
What is PCI SSC Compliance?

June 24, 2020




What is PCI Compliance?

If your systems or applications process electronic payments or store client payment and transaction data, then PCI compliance should be a high priority for your business.

PCI compliance is governed by the PCI Security Standards Council (PCI SSC), formed in 2006 by American Express, Discover, JCB International, Visa and Mastercard, which established the Data Security Standard (PCI DSS) as the standard for their respective data security compliance programs.

The goals of PCI DSS are to encourage businesses to:

  • Build and maintain a secure network

    • Install and maintain firewalls to protect cardholder data

    • Do not use vendor-supplied defaults for passwords and other security parameters

  • Protect cardholder data

    • Protect stored data

    • Encrypt transmission of cardholder data across open or public networks

  • Maintain a vulnerability management program

    • Use and regularly update anti-virus software

    • Develop and maintain secure systems and applications

  • Implement strong access control measures

    • Restrict access to cardholder data on a business need-to-know basis

    • Assign a unique ID to each person with computer access

    • Restrict physical access to cardholder data

  • Regularly monitor and test networks

    • Track and monitor all access to network resources and cardholder data

    • Regularly test security systems and processes

  • Maintain an information security policy

    • Maintain a policy that addresses information security


The PCI SSC provides the annual certification of independent security organisations as Qualified Security Assessors (QSAs). When seeking PCI compliance through a third-party QSA you should verify their credentials here:


The PCI SSC also maintains a register of Approved Scanning Vendors (ASVs): organisations that possess the tools and provide external vulnerability scanning services to ensure your systems meet PCI DSS requirements. This is required when organisations are undertaking Self Assessment. It's also a useful process to ensure your cloud network security is on point.

You can find a list of ASVs here:


Is PCI Compliance Mandatory?

While compliance is not mandated by law, the businesses and payment processors you deal with in the day-to-day transactional operations of your business will expect your systems to meet certain standards. If they do not, you may attract higher card transaction fees or be exposed to legal and insurance claims to cover data breaches, including the resulting card replacement fees, fines and the costs of forensic audits and investigations into your business systems.

The brand damage resulting from data breaches involving personal data or credit card and bank account details can be catastrophic.

The requirements set out in the PCI DSS guide organizations and sellers to safely and securely accept, store, process, and transmit cardholder data during credit card transactions to prevent fraud and data breaches.

It's important to note that while the PCI SSC sets the compliance framework, it is left to the individual credit card companies and businesses to 'self-regulate'. While the PCI SSC provides mechanisms like the self-assessment questionnaire (SAQ) to ensure compliance, it is left to the payment processors to enforce them amongst sellers and organisations that accept credit cards.

Who needs PCI DSS compliance certification?

Although there is technically no such thing as “PCI certification,” sellers of all sizes, service providers, banks, and any other organizations that process credit card payments may need to prove they are PCI compliant. This is especially true if you store credit card numbers, cardholder names, expiration dates or CAV2/CID/CVC2/CVV2 numbers in your database.

If you do, then you need to be prepared to demonstrate that this data is secure and your network is sufficiently locked down.

Who Needs PCI Compliance?

There are currently four PCI DSS compliance levels, and each comes with varying degrees of compliance requirements, which are governed by the volume of payment transactions being processed.

Merchant Level 1

Businesses that process over 6 million transactions per year are considered level 1 merchants.

You may also be placed in this category if you have suffered a data breach or hack that resulted in data loss or theft.

A merchant may also be considered level 1 if nominated by a card association.

PCI Requirements:

Level 1 merchants are required to prepare an annual report on compliance (ROC) by a qualified security assessor (QSA). This is more commonly known as a Level 1 onsite assessment.

On top of the ROC, you are also required to contract a qualified ASV to conduct a quarterly network scan and complete an Attestation of Compliance form.

Merchant Level 2

Level 2 merchants process between 1 million and 6 million card transactions per year.

As a level 2 merchant you are required to complete a PCI DSS Self Assessment Questionnaire.

You will also need to complete and provide evidence of successfully passing network vulnerability scans conducted by an ASV.

Evidence of both SAQ and ASV pass should be provided to your acquirer (merchant processor).

Merchant Level 3

As a level 3 merchant processing between 20,000 and 1 million transactions, you are also required to complete a PCI DSS Self Assessment Questionnaire.

You will also need to complete and provide evidence of successfully passing network vulnerability scans conducted by an ASV.

Evidence of both SAQ and ASV pass should be provided to your acquirer (merchant processor).

Merchant Level 4

Level 4 merchants process up to 20,000 transactions per year.

As a level 4 merchant you are required to complete a PCI DSS Self Assessment Questionnaire.

You will also need to complete and provide evidence of successfully passing network vulnerability scans conducted by an ASV.

Evidence of both SAQ and ASV pass should be provided to your acquirer (merchant processor).

What does it cost to be PCI DSS compliant?

The fees to become PCI compliant, and maintain that standing annually, can range anywhere from approximately $1,000 annually to over $50,000 annually, depending on the size of your business. Costs will vary depending on the ASV you engage to scan your network and whether you require a full ROC or handle the preparation of your SAQ internally or not.

Am I responsible for a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?

The PCI DSS Self-Assessment Questionnaire is a checklist ranging from 19 to 87 pages, created and distributed by the PCI Security Standards Council. It’s used as a mechanism for sellers to self-validate their PCI DSS compliance.

Depending on your payment processor and the payment gateway integration you have implemented, sometimes the onus is on your business to prepare the SAQ, while other times this is handled by your payment processor.

Is PCI Compliance International?

PCI DSS is a global standard.

PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data.

The standards globally govern all merchants and organizations that store, process or transmit this data – with new requirements for software developers and manufacturers of applications and devices used in those transactions.

Compliance with the PCI set of standards is mandatory for their respective stakeholders, and is enforced by the major payment card brands who established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

How does PCI Compliance affect developers?

PA-DSS, the Payment Application Data Security Standard, is designed to guide developers in the production of secure payment processing applications.

The PA-DSS minimizes vulnerabilities in payment applications. The goal is to prevent the compromise of full magnetic stripe data located on the back of a payment card.

PA-DSS covers commercial payment applications, integrators and service providers. Merchants and service providers should use certified payment applications and should check with their acquiring financial institution to understand requirements and associated timeframes for compliance.

The PA-DSS recommends developers adhere to these guidelines:

  • Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data

  • Facilitate secure network implementation

  • Provide secure password features

  • Do not store cardholder data on a server connected to the Internet

  • Protect stored cardholder data

  • Facilitate secure remote software update

  • Log application activity

  • Facilitate secure remote access to application

  • Develop secure applications

  • Encrypt sensitive traffic over public networks

  • Protect wireless transmissions

  • Encrypt all non-console administrative access

  • Test applications to address vulnerabilities

  • Maintain instructional documentation and training programs for customers, resellers and integrators

How does Hava's accurate network documentation assist with PCI compliance?

Having automatically generated network documentation provides a credible platform to support your compliance obligations.

Because Hava uses automation, the network diagrams generated represent the source of truth. You are looking at the “Actual” state of your network topology, not the assumed state of play based on potentially outdated architecture diagrams.

One of the core requirements of PCI compliance is network and data security. Hava's unique security visualization maps out exactly how traffic flows in and out of your network and security groups. Any open ports that shouldn't be open immediately stand out and can be addressed well in advance of reaching an audit or being discovered by a bad actor.

Having a comprehensive version history is also invaluable, especially if you have been deemed a Level 1 organisation because of suspected network incursion or data loss.

If you are subjected to a PCI compliance audit for legal or insurance purposes, having an accurate, unadulterated representation of your network at any point in time (since you connected your cloud accounts to Hava) means you have documentary evidence that all your technical ducks were in a row.

With more and more organisations transitioning from on-premise infrastructure to public cloud solutions, the need to keep on top of things like PCI compliance and broader network security is paramount.

Having continuously self-updating network documentation that retains version history diagrams every time your network configuration changes is a major step forward for organisations looking to address security and PCI DSS requirements as part of their broader governance obligations.

You can connect hava.io to your AWS, Azure or Google Cloud Platform accounts and start automatically documenting your cloud infrastructure and verify your cloud architecture expectations vs reality.

A 14 day free trial is available for your team to assess whether Hava will provide the diagrams and documentation your developers, operations and security team need in order to sail through your next PCI compliance audit or ASV network security assessment.



Take the free trial and within minutes you'll have your first AWS architecture diagram, GCP diagram or Azure diagram (or combinations of all three).

(No CC required)


Written by Team Hava

The Hava content team