What Is PCI Compliance? A Guide for Small-Business Owners

PCI compliance helps businesses protect their customers' card data.

Many, or all, of the products featured on this page are from our advertising partners who compensate us when you take certain actions on our website or click to take an action on their website. However, this does not influence our evaluations. Our opinions are our own. Here is a list of our partners and here's how we make money.

Updated · 6 min read
Profile photo of Kurt Woock
Written by Kurt Woock
Lead Writer
Profile photo of Christine Aebischer
Assistant Assigning Editor
Fact Checked
Profile photo of Lisa Anthony
Co-written by Lisa Anthony
Lead Writer

The Payment Card Industry Security Standards Council’s latest version of the PCI Data Security Standard will go into effect March 31, 2024, following a two-year transition period. In response to industry feedback, the updated standards include new requirements around passwords and phishing, as well as additional guidance concerning security maintenance. It also gives businesses room to validate PCI compliance in new ways. For more details, visit the PCI DSS Summary of Changes in PCI Security Standards Council’s document library.

PCI compliance, or payment card industry compliance, refers to a set of 12 security standards that businesses must use when accepting credit card payments and transmitting, processing and storing the related data. It involves requirements such as encryption of cardholder data, managing firewalls, updating antivirus software and assigning unique IDs to each person with computer access.

The PCI Security Standards Council, an independent body created by the card networks in 2006, manages PCI security standards while the enforcement of these standards falls to the card networks and payment processing companies. Every business, regardless of the number of card transactions processed, must be PCI compliant. The card networks (Visa, Mastercard, American Express, etc.) can be contacted directly for information about their specific PCI compliance programs.

PCI Security Standards Council. How do I contact the payment card brands. Accessed Mar 8, 2024.

Is PCI compliance required by law?

No, merchant compliance is not determined or enforced by the government. And, while the PCI Security Standards Council manages security standards and looks for ways to improve security, it doesn’t enforce compliance either. Instead, the steps a business must take to be PCI compliant are in the terms of the contract or agreement with its merchant services provider or payment service provider and the card networks.

While the broad intent of these requirements is the same from one provider to the next, details about implementation can vary. Not following the proper procedures can lead to serious problems, including tens of thousands of dollars in fines issued by card networks.

Basics of PCI compliance

PCI compliance can be especially frustrating for business owners who have little expertise or interest in cybersecurity. However, current payment networks are built on chains of trust.

"The result is that someone needs to take responsibility," says Gary Glover, vice president of assessments at SecurityMetrics, a cybersecurity company specializing in PCI compliance matters. "Ultimately, it falls on the person who takes the card. Over the years, it will be easier. In five to 10 years, hopefully, merchants will be out of scope because the system is more secure."

But until then, merchants need to understand the following:

  • PCI compliance isn’t a one-time exercise; it’s a task that must be completed each year.

  • Compliance requirements vary by business size and by the number of card transactions each year.

  • Compliance rules divide businesses into four groups that vary slightly by card network. For example, Visa classifies Level 4 merchants as those that process fewer than 20,000 online card transactions or up to 1 million total transactions per year. Larger businesses generally have more burdensome requirements.

  • The type of payment service a business uses can also affect the amount of work required to be compliant each year.

  • Merchant account providers offer businesses the special type of bank account needed to accept card payments, which is called a merchant account. If you have this type of account, PCI compliance-related requirements are usually written into the terms and conditions of your agreement.

  • Payment service providers, such as Square or Stripe, replace the need for a business to have its own merchant account and often take on some compliance responsibilities. Businesses that accept payments with a PSP must still be PCI compliant, but it’s generally easier compared with businesses with merchant accounts.

Advertisement
NerdWallet rating 

5.0

/5
NerdWallet rating 

5.0

/5
NerdWallet rating 

5.0

/5

Payment processing fees 

0.40% + 8¢

plus interchange, in-person; 0.50% + 25¢ plus interchange, online.

Payment processing fees 

2.7% + 5¢

in-person; 2.9% + 30¢ online.

Payment processing fees 

2.6% + 10¢

in-person; 2.9% + 30¢ online.

Monthly fee 

$0

Monthly fee 

$0

Monthly fee 

$0

Starts at $0/month for unlimited devices and locations.

The 12 PCI compliance requirements

Here are the 12 PCI compliance requirements from the PCI Security Standards Council.

PCI Security Standards Council. The Prioritized Approach to Pursue PCI DSS Compliance. Accessed Mar 8, 2024.

  1. Install and maintain a firewall. That includes testing network connections, restricting connections to untrusted networks and other efforts.

  2. Change vendor-supplied default passwords and security settings. This includes enabling only necessary services, removing functionality where warranted, encrypting access and other efforts.

  3. Protect stored cardholder data. That includes having policies for disposing of data, limiting what is stored, avoiding storing certain types of data and other efforts.

  4. Encrypt cardholder data when transmitting it across open, public networks. Among other things, don't send unprotected account numbers via email, instant messaging, text, chat or other end-user messaging technology.

  5. Use and regularly update antivirus software. That means performing and documenting periodic scans, as well as ensuring the software is running and other activities.

  6. Develop security systems and processes. This means creating processes to find and take action on vulnerabilities, as well as other efforts.

  7. Restrict access to cardholder data to a need-to-know basis. That requires defining the access certain roles need, as well as creating user privileges and control systems, among other things.

  8. Assign user IDs to everybody with computer access. Businesses should also ensure there's a way to authenticate users, document their policies in this area and take other actions.

  9. Restrict physical access to cardholder data. This means using cameras or other tools to monitor who is in sensitive areas of the business or handling certain equipment, for example.

  10. Track and monitor who accesses networks and cardholder data. That means having an audit trail, using time-stamped tracking tools, reviewing logs for suspicious activity and other activities.

  11. Regularly test systems and processes. Test and inventory wireless access points, do quarterly vulnerability scans and monitor traffic, among other things.

  12. Have a policy on information security. That means writing, publishing and disseminating a policy at least once a year that lays out usage rules for certain technologies and explains everyone's responsibilities, among other things.

How to become PCI compliant

To become PCI compliant, small businesses typically must fill out a self-assessment form in addition to meeting the requirements listed above. Larger businesses usually need to hire third-party auditors to assess them. These businesses may also have to submit additional paperwork and hire an outside firm to scan their networks.

Although the PCI compliance requirement is universal, validation requirements and assessments may be slightly different, depending on the card network. The type of annual assessment required depends on a few factors, including the volume of card transactions.

A business falls into one of four category levels. For example, the following are the compliance levels for Visa:

  • Level 1 merchants are those that process more than 6 million Visa transactions per year across all channels, or are global merchants identified as Level 1.

  • Level 2 merchants are those that process between 1 million and 6 million Visa transactions per year across all channels.

  • Level 3 merchants are those that process 20,000 to 1 million e-commerce Visa transactions per year.

  • Level 4 merchants are those that process fewer than 20,000 e-commerce Visa transactions, or those processing up to 1 million total annual Visa transactions.

Merchants that have had a hack or cyber attack that led to data loss may be moved to a higher validation level by Visa.

Groups involved in PCI compliance

There are four layers of groups involved in PCI compliance, beginning with the card networks that created it down to the individual businesses that accept customer payments.

Card networks

Each card network, like Visa and Mastercard, creates its own set of specific requirements, guided by the security standards set by the PCI Security Standards Council.

The PCI Security Standards Council

American Express, Discover, JCB International, Mastercard and Visa founded this organization in 2006. It creates broad security standards, certifies vendors, and tests and certifies payment technology.

Merchant account providers or payment service providers

Businesses use merchant account providers or payment service providers to gain the ability to accept card payments. In addition to following the rules set by each card provider, they also function as de facto administrators of PCI compliance for businesses by including specific PCI compliance-related requirements in the terms of their contracts or agreements.

Business owners

Every business must meet the requirements set forth by its merchant account or payment service provider. Meeting the requirements means your business is in compliance. If you aren’t in compliance, you could face hefty fees or even lose your merchant account.

The cost of PCI compliance

Some payment processors charge PCI compliance fees. In return, you might receive compliance-related services, like access to consultants who help you complete requirements.

  • National Processing, for example, charges a $79.95 annual fee for PCI compliance. 

  • Dharma Merchant Services doesn’t have a PCI compliance charge, but there is a $39.95 monthly fee for noncompliance.

  • Adyen, Payline, Square and Stripe don’t have specific charges for PCI compliance.

  • Some companies don’t have any information listed on their website, or they may have vague “service fees” that may or may not include PCI-related items.

Weighing the cost of this fee, if any, against the services you receive can play a role in choosing a credit card processing company. Even if your payment partner doesn’t charge you a fee, becoming PCI compliant usually costs something. Level 4 merchants can expect to pay hundreds of dollars annually to hire an approved scanning vendor to test their network, complete the questionnaire and help address any issues.

Tips for becoming PCI compliant

Given the technical nature of data security, completing the assessment questionnaire can be challenging for small-business owners who must address all the issues before submitting it. The following steps can make the process easier.

Practice good data hygiene

Much of the advice on securing data mirrors best practices you might already be familiar with when securing your own personal devices, including:

  • Use strong passwords.

  • Keep software updated. Older point-of-sale terminals can be particularly vulnerable. Newer cloud-based systems are built with strong encryption, and typically receive updates automatically.

  • Store only what you need. You probably don’t need to store physical copies of receipts.

  • Don’t click on suspicious links.

  • Only use card readers and payment software that are validated by the PCI Security Standards Council.

  • Educate employees about the importance of protecting cardholder data.

Take the paperwork seriously

Self-assessment questionnaires are technical in nature and can frustrate business owners, Glover says. Some people are tempted to simply check yes to all the questions on the questionnaire without giving the questions much thought.

“People just get frustrated,” Glover says. “We see this a lot. This is a business risk you’re taking.” He says that if a business owner does this and is later compromised, penalties are often stiffer. If you’re unsure of how to handle these questionnaires, consider asking your payment processor for clarification or seeking help from an outside agency.

Use systems that make compliance easier

The point-of-sale, or POS, system that you use can make PCI compliance easier. Using an up-to-date cloud-based POS system with built-in payment processing services and in-house hardware can minimize security risks. These end-to-end systems are usually secure, low-maintenance and often include PCI compliance support.

Some business owners piece together an array of products and services from different companies, but these systems can be less secure and often depend on the owner keeping everything up-to-date.

Compliance resources checklist

Understand your business

  • Find out which level your business falls under.

  • Find out which assessment you must use.

Talk to your payment processor about:

  • The specific compliance requirements in your contract.

  • Whether it has consultant recommendations should you need help.

  • Whether you are paying a PCI compliance fee.

  • Compliance services it provides or recommends.

Get help from experts

Use resources on the PCI Security Standards Council website to learn more about securing customer data.

For help finding an approved scanning vendor or someone to help with your assessment, talk to your financial partners or use the vendor lists PCI Security Standards Council keeps.

PCI Security Standards Council. PCI Qualified Professionals Listings Overview. Accessed Mar 8, 2024.

Need a PCI-compliant payment processor?

Explore NerdWallet’s list of top credit card processing companies to start securely accepting credit card payments both in-person and online. 

New elevated offer

 
American Express® Business Gold Card
American Express

American Express® Business Gold Card

Rates and Fees

NerdWallet Rating  
4.6
Bonus Amount  

100,000

Read Review
Apply now

on American Express' website

MORE LIKE THISSmall Business