updates help detect and block new and evolving threats. Endpoint security suites often include host-based firewalls, device control, and application whitelisting for additional layers of defense.
Centralized management enables organizations to promptly address infections and ensure all workstations and POS systems are protected and policy-compliant. Automated reporting and alerting functions support immediate response to incidents, demonstrating proactive risk management in line with PCI DSS requirements.
PCI DSS Compliance in BYOD Environments with Venn
Venn’s Blue Border helps organizations comply with PCI DSS by providing a secure, segregated, and encrypted environment for accessing cardholder data, ensuring that robust authentication, continuous monitoring, encryption, and secure access controls are in place. Venn’s technology helps mitigate risks associated with remote work on personal or unmanaged devices, supporting the enhanced security measures required by PCI DSS.
Venn is similar to an MDM solution, but for laptops. With Venn, work lives in a company-controlled Secure Enclave installed on the user’s PC or Mac, where all data is encrypted and access is managed. Work applications run locally within the Enclave – visually indicated by Venn’s Blue Border™ – protecting and isolating business activity while ensuring end-user privacy.
If you want to learn more about how Venn can help you meet PCI DSS with your users’ personal or unmanaged devices, feel free to book some time and we can connect you with an expert.