PCI Compliance: The Ultimate Guide

PCI compliance helps businesses protect their customers' card data.
Kurt WoockOct 22, 2021

Many or all of the products featured here are from our partners who compensate us. This may influence which products we write about and where and how the product appears on a page. However, this does not influence our evaluations. Our opinions are our own. Here is a list of our partners and here's how we make money.

Payment card industry, or PCI, compliance is the process businesses use to assess and confirm the security of customer card data. This data — including credit card account numbers and security codes — weaves through a number of different systems each time a transaction is made. Part of the responsibility of securing it lies with business owners. Not following the proper procedures can lead to serious problems, including fines of thousands of dollars. Understanding how this process works and what to do is a must for anyone who wants to take card payments.

PCI compliance: What is it, who runs it and why?

Whenever a card is used, a customer’s card information is captured, transmitted and sometimes stored by the merchant. In 2006, American Express, Discover, JCB International, Mastercard and Visa founded the PCI Security Standards Council with the goal of standardizing security protocols and practices required of those involved in card transactions. These standards apply to digital and physical practices and records.

Source: PCI SCC

Data security isn’t an issue for large, well-known companies only. A National Cyber Security Alliance survey found that about 1 in 4 small businesses had a data breach in one 12-month period and, of those, 1 in 3 ended up filing for bankruptcy or shutting down.

PCI compliance applies to businesses of all sizes, from international conglomerates to your local pizza place, though specific requirements can vary. These requirements typically include some combination of:

  • An assessment to determine how secure the systems and practices of a business are. Large businesses are required to hire a third-party firm to do this assessment while most small businesses can perform a self-assessment.

  • A scan of the network the business uses. This is a technical exercise that requires the use of an outside firm.

Who’s involved in PCI compliance?

Generally, the rules that help safeguard card information are agreed to and enforced in contracts rather than by laws.

Entity

Role in PCI compliance

PCI Security Standards Council

  • Creates broad security standards.

  • Certifies vendors.

  • Tests and certifies payment technology.

Credit card networks, like Visa and Mastercard

  • Founded the PCI Security Standards Council.

  • Each card network creates its own set of specific requirements, guided by the security standards set by the PCI Security Standards Council.

Business owners

  • Meet the requirements set forth by their merchant account provider.

Merchant account providers

  • Follow rules set by card networks.

  • Establish requirements for businesses that hold merchant accounts.

The PCI Security Standards Council neither creates nor enforces the specific rules a merchant account provider might require of its customers — it’s best to refer directly to the terms found in your contract. However, the rules are broadly similar thanks to the common language and shared goals it maintains. Meeting the requirements means your business is in compliance. If you aren’t in compliance, you could face fines or lose your merchant account.

It’s important to note that many businesses use payment service providers, like Square or Stripe, in lieu of using a merchant account. In these instances, the payment service provider often takes on many of the compliance responsibilities as it — not the small businesses that use it — holds the merchant account with a bank. Still, it’s best to check directly with whichever financial service you use to verify what is expected of you and what assistance they offer.

Finally, some payment processors charge PCI compliance fees. Sometimes these fees include services, like access to consultants who help you complete compliance requirements. Weighing the cost of this fee, if any, against the services you receive can play a role in choosing the best payment processor for you.

How does PCI compliance work?

The details of PCI compliance can quickly get technical. However, the PCI Security Standards Council’s guidelines, called the Payment Card Industry Data Security Standard, or PCI DSS, shows what the overarching goals are in straightforward terms. Pursuing these six goals, by meeting the 12 primary requirements that support them, makes it difficult for bad actors to access sensitive payment data.

Build and maintain a secure network

1. Install and maintain a firewall.

2. Use strong passwords.

Protect cardholder data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data.

Maintain a vulnerability management program

5. Use up-to-date antivirus software.

6. Develop and maintain secure systems and applications.

Implement strong access control measures

7. Grant access to cardholder data only as business needs warrant.

8. Assign a unique identification to each person who can access cardholder data.

9. Restrict physical access to cardholder data.

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an information security policy

12. Maintain a policy that addresses information security for employees and contractors.

Nerdy tip: Be aware that the PCI Security Standards Council will be releasing a major update to these guidelines in the first half of 2022 followed by a multiyear transition period.

Compliance requirements

Determining how well your business adheres to these standards in a practical sense requires a thorough checkup. That’s the purpose of the required assessment of a business’s security practices every year.

While the requirement is universal, there's no one-size-fits-all assessment. Instead, the type of annual assessment a business takes depends on a few factors, including the size of the business as measured by the volume of card transactions. A business falls into one of four tiers:

Level 1 merchants are businesses that process more than 6 million card transactions per year or have had a hack or attack that led to data loss.

  • A PCI Security Standards Council Qualified Security Assessor, or QSA, or a PCI Security Standards Council Internal Security Assessor, or ISA, must perform an annual PCI DSS assessment. These third-party experts help companies determine how effective their security practices are.

  • File a Report on Compliance, or ROC.

  • An Approved Scanning Vendor, or ASV, must perform a quarterly network scan. A network scan, which is typically performed remotely, detects vulnerabilities in a business’s website, network or other exploitable system.

  • Submit an Attestation of Compliance, or AOC, form.

Level 2 merchants process 1 million to 6 million card transactions per year.

  • Complete self-assessment questionnaire, or SAQ.

  • An Approved Scanning Vendor, or ASV, must perform a quarterly network scan.

  • Submit an Attestation of Compliance, or AOC, form.

Level 3 merchants process 20,000 to 1 million online card transactions per year.

  • Complete self-assessment questionnaire, or SAQ.

  • An Approved Scanning Vendor, or ASV, must perform a quarterly network scan.

  • Submit an Attestation of Compliance, or AOC, form.

Level 4 merchants process less than 20,000 online card transactions or up to 1 million total transactions per year.

  • Complete a self-assessment questionnaire, or SAQ, or other requirement stated by the merchant acquirer.

  • Might be required to have an Approved Scanning Vendor, or ASV, perform a quarterly network scan.

  • Submit an Attestation of Compliance, or AOC, form.

Most small businesses fall under Level 4 and are required to perform a self-assessment. The self-assessment questionnaire has multiple versions. The manner in which a business accepts card payments determines which one to take. For example, Questionnaire B is for a merchant who doesn't use an electronic imprint machine to gather customer card information while Questionnaire A-EP is for businesses that outsource all payment processing to certified third parties.

Another tip: PCI Security Standards Council maintains lists of certified Approved Scanning Vendors, Qualified Security Assessors and Internal Security Assessors.

Simple steps to become more secure

Given the technical nature of data security, completing the questionnaire can be challenging for small-business owners. However, there are ways to make the process easier.

One place to look is on the PCI Security Standards Council website.

"We want to make payment security as frictionless as possible," says Troy Leach, senior vice president and engagement officer at PCI Security Standards Council. "We create standards and focus on training merchants to understand those standards."

Practice good data hygiene

Setting up good data habits before undergoing a self-assessment can make the process smoother. The self-assessment consists of yes-or-no questions; if you answer "no" to any of them, you must address the issue before submitting it. Much of the advice on securing data mirrors best practices you might already be familiar with when securing your own personal devices, including:

  • Use strong passwords. This might sound simple, but millions of people still use poor passwords, like "password" and "123456."

  • Keep software updated. Leach says older point-of-sale terminals can be particularly vulnerable. Newer, cloud-based systems are built with strong encryption, typically receive updates automatically and are a fraction of the cost of their decades-old counterparts.

  • Store only what you need to. For example, you probably don’t need to store physical copies of receipts. "When a chargeback happens, you don’t need to have an account number stored in order to have this dispute resolved," Leach says.

  • Don’t click on suspicious links. "My most important tip is be sure of what you’re clicking," Leach says.

Other best practices address business-specific issues:

  • Only use card readers and payment software that are validated by the PCI Security Standards Council.

  • Make sure employees know about protecting cardholder data.

Get help with the paperwork

Self-assessment questionnaires are technical in nature and can frustrate business owners, says Gary Glover, vice president of assessments at SecurityMetrics.

Some people are tempted to simply check "yes" to all the questions without giving the questionnaire much thought. "People just get frustrated," he says. "We see this a lot. This is a business risk you’re taking." Glover says that if a business owner does this and is later compromised, penalties are often stiffer.

Business owners can benefit from help from an expert. Where do you start to find someone? "I’d go to the bank and see if there’s anyone they work with on compliance," Glover says. Banks that offer merchant accounts often form partnerships with trusted cybersecurity companies that help businesses of all sizes walk through the steps necessary to achieve compliance. These companies often also perform approved vendor scans.

Working with outside experts can run a few hundred dollars, but the time saved can be worth it. In addition, expert advice in reducing risk levels can also help reduce your risk of incurring fines that run into the thousands if your business were compromised.

Choose systems that make compliance easier

Glover says that business decisions about technology, like choosing a point-of-sale, or POS, system, can make achieving PCI compliance easier. This means that, for many small businesses, the best solution is often a cloud-based aggregator that integrates payment processing, a POS system, EMV readers and other features that help minimize security risks. These end-to-end systems are secure, low-maintenance and often include PCI compliance support.

Contrasted with this type of solution is a business owner who pieces together a system using an array of products and services, either personally or through a third-party vendor. These systems can be less secure and often rely on the owner to keep everything up-to-date. If you face compliance issues with these systems, compare the cost of bringing your system into compliance to the cost of migrating over to an integrated system.

Compliance resources checklist

Understand your business

  • Know which tier your business falls under.

  • Know which assessment you are required to take.

Talk to your payment processor about the following

  • Ensure you understand the specific compliance requirements in your contract.

  • Ask whether they have consultant recommendations should you need help.

  • Verify whether you are paying a PCI compliance fee.

  • Inquire about any compliance services they provide or recommend.

Get help from the experts

  • Use resources on the PCI Security Standards Council website to learn more about securing customer data.

  • For help finding an Approved Scanning Vendor or someone to help with your assessment, talk to your financial partners or use the vendor lists PCI Security Standards Council keeps.