Minimise risk and ensure PCI DSS compliance with CCL Group.

Minimise Risk and Improve Compliance

Partner with CCL Group and meet your compliance obligations for payment security. CCL Group has the experience and expertise to support organisations with security controls around cardholder data.


Assist you with completing the relevant PCI DSS Self-Assessment Questionnaire.

Compliance Report

Conduct a PCI DSS Report on Compliance – an on-site audit of your policies, methods and technologies involving the storage, handling or transmission of cardholder data.

Security Controls

Perform an independent review of your security controls and processes for cardholder data if you are the victim of a breach.

What is PCI DSS?

Globally recognised and adopted, the Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that help you to manage and process card payments safely and securely.

The PCI DSS Requirements detail the goals to be achieved and what needs to be done to help you become compliant. By assessing your business against these goals and maintaining your cyber security in line with these requirements, your customers have the confidence that you have adequate protections to preserve their personal and financial data.

Do I need to be PCI DSS compliant?
Although there is no legal obligation for merchants accepting card payments to comply with the PCI DSS Requirements, you will need to ensure you are fulfilling your obligations under the relevant data privacy laws and regulations such as The Data Privacy Act, 1988 and the requirements of GDPR.

If your organisation is storing, processing or transmitting cardholder data in any form, you may have a contractual responsibility to be PCI DSS compliant with your card payment service provider. Breach of this could result in withdrawal of services, monetary penalties and possible fee increases.

What do I need to do to be PCI compliant?
The steps to PCI compliance identify the actions needed to fulfil the PCI DSS Requirements. Once you have completed the necessary actions, you will need to submit your completed PCI Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC) to your payment service provider or acquiring bank.

The 12 PCI DSS Requirements


Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Protect all systems against malware and regularly update antivirus software or programs
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel

Do I need to complete a PCI DSS Self Assessment Questionnaire (SAQ) or a Report on Compliance (RoC)?

To determine the level of risk, the payment card industry uses four merchant levels, ranked 1 to 4. These establish the level of security required and whether an SAQ or RoC should be submitted.

The table below is an indication of the current PCI DSS merchant levels and the security validation and assessment required by MasterCard and Visa. Each card brand and payment service provider will have their own requirements; however, these can be used as a general guide.

PCI Merchant Level 1

  • Transactions annually: 6,000,001 or more
  • Validation requirements*: Annual RoC, QSA audit and a quarterly ASV scan

PCI Merchant Level 2

  • Validation requirements*: Annual SAQ and a quarterly ASV scan

PCI Merchant Level 3

  • Validation requirements*: Annual SAQ and a quarterly ASV scan

PCI Merchant Level 4

  • Transactions annually: 20,000 or less
  • Validation requirements*: Annual SAQ and a quarterly ASV scan

If you are unsure which merchant level you are or would like to get some free advice, request a no-obligation review with one of our security experts.

How do I stay PCI compliant?

Protecting your business from data and security breaches is more than just a regulatory requirement. A breach also puts your customers’ trust and your reputation at risk, and exposes you to financial penalties and potential legal action.

A key part of PCI Requirements 10 and 11 is to monitor system events and changes within your environment. Our managed SOC and CREST penetration testing services can be used to fulfil these controls and provide the visibility that PCI requires.


CREST Penetration Testing

Penetration testing attempts to identify and exploit system and network vulnerabilities, both internally and externally, to help prevent unauthorised access and other malicious activity. Penetration tests should be performed at least annually and whenever there is a significant change made to your system.


Security Operations Centre

Continuously working in conjunction with your cyber security systems to identify suspicious behaviours and potential breaches as they occur in real time, CCL Group’s Managed Security Operations Centre (SOC) is designed to identify, manage and mitigate information security risks to your business.
