As the Mastercard-designed Compliance and Validation Exemption Program (C-VEP) reshapes how Level 3 and 4 merchants approach PCI compliance, larger enterprises naturally ask: What does this mean for us?
To explore how the evolution to risk-directed security impacts Level 1 and 2 merchants and the broader compliance landscape, we sat down with Michael Aminzade, VikingCloud’s VP of Compliance & Risk Services, for his perspective.
A Closer Look at C-VEP
Q: For those who may not be familiar, can you briefly explain what C-VEP is and how it changes the compliance burden for smaller merchants?
A: C-VEP is a shift from compliance paperwork to continuous risk-directed security assurance. It allows Level 3 and 4 merchants to implement a set of defined security controls that lower their cyber risk to an acceptable threshold. The C-VEP Cyber Risk Score continuously assesses each merchant's unique risk profile, identifying specific security gaps and recommending targeted remediation tools to address them. Once these controls are in place and verified, the merchant is exempt from both PCI DSS compliance requirements and validation processes.
However, that exemption isn't permanent—eligibility depends on maintaining those lower risk levels through ongoing protection and monitoring. Instead of focusing on filling out documentation, smaller merchants now focus on the actual security controls that protect their environment. Many of these businesses don't have in-house technical expertise, so traditional compliance tasks were often a struggle. C-VEP allows them to focus on tangible cybersecurity outcomes rather than administrative checkboxes.
C-VEP’s Impact on L1/L2 - Larger Merchants
Q: Some may assume C-VEP eliminates the need for PCI DSS compliance altogether. Can you clarify why that's not the case, especially for larger merchants (Level 1 and 2)?
A: That's a common misconception. C-VEP doesn't apply to Level 1 or 2 merchants due to the scale and complexity of their environments. These organizations handle significant transaction volumes and store or process large amounts of sensitive data, making them prime targets for cybercriminals. PCI DSS remains fully relevant for these larger environments and will continue to evolve to support the unique challenges they face.
However, Level 1 and 2 merchants can benefit significantly from C-VEP's risk-directed security approach. The same Cyber Risk Score technology and automated tools developed for C-VEP can help QSAs and enterprise merchants identify specific vulnerabilities within their environments—turning compliance assessments into opportunities for targeted risk remediation. These AI-powered tools can also simplify multi-framework compliance, making it more efficient and cost-effective for larger organizations to protect their platforms while continuing to meet their PCI DSS and other requirements. It's about moving beyond checkbox compliance to proactive risk reduction.
Q: What unique risks or complexities do larger merchants face that still require ongoing compliance validation, even in a “post-PAN” world?
A: Even as we move toward tokenization and other data-minimizing technologies, the payment ecosystem still relies on identity information to authorize transactions. Whether that identity is represented by a Primary Account Number (PAN) or a token, it’s still a valuable target. As the data landscape evolves, attackers evolve with it. Larger merchants will always need robust environmental controls and validation processes to safeguard these high-value data flows.
Q: How should Level 1 and 2 merchants think about PCI DSS in light of C-VEP? Does it change their compliance strategy at all, or does it simply reinforce it?
A: It reinforces it. C-VEP is proof that the industry is moving toward a “security-first” mindset rather than a compliance-only one. For larger merchants, PCI DSS remains the baseline; it’s the minimum standard required to handle payment data responsibly.
That said, organizations should look beyond PCI alone. Implementing frameworks such as ISO 27001 can provide a more holistic approach to risk management, helping align cybersecurity investments with both compliance requirements and real-world threats.
The Future of Compliance
Q: The payments ecosystem is evolving rapidly. How do you see the role of compliance shifting as technologies like tokenization and encryption become more widespread?
A: We’re already seeing compliance shift toward assurance-based models. Instead of prescriptive checklists, organizations will increasingly be expected to demonstrate that they’ve analyzed their risks, implemented appropriate controls, and can prove ongoing assurance.
This is the direction many regulatory bodies are moving, especially in the EU. PCI DSS was groundbreaking when it launched, but the future lies in adaptive assurance programs that evolve with technology and business risk.
Q: PCI DSS isn’t going away; it’s expected to evolve into a new “future environment security standard” starting development in 2026. How should merchants interpret this evolution?
A: It’s a very positive step. This next-generation standard will better integrate with other frameworks within the PCI ecosystem and align more closely with global standards like ISO 27001. The goal is to reduce overlap and confusion while improving the quality of assurance across the industry.
Ultimately, it signals that compliance isn’t static; it’s part of an evolving ecosystem designed to protect businesses, customers, and data integrity.
Common Misconceptions
Q: What misconceptions do merchants, large or small, most often have about C-VEP and compliance?
A: The biggest misconception is that compliance is just a cost of doing business. In reality, cybersecurity is how you stay in business.
Today, every organization, regardless of size, is a data company. Payments, identities, and customer behavior are all data-centric. Programs like C-VEP help small merchants put meaningful protections in place while signaling to larger merchants the need to proactively invest in controls and risk management that fit their scale.
Expert Advice for Acquirers, Processors, and Large Merchants
Q: What advice would you give to acquirers, processors, or enterprise merchants navigating this “new world” where C-VEP exists alongside traditional PCI DSS requirements?
A: Understand that both programs serve critical but distinct purposes. C-VEP is about raising the security baseline for small merchants, while PCI DSS and future assurance standards continue to safeguard the broader payment ecosystem.
For acquirers and processors, it’s vital to recognize how these frameworks interconnect and support merchants in adopting them appropriately. The VikingCloud team can help with both implementation and ongoing navigation of this evolving landscape.
Closing Thoughts
Q: Ultimately, what does this mean for the future of merchant compliance? Will we see a divergence between small and large merchant journeys?
A: Yes, but that’s a good thing. For smaller merchants, C-VEP turns non-compliance fees into investments in real cyber controls. For larger merchants, we’ll see more proactive, risk-aligned strategies that treat compliance as a byproduct of strong security, not the other way around.
Q: If you could leave merchants with one takeaway about C-VEP and the future of compliance, what would it be?
A: Embrace the change. The sooner organizations shift their mindset from meeting compliance to managing risk, the sooner they’ll realize the benefits of resilience, customer trust, and long-term competitiveness.
-----
As C-VEP reshapes how smaller merchants approach compliance, larger organizations have an opportunity to assess their own strategies. The future of payment security isn’t about checking boxes; it’s about continuous assurance, proactive risk management, and alignment between technology, regulation, and business goals.
For Level 1 and 2 merchants, PCI DSS remains the foundation for protecting data, maintaining trust, and demonstrating due diligence in an increasingly complex environment. By pairing compliance with a broader security-first mindset, enterprises can stay ahead of both evolving standards and emerging threats.
Learn more about how VikingCloud helps enterprise merchants maintain compliance and reduce risk by visiting https://www.vikingcloud.com/compliance-risk/pci-compliance.