Guide 10 of 10

Your PCI Compliance Roadmap

A practical step-by-step guide to achieving PCI DSS compliance — from understanding your scope to completing your SAQ and maintaining compliance year-round.

From Understanding to Action

You've made it to the final guide in our Compliance 101 series. Over the previous nine guides, we've covered what PCI DSS is, what its requirements mean, how compliance levels and SAQ types work, how to descope your environment, the specific challenges of telephone payments, how DTMF masking works, what changed in v4.0.1, and the mistakes you need to avoid. That's a solid foundation of knowledge.

Now it's time to turn that knowledge into action. This guide gives you a practical, step-by-step roadmap to achieving and maintaining PCI DSS compliance. Whether you're starting from scratch or tightening up an existing programme, these ten steps will guide you through the process in the right order.

Step 1: Map Where Card Data Flows

Everything starts with understanding where cardholder data exists in your business. You can't protect what you can't find, and you can't define your scope without knowing where data flows.

Trace the complete journey of card data through your organisation. Consider every payment channel: online, in person, over the phone, by post, and via recurring billing. For each channel, document where card data enters your environment, which systems it passes through, where it might be stored (even temporarily), and where it exits to a payment processor or acquirer.

Don't forget the non-obvious places: call recordings capturing spoken card numbers, CRM systems where agents note down details, email threads, paper forms, backup systems, and reconciliation spreadsheets. Card data tends to spread further than anyone expects. Document everything you find — you'll need this map for every subsequent step.
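One way to hunt for card numbers that have leaked into free text such as CRM notes, ticket comments or email exports, as an added example rather than anything from the original guide or from Paytia: digit runs are Luhn-checked so that invoice and order references are filtered out, and only masked values are reported so the scan itself does not create another copy of cardholder data. The sample notes and the line-based report format are constructed for the example.

```python
import re

# Added example (not Paytia's code): find candidate primary account numbers (PANs)
# in free text such as CRM notes or email exports, so every place card data has
# spread to can be added to the Step 1 data flow map.

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of agent notes; the card numbers are well-known test PANs.
SAMPLE_NOTES = """\
Customer called re invoice 20240115-000731, happy to pay by card.
Agent note: took card 4111 1111 1111 1111 exp 12/27 over the phone
Callback number +44 20 7946 0000, order ref 1234567890123456
Paper form scanned: 5555-5555-5555-4444 written in the margin
Refund processed against the PSP token, no card number recorded
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, which PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (masked PAN, line number) for each Luhn-valid candidate in the text.

    Invoice and order numbers are usually rejected by the Luhn check; a long
    numeric reference that happens to pass it still needs a manual look.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                hits.append((mask_pan(digits), line_no))
    return hits


if __name__ == "__main__":
    for masked, line_no in find_pans(SAMPLE_NOTES):
        print(f"line {line_no}: {masked}")
```

Run the same function over exported call-recording transcripts, ticket databases and reconciliation spreadsheets to build the "non-obvious places" part of the map; every hit is a system that is in scope until the data is removed.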

Step 2: Determine Your Compliance Level

Your compliance level determines how you validate your PCI compliance. As we explained in Guide 3, there are four levels based primarily on your annual transaction volume:

  • Level 1: Over 6 million transactions per year — requires a full audit by a Qualified Security Assessor (QSA)
  • Level 2: 1 to 6 million transactions — typically SAQ with possible on-site assessment
  • Level 3: 20,000 to 1 million e-commerce transactions — SAQ validation
  • Level 4: Under 20,000 e-commerce or up to 1 million total transactions — SAQ validation

Check with your acquiring bank (the bank that provides your merchant account) to confirm your level. They may have specific requirements beyond the general thresholds. Note that the thresholds can vary slightly between card brands, and your acquirer's interpretation is what matters in practice.

Step 3: Identify Your SAQ Type

The Self-Assessment Questionnaire you need depends on how you accept payments. As we detailed in Guide 4, the SAQ types range from SAQ A (22 questions, for businesses that fully outsource card processing) to SAQ D (326 questions, for businesses that store, process, or transmit card data themselves).

Your SAQ type is determined by the card data flow map you created in Step 1. If card data never enters your systems — because you use hosted payment pages and DTMF masking — you'll likely qualify for SAQ A. If you process card data on your own servers, you'll need SAQ D.

Getting the right SAQ type is critical. Completing the wrong one means your validation is invalid. If you're unsure, your QSA or acquiring bank can help determine the correct type.

Step 4: Reduce Your Scope

Before you start implementing controls, reduce your scope. This is the single most impactful step you can take to simplify and accelerate your compliance journey. We covered descoping strategies in detail in Guide 5, but here's the summary:

For online payments: Use a hosted payment page or hosted iframe so card data goes directly from the customer's browser to the payment processor, never touching your servers.

For telephone payments: Implement DTMF masking so customers enter card details on their phone keypad. The tones are masked, the agent never hears or sees the data, and your contact centre infrastructure stays out of PCI scope. This is Paytia's core technology, and it's the most effective way to descope the telephone channel — as we explained in Guide 7.

For in-person payments: Use P2PE (Point-to-Point Encryption) validated terminals that encrypt card data at the point of entry, preventing your local systems from ever accessing it in clear text.

For stored data: Eliminate unnecessary storage. If you don't need to store card data, don't. Use tokens (references that map to card data held securely by your payment processor) instead of actual card numbers for recurring billing and refunds.

Every system you remove from scope is a system you don't need to secure, monitor, patch, audit, and document to PCI standards. Scope reduction isn't just about making compliance easier — it's about genuinely reducing your risk.

Step 5: Implement Required Controls

With your scope minimised, implement the PCI DSS controls required for your environment. The specific controls depend on your SAQ type. If you've descoped effectively and qualify for SAQ A, the controls are relatively straightforward — mostly around vendor management, access controls, and security policies.

If your SAQ requires more extensive controls, work through the requirements systematically. We covered all 12 in Guide 2. Prioritise the areas where you have the biggest gaps. Common areas requiring attention include:

  • Network security — firewalls, segmentation, and secure configurations
  • Access control — unique IDs, strong passwords (minimum 12 characters under v4), MFA for CDE access
  • Encryption — data in transit (TLS 1.2+) and data at rest (field-level encryption)
  • Logging and monitoring — full audit trails with automated review
  • Vulnerability management — patching, anti-malware, and secure development practices

Don't try to do everything at once. Create a prioritised implementation plan based on risk, starting with the controls that address your most significant exposures.

Step 6: Train Your Staff

PCI DSS Requirement 12.6 mandates security awareness training for all personnel. But effective training goes beyond compliance — it's about building a security-aware culture where people understand why these controls matter and what role they play.

Training should cover: what PCI DSS is and why it matters, your organisation's security policies, how to handle cardholder data correctly, what to do if they suspect an incident, and the consequences of non-compliance. For staff who handle payments directly, training should be more detailed and role-specific.

Under PCI DSS v4.0.1, training must be provided at least annually and upon hire. Document all training — who attended, when, what was covered — as your assessor will ask for these records.

Step 7: Complete Your SAQ or Undergo Your Audit

With controls in place and staff trained, you're ready to formally validate your compliance. For most businesses (Levels 2-4), this means completing your SAQ and submitting it along with an Attestation of Compliance (AoC) to your acquiring bank.

Approach the SAQ honestly. Each question should be answered "Yes" (the control is fully in place), "Yes with CCW" (a compensating control worksheet applies), "No" (the control is not in place — you'll need a remediation plan), or "N/A" (not applicable to your environment, with justification).

If you're Level 1 or otherwise require a QSA audit, schedule the assessment well in advance and prepare by gathering evidence: policies, configuration screenshots, access control lists, training records, and scan reports. For quarterly external vulnerability scans, engage an Approved Scanning Vendor (ASV) — these scans must pass and the results must be current at the time of your assessment.

Step 8: Set Up Ongoing Monitoring

Passing your SAQ or audit isn't the finish line — it's the starting point for continuous compliance. As we discussed in Guide 9, one of the most common mistakes is letting things slide after assessment.

Establish a routine that includes: continuous log monitoring with automated alerting, quarterly ASV scans, regular internal vulnerability assessments, ongoing patch management, periodic access reviews, and regular checks that security controls are functioning as intended.

Assign clear ownership for each activity. PCI compliance isn't just the IT department's responsibility — it requires coordination across IT, operations, HR, and management.

Step 9: Plan for Annual Re-Validation

PCI compliance isn't a one-off achievement. You must re-validate annually by completing a new SAQ (or undergoing a new audit) and submitting a fresh Attestation of Compliance. Build re-validation into your business calendar — start preparation at least three months before your compliance anniversary.

PCI DSS v4.0.1 expects you to show that controls have been in place throughout the year, not just at assessment time. If you've been following Step 8 — ongoing monitoring — you'll have the evidence you need.

Step 10: Document Everything

Documentation is the backbone of PCI compliance. If it isn't documented, it didn't happen — at least as far as your assessor is concerned. Key documents include: data flow and network diagrams, security policies covering each PCI requirement, operational procedures for patching and access reviews, training records, evidence of controls (configuration screenshots, scan reports), risk assessments, vendor management records, and your incident response plan.

Keep documentation up to date. Outdated documentation gives a false picture of your security posture and can lead to compliance findings. Review and update after every significant change and at least annually.

Your Next Steps

Broken down into these ten steps, PCI compliance becomes a structured, manageable project. The key insight from this entire series is that scope reduction is the single most effective thing you can do. For telephone payments — which, as we covered in Guide 6, create the broadest PCI scope of any payment channel — DTMF masking is the most effective descoping tool available. For online payments, hosted payment pages achieve the same result.

Wherever you are on your compliance journey, start with Step 1. Map your card data flows — you'll have the foundation you need to make informed decisions and take effective action.

Key Takeaways

  • Start by mapping card data flows — you can't protect what you can't find, and this map drives every other decision
  • Determine your compliance level and SAQ type early, so you know exactly what's required of your business
  • Reduce your scope before implementing controls — descoping with hosted payment pages and DTMF masking is the most impactful step you can take
  • Implement controls systematically, prioritising the biggest gaps and highest risks first
  • Train all staff at least annually, with role-specific training for those who handle payments
  • Complete your SAQ honestly and submit it with your Attestation of Compliance to your acquiring bank
  • Set up ongoing monitoring — continuous compliance is a requirement under v4, not a nice-to-have
  • Plan for annual re-validation starting at least three months before your compliance anniversary
  • Document everything — policies, procedures, training, evidence, and risk assessments — because if it's not documented, it didn't happen
  • Scope reduction is the single most effective strategy for making PCI compliance faster, simpler, and less expensive

Frequently Asked Questions

How long does it take to become PCI compliant?

For a small business using outsourced payment processing, it can take as little as a few weeks to complete an SAQ. For larger organisations requiring a full QSA audit, plan for 3-6 months of preparation and assessment.

How much does PCI compliance cost?

Costs vary widely. A small business completing SAQ A might spend under £1,000. A Level 1 merchant requiring a full QSA audit could spend £30,000-£100,000+ depending on complexity. The biggest cost driver is scope — fewer systems in scope means lower costs.

What should I do first?

Start by identifying everywhere card data enters, flows through, and is stored in your business. This scoping exercise tells you which SAQ you need and which PCI requirements apply. Then focus on descoping — removing card data from as many systems as possible.

Ready to simplify your PCI compliance?

Book a personalised demo and we'll show you how Paytia can descope your telephone payment environment.
