Understanding PCI DSS Compliance and the benefits of using a Sensitive Data Discovery tool to aid compliance

What is PCI DSS Compliance?

On September 7, 2006, the Payment Card Industry Security Standards Council (PCI SSC) was established to oversee the continuous development of security standards within the Payment Card Industry (PCI). Its primary objective was to enhance the security of payment accounts throughout the transaction process. The PCI DSS (Data Security Standard), which is responsible for safeguarding sensitive cardholder data, is administered, and supervised by the independent PCI SSC . The council was formed collaboratively by prominent payment card brands such as Visa, MasterCard, American Express, Discover, and JCB.

Who does PCI DSS apply to?

PCI DSS compliance affects a huge number of businesses across a wide range of sectors as it is applicable to all organisations, irrespective of their size or transaction volume, that handle, transmit, or store any data related to cardholders.

Are there different PCI DSS compliance requirements depending on the organisation size?

Merchants are categorised into four levels based on their Visa transaction volume within a 12-month period. The transaction volume is determined by the total number of Visa transactions (including credit, debit, and prepaid) conducted by a merchant under a single Doing Business As (DBA) name. In situations where a merchant corporation operates multiple DBAs, the aggregate transaction volume processed, stored, or transmitted by the corporate entity is considered to determine the validation level. However, if the data is not aggregated and the corporate entity does not handle cardholder data for multiple DBAs, acquirers will assess the validation level based on the individual transaction volume of each DBA.

Merchant levels as defined by Visa:

Merchant Level



Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.


Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.


Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.


Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.


Each merchant level is treated differently when it comes to PCI DSS compliance, with Level 4 merchant’s compliance requirements typically being less stringent.  However, all merchants, regardless of their level, must comply with the basic principles and security controls outlined in the PCI DSS to protect cardholder data and maintain a secure payment environment.

How can SecurEnvoy’s Sensitive Data Discovery Tool assist with PCI DSS Compliance?

There are six main areas where SecurEnvoy’s sensitive data discovery tool can assist with PCI DSS compliance.

  1. Identify Cardholder Data: PCI DSS compliance requires organisations to identify and locate cardholder data within their environment. This includes primary account numbers (PANs), cardholder names, service codes, and other sensitive authentication data. SecurEnvoy Data Discovery scans and analyses data repositories, systems, and networks to identify the presence and location of cardholder data.
  2. Scope Reduction: PCI DSS compliance efforts are more manageable and cost-effective when organisations can limit the scope of their cardholder data environment (CDE). SecurEnvoy Data Discovery assists in identifying where cardholder data is stored, processed, or transmitted, allowing organisations to focus their security controls and compliance efforts specifically on those areas.
  3. Data Flow Analysis: Understanding how cardholder data moves within an organisation is crucial for PCI DSS compliance. SecurEnvoy Data Discovery helps to trace the flow of cardholder data across systems, databases, applications, and network segments. This enables organisations to assess the security controls and identify potential vulnerabilities or points of exposure along the data flow paths.
  4. Risk Assessment and Vulnerability Management: PCI DSS mandates regular risk assessments and vulnerability management practices. SecurEnvoy Data Discovery assists in identifying potential risks and vulnerabilities associated with cardholder data. By scanning and analysing data repositories and systems, this sensitive data discovery tool can help detect misconfigurations, unauthorised access, or insecure storage practices that may put cardholder data at risk.
  5. Encryption and Tokenisation: PCI DSS strongly encourages or mandates the use of encryption and tokenisation to protect cardholder data. SecurEnvoy Data Discovery can help identify instances where encryption or tokenisation controls are not implemented or are improperly configured. This ensures that sensitive data is appropriately protected throughout its lifecycle.
  6. Auditing and Reporting: PCI DSS compliance requires regular audits and reporting on the security of cardholder data. SecurEnvoy Data Discovery provides visibility into the presence and location of cardholder data, aiding in PCI DSS compliance reporting and facilitating audits. These tools can generate reports that demonstrate the organisation’s efforts to identify, protect, and monitor cardholder data as required by PCI DSS.


Learn more about SecurEnvoy Data Discovery here >

Published: 13 June 2023

Category: Industry News, Industry Research

Compliance / Data Discovery / Data Security Awareness

Adam Bruce

Adam Bruce, CRO, SecurEnvoy

Adam’s career spans over twenty years, starting with a technical specialisation in Networking and Security. This start provided a sound technical understanding of Cyber Security and gave the foundation for twenty years in commercial sales. Adam’s experience includes over seven years operating within a high-profile Cyber Security VAR, working with household names across a wide range of sectors. Adam joined SecurEnvoy in 2005, as the first sales hire, with a hand in both End User Sales and Channel Development. The fifteen year SecurEnvoy journey has resulted in Adam successfully building out and leading the commercial operations and strategy. He has risen through many roles within the business at SecurEnvoy, culminating as Chief Revenue Officer.

Data Discovery Essentials

Data Discovery


Data discovery across your digital estate.

Essential data discovery for any organisation.

Learn more about SecurEnvoy DD
Cyber Security Blog

Hear more from
our security

Sign-up today

What to read next...