PCI DSS Awareness: Compliance: Overview of Key Concepts and Guidelines
- Viktoria Soltesz PSP Angels Ltd - CY10406204F

- Aug 15

The Soltesz Institute recently hosted a session on one of the most widely referenced yet often misunderstood security standards in the payments industry: PCI DSS compliance.
Viktoria Soltesz, founder of the Institute, was joined by Kanchan Saxena, a cybersecurity consultant and Qualified Security Assessor who has extensive experience helping businesses achieve and maintain compliance with PCI DSS, ISO, SOC and other security frameworks. The webinar explained what PCI DSS really means for businesses, how it applies in practice, and the key mistakes that can put companies and their customers at risk.
Understanding PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) was created by the major card networks to ensure that any organisation storing, processing or transmitting cardholder data maintains a secure environment. This covers debit and credit cards across all payment channels, from e-commerce to retail, mobile banking and B2B transactions. The standard exists to reduce payment card fraud and protect sensitive customer information, while demonstrating to partners and clients that data security is taken seriously.
The current version, PCI DSS 4.0.1, expands on the core requirements with updated controls for modern security challenges such as cloud and serverless environments. While the framework still rests on its 12 main requirements, it now demands clearer role definitions, stronger cryptography, and targeted risk analysis. These requirements are grouped under six key objectives – from building secure networks and protecting stored cardholder data to maintaining malware defences, enforcing access control, and monitoring systems continuously.
Small Businesses Are Not Exempt
We discussed how PCI DSS is often seen as a concern for large financial institutions, yet breaches in small businesses are just as damaging.
Outsourcing
Many businesses believe that outsourcing payment processing to a third-party provider removes their responsibility entirely. While it does reduce the compliance scope, it does not remove the obligation to choose PCI-compliant providers, define security responsibilities in contracts, and ensure cardholder data remains protected throughout the transaction flow. The merchant remains accountable for due diligence and monitoring of the third party.
Access Controls
Access must be restricted to those with a legitimate business need, and different roles require different levels of access. Role-based models and least-privilege principles help limit exposure. Regular audits and continuous monitoring are essential to detect unauthorised or suspicious activity before it escalates.
Certification Process
Certification is handled by Qualified Security Assessor (QSA) companies authorised by the PCI Security Standards Council. The process includes defining the scope, assessing systems and processes, identifying gaps, and producing a remediation plan. Once gaps are addressed, the assessor performs a final audit and issues a Report on Compliance, an Attestation of Compliance, and a certificate.
Common Pitfalls
The most frequent issues are unclear scope definition, lack of awareness of what data is being collected, storing prohibited sensitive authentication data (such as the CVV or PIN), underestimating the budget and time required, and not keeping up with updates to the standard. Smaller organisations are especially vulnerable when balancing security with customer experience, and many do not fully understand which self-assessment questionnaire applies to them.
Summary
Our discussion made it clear that PCI DSS is a culture of security that must be integrated into daily operations. Whether through in-house systems or outsourced providers, businesses must take responsibility for the security of cardholder data at every stage.
Payment and banking today impact customer experience, risk management, technology, product development, data security, compliance, finance, and more. We argue that it should be considered a standalone function, an essential element of the business strategy, not just a part of finance.
Watch the full webinar here: https://www.solteszinstitute.com/course/pci-dss-awareness-overview