What Is PCI Compliance? A Guide for Small-Business Owners
How does PCI compliance work?
- Know whom you work with. The type of payment service you use can affect the compliance process. Payment service providers — like Square or Stripe — often take on some responsibilities themselves. You may not need to do anything. Check with your PSP to be sure.
- Review your contract. Businesses that use individual merchant accounts will likely have more work to do. Your PCI compliance requirements should be in the terms and conditions of your account agreement.
- Determine your merchant level. PCI compliance rules divide businesses into four groups (levels 1-4). How many transactions you process yearly determines your level. Larger businesses may need to hire a third party to audit them.
- Find the appropriate paperwork. Smaller businesses can assess themselves. There are multiple self-assessment questionnaires. You can find them in the PCI Security Standards Council’s document library. Which you use depends on how you handle card data.
- Complete the self-assessment questionnaire. Your merchant bank or payment processor should be able to help if you run into issues, including if you’re unsure which form to use.
- Repeat the process. PCI compliance isn’t a one-time exercise. Businesses should complete this task each year.
Is PCI compliance required by law?
What are the requirements to be PCI compliant?
1. Install and maintain a firewall.
2. Change vendor-supplied default passwords and security settings.
3. Protect stored cardholder data.
4. Encrypt cardholder data when transmitting it across open, public networks.
5. Use and regularly update antivirus software.
6. Develop security systems and processes.
7. Restrict access to cardholder data to a need-to-know basis.
8. Assign user IDs to everybody with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor who accesses networks and cardholder data.
11. Regularly test systems and processes.
12. Have a policy on information security.
Do PCI compliance requirements change?
Who sets PCI compliance standards?
How much does PCI compliance cost?
How to become PCI compliant
Practice good data hygiene
- Use strong passwords.
- Keep software updated. Older point-of-sale terminals can be particularly vulnerable. Newer cloud-based systems are built with strong encryption and typically receive updates automatically.
- Store only what you need. You probably don’t need physical copies of receipts, for instance.
- Don’t click on suspicious links.
- Only use card readers and payment software validated by the PCI Security Standards Council.
- Educate employees about protecting cardholder data.
Take the paperwork seriously
Use systems that make compliance easier
Compliance resources checklist
Understand your business
- Find out which level your business falls under. How many transactions your business completes each year determines this. You can ask your payment processor for details or visit the PCI Security Standards Council’s website for more information.
- Find out which assessment to use.
Talk to your payment processor
- Understand the specific compliance requirements in your contract.
- Ask for consultant recommendations should you need help.
- Check whether you are paying a PCI compliance fee.
- Find out if it provides or recommends compliance services.
Get help from experts