PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

PCI DSS establishes baseline security controls for any organization that handles payment card data. We right-size your scope, implement practical safeguards, and prepare the documentation and evidence you need for SAQs, external scans, and assessments—delivered through the RightSentry Protocol™ (Recon → Strategy → Fortify → Verify → Evolve).

Who Must Comply?

If your organization accepts, processes, stores, or transmits cardholder data or can impact the security of that data (e.g., a service provider), you fall under PCI DSS. Compliance applies to all merchants and service providers—regardless of size or transaction volume. We’ll help you minimize scope (e.g., through tokenization and segmentation), lower risk, and choose the right validation path.

PCI DSS COMPLIANCE LEVELS

Compliance is divided into four levels that are based on the annual number of credit or debit card transactions a business processes. The classification level determines what an organization needs to do to remain compliant:

Level 1

More than 6 million Visa/Mastercard transactions annually (or at brands’ discretion). Requires an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly ASV scans.

Level 2

Between 1 million and 6 million transactions annually. Requires an annual Self-Assessment Questionnaire (SAQ); some brands may require QSA review. Quarterly ASV scans typically required.

Level 3

Between 20,000 and 1 million e-commerce transactions annually. Annual SAQ and quarterly ASV scans; additional validation may apply per brand.

Level 4

Fewer than 20,000 e-commerce transactions annually, or up to 1 million total transactions. Annual SAQ and quarterly ASV scans recommended/required per brand rules.

REQUIREMENTS FOR PCI DSS LEVELS

The PCI SSC has 12 requirements for handling cardholder data and maintaining a secure network. Distributed across six broader goals, all are necessary for an organization to become compliant:

1. Secure Network
2. Secure Cardholder Data
3. Vulnerability Management
4. Access Control
5. Monitoring & Testing
6. Information Security

HOW WE HELP

We make every effort to understand your business–where you’re going and where you want to be. We protect your data, your customers, your reputation, and your bottom line. You’re safe in our hands.

1. Define & Scope
Identify where account data exists, systems and networks in scope, and opportunities to reduce scope (tokenization, outsourcing, segmentation).

2. Analyze
Perform a readiness assessment against PCI DSS requirements; identify gaps; confirm your merchant/service provider level and SAQ/ROC path.

3. Roadmap
Deliver a prioritized plan with owners, timelines, and artifacts (policies, procedures, diagrams, inventories). Coordinate ASV scans and required testing.

4. Implement & Verify
Operationalize controls, collect evidence, and complete your SAQ/ROC. We support quarterly scans and ongoing reviews so you remain compliant year-round.

We Can Help!

Right Hand Technology Group is CompTIA Security Trustmark+™ certified and recognized among top MSPs. Our cybersecurity-first approach embeds protection and verification into daily operations—not just assessment week. The best first step is the RightSentry Snapshot™—a concise, executive-level assessment that pinpoints PCI scope, gaps, and next steps ($975, credited to your first month if you proceed with Comply™, Vanguard™, or Coach™).

Who must comply with PCI DSS?

Any merchant or service provider that stores, processes, transmits, or can impact the security of cardholder data—regardless of size or volume.

How do we know our PCI level and validation path?

Your annual transaction volume by brand sets Level 1–4 (merchants) or service-provider thresholds. Validation is via SAQ or a QSA-led Report on Compliance (ROC). We confirm level with your acquirer and brands.

What’s the difference between SAQ and ROC?

An SAQ is a self-assessment for lower-volume merchants/providers (with quarterly ASV scans). A ROC is a QSA’s on-site assessment required for Level 1 and sometimes by brand or contract.

How can we reduce PCI scope (and cost)?

Use tokenization/P2PE, segment networks, minimize data retention, and outsource payment functions to PCI-validated providers. Less scope means fewer controls to maintain and lower risk.

How often are scans and tests required?

External ASV scans quarterly (and after significant changes); internal vulnerability scans quarterly; penetration testing at least annually and after significant changes; MFA, logging, and backups continuously.

Where should we start?

With a quick RightSentry Snapshot™ to define scope, level, gaps, and next steps. From there choose Comply™ (fully managed), Vanguard™ (co-managed), or Coach™ (guided program).