What Is PCI Compliance? A Guide for Small-Business Owners
PCI compliance helps businesses protect their customers' card data.
Many, or all, of the products featured on this page are from our advertising partners who compensate us when you take certain actions on our website or click to take an action on their website. However, this does not influence our evaluations. Our opinions are our own. Here is a list of our partners and here's how we make money.
Updated · 4 min read
Written by
Lead Writer & Content Strategist 
Edited by
Managing Editor Payment card industry (PCI) compliance standards help businesses keep cardholders' data safe. Every business that takes credit card payments must be PCI compliant. If your business isn’t, it can lead to serious problems — including fines.
PCI requirements include encrypting data, managing firewalls and updating antivirus software. The PCI Security Standards Council manages these security standards. But card networks and credit card processing companies enforce them.
While requirements are universal, their implementation can vary. You can contact payment processors or card networks about their specific programs.
How does PCI compliance work?
Businesses should take the following steps to ensure their PCI compliance:
- Know whom you work with. The type of payment service you use can affect the compliance process. Payment service providers — like Square or Stripe — often take on some responsibilities themselves. You may not need to do anything. Check with your PSP to be sure.
- Review your contract. Businesses that use individual merchant accounts will likely have more work to do. Your PCI compliance requirements should be in the terms and conditions of your account agreement.
- Determine your merchant level. PCI compliance rules divide businesses into four groups (levels 1-4). How many transactions you process yearly determines your level. Larger businesses may need to hire a third party to audit them.
- Find the appropriate paperwork. Smaller businesses can assess themselves. There are multiple self-assessment questionnaires. You can find them in the PCI Security Standards Council’s document library. Which you use depends on how you handle card data.
- Complete the self-assessment questionnaire. Your merchant bank or payment processor should be able to help if you run into issues. That includes if you’re unsure which form to use.
- Repeat the process. PCI compliance isn’t a one-time exercise. Businesses should complete this task each year.
Is PCI compliance required by law?
No, the government does not require PCI compliance. Your payment processor or merchant service provider does.
These companies act as de facto administrators of PCI compliance for businesses. They include specific PCI compliance requirements in your contract or agreement.
What are the requirements to be PCI compliant?
Businesses must meet the following 12 requirements to be PCI compliant:
1. Install and maintain a firewall
Test network connections and restrict connections to untrusted networks, among other efforts.
2. Change vendor-supplied default passwords and security settings.
Enable only necessary services. This includes removing functionality where warranted and encrypting access.
3. Protect stored cardholder data
Limit what you store, and avoid storing certain types of data in general. You also need policies for disposing data, among other efforts.
4. Encrypt cardholder data when transmitting it across open, public networks.
Among other things, don't send unprotected account numbers via messaging technology. This includes email, instant messaging, text and chat.
5. Use and regularly update antivirus software
Ensure the software is running. Perform and document periodic scans, among other activities.
6. Develop security systems and processes
Create processes to find and act on vulnerabilities, as well as other efforts.
7. Restrict access to cardholder data to a need-to-know basis
Define the access certain roles need. Create user privileges and control systems, among other things.
8. Assign user IDs to everybody with computer access
Ensure you have a way to authenticate users. Take actions like documenting your policies in this area.
9. Restrict physical access to cardholder data
Monitor access to sensitive areas of the business or certain equipment, for example. You can do this with cameras or other tools.
10. Track and monitor who accesses networks and cardholder data
Have an audit trail, and use time-stamped tracking tools. Review logs for suspicious or unusual activities.
11. Regularly test systems and processes
Test and inventory wireless access points. Do quarterly vulnerability scans and monitor traffic, among other things.
12. Have a policy on information security
Write, publish and share this policy at least once a year. It should outline technology usage rules and explain responsibilities, among other things.
Ready to choose a payment processor?
Here are NerdWallet's top picks for credit card processing companies. Each of them should be able to walk you through their PCI compliance process and maybe even take on some of the application work for you.
Do PCI compliance requirements change?
Yes. The latest version of the PCI Data Security Standard went into effect March 31, 2024.
For more details, visit the PCI DSS Summary of Changes in the council’s document library.
Who sets PCI compliance standards?
The PCI Security Standards Council creates the broad security standards. American Express, Discover, JCB International, Mastercard and Visa founded this council in 2006.
But each card network sets its own requirements, too. For instance, Mastercard and American Express have different cutoffs for level 1 merchants.
Mastercard puts businesses with more than 6 million annual Mastercard and Maestro transactions in that bucket.
How much does PCI compliance cost?
Many popular payment processors for small businesses do not charge PCI compliance fees. These include Square, Stripe and PayPal.
Others only require non-compliant businesses to pay. For example, Dharma Merchant Services charges a $39.95 monthly fee for this situation.
There may be more costs involved, though. Level 4 merchants may need to pay third parties to scan and test their networks, for instance. Other fees may be associated with completing the questionnaire and fixing existing issues.
How to become PCI compliant
Becoming PCI compliant may seem challenging given the technical nature of data security. But taking the following steps can make the process easier.
Practice good data hygiene
Lots of this advice is similar to best practices for securing your own personal devices. It includes:
- Use strong passwords.
- Keep software updated. Older point-of-sale terminals can be particularly vulnerable. Newer cloud-based systems are built with strong encryption, and typically receive updates automatically.
- Store only what you need. You probably don’t need physical copies of receipts, for instance.
- Don’t click on suspicious links.
- Only use card readers and payment software validated by the PCI Security Standards Council.
- Educate employees about protecting cardholder data.
Take the paperwork seriously
Take your time completing the self-assessment questionnaire. Your information should be accurate in case there's a compliance violation in the future. If you need help, ask your payment processor. You can also consult an outside agency.
Use systems that make compliance easier
To reduce security risks, make sure your POS system’s software is up to date. It 's also helpful to opt for a solution with built-in payment processing and in-house hardware.
End-to-end systems are usually secure and low maintenance. Plus, they often include PCI compliance support.
Compliance resources checklist
Understand your business
- Find out which level your business falls under. How many transactions your business completes each year determines this. You can ask your payment processor for details or visit the PCI Security Standards Council’s website for more information.
- Find out which assessment to use.
Talk to your payment processor
- Understand the specific compliance requirements in your contract.
- Ask for consultant recommendations should you need help.
- Check whether you are paying a PCI compliance fee.
- Find out if it provides or recommends compliance services.
Get help from experts
Use resources on the PCI Security Standards Council website to learn more about securing customer data.
For help, talk to your financial partners or use the PCI Security Standards Council’s vendor lists.
Article sources
NerdWallet writers are subject matter authorities who use primary,
trustworthy sources to inform their work, including peer-reviewed
studies, government websites, academic research and interviews with
industry experts. All content is fact-checked for accuracy,
timeliness and relevance. You can learn more about NerdWallet's
high standards for journalism by reading our
editorial guidelines.
-
1. -
2. -
3. -
4. -
5. -
6.
FEATURED
Best Payment Processing Companies
| Product | Payment processing fees | Monthly fee | |
|---|---|---|---|
 Square Nerdwallet Rating on Square's website | 2.6% + 15¢ in-person; 2.9% + 30¢ online. | $0 Starts at $0/month for unlimited devices and locations. | on Square's website |
 Helcim Nerdwallet Rating on Helcim's website | 0.40% + 8¢ plus interchange, in-person; 0.50% + 25¢ plus interchange, online. | $0 | on Helcim's website |
 Stripe Payments Nerdwallet Rating on Stripe's website | 2.7% + 5¢ in-person; 2.9% + 30¢ online. | $0 | on Stripe's website |
 Shopify POS Nerdwallet Rating on Shopify's website | 2.6% + 10¢ in-person; 2.9% + 30¢ online (Basic plan). | $39 and up for e-commerce plans with POS Lite; Can upgrade to POS Pro for an extra $89. | on Shopify's website |
More like this
