
What Is PCI DSS and How Can Organizations Best Maintain Compliance?

Learn what PCI DSS is and how it can help organizations maintain compliance to better protect themselves and their customers’ data.
This information is not legal advice and should not be interpreted as such. Consult with your own legal counsel to determine your regulatory obligations and assess the effectiveness of your compliance programs. Arctic Wolf products and services are not compliance solutions but are tools that can support your compliance programs.

The world is going cashless. The Federal Reserve reported that cash was used in just 16% of all U.S. transactions in 2024, and that number is expected to continue to decline. The widespread use of credit and debit cards, plus the rise of digital wallets and contactless payments, have reshaped the financial landscape, increasing flexibility as well as financial protection. However, this shift has also increased the level of fraud.

Personally identifiable information (PII) — any data that can be used to uncover a person’s identity — is among the most frequent targets of cyber attacks. Cardholder data, including account numbers, PINs, expiration dates, and account holder names and addresses, is highly valuable PII to bad actors. Threat actors like ransomware gangs love to hold such data hostage, often releasing it to the dark web to further financial fraud. Any organization that holds such data is at risk of a data breach, including retail, technology, business and, of course, financial services.

To assist organizations in implementing best practices to combat this growing threat and protect cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) was created.

So, what is PCI DSS, how does it help to ensure cardholder data security, and how can organizations maintain compliance to better protect themselves and their customers’ data?

What Is PCI DSS?

Created in 2004, PCI DSS is a set of industry guidelines designed to ensure the protection of cardholder data.

It is overseen by the PCI Security Standards Council (SSC), which is run by the five largest credit card companies — American Express, Discover Financial Services, JCB International, Mastercard, and Visa. This council regularly evaluates and updates the regulations, with the most recent version (v4.0) released in March of 2022 to address emerging threats and technologies and enable innovative methods to combat new threats.

While PCI DSS is not federal law, the major credit card companies do require compliance by their vendors, as well as anyone who stores, processes, or transmits cardholder data. Since its inception, some states — like Nevada, Minnesota, and Washington — have adopted PCI DSS language into their laws.

In addition, compliance and security go hand in hand, as maintaining compliance automatically means your organization has certain security controls and procedures in place to protect against cyber threats.

Why Does PCI DSS Matter?

Non-compliance increases both breach risks and costs. In 2024, over 1.7 billion people had their PII leaked or stolen due to a data breach. That’s an increase of over 300% from 2023. These breaches proved incredibly costly for victims, with the Federal Trade Commission reporting $12.5B (USD) in losses due to fraud.

But the victims of a data breach are not the only ones faced with high costs after a successful data breach. According to IBM, the average cost of a data breach climbed 10% year over year to $4.88M (USD), with the payment of regulatory fines for non-compliance being a major contributing factor to the increase.

Card brands may impose fines ranging from $50 to $90 per compromised payment card. For breaches involving thousands or millions of records, this can quickly escalate to millions of dollars in penalties, never mind other costs.

Even without a breach, failing to maintain PCI DSS compliance can result in monthly fines from acquiring banks (which process transactions for merchants) or card brands:

  • $5,000 – $10,000 per month during early stages of non-compliance
  • $25,000 – $50,000 per month if non-compliance persists for 4 to 6 months
  • $50,000 – $100,000 per month for longer periods of non-compliance

Following a compliance framework like PCI DSS not only provides a strong foundation for a data security program, but it can also foster cost savings for your organization, particularly by adhering to security best practices that can help avoid an expensive card data breach.

The Four PCI Compliance Levels

The PCI DSS divides merchants into four compliance levels, determined primarily by annual transaction volume per card brand, and includes separate thresholds for service providers. Understanding your level is essential, as it determines the type of assessment, reporting requirements, and validation process needed for compliance.

Level 1: Highest Volume and Risk
Merchants that process more than six million transactions annually per card brand (e.g., Visa, Mastercard, American Express), or any merchant that’s suffered a breach or is otherwise classified as high-risk by a card brand.

Requirements:

  • Annual on-site audit by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). These are independent security organizations or internal employees who have been qualified by the PCI Security Standards Council to validate an organization’s adherence to PCI DSS.
  • Report on Compliance (ROC), which “provides details about the entity’s environment and assessment methodology, and documents the entity’s compliance status for each PCI DSS Requirement.”
  • Attestation of Compliance (AOC), which is “a declaration of the merchant’s compliance status with the Payment Card Industry Data Security Standard.”
  • Quarterly vulnerability scans by an Approved Scanning Vendor (ASV), “an organization with a set of security services and tools (“ASV scan solution”) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS.”
  • Annual penetration testing.

Level 1 organizations must demonstrate strong security governance and continuous monitoring due to their large attack surface and high volume of annual transactions.

Level 2: Mid- to Large-Sized Merchants

Merchants handling from one million to six million transactions per year, per card brand.

Requirements:

  • Self-Assessment Questionnaire (SAQ) annually
  • AOC submission
  • Quarterly ASV scans
  • Penetration testing is recommended (and sometimes required by acquirers)

While Level 2 organizations aren’t required to undergo a full audit, card brands or acquiring banks may still request one based on perceived risk or past cyber incidents.

Level 3: Small Businesses Focused on E-Commerce
Merchants conducting 20,000 to 1 million e-commerce transactions annually.

Requirements:

  • Annual SAQ and AOC
  • Quarterly ASV scans
  • Penetration testing recommended (depending on payment environment)

Because Level 3 merchants often use hosted e-commerce platforms or third-party gateways, vendor PCI compliance becomes a critical factor in risk reduction.

Level 4: Low-Volume or Small Brick-and-Mortar Merchants
Merchants who process fewer than 20,000 e-commerce transactions, or up to 1 million in-person card transactions annually.

Requirements:

  • SAQ and possibly ASV scans (if cardholder data flows through an IP-based system)
  • Penetration testing is not required, but security hygiene is essential

While formal enforcement is lighter at this level, small merchants are frequent targets of cyber attacks due to often weaker security controls and immature security postures.

The Six Goals of the PCI Data Security Standard

At its core, PCI DSS is organized around six primary goals, each supported by specific requirements that define the actions businesses must take to secure cardholder information:

Build and Maintain a Secure Network
This goal focuses on keeping unauthorized individuals out of systems that store or process payment data via two major requirements.

Requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
This goal recognizes that protecting cardholder data, both while at rest and in transit, is crucial for minimizing exposure if a system is compromised.

Requirements:
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Staying ahead of known threats is key to maintaining a secure environment, as the majority of external attacks leverage known, existing vulnerabilities for which a patch exists.

Requirements:
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Limiting access to only those who need it reduces the chance of internal misuse or accidental exposure.

Requirements:
7. Restrict access to cardholder data by business need-to-know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Constant oversight helps organizations detect anomalies and respond before significant damage occurs.

Requirements:
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes

Maintain an Information Security Policy
A strong security posture starts with clear policies and informed personnel.

Requirements:
12. Maintain a policy that addresses information security for all personnel

By following these six principles and accomplishing their supporting requirements, organizations can significantly reduce the risk of data breaches and foster greater trust in their payment systems.

A Checklist for the 12 PCI DSS Requirements

As shown above, there are 12 specific requirements for achieving compliance, each aligning with one of the six core principles of the PCI Data Security Standard. However, accomplishing these requirements can be difficult for stretched IT and security teams. Here, in this PCI DSS checklist, we examine the requirements in more detail and offer advice on accomplishing them to gain compliance with PCI DSS.

Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

It would be difficult to find a risk assessment that didn’t recommend firewalls. Hardware, software, and web application firewalls should all be investigated to assess the right approach. In addition, the firewall must be set up and configured properly as well as regularly maintained. This last element is critically important — if the firewall is not configured properly and tended to regularly, the network can be compromised.

Best practices:

  • Set up virtual private networks (VPNs) for remote access
  • Set inbound/outbound rules to decide what traffic comes in and out of your network
  • Segment different networks with switch ports (e.g., Internet, office, EMR)
  • Set security settings for each switch port, particularly if you’re using segmentation

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

Default credentials are widely known and frequently exploited by attackers, making them a significant security risk. To comply with PCI DSS Requirement 2, organizations must ensure that all systems are hardened by changing default usernames, disabling unnecessary services, and applying secure configurations during setup.

Best practices:

  • Maintain an up-to-date list of all network-connected devices (e.g., routers, firewalls, servers, POS terminals)
  • Replace factory-set usernames and passwords on all devices and applications during initial setup
  • Disable or delete default user accounts if not needed
  • Use industry-standard hardening guides (e.g., CIS Benchmarks, NIST) to create secure configurations for each system type
  • Disable unused ports, services, and protocols
  • Train IT staff on secure setup procedures

Requirement 3: Protect Stored Cardholder Data

Data encryption provides an additional layer of security for sensitive information if threat actors successfully access your organization’s systems. This makes the data much more difficult to steal, hold for ransom, or use in committing fraud.

Best practices:

  • Employ algorithms approved by industry standards (e.g., AES-256, RSA-2048) and ensure encryption methods meet NIST and FIPS 140-2 standards.
  • Render PANs unreadable through truncation, tokenization, hashing, or encryption, depending on the use case.
  • Store cardholder data only if absolutely necessary, for the shortest time possible, and implement automated data purging for expired or unnecessary records
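The three techniques the list above names for rendering a stored PAN unreadable (truncation, keyed hashing, tokenization), shown side by side as an added example that is not code from the original article; the hash key, the token prefix and the card numbers used in testing are constructed values.

```python
"""Added example (not from the original article): three ways the checklist above
lists for rendering a stored PAN unreadable: truncation, keyed hashing, and
tokenization. HASH_KEY and the "tok_" prefix are constructed placeholders."""
import hashlib
import hmac
import re
import secrets

# Constructed placeholder key. In production this lives in an HSM or key
# management service, never in source, and is rotated under your key-management policy.
HASH_KEY = bytes(range(32))

PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: rejects mistyped or malformed numbers before they are stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the BIN (first six) and last four digits; replace the rest with '*'.
    Truncation is irreversible, so the stored value is no longer a PAN."""
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA-256) of the whole PAN. A plain SHA-256 is not enough:
    the PAN space is small enough to enumerate, which is why PCI DSS v4.0
    (Requirement 3.5.1.1) calls for keyed cryptographic hashes."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Minimal tokenization: a random token stands in for the PAN everywhere else;
    only the vault (which itself sits inside the CDE) can map it back."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.fullmatch(pan):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._token_by_pan:  # the same PAN always maps to the same token
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(12)  # random, not derived from the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]
```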

Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

Financial organizations must ensure secure transmission of cardholder data across open networks and meet PCI DSS v4.0’s rigorous expectations for data-in-transit protection.

Best practices:

  • Use strong cryptographic protocols such as Transport Layer Security (TLS) version 1.2 or higher, with 1.3 preferred
  • Disable insecure protocols (e.g., SSL, TLS 1.0/1.1, FTP, Telnet) on all systems transmitting cardholder data
  • Apply end-to-end encryption whenever possible to prevent data from being exposed at intermediate systems or network hops
  • Use secure key exchange methods to protect session keys from interception and ensure keys are generated for each session, rather than reused
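A small check for the first two bullets above, written as an added example rather than anything from the original article: it reads the `ssl_protocols` directive from an nginx-style configuration and flags the legacy protocols (SSL, TLS 1.0/1.1) that should be disabled, with a weak and a corrected snippet as constructed samples.

```python
"""Added example, not from the original article: lint the `ssl_protocols`
directive of an nginx-style TLS configuration against the checklist above.
WEAK_CONF and HARDENED_CONF are constructed samples."""
import re

# Protocol tokens as nginx spells them. Only TLSv1.2 and TLSv1.3 are acceptable.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALLOWED = {"TLSv1.2", "TLSv1.3"}

# Weak setting: TLS 1.0 and 1.1 still negotiable, TLS 1.3 absent.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Corrected setting: only TLS 1.2 and 1.3.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""


def enabled_protocols(conf: str) -> set:
    """Every protocol named in any ssl_protocols directive in the file.
    nginx lets a more specific block override the directive, so all are collected."""
    found = set()
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", conf, re.MULTILINE):
        found.update(m.group(1).split())
    return found


def check_tls_config(conf: str) -> list:
    """Return a list of findings; an empty list means the directive is acceptable."""
    protos = enabled_protocols(conf)
    if not protos:
        return ["no ssl_protocols directive; set it explicitly instead of relying on build defaults"]
    findings = []
    legacy = sorted(protos & LEGACY)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    unknown = sorted(protos - LEGACY - ALLOWED)
    if unknown:
        findings.append("unrecognized protocol tokens: " + ", ".join(unknown))
    if "TLSv1.3" not in protos:
        findings.append("TLS 1.3 not enabled (preferred by the checklist)")
    return findings
```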

Requirement 5: Protect All Systems Against Malware and Regularly Update Antivirus Software or Programs

Antimalware tools must be deployed on all systems that are vulnerable to viruses or malicious code. These tools must be kept up to date and configured for automatic scanning.

Best practices:

  • Install antimalware software on all endpoints (e.g., desktops, laptops, IoT devices), servers, email gateways, and anything that interacts with or sits at the edge of the perimeter.
  • Configure malware protection tools to update signatures daily (at minimum) and enable real-time scanning for files, emails, and web activity to detect threats as they appear.

Requirement 6: Develop and Maintain Secure Systems and Applications

Organizations must develop and maintain secure systems and applications through a combination of technical controls and secure development practices.

Best practices:

  • All system components must be patched regularly, with critical security updates applied within a defined timeframe
  • Organizations should track emerging threats, subscribe to vendor security bulletins, and test all changes before deployment
  • Web applications must be protected against common attacks such as SQL injection and cross-site scripting

Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know

Access should be based on the principle of “need to know,” meaning users are granted only the minimum level of permissions and access to data necessary to carry out their job duties. In cybersecurity, this is more commonly known as the principle of least privilege (PoLP).

Best practices:

  • Implement role-based access control (RBAC) to define roles based on job functions and responsibilities and assign access permissions strictly aligned with those roles
  • Grant users the minimum level of access required to perform their duties and regularly review user access to ensure it remains appropriate
  • Use identity and access management (IAM) solutions to manage roles and permissions centrally as well as automate the provisioning and de-provisioning of access rights

Requirement 8: Identify and Authenticate Access to System Components

Ensure users are uniquely identified and authenticated before accessing systems to significantly reduce the risk of unauthorized access to systems that store, process, or transmit cardholder data.

Best practices:

  • Ensure every individual user has a unique user ID
  • Require multi-factor authentication (MFA) for all administrative access and remote access to the Cardholder Data Environment (CDE)
  • Enforce strong password hygiene
  • Automatically disable user accounts after 90 days of inactivity

Requirement 9: Restrict Physical Access to Cardholder Data

Control who can physically access devices or locations where card data is stored or processed, using badges, locks, or surveillance.

Best practices:

  • Employ physical access controls like badge readers, keycards, biometric scanners, or PIN pads for secure entry.
  • Train users to prevent and report physical attacks like tailgating
  • Maintain a visitor management program that requires visitors to sign in and present ID, and ensures visitors are escorted at all times in areas where cardholder data is stored

Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

Create comprehensive logs of access to systems and cardholder data. These logs must be protected, retained, and reviewed regularly.

Best practices:

  • Collect logs from servers, firewalls, databases, payment systems, and applications that store, process, or transmit cardholder data
  • Centralize logs for aggregation and analysis
  • Ensure logs capture critical information, including user ID, date and time, type of event, system component affected, success or failure of the event, and origination of the access attempt
  • Retain at least one year of audit logs, with the most recent three months immediately available for analysis.
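An added example (not code from the original article) that checks constructed audit-log records for the six fields listed in the Requirement 10 bullets above, and reuses the same records to find user IDs with no activity in 90 days, the inactivity threshold given under Requirement 8; the JSON field names, host names and addresses are assumptions made for the sample.

```python
"""Added example, not from the original article: validate constructed audit-log
records against the fields the Requirement 10 checklist lists, then reuse them to
find user IDs idle for 90 days (Requirement 8). Field names are assumptions."""
import json
from datetime import datetime, timedelta, timezone

# One key per field the article says every audit record must capture.
REQUIRED_FIELDS = ("user_id", "timestamp", "event_type", "component", "outcome", "origin")

# Constructed JSON Lines sample; record 3 is deliberately missing its origin.
SAMPLE_LOG = """\
{"user_id": "alice", "timestamp": "2025-06-01T09:12:03Z", "event_type": "login", "component": "pos-gw-01", "outcome": "success", "origin": "10.1.2.3"}
{"user_id": "bob", "timestamp": "2025-02-10T17:40:11Z", "event_type": "db_query", "component": "cde-db-02", "outcome": "success", "origin": "10.1.2.9"}
{"user_id": "carol", "timestamp": "2025-06-02T11:05:44Z", "event_type": "login", "component": "pos-gw-01", "outcome": "failure"}
{"user_id": "alice", "timestamp": "2025-06-03T08:00:00Z", "event_type": "config_change", "component": "fw-edge-01", "outcome": "success", "origin": "10.1.2.3"}
"""

# Review date for the inactivity check (constructed).
AS_OF = datetime(2025, 6, 10, tzinfo=timezone.utc)


def parse_log(text: str) -> list:
    """Parse JSON Lines; an unparseable line becomes a record that only notes its line number,
    so it is still reported as incomplete rather than silently dropped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            records.append({"_parse_error": lineno})
    return records


def find_incomplete(records: list) -> list:
    """(record number, missing fields) for every record lacking a required field."""
    problems = []
    for n, rec in enumerate(records, 1):
        missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
        if missing:
            problems.append((n, missing))
    return problems


def inactive_users(records: list, now: datetime = AS_OF, days: int = 90) -> list:
    """User IDs whose latest logged activity is older than `days`. Accounts that never
    appear in the log at all must be caught from the identity store, not from here."""
    last_seen = {}
    for rec in records:
        uid, ts = rec.get("user_id"), rec.get("timestamp")
        if not uid or not ts:
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if uid not in last_seen or when > last_seen[uid]:
            last_seen[uid] = when
    cutoff = now - timedelta(days=days)
    return sorted(uid for uid, when in last_seen.items() if when < cutoff)
```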

Requirement 11: Regularly Test Security Systems and Processes

Conduct regular security testing — including vulnerability scans, penetration tests, and file integrity monitoring — to verify that defenses remain effective.

Best practices:

  • Perform internal and external vulnerability scans using Approved Scanning Vendors (ASVs)
  • Address and resolve any high-risk vulnerabilities before marking scans as complete
  • Conduct both internal and external penetration tests annually and after significant changes (e.g., new systems, network changes)

Requirement 12: Maintain a Policy That Addresses Information Security for All Personnel

Create a formalized security policy that outlines responsibilities, risk assessments, employee training, and incident response procedures. This helps create a security-conscious culture across the organization.

Best practices:

  • Establish a formal information security policy that outlines the organization’s security objectives, responsibilities, and expectations
  • Review and update the policy annually or after significant changes
  • Designate personnel (e.g., CISO, security team) responsible for developing, implementing, and enforcing security policies and clearly define responsibilities regarding data protection, access control, and incident response
  • Train all employees — especially those with access to cardholder data — on security best practices and PCI DSS requirements, then reinforce that training with frequent, relevant, and engaging content based on the latest threats and attack methods.

How Arctic Wolf Helps with PCI DSS Requirements

While compliance requirements are beneficial for business and security operations, they are not always easy to implement. Headcount, budget, and current business goals all impact how compliance requirements are reached. Unfortunately, many organizations treat compliance as a single point-in-time task, not a part of their overall, ongoing security journey, which weakens the protections those requirements can provide.

An external security operations partner like Arctic Wolf can support compliance programs for organizations of all sizes through security solutions that align with frameworks like PCI DSS. Here’s how:

  • Monitor access to cardholder data on-premises and in the cloud
  • Tackle cybersecurity threats and risks posed to data
  • Perform continuous vulnerability scanning of internal and external networks, and endpoints
  • Expose the lack of secure configuration policies via scans
  • Identify and prioritize vulnerabilities based on threat exposure, assets, and severity
  • Automatically detect and scan new devices
  • Create, assign, track, and verify remediation tasks
  • Demonstrate compliance and communicate progress with reports, analytics, and live dashboards from the Arctic Wolf Concierge Security® Team

Learn more about how Arctic Wolf helps organizations achieve compliance with PCI DSS as well as other regulatory frameworks.
Take a deep dive into the various information security and data protection requirements with our Cybersecurity Compliance Guide.
