PCI Compliance: The Ultimate Guide

Matthew Speiser

Matthew is a staff writer at Fundera. He has written extensively about ecommerce, marketing and sales, and payroll and HR solutions, but is particularly knowledgeable about merchant services. Matthew's writing has been published in Business Insider, The Fiscal Times, and NJ.com, among others. He has a degree in journalism from the University of Delaware.

There’s a lot that goes into accepting credit card payments. You need to find a payment processor to work with, set up a merchant account, and buy a credit card terminal—preferably one that can accept magstripe, chip card, and contactless forms of payment. If you sell products online, you also need to set up a payment gateway.

Then there are fees: the interchange rate you’ll pay to the credit card network, the markup fee charged by most payment processors, a fee for using a payment gateway, plus additional expenses for things like chargebacks and account maintenance.

There are also rules and regulations for accepting credit card payments. Most of them come from a single security standard, and following it is known as PCI compliance. For small business owners looking to accept credit card payments, PCI compliance is one of those things that is easy to overlook. But do so at your own peril—being PCI noncompliant puts your business and your customers at greater risk of fraud and data breaches. There are also stiff financial penalties for not being PCI compliant.

So let’s learn about what PCI compliance is, why it matters, and how it can help your business.

What Is PCI Compliance?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent body made up of the major payment card brands (Visa, Mastercard, American Express, Discover, and JCB).

According to their website, the job of the PCI SSC is to “help merchants and financial institutions understand and implement standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data.” However, the PCI SSC is not responsible for enforcing the PCI DSS. Instead, the expectation is that payment card brands and merchant acquirers self-regulate when it comes to PCI compliance, given that it is in their best interest to do so.

The PCI SSC website says, “Validation of compliance with the PCI Data Security Standard is determined by individual payment brands. All have agreed to incorporate the PCI DSS as part of the technical requirements for each of their data security compliance programs. The payment brands also recognize qualified security assessors and approved scanning vendors qualified by the PCI Security Standards Council.”

The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. A complete copy of the PCI DSS can be found on the PCI SSC website.


Why Does PCI Compliance Exist?

The PCI SSC was formed in 2006 to safeguard merchants, customers, and the payments industry from the inherent risks in accepting credit card payments. On their website, the PCI SSC explains why PCI compliance matters:

“The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, their credit can be negatively affected—there is enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business), they are also subject to numerous financial liabilities. Following PCI security standards is just good business. Such standards help ensure healthy and trustworthy payment card transactions for the hundreds of millions of people worldwide that use their cards every day.”

There is a variety of information hackers will try to steal from cardholders, including the primary account number (PAN), cardholder name, card expiration date, card identification number (for American Express cards), card security code (for all other payment card brands), as well as the data encoded on the card’s chip or magstripe.


This information can be stolen from a filing cabinet, compromised credit card terminal, data in a payment system database, hidden camera recording the entry of card data, or by someone tapping into your business’s wired or wireless network. In order to protect against these kinds of breaches, the PCI SSC recommends protecting your business’s card readers, point of sale systems, wireless network, payment card data storage and transmission, payment card data stored in paper-based records, and online payment applications and shopping carts.

The PCI DSS applies to all of these potential vulnerabilities and provides business owners with the most up to date standards on how to secure them.

How to Be PCI Compliant

Being PCI compliant involves implementing security controls outlined in the PCI DSS, signing a contract agreeing to a payment brand or merchant acquirer’s terms for PCI compliance, and completing an annual self-assessment. The process can be so complex that there are third-party services that exist to help businesses become PCI compliant.

We don’t want you to spend any more money than you have to in order to be PCI compliant, so we are going to explain to you what you must do to be PCI compliant, and how to do it.

PCI Compliance Requirements

The first thing to understand is that what you must do to be PCI compliant differs from business to business. There are four different levels of PCI compliance, with the requirements for each level varying based on the business type and processing volume during a 12-month period. Each level details the PCI DSS requirements that sellers are responsible for. In order to be PCI compliant you must meet 100% of the criteria.

Note that every credit card brand has slightly different criteria, but generally speaking, these are the four levels of PCI compliance:

Level 1 Merchants

A Level 1 Merchant according to the PCI DSS is a seller that processes over 6 million transactions annually or a merchant that has experienced a data breach or cyberattack that resulted in payment data being compromised. Level 1 merchants are subject to the most stringent PCI compliance standards.

To be PCI compliant, a Level 1 merchant must undergo a Report on Compliance (ROC) by a Qualified Security Assessor (QSA) every year. A ROC is essentially an audit of a seller’s payment policies and procedures to ensure they are compliant with the PCI DSS. A QSA is an independent security organization qualified by the PCI Security Standards Council to validate an entity’s adherence to the PCI DSS. The PCI SSC website provides a list of qualified QSAs across the United States.

A Level 1 Merchant must also undergo a network scan by an Approved Scanning Vendor (ASV) four times a year, where an ASV is an “organization with a set of security services and tools to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS.” The PCI SSC website also provides a list of ASVs in the United States. Hiring a QSA and an ASV are both expenses a seller will have to pay for out of their own pocket.

Finally, a Level 1 Merchant must complete a PCI DSS Self-Assessment Questionnaire and submit it to their merchant acquirer each year. The Self-Assessment Questionnaire includes a series of yes or no questions for each applicable PCI Data Security Standard requirement. If an answer is no, your organization may be required to state the future remediation date and associated actions. The Self-Assessment Questionnaire also comes with an Attestation of Compliance that must be completed and submitted.

Level 2 Merchants

A Level 2 Merchant is classified as a seller that processes between 1 million and 6 million transactions annually. To be PCI compliant as a Level 2 Merchant, you must complete a PCI DSS Self-Assessment Questionnaire and receive a network scan from an ASV, then submit evidence of both to your merchant acquirer along with an Attestation of Compliance annually.

Level 3 Merchants

A Level 3 Merchant is a seller that processes between 20,000 and 1 million ecommerce transactions annually. The standards for compliance as a Level 3 Merchant are the same as for a Level 2 Merchant: Complete a Self-Assessment Questionnaire and Attestation of Compliance, receive a network scan from an ASV, and submit evidence of all three to your merchant acquirer.

Level 4 Merchants

Level 4 Merchants are sellers that process under 1 million transactions annually and ecommerce merchants that process under 20,000 transactions annually. The standards are the same as for Level 2 and 3 merchants: Complete the Self-Assessment Questionnaire and Attestation of Compliance, receive a network scan from an ASV, then submit all three to your merchant acquirer.

Meeting PCI Compliance Requirements

So how do you pass an ROC, network scan, and Self-Assessment in order to meet the requirements of PCI compliance? The PCI DSS explains the seven main goals of PCI compliance, and lays out the steps you need to take to meet those goals. We’ll list them here:

Goals, with the PCI DSS requirements under each:
Build and maintain a secure network
  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
  • Use and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.
Implement strong access control measures
  • Restrict access to cardholder data based on who needs to know within your organization.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
Regularly monitor and test networks
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
Maintain an information security policy
  • Maintain a policy that addresses information security for employees and contractors.

PCI Compliance Best Practices

Along with explaining how to meet PCI DSS requirements, the PCI SSC also provides some best practices to help merchants maintain PCI compliance. They are as follows:

  • Buy and use only approved PIN entry devices at your POS.
  • Buy and use only validated payment software at your POS or website shopping cart.
  • Do not store any sensitive cardholder data in computers or on paper.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software as most are unsafe.
  • Regularly check PIN entry devices and computers to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data.
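The requirement “Protect stored cardholder data” in the table above and the best practice “Do not store any sensitive cardholder data in computers or on paper” come down to the same practical check: is a full PAN sitting in your logs, exports, or databases where it should not be? The following is an added example, not code from the PCI SSC or from this article, showing how a defender can scan text for unmasked PANs and mask what is found. It assumes the PCI DSS masking rule that a displayed PAN shows at most the first six and last four digits, uses the Luhn check to weed out digit strings that merely look like card numbers, and scans a few constructed log lines that use the card brands’ published test numbers rather than real cards.

```python
"""Scan text (log lines, exported records) for unmasked primary account
numbers (PANs), confirm candidates with the Luhn check, and mask them the
way PCI DSS permits for display: first six and last four digits only.

Added example; the sample log lines below are constructed, and the card
numbers in them are the brands' well-known test numbers, not real cards.
"""
import re

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or
# hyphens, and not part of a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. Line 3 is a 16-digit value that fails the
# Luhn check; line 4 is a 13-digit tracking number that also fails it.
SAMPLE_LOG = [
    "2024-01-15T10:02:11Z INFO order=98231 card=4111111111111111 exp=12/26 amount=42.00",
    "2024-01-15T10:02:12Z INFO refund ref=5555 5555 5555 4444 amount=10.00",
    "2024-01-15T10:02:13Z WARN retry trace=4111111111111112 attempt=2",
    "2024-01-15T10:02:14Z INFO shipment tracking=1234567890123 carrier=X",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by
    payment card numbers; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits (PCI DSS display
    masking); every digit in between is replaced with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate: str) -> str:
    """Strip the separators a PAN may have been written with."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the unmasked PANs found in `text`, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in `text` with its masked form; other
    digit runs are left untouched."""
    def _sub(m: re.Match) -> str:
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scan_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Report (1-based line number, masked PANs) for each line that holds an
    unmasked PAN. The report itself only ever contains masked values, so it
    can be stored or shared without recreating the problem it describes."""
    report = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            report.append((n, [mask_pan(p) for p in pans]))
    return report


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN(s) found -> {', '.join(masked)}")
    print("--- redacted copy ---")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Running the script flags lines 1 and 2 and prints a redacted copy; lines 3 and 4 are left alone because their digit runs fail the Luhn check. A scan like this is a useful periodic control over application logs and database exports, but it is a detection aid, not a substitute for not logging the PAN in the first place, and it says nothing about card security codes, which must not be stored after authorization at all.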

Cost of PCI Compliance

The cost of PCI compliance includes a cost for submitting a Self-Assessment Questionnaire, Attestation of Compliance, and ROC, as well as hiring an ASV or QSA. Generally speaking, the higher your level of PCI compliance, the more you will have to pay. This is because the higher your level, the larger your business, and ASVs and QSAs usually quote based on the size of your business.

If you have a dedicated merchant account, you will have to go about remaining PCI compliant on your own. But certain merchant services providers will work directly with credit card brands to maintain PCI compliance, while only charging you a small monthly or annual fee. Some merchant services providers, like Square, offer you PCI compliance at no cost whatsoever.

Penalties for Noncompliance

There are obviously inherent risks in not being PCI compliant: You leave your business more vulnerable to data breaches, fraud, and other incidents that could damage your brand. Credit card brands and merchant acquirers will also make you pay a financial penalty for being noncompliant.

Remaining PCI compliant is often in the contract you sign with your merchant acquirer, or the contract they sign with a credit card brand. Being noncompliant could cause a credit card brand to levy fines between $5,000 and $100,000 for each month a merchant acquirer is noncompliant—and your merchant acquirer will pass those fines along to you.

The PCI SSC also lists other issues your business may face for being PCI noncompliant, including:

  • Loss of customer loyalty
  • Reduced sales
  • Cost for reissuing new payment cards
  • Higher future costs of compliance
  • Increased legal fees
  • Loss of ability to accept credit cards

Last Word on PCI Compliance

PCI compliance can seem like a tedious regulation, but it is really in the best interest of your business to comply. There are lots of services out there to help you get started, including the PCI SSC website. You can also hire third-party vendors to ensure your payment systems are safe and secure. PCI compliance offers peace of mind to you, your business, and your customers.

