How to Test for PCI Compliance: The Complete 2026 Guide
A PCI compliance test combines a Self-Assessment Questionnaire or Report on Compliance, quarterly ASV scans, and annual penetration testing. Here's the 5-step process, the costs by merchant level, and how to keep evidence audit-ready year-round.
Secure handling and transmission of card data are crucial, governed by PCI DSS to prevent data breaches.
Regular testing, documentation, and security updates by following 6 primary objectives and 12 requirements are necessary to maintain PCI standards.
Costs vary by merchant level (1 through 4); Level 1 assessments are the most expensive because a QSA must produce a Report on Compliance.
Strac's DLP solutions help businesses streamline PCI test compliance monitoring, reporting, and more.
If your business handles credit card payments or stores cardholder data, maintaining PCI compliance is an ongoing process. Regular PCI compliance tests are essential to safeguard sensitive data. Such measures not only help avoid penalties but also demonstrate your commitment to customer security and strengthen your brand's reputation.
A compliance failure can expose your business to severe penalties, increased operational costs, and a loss of customer trust. To put it in perspective, IBM's Cost of a Data Breach report states that the global average cost of a data breach in 2023 rose to USD 4.45 million, a 15% increase over the previous three years.
To effectively maintain PCI compliance, consider implementing measures such as conducting thorough penetration tests, running regular vulnerability scans, and updating your policies regularly. This guide provides practical steps to test, check, and maintain PCI compliance efficiently.
Let’s get started.
What is PCI Compliance, and Who Is It For?
PCI Compliance, which stands for Payment Card Industry Compliance, refers to a set of technical and operational standards established by the PCI Security Standards Council. They help protect cardholder information and prevent data breaches by ensuring the secure processing, storage, and transmission of credit card data.
PCI DSS grew out of the separate security programs the major card brands ran in the early 2000s, when online payments boomed and each brand was setting its own rules for protecting customer card data. In 2006, Visa, MasterCard, Discover, American Express, and JCB International formed the PCI Security Standards Council (PCI SSC) to maintain a single standard, the PCI Data Security Standard (PCI DSS), aimed at preventing breaches of financial data.
Who does PCI DSS apply to?
PCI DSS is a required set of security standards for organizations that handle payment card data, whether online, offline, or both. It applies to any entity that stores, processes, or transmits cardholder data. This includes:
Merchants of all sizes
Payment gateways
Processors
Acquirers
Issuers
Service providers
POS systems
Store networks
Payment card data storage
Paper records
Online payment applications and
Online shopping carts
What are the Primary Objectives & Requirements of the PCI Test?
In compliance with PCI DSS, PCI testing evaluates and ensures that a business's payment card operations meet the standard protocols of PCI DSS. To prevent data breaches and fraud, this comprehensive testing involves assessing the security of card data storage, processing, and transmission environments.
The PCI compliance checklist consists of 6 objectives and 12 key requirements that protect customer information and ensure secure handling, storage, and transmission of cardholder data. The 12 requirements are grouped under the 6 objectives and are broken down into several hundred detailed sub-requirements, each with its own testing procedure that an assessor walks through.
The 6 Primary PCI DSS Objectives
1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
The 12 Primary PCI DSS Requirements
(Titles as worded in PCI DSS v4.0.1; the older v3.2.1 titles cover the same ground, for example "firewall configuration" became "network security controls".)
1. Install and maintain network security controls
2. Apply secure configurations to all system components
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security with organizational policies and programs
Risks of PCI Non-Compliance
While not a federal law, PCI DSS is enforced through:
Contractual agreements: the card brands (Visa, Mastercard, American Express, Discover, and JCB) write PCI DSS into their operating rules, and acquiring banks pass the obligation to merchants through the merchant agreement.
By signing that agreement, a merchant is bound to adhere to the PCI DSS requirements.
Failure to comply can lead to monthly fines ranging from USD 5,000 to USD 100,000, levied by the brand on the acquirer and passed down to the merchant.
Moreover, the financial implications of fraud or data breaches extend beyond fines, including expenses related to refunds, forensic audits, and investigations, not to mention the potential reputational damage. This underscores the importance of PCI DSS compliance as an essential component of a business’s overall security strategy.
How to Run a PCI Compliance Test in 5 Steps
The PCI compliance test process is a five-step sequence — the same five steps every QSA, self-assessor, and audit follows. Each step is detailed below; this is the at-a-glance version:
Step 1 — Identify your responsibilities: determine your PCI DSS merchant level (1 through 4) based on annual transaction volume and pick the matching reporting path (ROC vs. SAQ).
Step 2 — Review each card brand's requirements: Visa, Mastercard, Amex, Discover, and JCB each add brand-specific testing nuances on top of PCI DSS v4.0.1.
Step 3 — Scan for vulnerabilities and run penetration testing: PCI DSS Requirement 11 mandates regular ASV scans and at least annual penetration testing.
Step 4 — Work with a Qualified Security Assessor (QSA): required for Level 1 merchants, recommended for Level 2; the QSA produces the Report on Compliance.
Step 5 — Submit your official reporting: ROC for Level 1, SAQ for Levels 2–4, plus an Attestation of Compliance and quarterly ASV scan reports.
The rest of this guide walks each step in detail, the costs by merchant level, the risks of failing a PCI compliance test, and how to keep evidence current between annual audits.
✨ Step 1: Identify Your PCI Merchant Level
PCI DSS classifies merchants into four levels by annual transaction volume (the card brands publish the exact thresholds; the commonly used ones are below):
Level 1 merchants process more than 6 million transactions a year across all channels. They must undergo an annual on-site assessment by a QSA that produces a Report on Compliance, in addition to quarterly ASV scans.
Level 2 merchants process 1 million to 6 million transactions a year across all channels.
Level 3 merchants process 20,000 to 1 million e-commerce transactions a year.
Level 4 merchants process fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channels.
Levels 2 through 4 complete an annual Self-Assessment Questionnaire (SAQ), undergo quarterly network scans by an ASV, and submit an Attestation of Compliance.
Important: Regardless of the level, all businesses must adhere to the 12 fundamental PCI compliance requirements as stated above.
Step 2: Review Each Card Brand's Requirements
Each card brand runs its own compliance program on top of PCI DSS, setting merchant level thresholds, validation deadlines, and reporting rules. Check the program pages of every brand you accept (and the PCI SSC's Quick Reference Guide for the standard itself) so that your testing plan and penetration testing scope satisfy all of them.
Step 3: Run Vulnerability Scans and Penetration Testing
The third step is vulnerability scanning and penetration testing. PCI DSS Requirement 11 mandates both: internal and external vulnerability scans at least once every three months, with the external scans run by an Approved Scanning Vendor (Requirement 11.3), and internal and external penetration testing at least annually and after any significant change (Requirement 11.4). Scans find known weaknesses; the penetration test shows whether those weaknesses can actually be chained into access to the cardholder data environment, and it must also confirm that any network segmentation used to reduce scope holds.
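Two checks a merchant can run on its own scan history before the QSA asks, written here as an added example (not code from the page, from Strac, or from any ASV tool): first, grade a scan the way the ASV Program Guide does, where any vulnerability with a CVSS base score of 4.0 or higher fails the whole scan; second, confirm the cadence behind Requirement 11.3.2, a passing external scan at least once every three months. The 90-day maximum gap, the host names, the findings, and the dates are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# ASV Program Guide rule: any vulnerability with a CVSS base score of 4.0 or
# higher (medium severity and up) causes the whole scan to fail.
ASV_FAIL_CVSS = 4.0
# PCI DSS 11.3.2 requires a passing external scan at least once every three
# months; this example assumes a 90-day maximum gap between passing scans.
MAX_GAP = timedelta(days=90)


@dataclass
class Vuln:
    host: str
    title: str
    cvss: float


@dataclass
class Scan:
    scan_date: date
    vulns: list = field(default_factory=list)


def make_scan(iso_day, vulns=()):
    """Build a Scan from an ISO date string and (host, title, cvss) tuples."""
    return Scan(date.fromisoformat(iso_day), [Vuln(*v) for v in vulns])


def grade_scan(scan):
    """Return ('pass' or 'fail', the vulnerabilities that caused a failure)."""
    failing = [v for v in scan.vulns if v.cvss >= ASV_FAIL_CVSS]
    return ("fail" if failing else "pass"), failing


def quarterly_status(scans, as_of_iso):
    """Check the passing-scan cadence over the 12 months ending at as_of."""
    as_of = date.fromisoformat(as_of_iso)
    window_start = as_of - timedelta(days=365)
    passes = sorted(s.scan_date for s in scans
                    if grade_scan(s)[0] == "pass" and s.scan_date >= window_start)
    # Measure the gap between consecutive passes, and from the last pass to today.
    gaps = []
    for earlier, later in zip(passes, passes[1:] + [as_of]):
        if later - earlier > MAX_GAP:
            gaps.append((earlier.isoformat(), later.isoformat()))
    return {
        "passing_scans": [d.isoformat() for d in passes],
        "gaps_over_90_days": gaps,
        "four_consecutive_passes": len(passes) >= 4 and not gaps,
    }


# Constructed sample history: the April scan failed on TLS 1.0, and the
# passing rescan came ten days later, stretching the gap past 90 days.
SAMPLE_SCANS = [
    make_scan("2025-01-15"),
    make_scan("2025-04-10", [("shop.example", "TLS 1.0 enabled", 5.3),
                              ("shop.example", "HTTP TRACE method enabled", 3.1)]),
    make_scan("2025-04-20", [("shop.example", "HTTP TRACE method enabled", 3.1)]),
    make_scan("2025-07-15"),
    make_scan("2025-10-10"),
]

if __name__ == "__main__":
    for s in SAMPLE_SCANS:
        verdict, why = grade_scan(s)
        print(s.scan_date, verdict, [f"{v.host}: {v.title} ({v.cvss})" for v in why])
    print(quarterly_status(SAMPLE_SCANS, "2025-12-01"))
```

The sample history illustrates the failure mode practitioners hit most often: the scans were "quarterly", but a failed scan plus a late rescan left a 95-day hole, so the year does not show four consecutive passes. Note too that scanning on the same calendar day each quarter can itself exceed 90 days (15 April to 15 July is 91 days), so schedule scans a week or two early and keep the rescan window short.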
Step 4: Work with a Qualified Security Assessor (QSA)
A QSA is a security firm certified by the PCI SSC to perform on-site assessments of an organization's compliance with PCI DSS. A QSA evaluates the organization's security controls, advises on how to close gaps, and produces a final Report on Compliance detailing findings and recommendations. When choosing a QSA, consider their experience with environments like yours, their qualifications, costs, and references. Working with a QSA goes fastest when you are prepared, responsive, and cooperative: have scope diagrams, data-flow diagrams, and the previous year's evidence ready before kickoff.
Step 5: Submit Your Official PCI Compliance Reporting
Depending on your merchant level and the card brands' rules, you submit either a Self-Assessment Questionnaire or a QSA-produced Report on Compliance, each with a signed Attestation of Compliance, to your acquiring bank. Failure to comply can lead to penalties ranging from USD 5,000 to USD 100,000 a month, along with the risk of losing your merchant account.
Other PCI Testing and Maintenance Chores to Perform
Daily virus scanning software operations
External penetration tests at least annually and after any significant change (many merchants run them every three to six months)
Documenting firewall policies, security measures, and operational protocols
Keeping a detailed inventory of all hardware and software
Regularly reviewing all areas where cardholder data passes
Conducting annual or bi-annual employee security training
Keeping cryptography current: retiring deprecated protocols and ciphers (for example SSL and early TLS) and rotating keys on schedule
Keeping detailed logs of actions by users with administrative access
Regularly updating lists of third-party service providers
Preparing for data breaches with a ready-to-activate response plan
Automation through PCI compliance tools can help by tracking sensitive data more efficiently and accurately.
What are the Costs of PCI Compliance as per Business Size?
The financial burden of PCI compliance varies based on several factors, including the payment processor and company size.
1. Level 1 companies: These companies handle over 6 million transactions annually and must have a QSA produce an annual ROC. The assessment alone starts at around USD 10,000 for small, well-scoped environments and can exceed USD 100,000 for complex ones.
2. Level 4 companies: These businesses handle fewer than 20,000 e-commerce transactions annually (or up to 1 million across all channels), so they self-assess and generally do not need a QSA, which reduces compliance costs significantly.
Overall, PCI compliance can cost as little as USD 1,000 for smaller companies with simple payment flows to USD 50,000 or more for larger companies. Factors influencing this cost include:
The frequency and depth of required audits and assessments
The sophistication of the security technologies employed
The need for specialized consultant services
How much of the environment is in scope: keeping cardholder data off your own systems (for example with a hosted payment page or tokenization) shrinks what must be assessed
To maintain and verify PCI compliance, constant efforts are required, including routine testing, documentation, and updates to security measures. Leveraging automation through PCI-compliant tools can help businesses handle these tasks more effectively, potentially reducing the complexity and cost of maintaining compliance.
✨ How Strac Powers the PCI Compliance Test Continuously
1. Continuous Data Loss Prevention for Cardholder Data
Strac offers robust DLP capabilities that continuously monitor for unauthorized data access or movements, which is crucial for meeting PCI DSS standards. This immediate detection facilitates swift incident response and provides essential data for compliance audits.
2. Protection of stored cardholder data
Strac scans a business's digital infrastructure to locate stored cardholder data and to flag any sensitive authentication data (full track data, card verification codes, PINs), which PCI DSS does not permit to be retained after authorization. By applying encryption and access controls to the cardholder data that legitimately remains, Strac reduces the risk of a breach.
3. Seamless integration with multiple platforms
Strac is compatible with SaaS, cloud, and endpoint environments such as Zendesk, Slack, and Office 365, providing coverage against data theft across business operations. This integration allows detection, masking, and redaction of sensitive data in emails and messages before it spreads through systems that should never hold card data.
4. Detailed access controls
Strac implements stringent access controls that limit data accessibility to authorized personnel only. It logs each access attempt, providing an auditable trail that supports compliance efforts and consistent protection of cardholder data.
5. Real-time compliance reporting
Strac's DLP solution includes a feature for real-time compliance reporting. This feature automatically generates reports detailing compliance status, highlighting vulnerabilities, and documenting any incidents that occur. It simplifies the audit process and helps businesses demonstrate their compliance with PCI DSS requirements at any time, making audits less stressful and more predictable.
Strac not only supports PCI DSS compliance but also elevates overall data security for businesses. Schedule a demo to learn more about PCI DSS testing and maintenance.
🌶️ Spicy FAQs for PCI Compliance Test
What is a PCI compliance test?
A PCI compliance test is the structured assessment that proves a business handling payment card data meets the Payment Card Industry Data Security Standard (PCI DSS v4.0.1). It is not a single event — it is a combination of an annual Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC), quarterly Approved Scanning Vendor (ASV) external vulnerability scans, at least annual internal penetration testing, and continuous evidence of the 12 PCI DSS requirements in operation.
How often do I need to run a PCI compliance test?
The reporting cadence is annual, but the underlying testing is more frequent: ASV external scans are quarterly, internal vulnerability scans are quarterly, penetration testing is at least annual (and after any significant infrastructure change), and continuous monitoring (logging, file integrity, IDS/IPS) is — by definition — continuous. A PCI compliance test that only happens once a year is, in practice, a failed control.
Can I self-test for PCI compliance, or do I need a QSA?
It depends on merchant level. Level 1 merchants (over 6 million transactions annually) must use a Qualified Security Assessor (QSA) to produce a Report on Compliance. Levels 2, 3, and 4 can self-attest via the appropriate Self-Assessment Questionnaire — but Level 2 merchants frequently engage a QSA anyway because acquiring banks often require it. ASV scans are never self-performed at any level: they must come from a PCI-listed Approved Scanning Vendor.
What is the difference between an SAQ and a ROC?
The Self-Assessment Questionnaire (SAQ) is a merchant-completed checklist for Levels 2–4. There are nine merchant SAQ variants (A, A-EP, B, B-IP, C, C-VT, D, P2PE, and, new in v4.0, SPoC); the right one depends on how the merchant accepts payments, for example SAQ A for fully outsourced e-commerce using a hosted payment page and SAQ D when cardholder data touches your own systems. The Report on Compliance (ROC) is a much deeper, QSA-produced document required for Level 1, with detailed evidence recorded against every requirement. Both feed into a final Attestation of Compliance (AOC) submitted to acquiring banks and card brands.
How long does a PCI compliance test take?
For a Level 1 ROC, the engagement runs 6–12 weeks from kickoff to final report, plus 4–8 weeks of remediation if findings come back. For an SAQ-D at a mid-market company, expect 2–6 weeks of evidence collection. The single biggest time sink is not the testing itself — it is gathering and proving the continuous controls (logs, scans, access reviews) the QSA wants to see.
What does a PCI compliance test cost?
QSA fees for a Level 1 ROC typically run USD 30,000–150,000+ depending on environment scope. Level 2 engagements run USD 10,000–30,000. SAQ-based attestation (Levels 3–4) can be done in-house but the all-in cost — QSA fees if engaged, ASV scans, penetration testing, remediation tooling, internal labor — lands between USD 5,000 and USD 50,000 for most mid-market merchants.
What is the difference between PCI compliance testing and PCI penetration testing?
Penetration testing is one component of a PCI compliance test, not a synonym. PCI DSS Requirement 11.4 specifically mandates penetration testing at least annually and after any significant change. The full compliance test is broader: it also includes vulnerability scanning, configuration review, access control validation, log review, and policy and procedure evidence. Companies that confuse the two end up with a clean pen test report and a failed SAQ.
What happens if I fail a PCI compliance test?
Card brands and acquiring banks can levy fines of USD 5,000 to USD 100,000 per month until remediation, escalate the merchant to a stricter reporting level (a breached merchant is typically moved to Level 1, regardless of volume), suspend card processing privileges entirely, or revoke the merchant account. The harder cost is post-breach: forensic investigation by a PCI Forensic Investigator, card replacement fees, fraud reimbursement, and litigation. Verizon's Payment Security Report series has repeatedly found that breached organizations were not maintaining full compliance at the time of the breach, even where they had passed an earlier assessment: point-in-time compliance is not the same as a real control.
How does Strac help with the PCI compliance test?
Strac sits on the data layer and produces the evidence a PCI compliance test asks for: continuous discovery of cardholder data across SaaS, cloud, endpoint, email, and browser surfaces (Requirements 3.x); real-time redaction of card numbers before they leak into ChatGPT, Slack, support tickets, or shared drives (Requirements 3.3 and 4.x); access controls and audit logging mapped per requirement (Requirements 7, 8, 10); and on-demand evidence export for the QSA. The full evaluation guide is in the PCI DSS Compliance Software breakdown.
Discover & Protect Data on SaaS, Cloud, Generative AI
Strac provides end-to-end data loss prevention for all SaaS and Cloud apps. Integrate in under 10 minutes and experience the benefits of live DLP scanning, live redaction, and a fortified SaaS environment.