Protecting cardholder data is crucial for merchants that store, process, or transmit it, and for any other company whose services can affect the security of that data. The standards that govern this data are detailed and prescriptive by design; meeting them lets an entity demonstrate proper security controls to its customers and banks, which builds trust.
Read on to learn about PCI DSS and how it protects valuable customer data.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is the payment industry's accepted standard, developed and enforced by the industry itself. It consists of a set of requirements, policies, and procedures for organizations that handle, or can affect the security of, credit, debit, and cash card transactions, with the goal of protecting cardholders' account data.
What is PCI SSC?
The PCI Security Standards Council (PCI SSC) develops and maintains PCI DSS and the related PCI standards and assessor programs; enforcement of compliance is handled by the individual card brands. The Council's stated aim is to drive education, awareness, and effective implementation of the standards among its stakeholders.
What are the principles of PCI DSS?
There are 12 principal PCI DSS requirements, grouped under six goals:
Build and maintain a secure network and systems
- Requirement 1: Install and maintain network security controls
- Requirement 2: Apply secure configurations to all system components
Protect account data
- Requirement 3: Protect stored account data
- Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management program
- Requirement 5: Protect all systems and networks from malicious software
- Requirement 6: Develop and maintain secure systems and software
Implement strong access control measures
- Requirement 7: Restrict access to system components and cardholder data by business need to know
- Requirement 8: Identify users and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
Regularly monitor and test networks
- Requirement 10: Log and monitor all access to system components and cardholder data
- Requirement 11: Test security of systems and networks regularly
Maintain an information security policy
- Requirement 12: Support information security with organizational policies and programs
Together these requirements help protect cardholder data from attackers and give companies that hold this data a verifiable baseline of controls for shielding their environment against likely attacks.
Why is PCI DSS important?
Completing a PCI DSS Report on Compliance (RoC) demonstrates your organization's commitment to payment card data security and records the level of validation you have achieved. Fines for failing to maintain PCI DSS compliance are commonly cited as ranging from $5,000 to $100,000 per month, levied by the card brands through the acquiring bank, depending on the size of the company and the scope of the noncompliance. Fines and penalties are even greater for organizations that suffer a security incident while noncompliant.
Who should get a PCI DSS certification?
PCI DSS was developed for companies that store, process, or transmit cardholder data. It can also apply to companies that provide services to organizations that maintain their own cardholder data environment (CDE). If your services can affect the security of a CDE, whether your own or a client's, you can be brought into scope for a PCI DSS assessment.
Organizations most commonly subject to PCI DSS include:
- Retailers
- Ecommerce platforms
- Payment processors
- Payment BPO providers (e.g., call centers)
Who needs a Report on Compliance?
Your organization's transaction volume, together with the card brands' validation requirements, determines the level of validation you need. There are four merchant levels and two service provider levels (the exact thresholds differ slightly between card brands):
- Level 1: Merchants that process more than 6 million transactions per year, and service providers that store, process, or transmit more than 300,000 transactions per year.
- Level 2: Merchants that process between 1 million and 6 million transactions per year, and service providers with fewer than 300,000 transactions per year.
- Level 3: E-commerce merchants that process between 20,000 and 1 million e-commerce transactions per year.
- Level 4: E-commerce merchants that process fewer than 20,000 e-commerce transactions per year, and all other merchants that process up to 1 million transactions per year.
Merchants should check with their acquirer to confirm their current validation level. Levels 2, 3, and 4 are generally eligible to complete a Self-Assessment Questionnaire (SAQ), although some Level 2 payment channels (e.g., e-commerce) may be required to have the SAQ completed or attested by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). Level 1 merchants and service providers must complete a RoC, an on-site assessment conducted by a QSA, to validate PCI DSS compliance. Nothing prohibits a lower-level merchant or service provider from obtaining a Level 1 RoC, and many service providers that technically qualify as Level 2 undergo an annual Level 1 RoC to meet their customers' validation expectations.
How long does it take to complete a PCI DSS assessment?
The preparation phase typically takes about six to eight months for organizations undergoing the assessment for the first time, and around three to four months for a renewal assessment. The time needed to complete the assessment itself varies with the organization's environment: its processes, number of locations, infrastructure, and the overall size and scope of the CDE.
For large entities, PCI DSS is a continual process: as soon as one assessment ends, preparation for the next year's begins. Smaller entities usually have less of a lift to maintain those processes year-round.
Steps to achieving PCI DSS certification
Knowing the steps to PCI DSS certification is an essential part of the process, and being well prepared sets your organization up for success.
- Understand the requirements: Familiarize yourself with the PCI DSS requirements and consider how they apply to your organization. Are there obvious gaps in your environment? Do you have an information security policy? How many transactions do you process each year, and which merchant or service provider level does that put you in? Learning the requirements and how they show up in practice is the first step toward compliance.
- Conduct a risk assessment: A formal risk assessment informs your strategy going forward. It identifies vulnerabilities and the risk each poses to your environment, giving you a baseline of your current security posture, the areas that need improvement, and your current conformity with the PCI DSS requirements.
- Address gaps and implement changes: Remediating gaps ahead of the formal assessment puts your organization on the right track for PCI DSS certification.
- Engage a Qualified Security Assessor: Depending on your validation level, you may be able to complete an SAQ. If your organization is a Level 1 merchant or service provider as defined above, you will need to work with a QSA to complete a formal RoC and obtain your PCI Attestation of Compliance (AOC). Choose a high-quality QSA that will not just check the box but will set your organization up for success. Check out our list of six qualities to look for in a QSA.
Getting started with PCI DSS
If you’re ready to begin your journey to PCI DSS compliance, contact A-LIGN today to get started. The A-LIGN difference is:
- 2k+ PCI assessments completed
- 96% customer satisfaction rating
- 20+ years of experience
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor.