What is PCI DSS Compliance?
If your business stores, processes, or transmits payment card data, you must comply with PCI DSS. This is not optional: PCI DSS compliance is contractually mandated by the card brands (Visa, Mastercard, American Express, Discover, JCB) through your acquiring bank agreements, and it applies to every entity that handles cardholder data — regardless of size or transaction volume. In Saudi Arabia the obligation runs deeper still: SAMA (the Saudi Central Bank) mandates PCI DSS compliance for banks and licensed payment service providers as part of its regulatory framework for the payments sector.
PCI stands for Payment Card Industry. The PCI DSS (Payment Card Industry Data Security Standard) is developed and maintained by the PCI Security Standards Council, founded by the major card brands, and provides a unified baseline for protecting cardholder data and combating payment fraud.
The current version of the standard is PCI DSS v4.0.1, published in June 2024. It superseded v3.2.1, which was retired on 31 March 2024, and its future-dated requirements — initially designated best practice — became mandatory on 31 March 2025. Any assessment conducted today must be performed against v4.x; there is no valid path to compliance under the retired standard.
What Changed in PCI DSS v4.x
Version 4 is the most significant revision of the standard in a decade. Three shifts matter most for organizations in Saudi Arabia:
- The Defined and Customized Approaches — v4.x lets organizations meet each requirement either the traditional way (the Defined Approach, implementing the control exactly as written) or via the Customized Approach, designing an alternative control that meets the requirement’s stated objective, backed by a documented targeted risk analysis and assessor testing. Mature security organizations gain flexibility; everyone else gains clarity on intent.
- Continuous compliance over point-in-time — new requirements around targeted risk analyses, expanded roles-and-responsibilities documentation, and periodic scoping reviews push compliance from an annual event to an ongoing program.
- Stronger technical baselines — multi-factor authentication for all access to the cardholder data environment, tighter password rules, automated log review, anti-phishing controls, and payment-page script management, among others.
PCI Compliance Levels
There are four merchant levels. A business is assigned a level based on the number of annual transactions it processes; thresholds vary slightly between card brands:
- Level 1 — over 6 million transactions annually, or any business that has experienced a breach.
- Level 2 — between 1 and 6 million transactions.
- Level 3 — between 20,000 and 1 million e-commerce transactions.
- Level 4 — fewer than 20,000 e-commerce transactions, or up to 1 million total transactions.
Every level must fully comply with all applicable PCI DSS requirements. What varies by level is the validation instrument, not the obligation. Level 1 businesses must undergo an annual onsite assessment conducted by a Qualified Security Assessor (QSA) or a PCI SSC-certified Internal Security Assessor (ISA), producing a Report on Compliance (ROC), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Levels 2–4 validate annually through the appropriate Self-Assessment Questionnaire (SAQ) and, where applicable, quarterly ASV scans — and Mastercard additionally requires Level 2 merchants to have their assessment completed by a QSA or by ISA-certified internal staff.
The 12 Requirements of PCI DSS v4.0.1
To achieve compliance you must meet the 12 PCI DSS requirements, which break down into hundreds of detailed sub-requirements spanning technology, process, testing, and policy. The v4.0.1 requirements are:
- Install and maintain network security controls — firewalls and modern network security technologies that protect the cardholder data environment.
- Apply secure configurations to all system components — harden systems and eliminate vendor defaults and unnecessary services.
- Protect stored account data — minimize storage, render account data unreadable, and never store sensitive authentication data after authorization.
- Protect cardholder data with strong cryptography during transmission over open, public networks — encrypt card data in transit end to end.
- Protect all systems and networks from malicious software — deploy and maintain anti-malware, including anti-phishing controls.
- Develop and maintain secure systems and software — secure development practices, vulnerability management, and timely patching.
- Restrict access to system components and cardholder data by business need to know — least-privilege access to sensitive data.
- Identify users and authenticate access to system components — unique IDs, strong authentication, and multi-factor authentication for access to the cardholder data environment.
- Restrict physical access to cardholder data — control facilities, media, and devices that touch card data.
- Log and monitor all access to system components and cardholder data — audit trails that support detection and breach investigation.
- Test security of systems and networks regularly — vulnerability scanning, penetration testing, and change detection.
- Support information security with organizational policies and programs — governance, awareness, incident response, and third-party management.
PCI DSS Compliance Checklist
Follow this process to bring your organization into compliance:
- Determine your PCI level — establish annual transaction volumes per card brand and confirm your level with your acquirer.
- Map the flow of cardholder data — document every application, system, network segment, third party, and person that stores, processes, or transmits card data. Accurate scoping is the single biggest determinant of assessment cost and effort.
- Choose your approach per requirement — apply the Defined Approach by default; where your environment justifies it, use the Customized Approach with a documented targeted risk analysis.
- Complete the appropriate validation instrument — the correct SAQ type for your channel and level, or a QSA/ISA-led assessment producing a ROC for Level 1.
- Complete the Attestation of Compliance (AOC) — the formal attestation, signed by the merchant or service provider (and the QSA, where one performed the assessment), that accompanies your SAQ or ROC.
- Conduct quarterly ASV scans — external vulnerability scans by a PCI SSC Approved Scanning Vendor, where required by your SAQ type or level.
- Submit your evidence — provide the AOC, SAQ or ROC, and ASV scan reports to your acquirer and card brands as required.
- Maintain compliance continuously — v4.x expects compliance as business-as-usual: monitor controls, review scope after changes, and keep targeted risk analyses current throughout the year.
How PCI DSS Compliance is Validated
A point that trips up many organizations: the PCI Security Standards Council does not issue certificates, and there is no such thing as “PCI certification.” The PCI SSC has explicitly warned that compliance certificates sold by some vendors are not recognized and should not be trusted as proof of compliance. The only recognized evidence of PCI DSS compliance is the official validation documentation:
- Self-Assessment Questionnaire (SAQ) + AOC — for eligible merchants at Levels 2–4 (and some service providers), the appropriate SAQ type is completed annually and attested via the AOC. Mastercard requires Level 2 merchants to involve a QSA or ISA-trained staff in this process.
- Report on Compliance (ROC) + AOC — Level 1 merchants and higher-level service providers must undergo an annual onsite assessment by a QSA or PCI SSC-certified ISA, who tests every applicable requirement and documents the results in a ROC. The accompanying AOC is what acquirers and card brands accept as evidence.
- Quarterly ASV scans — externally facing systems must be scanned quarterly by an Approved Scanning Vendor, with passing scan reports retained as part of the evidence package.
As a Qualified Security Assessor (QSA), GRC360 performs ROC assessments recognized by acquirers and card brands — testing your environment against every applicable v4.0.1 requirement, documenting the results in the official ROC and AOC, and guiding remediation where gaps exist. For organizations validating via SAQ, we scope the correct questionnaire, run readiness gap assessments, and prepare the evidence your acquirer expects.
Benefits of PCI DSS Compliance
Beyond meeting your contractual and regulatory obligations, PCI DSS compliance delivers real advantages:
- Lowers risk — compliant businesses are considerably better positioned to withstand attempted breaches of payment systems.
- Increases customer confidence — customers are more likely to transact, especially online, with businesses that demonstrably invest in payment security.
- Avoids penalties and escalation — non-compliance and breaches expose you to acquirer fines, card-replacement and compensation costs, and — in Saudi Arabia — supervisory consequences from SAMA. A breached business is also escalated to Level 1, with the full QSA-assessed validation burden that entails.
- Aligns with a global baseline — PCI DSS applies the same rigorous standard across the industry worldwide, and its controls map cleanly onto SAMA CSF and other frameworks Saudi organizations already answer to.
