PCI Compliance: The Ultimate Guide

Learn what PCI compliance is, why it matters, how it can help your business and the risk of noncompliance.

Matthew Speiser, Jul 29, 2020

PCI compliance is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. PCI compliance is administered and managed by the PCI Security Standards Council (SSC), an independent body comprised of the major payment card brands. Different business types will have to meet different requirements to maintain PCI compliance, and there are stiff penalties for being non-compliant.

For small-business owners looking to accept credit card payments, PCI compliance is one of those things that is easy to overlook. PCI compliance can seem like a tedious regulation, but it is really in the best interest of your business to comply. Being PCI non-compliant puts your business and your customers at greater risk of fraud and data breaches. There are also stiff financial penalties for not being PCI compliant.

There are lots of services out there to help you get started, including the PCI SSC website. You can also hire third-party vendors to ensure your payment systems are safe and secure. PCI compliance offers peace of mind to you, your business and your customers.

What is PCI compliance?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent body comprised of the major payment card brands (Visa, Mastercard, American Express, Discover and JCB).

However, the PCI SSC is not responsible for enforcing the PCI DSS. Instead, the expectation is that payment card brands and merchant acquirers self-regulate when it comes to PCI compliance, given that it is in their best interest to do so.

The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. A complete copy of the PCI DSS can be found on the PCI SSC website.

Why does PCI compliance exist?

The PCI SSC was formed in 2006 to safeguard merchants, customers and the payments industry from the inherent risks in accepting credit card payments.

There is a variety of information hackers will try to steal from cardholders, including the primary account number (PAN), cardholder name, card expiration date, card identification number (for American Express cards), card security code (for all other payment card brands) and the card’s chip or magstripe.

Source: PCI SSC

This information can be stolen from a filing cabinet, a compromised credit card terminal, a payment system database or a hidden camera recording the entry of card data, or by someone tapping into your business’s wired or wireless network. To protect against these kinds of breaches, the PCI SSC recommends securing your business’s card readers, point-of-sale systems, wireless network, payment card data storage and transmission, payment card data stored in paper-based records, and online payment applications and shopping carts.

The PCI DSS applies to all of these potential vulnerabilities and provides business owners with the most up-to-date standards on how to secure them.

How to be PCI compliant

Being PCI compliant involves implementing security controls outlined in the PCI DSS, signing a contract agreeing to a payment brand or merchant acquirer’s terms for PCI compliance and completing an annual self-assessment. The process can be complex, though. Third-party services exist to help businesses become PCI compliant.

PCI compliance requirements

What you must do to be PCI compliant differs from business to business. There are four different levels of PCI compliance, with the requirements for each level varying based on the business type and processing volume during a 12-month period. Each level details the PCI DSS requirements that sellers are responsible for. In order to be PCI compliant, you must meet 100% of the criteria.

Note that every credit card brand has slightly different criteria, but generally speaking, these are the four levels of PCI compliance:

Level 1 Merchants

A Level 1 Merchant is a seller that processes over 6 million transactions annually or a merchant that has experienced a data breach or cyberattack that resulted in payment data being compromised. Level 1 merchants are subject to the most stringent PCI compliance standards.

To be PCI compliant, a Level 1 merchant must undergo a Report on Compliance (ROC) by a Qualified Security Assessor (QSA) every year. An ROC is essentially an audit of a seller’s payment policies and procedures to ensure they are compliant with the PCI DSS. A QSA is an independent security organization qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. The PCI SSC website provides a list of qualified QSAs across the United States.

A Level 1 Merchant must also undergo a network scan by an Approved Scanning Vendor (ASV) four times a year. The PCI SSC defines an ASV as an “organization with a set of security services and tools to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS.” The PCI SSC website also provides a list of ASVs in the United States. Hiring a QSA and an ASV are both expenses a seller has to pay for out of pocket.

Finally, a Level 1 Merchant must complete a PCI DSS Self-Assessment Questionnaire and submit it to its merchant acquirer each year. The Self-Assessment Questionnaire includes a series of yes or no questions for each applicable PCI Data Security Standard requirement. If an answer is no, your organization may be required to state the future remediation date and associated actions. The Self-Assessment Questionnaire also comes with an Attestation of Compliance that must be completed and submitted.

Level 2 Merchants

A Level 2 Merchant is classified as a seller that processes between 1 million and 6 million transactions annually. To be PCI compliant as a Level 2 Merchant, you must complete a PCI DSS Self-Assessment Questionnaire and receive a network scan from an ASV, then submit evidence of both to your merchant acquirer, along with an Attestation of Compliance, annually.

Level 3 Merchants

A Level 3 Merchant is a seller that processes between 20,000 and one million e-commerce transactions annually. The standards for compliance as a Level 3 Merchant are the same as for a Level 2 Merchant: Complete a Self-Assessment Questionnaire and Attestation of Compliance, receive a network scan from an ASV and submit evidence of all three to your merchant acquirer.

Level 4 Merchants

Level 4 Merchants are sellers that process under one million transactions annually and e-commerce merchants that process under 20,000 transactions annually. The standards are the same as for Level 2 and 3 merchants: Complete the Self-Assessment Questionnaire and Attestation of Compliance, receive a network scan from an ASV, then submit all three to your merchant acquirer.

Meeting PCI compliance requirements

How do you pass an ROC, network scan and Self-Assessment in order to meet the requirements of PCI compliance? The PCI DSS explains the seven main goals of PCI compliance and lays out the steps you need to take to meet those goals.

Build and maintain a secure network

  • Install and maintain a firewall configuration to protect cardholder data.

  • Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  • Protect stored cardholder data.

  • Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

  • Use and regularly update anti-virus software or programs.

  • Develop and maintain secure systems and applications.

Implement strong access control measures

  • Restrict access to cardholder data based on who needs to know within your organization.

  • Assign a unique ID to each person with computer access.

  • Restrict physical access to cardholder data.

Regularly monitor and test networks

  • Track and monitor all access to network resources and cardholder data.

  • Regularly test security systems and processes.

Maintain an information security policy

  • Maintain a policy that addresses information security for employees and contractors.
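Two of the goals above, protecting stored cardholder data and tracking access to it, are usually operationalised with a cardholder-data discovery check: find any primary account number (PAN) that has leaked into logs or files in the clear, and make sure only a masked form is kept. The following Python example is added here and is not from the article or the PCI SSC. It scans constructed log lines for digit runs that pass the Luhn check (the check-digit algorithm every major card brand uses), reports the hits, and rewrites them with the masking PCI DSS permits for displayed PANs (at most the first six and last four digits). The log format, field names and the `scan_log`/`redact_line` helpers are assumptions made for the illustration; the card numbers are the brands’ published test numbers, not real accounts.

```python
from __future__ import annotations
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit verification, as used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display: keep at most the first six and last four digits."""
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (raw_match, digits) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        # The Luhn check is what separates a PAN from an order id or timestamp
        # of the same length, so it is the main false-positive filter here.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.group(), digits))
    return hits


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form."""
    def repl(m: re.Match) -> str:
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()        # non-PAN digit run (order id, timestamp): leave as-is
    return PAN_CANDIDATE.sub(repl, line)


# Constructed sample log lines (assumed format). The card numbers are the brands'
# published test numbers; the order id is a 16-digit value that fails the Luhn check.
SAMPLE_LOG = [
    "2020-07-29 10:01:03 pos01 sale approved card=4111111111111111 amount=19.99",
    "2020-07-29 10:02:17 pos01 refund order=1234567890123456 amount=5.00",
    "2020-07-29 10:05:44 web checkout card=3782 822463 10005 ip=10.0.0.12",
    "2020-07-29 10:06:09 web checkout card=555555******4444 amount=42.10",
]


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Report (line_number, masked_pan) for each unmasked PAN found in the lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for _raw, digits in find_pans(line):
            findings.append((n, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN found; masked form is {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run as a script, it reports lines 1 and 3 (the already-masked value on line 4 and the Luhn-invalid order id on line 2 are ignored) and prints each line with the PAN masked. Finding a PAN in a log at all is the compliance problem: the fix is to stop the application writing it, and the redaction step only limits exposure in data that has already been written.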

PCI compliance best practices

Along with explaining how to meet PCI DSS requirements, the PCI SSC also provides some best practices to help merchants maintain PCI compliance:

  • Buy and use only approved PIN entry devices at your POS.

  • Buy and use only validated payment software at your POS or website shopping cart.

  • Do not store any sensitive cardholder data in computers or on paper.

  • Make sure your wireless router is password-protected and uses encryption.

  • Use strong passwords, and change the default passwords on hardware and software, as most defaults are unsafe.

  • Regularly check PIN entry devices and computers to make sure no one has installed rogue software or “skimming” devices.

  • Teach your employees about security and protecting cardholder data.

Cost of PCI compliance

The cost of PCI compliance includes the cost of submitting a Self-Assessment Questionnaire, Attestation of Compliance and ROC, as well as hiring an ASV or QSA. Generally speaking, the higher your level of PCI compliance, the more you will have to pay. This is because a higher level generally means a larger business, and ASVs and QSAs usually quote prices based on business size.

If you have a dedicated merchant account, you will have to go about remaining PCI compliant on your own. But certain merchant services providers will work directly with credit card brands to maintain PCI compliance, while only charging you a small monthly or annual fee. Some merchant services providers, like Square, offer you PCI compliance at no cost whatsoever.

Penalties for noncompliance

There are inherent risks in not being PCI compliant. You leave your business more vulnerable to data breaches, fraud and other incidents that could damage your brand. Credit card brands and merchant acquirers will also make you pay a financial penalty for being noncompliant.

Remaining PCI compliant is often in the contract you sign with your merchant acquirer or the contract they sign with a credit card brand. Being non-compliant could cause a credit card brand to levy fines between $5,000 and $100,000 for each month a merchant acquirer is noncompliant — and your merchant acquirer will pass those fines along to you.

The PCI SSC also lists other issues your business may face for being PCI non-compliant, including:

  • Loss of customer loyalty.

  • Reduced sales.

  • Cost for reissuing new payment cards.

  • Higher future costs of compliance.

  • Increased legal fees.

  • Loss of ability to accept credit cards.

A version of this article was first published on Fundera, a subsidiary of NerdWallet.