Updated Nov 20, 2023

What Is PCI Compliance?

Sue Marquette Poremba, Contributing Writer


The payment card industry (PCI) comprises all companies involved with credit and debit card transactions. For commerce and retail, and for any institution that issues any type of credit, debit or prepaid card, complying with the PCI standards is essential. The Payment Card Industry Data Security Standard (PCI DSS) applies to every business that stores, processes or transmits cardholder data, which in practice means every business that accepts these forms of payment. 

Even if your business employs only a few people and conducts one credit card transaction per month, your company must be PCI DSS compliant. Knowing what PCI compliance entails is central to your financial security and customer loyalty. Read ahead for a guide on PCI compliance and for answers to merchants’ most commonly asked questions about compliance for small businesses.

What is PCI compliance?

PCI compliance means meeting the requirements set forth by the Payment Card Industry Security Standards Council (PCI SSC), the organization that develops and maintains the PCI standards. Merchants must comply with these standards no matter how few credit card transactions they conduct.

However, this may be easier said than done. The Verizon 2023 Payment Security Report found that only 43 percent of companies maintain a sustainably compliant security environment. Those found not in compliance may be subject to hefty fines.


Every company that accepts credit and debit cards is required to follow PCI DSS, no matter its size (although the PCI SSC does provide help for small businesses). However, merchants are grouped into four levels by transaction volume. The level does not change which requirements apply; all 12 apply to everyone. It determines how compliance must be validated: the more transactions, the more rigorous the validation (for example, an on-site assessment by a Qualified Security Assessor rather than a self-assessment questionnaire). The tiers below are Visa's; the other card brands publish similar tiers. 

  • Level 1: Any merchant, regardless of the acceptance channel, that processes over six million Visa transactions per year and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • Level 2: Any merchant, regardless of the acceptance channel, that processes one million to six million Visa transactions per year.
  • Level 3: Any merchant that processes 20,000 to one million Visa e-commerce transactions per year.
  • Level 4: Any merchant that processes fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of the acceptance channel, that process up to one million Visa transactions per year.

12 requirements for PCI DSS

There are 12 requirements to meeting the PCI DSS. The wording below is that of PCI DSS v3.2.1; v4.0, published in 2022, keeps the same 12 requirement areas with updated wording and additional controls:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data on a business need-to-know basis.
  8. Identify and assign a unique ID to all personnel with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.

Why PCI compliance matters

Many high-profile data breaches have occurred through stolen credit and debit card information in the retail and service industries, so consumers want to know that they are doing business safely. PCI compliance doesn’t guarantee a data breach won’t happen, but it adds safeguards. 

If your business is found to be noncompliant, you could face fees of $5,000 to $100,000 per month. If noncompliance persists, your business could be stripped of payment processing services.

Did you know: PCI DSS compliance can help your business protect consumer data and help you avoid the hefty fines that result from noncompliance.

How to stay PCI compliant

PCI compliance is nonnegotiable if you accept credit and debit cards, but preparing for a PCI audit and ensuring that your company meets credit card compliance standards can be daunting.

Jeff VanSickel, VP CyberGRC manager at The Bancorp, provided a few tips for preparing for a PCI assessment and keeping your standards at secure levels at all times:

  1. Identify all business and client data. This includes any cardholder data, its sensitivity and its criticality. Correctly defining the scope of assessment is probably the most difficult and important part of any PCI compliance program, VanSickel said. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.
  2. Understand the boundaries of the cardholder data environment (CDE). Monitor all of the data that flows into and out of it. Any system that connects to the cardholder data environment, or can affect its security, is within the scope of compliance and, therefore, must meet PCI requirements. The cardholder data environment includes all processes, technology and people that store, process or transmit cardholder data or sensitive authentication data, together with all connected system components, including virtualization components such as hypervisors and virtual machines. Network segmentation is not required, but when it is properly implemented and verified it keeps out-of-scope systems from being pulled into the assessment.
  3. Establish operating controls. This measure is necessary to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must also be properly disposed of at the end of its life span. “Backups must also preserve the confidentiality and integrity of cardholder data,” VanSickel said. “Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.”
  4. Have an incident response plan in place. When a security incident occurs, have a plan to return to secure operations as quickly as possible. This plan should define roles, responsibilities, communication requirements and contact strategies in the event data is compromised, including notification of the payment brands, legal counsel and public relations. “Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary,” VanSickel said.
  5. Explain and enforce security procedures. You can never be sure that employees understand security practices and behaviors that can put your business at risk. It is up to you to make sure everyone in the company, including IT specialists and upper management, is educated on PCI compliance procedures.
Key takeaway:

PCI compliance involves properly tracking the right data and having an incident response plan in place, including security procedures to follow in the event of a breach.

PCI compliance FAQs

PCI compliance, or, more officially, Payment Card Industry Data Security Standard (PCI DSS) compliance, is adherence to a set of standards established by the Payment Card Industry Security Standards Council (PCI SSC). This council was formed in 2006 by the major card brands: Visa, Mastercard, American Express, Discover and JCB (the Japan Credit Bureau). Businesses that accept any amount of credit card payments may be fined if they don't follow these standards.

The data that falls under PCI compliance comes in two categories. The first is "cardholder data," which may include the following information:

  • Account numbers, also known as primary account numbers (PANs), which must be rendered unreadable wherever they are stored (by truncation, tokenization, hashing or strong encryption) and masked when displayed, showing at most the first six and last four digits
  • The cardholder name, expiration date and service code, when they are stored together with the PAN

The second is "sensitive authentication data," which is used to authenticate the cardholder and may never be stored after a transaction is authorized, even in encrypted form:

  • Full track data from the magnetic stripe or the chip
  • Debit card PINs and PIN blocks
  • Card verification codes (CVV2, CVC2 and CID) printed on credit and debit cards
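The two preceding passages, defining the scope of the cardholder data environment and protecting the data listed above, both come down to finding where card data actually lives. The following Python script is an added example, not code from the original article or from any source quoted in it. It scans constructed application log lines for primary account numbers, uses the Luhn check to discard look-alike digit runs, masks each real PAN to the first six and last four digits that PCI DSS permits to be displayed, and flags lines that carry sensitive authentication data such as a card verification code, which must be deleted rather than masked. The log lines, the field names and the test card numbers are all constructed for the example.

```python
import re

# Constructed sample log lines (not from any real system). The card numbers
# are public test numbers that pass the Luhn check; the 16-digit "ref" value
# deliberately does not, to show the check filtering a false positive.
SAMPLE_LOG = """\
2023-11-20T10:01:02Z INFO order=1001 card=4111111111111111 amount=19.99
2023-11-20T10:01:03Z INFO order=1002 txid=123456789012 amount=5.00
2023-11-20T10:01:04Z DEBUG callback payload={"pan":"5555555555554444","cvv":"123"}
2023-11-20T10:01:05Z INFO order=1003 ref=1234567890123456 amount=42.00
2023-11-20T10:01:06Z INFO order=1004 phone=+1-555-0100 amount=12.00
"""

# A PAN is 13 to 19 digits; the lookarounds stop us matching the middle of a
# longer digit run (for example a transaction ID).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Field names under which sensitive authentication data tends to leak into logs.
# Such lines cannot be fixed by masking: the data must not be retained at all.
SAD_KEY_RE = re.compile(r'"?(cvv2?|cvc2?|cid|pin|track[12]?)"?\s*[:=]', re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the maximum PCI DSS allows on display: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in the text, in order of appearance."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def redact_log(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in the text; return the new text and the count."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        run = match.group(0)
        if luhn_ok(run):
            count += 1
            return mask_pan(run)
        return run              # not a card number: leave it untouched

    return PAN_RE.sub(repl, text), count


def find_sad_lines(text: str) -> list[int]:
    """Return 1-based line numbers that appear to contain sensitive authentication data."""
    return [n for n, line in enumerate(text.splitlines(), 1) if SAD_KEY_RE.search(line)]


if __name__ == "__main__":
    redacted, n = redact_log(SAMPLE_LOG)
    print(f"masked {n} PAN(s):")
    print(redacted)
    for ln in find_sad_lines(SAMPLE_LOG):
        print(f"line {ln}: sensitive authentication data present; delete, do not mask")
```

Run against a real log directory, a scan like this is the quickest way to learn that a "non-card" system is in scope after all; a PAN in a debug log pulls the host that wrote it, and the host that stores the log, into the cardholder data environment.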

You should routinely review your PCI compliance practices to ensure you're meeting all requirements. Do this on at least a quarterly basis, perhaps with the help of professional PCI compliance assessors; the standard itself requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) in addition to the annual validation. After that, address any vulnerabilities you find.

While PCI compliance is a requirement for all companies processing credit card transactions, technically, it's not mandated by federal law. PCI DSS is enforced contractually instead: the card brands require it through the agreements merchants sign with their acquiring banks and payment processors, which is how fines and other penalties are imposed. Some states, such as Minnesota and Nevada, have also enacted statutes that reference or mandate PCI compliance. Either way, the standard is backed by all of the major card brands, so its rules are worth following.

For taking credit cards by phone, the following protocol should be observed:

  • Make sure you are using a secure network to accept PANs and other sensitive information.
  • Ensure your phone system is PCI compliant.
  • Use landlines whenever possible, as smartphones can present more security risks.
  • If your business records phone calls, pause recording while card details are read out, or redact them from the recording. A recording that retains a card verification code is stored sensitive authentication data, which is never permitted.
  • Never write down the card information being relayed over the phone.
  • Ensure all employees are trained on your PCI compliance procedures.

The card brands can levy fines of several thousand dollars per month or more, without regard for the size of your business. The fines are imposed on your acquiring bank, which passes them on to you under your merchant agreement. These fees can be devastating for small businesses, which makes compliance essential.

You may experience nonfinancial penalties as well. For example, your acquirer may choose to stop working with your business, which leaves you with fewer payment options to provide customers. Or you may face a public relations nightmare as more people learn about a security breach and are afraid to give your company their sensitive information. You may also be subject to regulatory investigation or legal action.

There is no "PCI certificate" as such; what your acquirer asks for is validation of compliance. Level 1 merchants must have a Qualified Security Assessor (QSA) perform an on-site assessment and produce a Report on Compliance (ROC), a process that can take months. Merchants at lower levels generally validate by completing the Self-Assessment Questionnaire (SAQ) that matches how they accept cards. Either route ends in an Attestation of Compliance (AOC) that you can share with your acquirer and business partners. Validation is distinct from compliance: you must be compliant at all times, while validation is what you demonstrate, typically once a year.

The moment your customer hands over a credit or debit card, you become responsible for keeping the data associated with that card secure. While the above steps are primarily meant to prepare you for a PCI audit, they will also provide a safety net in between assessments.

PCI compliance keeps your business secure

If you run a business and plan to accept credit card payments, you should be familiar with PCI compliance requirements. Taking steps to comply with these standards and protect credit card information is key to avoiding large fines, but that's not all. It's also essential for your financial security, as well as your customers'. 

Natalie Hamingson and Stella Morrison contributed to this article. Source interviews were conducted for a previous version of this article.

Sue Marquette Poremba, Contributing Writer
Sue Marquette Poremba is a freelance writer based in State College, Pennsylvania. She primarily covers cybersecurity and emerging technology, with an emphasis on how emerging technology and cybersecurity overlap. 