6 Main PCI DSS Compliance Goals and What They Mean for Your Business

6 Main PCI DSS Compliance Goals

Summary: Understanding the six PCI DSS compliance goals is essential for any business processing credit card data. These PCI DSS compliance goals provide a framework for the 12 specific requirements needed to ensure a secure payment environment.

The goals of PCI compliance are:

  1. Building secure networks
  2. Protecting cardholder data
  3. Maintaining vulnerability management programs
  4. Implementing strong access control
  5. Regularly monitoring networks
  6. Maintaining formal security policies

Adhering to these PCI compliance goals helps organizations of all levels mitigate risk and protect against data breaches.

The Payment Card Industry Security Standards Council (PCI SSC) is a collective body that creates industry standards for processing, storing, or transmitting credit card information.

This council maintains the rules for credit card processing, the PCI Data Security Standard (PCI DSS), whose compliance goals are described below.

The PCI DSS ensures that businesses provide a secure method for taking credit card payments. Following these PCI compliance goals keeps your company in line with industry rules and helps prevent data breaches.

With a larger number of employees now working remotely, understanding the goals of PCI compliance and implementing secure payment tools has become more important than ever.

PCI DSS Goals and Requirements

PCI DSS, or Payment Card Industry Data Security Standard, was created in 2004 by the major payment card brands.

PCI compliance means that all payment details, such as credit card numbers and the three-digit CVV, are handled securely.

Anyone who accepts credit card payments is obligated to adhere to the PCI guidelines to some degree. What to know:

  • PCI DSS is a set of goals and requirements for all businesses that process, store, or transmit credit card information, ensuring this is done in a secure environment.

  • It covers all payment card network brands, including American Express, Discover, JCB, MasterCard, and Visa.

A Guide by PDCflow

Credit Card Processing Explained

Learn how credit card payments are processed, which PCI compliance requirements matter most, and how strong audit trails and controls help reduce risk, support regulatory reviews, and protect cardholder data.
Read the guide

What Are the 6 PCI DSS Compliance Goals?

Below are the six PCI DSS Compliance goals. The list includes security management, policies, procedures, network architecture, software design, and other critical protective measures.

Build and Maintain a Secure Network and Systems

Establish and maintain a secure network and system so that credit card payments are processed safely. To achieve this, establish Network Security Controls (NSCs) to protect cardholder data. Note:

  • Security controls apply equally to cloud environments (AWS/Azure).
  • Vendor-supplied default passwords must be changed before any system is installed.

These NSCs must also be effective without causing inconvenience (slow processing times) to cardholders.

Protect Cardholder Data

Protecting stored cardholder data is a central goal of PCI compliance. To comply, any organization that stores this data must protect it against unauthorized access and encrypt it both in transit and at rest.

Companies must also follow the “Never Store” rule, which states that certain Sensitive Authentication Data (SAD) may never be stored. This includes:

  • Full magnetic stripe information
  • CVV/CSV
  • PIN
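One way to enforce the “Never Store” rule before a record reaches a database or log, as an added example that is not PDCflow code: the field names, the regular expressions for magnetic stripe track formats, and the sample record are constructed assumptions.

```python
"""Pre-storage check for the PCI DSS "Never Store" rule: reject Sensitive
Authentication Data (full track data, CVV, PIN) before a record is persisted
or logged. Added example, not PDCflow code; field names and samples are constructed."""
import re

# Field names that commonly carry SAD (assumed names; extend for your own schema).
SAD_FIELDS = {"cvv", "cvv2", "cvc", "csc", "pin", "pin_block", "track1", "track2"}

# Magnetic stripe formats: track 2 is ;PAN=YYMM..., track 1 is %B<PAN>^NAME^YYMM...
TRACK2_RE = re.compile(r";\d{13,19}=\d{4,}\??")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4,}[^?]*\??")

def find_sad(record):
    """Return (field, reason) for every SAD item found in a flat dict."""
    findings = []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS and value not in (None, ""):
            findings.append((key, "named SAD field"))
        elif isinstance(value, str) and TRACK2_RE.search(value):
            findings.append((key, "track 2 data"))
        elif isinstance(value, str) and TRACK1_RE.search(value):
            findings.append((key, "track 1 data"))
    return findings

def scrub_for_storage(record):
    """Drop every flagged field; return (clean_record, findings) so the caller
    can persist the clean copy and alert on the findings."""
    findings = find_sad(record)
    flagged = {field for field, _ in findings}
    return {k: v for k, v in record.items() if k not in flagged}, findings

# Constructed sample: a tokenized PAN is fine to keep; the CVV and the raw
# track 2 string that leaked into a free-text field are not.
SAMPLE = {
    "pan_token": "tok_4f8a21",
    "amount": "42.10",
    "cvv": "123",
    "memo": "swipe dump: ;4111111111111111=25121011234?",
}

if __name__ == "__main__":
    clean, findings = scrub_for_storage(SAMPLE)
    print(clean, findings)
```

The same scan applied to outbound log lines catches the most common way SAD ends up retained: free-text fields and debug output rather than the card fields themselves.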

Maintain a Vulnerability Management Program

PCI compliance requires companies to establish vulnerability management programs to keep information secure. Install anti-malware for all systems that can be affected by malware (Linux, Windows, Mac) to protect against malicious hackers.

  • Companies cannot rely solely on manual human review or employee training to stop phishing attacks.

  • You must deploy technical tools that automatically intercept and neutralize threats before they reach staff.

  • Advanced email filtering, link scrubbing and email authentication protocols can all be used to protect against phishing attempts.

Implement Strong Access Control Measures

Organizations must restrict and control access to any Cardholder Data Environment (CDE). To maintain these access controls:

  • Multi-Factor Authentication (MFA) is now mandatory for ALL access to the Cardholder Data Environment (CDE).

  • Minimum password length is now 12 characters (changed from 7).

  • Cardholder data should not be provided unless it is required for a transaction.

  • Each person who uses a computer in the system must be assigned a unique and confidential identification name or number.

  • Protect physical access to cardholder data as well as data submitted electronically.

Regularly Monitor and Test Networks

In recent years, hackers have used malicious code on websites to steal credit card data from browsers. To combat this issue, merchants must follow two requirements:

  • Requirement 6.4.3 (Script Management): Have total visibility and control over every piece of code (JavaScript) that runs on payment pages.

  • Requirement 11.6.1 (Change and Tamper Detection): Monitor pages for unauthorized modification and alert the right personnel if this happens.
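A minimal script inventory and tamper check in the spirit of Requirements 6.4.3 and 11.6.1, as an added example that is not PDCflow code: it records the external script URLs and inline script hashes of an approved payment page, then reports anything on a live copy that differs. The page HTML and URLs are constructed samples.

```python
"""Payment-page script inventory and tamper check in the spirit of PCI DSS
Requirements 6.4.3 and 11.6.1. Added example, not PDCflow code; samples are constructed."""
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external script URLs and a SHA-256 of every inline script body."""
    def __init__(self):
        super().__init__()
        self.scripts = []  # ("src", url) or ("inline", sha256 hex digest)
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._in_inline = False

def inventory(html):
    p = ScriptCollector()
    p.feed(html)
    return p.scripts  # ordered list of every script the page would execute

def detect_tampering(html, baseline):
    """Compare a live page against the approved baseline inventory."""
    live = inventory(html)
    return {"unexpected": [s for s in live if s not in baseline],
            "missing": [s for s in baseline if s not in live]}

AUTHORIZED_PAGE = """<html><body>
<script src="https://pay.example.com/checkout.js"></script>
<script>document.getElementById('pan').focus();</script>
</body></html>"""
BASELINE = inventory(AUTHORIZED_PAGE)  # captured when the page was approved
MODIFIED_PAGE = AUTHORIZED_PAGE.replace(  # constructed: one unapproved tag injected
    "</body>", '<script src="https://cdn.example.net/t.js"></script></body>')
```

Run on a schedule against the live payment page, a non-empty "unexpected" or "missing" list is the alert condition 11.6.1 asks for; a change to an inline script shows up as one missing and one unexpected hash.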

Maintain a Formal Information Security Policy

Maintain a policy that addresses information security for all personnel. One aspect of this requires conducting a Targeted Risk Analysis (TRA).

This allows organizations to define how often they perform certain security tasks based on their specific risk level. The TRA must be done every 12 months to keep findings valid and accommodate new threats.

Many requirements within the six PCI DSS compliance goals can be satisfied by using a PCI-compliant payment processor like PDCflow.

We host payment portals, encrypt and tokenize payment details, and securely store data on behalf of merchants. This simplifies many aspects of PCI compliance.

How the 6 PCI DSS Goals Relate to the 12 Requirements

PCI DSS is organized into two layers: goals and requirements. The six goals define what must be protected.

In addition, there are 12 PCI compliance requirements that define how protection is enforced. Together, they form a complete security framework. The twelve requirements are as follows:

  1. Install and Maintain Network Security Controls
  2. Apply Secure Configurations to All System Components
  3. Protect Stored Account Data
  4. Protect Account Data with Strong Cryptography During Transmission
  5. Protect All Systems and Networks from Malicious Software
  6. Develop and Maintain Secure Systems and Software
  7. Restrict Access to System Components and Account Data by Business Need to Know
  8. Identify Users and Authenticate Access to System Components
  9. Restrict Physical Access to Cardholder Data
  10. Log and Monitor All Access to System Components and Cardholder Data
  11. Test Security of Systems and Networks Regularly
  12. Support Information Security with Organizational Policies and Programs

Determining Your PCI Compliance Levels (1-4)

Level 1: Merchants that process over 6 million Visa transactions annually across all channels.

  Every year:

  • File a Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA), or by an internal auditor if it is signed by an officer of the company.

  • Submit an Attestation of Compliance (AOC) form.

  Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

Level 2: Merchants that process 1 to 6 million Visa transactions annually across all channels.

  Every year:

  • Complete a Self-Assessment Questionnaire (SAQ).

  • Submit an Attestation of Compliance (AOC) form.

  Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

Level 3: Merchants that process 20,000 to 1 million Visa ecommerce transactions annually.

  Every year:

  • Complete a Self-Assessment Questionnaire (SAQ).

  • Submit an Attestation of Compliance (AOC) form.

  Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

Level 4: Merchants that process fewer than 20,000 Visa ecommerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.

  Every year:

  • Complete a Self-Assessment Questionnaire (SAQ).

  • Submit an Attestation of Compliance (AOC) form.

  Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

How PCI Levels Affect Validation and Reporting

There are different levels of certification:

  • Level 1 Service Provider or Level 1 Merchant certification requires an on-site assessment by a Qualified Security Assessor (QSA).
  • Level 2-4 Merchant certification can be attained by self-assessment via the Self-Assessment Questionnaire (SAQ).

Your business can only self-certify by completing a Self-Assessment Questionnaire (SAQ) if you:

  • Have never suffered a data breach.

  • Use the services of a third-party payment processor that has attained Level 1 certification, such as PDCflow.

  • Process fewer than 6 million Visa transactions a year.

Why Choose a Level 1 PCI Service Provider?

The PCI DSS standard is recognized as the security benchmark for payments, and Level 1 compliance is a clear indicator of a mature processor that can safely handle your payments.

PDCflow recertifies each year as a Payment Card Industry-Data Security Standard (PCI DSS) Level 1 Service Provider. We complete a detailed assessment to ensure we store, process, and transmit credit card data in a secure and protected manner.

The comprehensive assessment for Level 1 certification includes document collection and analysis, vulnerability scanning and penetration testing, as well as regular scans throughout the year.

PDCflow understands the cost and time burden that accompanies PCI certification, as well as the struggle of adjusting office procedures to the new reality of remote work.

PDCflow’s secure payment capture and storage keeps your business and consumers safe, no matter where your staff is processing credit card payments. Your employees never see or hear cardholder data during transactions with customers.

What to Ask Before Choosing a PCI Level 1 Provider

When vetting a Level 1 service provider:

  • Request their Attestation of Compliance (AOC) to verify that a third-party auditor has validated their security controls.

  • Inquire about their specific data handling methods: ask about encryption and tokenization to minimize your own compliance footprint.

  • Ask about audit support: a reliable vendor should provide the necessary documentation and technical evidence required to streamline your own annual PCI assessment.

PCI DSS compliance is a commitment to protecting your customers’ data and your brand’s reputation. By following the six goals of PCI compliance, you can build a defense against evolving cyber threats.

Learn more about your company’s PCI compliance responsibility, why it’s important, and how a Level 1 processor can help keep you and consumers safe. Check out our PCI compliance guide for businesses.

- ABOUT THE AUTHOR -
Hannah Huerta, Marketing Specialist

Hannah Huerta is a Marketing Specialist at PDCflow. She creates content for the accounts receivable and payment industry.
