Skip to content

7 Most Commonly Asked PCI Compliance Questions


Ignorance is not an excuse for failing a PCI DSS audit or, worse yet, being victimized by a data breach. The Payment Card Industry Data Security Standard (PCI DSS) clearly defines responsibilities and guidelines for protecting sensitive information such as credit card numbers.

Your company must comply with the PCI DSS if you handle payment card data in any way or if you plan to do so in the future. Failing a PCI DSS audit could prevent your company from being allowed to handle such data, thereby jeopardizing its ability to serve customers and perhaps undermining its ability to maintain viability altogether.

Passing a PCI DSS audit confirms that your company meets the needs of current customers and sets it apart to win more business. It assures customers that you abide by best practices for securing their data.

Even if PCI DSS compliance isn’t required for your industry, potential customers may still ask about audits and compliance. Therefore, knowing about—and proving—PCI compliance could give your company a competitive advantage in the marketplace and help you close bigger business.

Position your company for growth by knowing the answers to these seven common PCI compliance questions before customers ask:

1. What is PCI DSS?

The PCI Security Standards Council (SSC) developed the PCI DSS in 2004 to combat credit card fraud. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.

The 12 PCI DSS requirements provide consistent data security controls for secure payment environments. A PCI DSS compliance audit examines your security measures to see whether you adhere to the latest standards for protecting your customers’ data.

2. How do I know if PCI DSS applies to me?

All organizations involved with payment card processing, including merchants, acquirers, issuers, and service providers, must comply with the PCI DSS. Requirements for compliance vary based on the number of transactions that a business processes annually, so confirming your classification level is important for understanding PCI compliance auditing. Knowing your responsibilities will help you prepare for a PCI compliance audit.

3. Do I have to fulfill PCI DSS requirements if I only take credit card information by phone?

Yes. The PCI DSS applies to all merchants and vendors that handle card data, including those that accept or process payments made through printed forms, over the phone, in person, or online. You must comply when you have people taking credit cards by phone.

4. If a client requests that my company comply with a higher level of PCI DSS than we qualify for, are we required to do so?

Clients may stipulate that you comply with a higher level of PCI DSS as a condition of doing business with you. If this happens, then you may be contractually obligated to comply with more stringent PCI DSS requirements than you would otherwise.

Maintaining a higher level of PCI compliance in such a case could be more costly and challenging. But it also could help you attract larger clients who have more sophisticated security requirements for vendors that they trust with their data, such as banking, healthcare, or software-as-a-service (SaaS) companies.

5. If my organization has more than one location, does each one have to be PCI compliant?

You probably only need to validate once annually for all locations if they process payment card data under the same Tax ID, according to a summary of PCI FAQs from Each location may need to pass quarterly network scans by a PCI SSC Approved Scanning Vendor (ASV).

6. Does my company have to prove PCI compliance if it doesn’t store credit card data?

Yes. When describing the importance of maintaining payment security, the PCI Security Standards Council states that if you accept or process payment cards, the PCI DSS applies to you. You don’t have to store credit card data to be subject to the standards.

7. Do I need a readiness assessment before I start my PCI DSS audit?

You don’t need a readiness assessment—but it would help you improve your security and attain PCI compliance by showing you where you stand in relation to your requirements. Then you could identify and close any gaps that might prevent you from passing a PCI DSS audit.

Your company may not have needed to maintain PCI compliance before now. However, it will likely have to do so in the future as regulators and customers demand greater protection from data breaches.

Knowing the answers to these commonly asked PCI compliance questions will help you optimize financial growth for your company by becoming more competitive.