What is the PCI DSS Standard and Do You Need It?

Publication date: 2026-04-24

If your company accepts bank card payments, you have likely encountered PCI DSS requirements. Many entrepreneurs perceive this as just another bureaucratic procedure, but in reality it is a serious security tool. When client payment data leaks, a company loses its reputation, pays fines, and may lose the ability to work with payment systems altogether. Let's look at what PCI DSS is, why it matters, and how it actually works in Kazakhstan.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. In simple terms, PCI DSS is a set of international requirements for protecting bank cardholder information during the processing, storage, and transmission of payment data.

The standard was developed in 2004 by a consortium of major payment systems: Visa, MasterCard, American Express, Discover, and JCB. The standard is managed by the PCI Security Standards Council (PCI SSC). This is not a government agency, but an independent body created by the payment systems themselves to develop and maintain unified security requirements.

The standard is constantly evolving. Version 3.2.1 was retired on 31 March 2024, and PCI DSS 4.0 (published in March 2022) became the only version in force. It adds more than 50 new requirements, most of which were future-dated and became mandatory on 31 March 2025. A limited revision, 4.0.1, was published in June 2024 and replaced 4.0 at the end of that year.

It is important to understand that PCI DSS is not a law. It is an industry standard that the payment systems impose as a condition of doing business with them. Once an acquiring bank or payment system requires it, compliance becomes a condition of your contract. Non-compliance risks fines, commonly cited at $5,000 to $200,000 per month; the card brands levy them on the acquiring bank, which passes them on to the merchant, and the end result can be the complete loss of the ability to accept cards.

Standard Requirements

The PCI DSS standard consists of 12 main requirements, each containing several sub-requirements. The requirements cover all aspects of protecting payment data — from network architecture to personnel policy.

The first two requirements concern the protection of network infrastructure. A company must install and maintain firewalls (in version 4.0, "network security controls") that restrict traffic to and from the systems that process payments. It is also necessary to change every default password and security parameter set by the equipment or software vendor before a system goes into production, so that each system has unique, secure credentials and a hardened configuration.

Requirements 3 and 4 are dedicated to protecting the payment data itself. Sensitive authentication data, that is the CVV/CVC code, the PIN or PIN block, and the full magnetic-stripe or chip track data, must never be stored after authorization, not even in encrypted form. The card number (PAN) may be stored only where there is a business need, must be rendered unreadable wherever it is kept (strong encryption, truncation, index tokens, or a keyed hash), and must be masked when displayed so that at most the BIN and the last four digits are visible. When data crosses open or public networks it must be protected with strong cryptography (the standard's glossary sets a floor of 112 bits of effective key strength, so AES-128 or stronger in practice) over a current protocol such as TLS 1.2 or higher; TLS 1.0 and 1.1 are not acceptable.

Requirements 5 and 6 aim to protect against malware and vulnerabilities. Every system that is commonly affected by malware must run anti-malware software that is kept up to date, with scanning or real-time protection that users cannot disable. Security patches must be installed promptly (critical ones within a month of release), software developed in-house must follow secure coding practices, and public-facing web applications must be protected against known attacks, for example with a web application firewall.

Requirements 7-9 regulate access management. Access to payment data should be granted only to employees who need it for their work, following least privilege. Each user must have an individual account and be authenticated; shared and group accounts are not permitted. Multi-factor authentication is required for all remote access into the network and, under version 4.0, for every non-console access into the cardholder data environment, not only for administrators. Physical access to servers and rooms with equipment must be restricted, logged, and controlled.

Requirements 10-12 concern monitoring, testing, and management. All access to payment data and all administrative actions must be logged; logs must be protected from tampering, reviewed daily (automated tools are expected), and retained for at least a year. Requirement 11 covers testing: quarterly internal vulnerability scans, quarterly external scans by an Approved Scanning Vendor (ASV), and penetration tests (internal and external) at least annually and after significant changes, including tests of any network segmentation used to reduce scope. Finally, under Requirement 12 the organization must maintain a documented information security policy, a risk assessment, and an incident response plan, and keep an inventory of the third parties that handle card data on its behalf.
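Requirements 3 and 10 above are the ones most often failed in practice: a full card number ends up in a database table or in an application log. The following Python is an added example, not PayGate's code and not PCI SSC material, showing how an application keeps itself within those two requirements. It validates a PAN with the Luhn check, masks it for display (BIN plus last four), stores only the masked form plus a keyed hash (version 4.0 requires hashes of the PAN to be keyed), drops sensitive authentication data before anything is persisted, and redacts card numbers from log lines before they are written. The key, the field names and the log line are assumptions constructed for the example; the card numbers are standard industry test numbers, not real cards.

```python
"""Added example (not PayGate's code, not PCI SSC material): keeping card data
inside PCI DSS Requirements 3 and 10 in an application that receives a card
form and writes audit logs. Field names, key and log line are assumptions."""
import hashlib
import hmac
import re

# Sensitive authentication data (SAD) must never be stored after
# authorization, not even encrypted (PCI DSS Req. 3.3.1).
SAD_FIELDS = ("cvv", "cvc", "cid", "pin", "pin_block", "track1", "track2")

# Key for the keyed hash of the PAN (Req. 3.5.1.1). An unkeyed SHA-256 of a
# 16-digit PAN is brute-forceable once the BIN and last four are known; a
# keyed hash is not. Assumption: in production the key comes from a
# key-management system, never from source code.
PAN_HMAC_KEY = b"assumed-demo-key-loaded-from-kms"

_SEPARATORS = re.compile(r"[ -]")
# 13-19 digits, optionally separated by single spaces or dashes, that are not
# part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check that every card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_pan(value: str) -> bool:
    """True if value is 13-19 digits (separators ignored) and passes Luhn."""
    digits = _SEPARATORS.sub("", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Display form: at most the BIN (first 6) and last 4 digits (Req. 3.4.1)."""
    digits = _SEPARATORS.sub("", pan)
    if not is_pan(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str) -> str:
    """HMAC-SHA256 of the PAN: lets you recognise a card again without storing it."""
    digits = _SEPARATORS.sub("", pan)
    return hmac.new(PAN_HMAC_KEY, digits.encode(), hashlib.sha256).hexdigest()


def contains_sad(record: dict) -> bool:
    """True if a record still carries any sensitive authentication data field."""
    return any(field in record for field in SAD_FIELDS)


def storable_record(card_form: dict) -> dict:
    """What may be written to the database from a submitted card form.
    SAD fields are deliberately not copied; the full PAN is replaced by its
    masked form and its keyed hash."""
    pan = card_form["pan"]
    if not is_pan(pan):
        raise ValueError("not a valid PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan),
        "expiry": card_form.get("expiry"),
        "holder": card_form.get("holder"),
    }


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit run with its masked form before the
    line reaches the log. Digit runs that fail Luhn (order numbers, timestamps)
    are left alone, so the filter has few false positives."""
    def _mask(match: re.Match) -> str:
        text = match.group(0)
        return mask_pan(text) if is_pan(text) else text
    return _PAN_CANDIDATE.sub(_mask, line)


# Constructed sample: a log line as a careless payment service might emit it.
# 4111... is an industry test number; the order number is 14 digits but fails
# Luhn, so it must survive redaction untouched.
SAMPLE_LOG_LINE = ("2026-04-24T10:00:01Z INFO auth ok pan=4111 1111 1111 1111 "
                   "amount=1500 order=20260424000123")

if __name__ == "__main__":
    print(redact_log_line(SAMPLE_LOG_LINE))
    print(storable_record({"pan": "4111111111111111", "cvv": "123",
                           "expiry": "12/27", "holder": "TEST CARD"}))
```

The redaction filter belongs in the logging pipeline itself (a logging `Filter` or the log shipper), not in the hands of each developer; an assessor will sample logs for full PANs, and a QSA finding of stored SAD is not something that can be remediated by encrypting the field.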

A full list of all requirements with detailed descriptions can be found in the official documents on the PCI SSC Document Library page.

How to Get a PCI DSS Certificate

The process of demonstrating PCI DSS compliance depends on the scale of your business. Each card brand divides merchants into four levels by the number of transactions processed per year, and your acquiring bank tells you which level applies. Note that the PCI SSC does not issue certificates: what you actually receive is an Attestation of Compliance (AOC), which is the document the acquirer and the payment systems ask for and which is colloquially called a "certificate".

Using Visa's thresholds: Level 1 merchants process more than 6 million transactions per year, and an annual on-site assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (RoC), is mandatory for them. Level 2 is 1 to 6 million transactions, Level 3 is 20,000 to 1 million e-commerce transactions, and Level 4 is fewer than 20,000 e-commerce transactions (or up to 1 million in total). For Level 2-4 merchants a Self-Assessment Questionnaire (SAQ) signed by the merchant is usually sufficient, although the acquirer may demand more, and several SAQ types (for example SAQ A-EP and SAQ D) still require quarterly ASV scans.

The certification process usually begins with an assessment of the current state of systems. Consultants analyze your infrastructure, identify non-compliance, and create a work plan. During the preparation stage, the company implements the necessary technical solutions.

Then an external assessment is conducted if your level requires it. The QSA verifies compliance with all 12 requirements, examines configurations and evidence, and prepares a Report on Compliance. After findings are remediated and re-checked, the QSA signs the Attestation of Compliance, which the acquirer accepts for one year. Then the process repeats, with the quarterly scans continuing in between: compliance is a continuous obligation, and an assessment is only a snapshot of it.

Is it Possible Not to Comply with PCI DSS Requirements in Kazakhstan?

Technically, PCI DSS requirements are not a law in Kazakhstan. However, this does not mean that companies can ignore them.

In reality, PCI DSS requirements are set by payment systems like Visa and MasterCard. If you want to accept payments through these systems or work with acquiring banks that cooperate with them, you are obliged to fulfill their requirements as specified in contracts.

Ignoring the requirements leads to serious consequences. An acquiring bank may refuse service or terminate the contract. Payment systems issue fines ranging from $5,000 to $200,000 per month. In the event of a cardholder data breach due to non-compliance, a company may be held liable for violating consumer rights and causing damage.

Furthermore, compliance with PCI DSS overlaps with Kazakhstan's legislation on personal data protection, since cardholder names and card numbers are personal data. Fulfilling the standard therefore covers much of the technical side of local law, but it does not replace it: PCI DSS applies only to cardholder data, while the personal data law imposes its own obligations on all personal data you hold.

How to Get a PCI DSS Certificate Easier and Faster

Full compliance with all PCI DSS requirements requires time and investment. But there are several ways to simplify this process.

The easiest path is to use a payment aggregator or payment gateway that already holds PCI DSS compliance. Such a company takes on the processing of card data. You redirect clients to the aggregator's hosted payment page (or embed its iframe), card data never touches your server, and you become eligible for the shortest questionnaire, SAQ A. This removes most of the standard's requirements from your scope but not all of them: your website, the redirect, and any scripts on the checkout page remain in scope, because an attacker who alters them can send customers to a fake payment page, and you must still manage the relationship with the provider and obtain its AOC each year.

An alternative is to use cloud platforms and services with support for modern APIs designed with PCI DSS requirements in mind.

If you decide to process payments independently, it makes sense to engage an experienced consultant or QSA early; this saves time and money. Another approach is phased implementation following the PCI SSC's Prioritized Approach, whose first milestone is to stop storing sensitive authentication data and cut down on stored card numbers (Requirement 3), followed by network and configuration hardening (Requirements 1, 2, 4, 6): removing data you do not need shrinks the scope of everything that follows.

It is also useful to use automated tools for compliance monitoring. Specialized services help track software updates, scan for vulnerabilities, and manage logs.

Conclusion

PCI DSS is a serious tool for protecting your clients' data and ensuring the security of your business. Compliance shows that you take responsibility for your clients' information, which increases trust and builds a reliable reputation.

The good news is that demonstrating PCI DSS compliance is becoming easier. If you work with a compliant payment aggregator, much of the work is already done for you.

Thus, PCI DSS certification is a reality of modern payment business. Choosing the right payment processing method allows for reliable data protection.

PayGate LLP has successfully undergone certification for compliance with the PCI DSS standard. If you need flexible and secure solutions for accepting payments in Kazakhstan, including various payment methods via phone and QR codes, PayGate offers automated systems that already meet all requirements.

FAQ

What is PCI DSS?

PCI DSS is an international security standard from Visa, Mastercard, and the other card brands, maintained by the PCI SSC. It sets 12 requirements for protecting cardholder data (the PAN) during processing, storage, and transmission, and forbids storing sensitive authentication data such as the CVV and PIN after authorization.

PCI DSS Standard Requirements

Network security controls (firewalls), secure configurations, strong cryptography for stored and transmitted data, anti-malware, least-privilege access with MFA, logging, quarterly vulnerability scans, and annual penetration tests. Version 4.0 (in force since 2024) added a customized approach and targeted risk analyses, strengthening the risk-based side of the standard.

How to Get a PCI DSS Certificate?

For small businesses, a Self-Assessment Questionnaire (SAQ); for large ones, a QSA assessment with a Report on Compliance. Which applies depends on transaction volume (Levels 1-4). The resulting Attestation of Compliance is accepted for one year, after which the assessment is repeated.

Is it Possible Not to Comply with PCI DSS Requirements in Kazakhstan?

No, if you accept cards, it is a condition of the acquirer and payment systems. Fines can reach $200k/month, along with potential blocking.

Author: Paygate
