How to ace your next PCI DSS audit? Read now!

PCI DSS Level 1 Compliance Guide

Lucia Kányová
·

PCI DSS Level 1 Compliance Guide – What You Really Need to Know

So you are handling over 6 million card transactions or storing those juicy pieces of cardholder data? Congratulations, you have become a part of the PCI DSS VIP club. That also means welcome to audits, scans, policies, and piles full of paperwork.

Do not panic. Whether you are a growing fintech startup or already knee-deep in payment flows, this guide breaks down your new and 360 pages-long bible without boring you to death (hopefully). Let's decode the 12 PCI commandments and give you the real step-by-step guide on how to achieve PCI DSS Level 1 compliance.

Requirements 1-2: Build and Maintain a Secure Network and Systems

Translation: Your firewall should work, and your passwords shouldn’t suck.

Let’s start with the foundation – your network. PCI DSS wants to make sure your systems are not wide open to attackers or running on 2005 settings. So, your job is to install a properly configured firewall that stands between the open internet and your precious cardholder data. Think of this data as a sacred Pandora’s box that no one can open! That is why a firewall needs to be not only installed, but maintained, tested, documented, and reviewed regularly. If you are using default passwords from your vendors (the ones that come on the router box or server build sheet), get rid of them. PCI security standards are clear: vendor defaults are a hacker’s best friend. Your infrastructure should be hardened and locked down as much as possible to anyone trying to get in without permission.

Requirements 3–4: Protect Cardholder Data

Translation: Do not store card numbers unless you really need to. If you do, encrypt like your life depends on it.

Now that your network has been secured, it is time to protect the precious cardholder data inside. If you are storing it, you better be encrypting it with strong cryptography (think AES-128 or better). And no, storing the decryption keys right next to the encrypted data does not count as “secure.” If you do not need to store card numbers, don’t. Storing full card numbers = legal and technical nightmare. Tokenization and redirection are your best friends! Use a payment provider to handle this wherever possible and minimize your PCI scope. As for data in transit? Encrypt it too. Only secure protocols like TLS 1.2 or higher should be allowed. Anything older is like mailing a credit card through a postcard.

Requirements 5–6: Maintain a Vulnerability Management Program

Translation: Keep bad stuff out and fix your solution regularly.

Next, PCI wants to make sure you are actively protecting yourself from threats like malware and patching holes before someone can get in. This starts with running antivirus or anti-malware tools on all systems that are exposed to threats, and yes, even cloud workloads if they are not isolated. More importantly, you need to keep all your systems up to date. That means patching operating systems, third-party software, firmware, and even that obscure printer driver. Vulnerabilities are often the easiest way in, and attackers love outdated stuff.

Scan, scan, scan, scan, and test and test... Quarterly vulnerability scans, bi-annual segmentation tests and annual penetration testing are a must. You are also expected to scan your environment for vulnerabilities internally and externally. External scans must be done by an Approved Scanning Vendor (ASV), while internal scans and pen tests can be handled in-house or via a trusted partner. Just make sure someone competent is doing it and that you are actually fixing the issues they find. Start by researching online, and most importantly, look for any ASV and PCI mentions, as you need a proper report for your audit. Do not just chase cost efficiency, but really interrogate your future vendor, as you will deal with them at least 8x a year! But do not worry, you can save some research time by visiting our security testing web page. We have got you covered!

Requirements 7–9: Implement Strong Access Control Measures

Translation: Not everyone needs access to everything. Control who touches what.

No one should have more access than they need. That is the core idea behind PCI access control requirements. Everyone in your organization, from developers to support teams, should have access only to the systems and data required to do their job, and nothing more. This principle of least privilege helps limit the blast radius if something goes wrong. Access to cardholder data should be tightly controlled and logged, which has to be documented as well! You will also need to assign unique user IDs for every person accessing systems. No shared logins, ever. Throw in some multi-factor authentication (MFA) on top, especially for admin or remote access. On the physical side of things, make sure your servers and hardware handling card data are in secured locations. That does not mean locked behind a janitor’s closet; it means badge access, physical tokens, cameras, and restricted entry. If you want to skip physical security (Requirement 9) entirely, consider using a cloud provider. With their PCI DSS Attestation of Compliance (AOC) in hand, you can check this box without managing any physical security yourself.

Requirements 10–11: Regularly Monitor and Test Networks

Translation: Log on!

Now that your systems are locked down and access is limited, PCI wants to know: are you actually watching what’s going on? Monitoring is a huge part of compliance. You are expected to collect logs from all critical systems, track every login attempt, config change, file access, and network events that could be relevant to cardholder data. Those logs must be stored securely, protected from tampering, and retained for at least a year. But logging alone is not enough; you need to actively review and analyze those logs, either manually or with a SIEM (Security Information and Event Management) tool. As mentioned before, you will be expected to perform vulnerability scans and penetration tests regularly, and yes, if something changes in your environment (like a new payment flow or app release), that counts as a good reason to test again. The idea is simple: do not let security rot between audits.

Requirement 12: Maintain an Information Security Policy

Translation: Policies and actual knowledge are the key!

Last but definitely not least, write everything down. PCI requires you to have formal information security policies that govern everything, from how you store data to who has access to systems to how you handle a breach. These policies are not just for compliance; they are also a great way to onboard new team members and stay consistent. They must be reviewed and updated at least annually, and yes, your staff must be trained on it. That includes your developers, customer support, operations—everyone. Your team should also know what to do if (or when) something goes wrong. Incident response plans for all critical operations are mandatory, and they should be tested with tabletop exercises at least once a year. If you’ve never done one, they’re kind of fun—in a “pretend there’s a data breach” sort of way.

How to Get Started (Without Losing Your Mind)

Now that you understand the 12 basic topics of PCI DSS, let’s start complying with it. The first thing you need to do is scope your environment. That means identifying every system, process, and person that touches cardholder data, directly or indirectly. Once you know what you’re working with, you can look for ways to reduce that scope—tokenization, redirection, and segmentation can shrink your PCI footprint drastically.

Next comes the gap analysis. Grab the Self-Assessment Questionnaire (even if you’re going for a full QSA audit) and start mapping your current controls against the PCI DSS compliance requirements. Where are the holes? Where are you doing things halfway? Write it all down.

From there, it’s time to implement and document. Fix the gaps. Create policies. Enforce access controls. Harden systems. Patch like your life depends on it. And then test it all. Do internal vulnerability scans, run pen tests, simulate incidents—whatever it takes to feel confident.

Once you’re ready, find a Qualified Security Assessor (QSA). They’ll work with you to validate your controls, gather evidence, and prepare the holy grails of compliance: the ROC (Report on Compliance) and AOC (Attestation of Compliance). When that’s done, you submit them to your acquiring bank or card brand.

PCI Compliance Isn’t a Project—It’s a Lifestyle

The worst thing you can do is treat PCI like a one-and-done checklist. It’s not. It’s a year-round commitment to security hygiene. That means regular vulnerability scans, policy reviews, continuous staff training, and a healthy dose of paranoia.

But here’s the thing: once you build PCI into your company’s DNA, it stops feeling like a burden and starts looking a lot like common sense. After all, protecting your customers’ payment data is good for business—compliance just gives you the framework to prove it.

Still feel like it’s too much? You’re not alone. We’ve been there, and we’re here to help! Contact us for expert consultancy and complete PCI DSS security testing to keep you compliant and audit-ready.