What is PCI compliance? Everything you need to know
Updated 1:56 p.m. UTC Oct. 24, 2023
Payment Card Industry (PCI) compliance means following a set of requirements, launched in 2006, that are designed to protect the safety and security of credit card data. Card networks and credit card processors require every company that accepts credit card payments to adhere to these requirements.
What is PCI DSS compliance?
Payment Card Industry Data Security Standard (PCI DSS) compliance means a company adheres to a set of 12 requirements developed by the PCI Security Standards Council. These requirements form the backbone of a company’s data security policy, ensuring customer card data is processed, stored and transmitted securely.
12 PCI DSS requirements in 2024
Companies must follow these 12 PCI DSS compliance requirements as set out by the PCI Security Standards Council:
- Firewalls: Implement network security controls such as a firewall to protect cardholder data from external attack.
- Password configuration: Ensure every component of the system is protected with strong passwords and two-factor authentication, and that vendor-supplied default passwords and default configurations are removed or replaced.
- Data storage: Store all cardholder data securely, with defined rules for what may be stored, how it is disposed of, and which categories of data must never be retained.
- Data transmission: Protect cardholder data with strong encryption whenever it is transmitted over open, public networks.
- Antivirus software: Install reputable antivirus software and keep it updated to protect your systems from malware, phishing and other threats.
- System maintenance: Develop processes that keep your network and systems secure, together with procedures for detecting and acting on vulnerabilities and breaches.
- Restrict systems access: Grant access to systems and cardholder data on a need-to-know basis, and define access requirements by role.
- User IDs: Authenticate user access and assign a unique ID to every user who can access cardholder data.
- Physical access: Install security measures such as cameras and keycodes to monitor and restrict physical access to cardholder data.
- Access logging: Log, track and monitor all access to system components and cardholder data.
- Regular testing: Test every aspect of network security on a regular basis, including vulnerability scans, asset inventory and monitoring.
- Implement policies: Create and implement data security policies, and run awareness programs so personnel understand their responsibilities.
How to be PCI DSS compliant?
To achieve and maintain compliance with the PCI Data Security Standard, a business must:
- Adhere to PCI requirements: Meet all 12 requirements above as set out by the PCI Security Standards Council.
- Assess systems: Run a thorough examination of the business’s security controls and systems to find and resolve any vulnerabilities. Where required, this also includes hiring a third-party service to test the security of the network used to process payments.
Use the table below to see which PCI DSS Self-Assessment Questionnaire (SAQ) is right for your business:
SAQ FORM | WHO IS IT FOR? | WHO IS IT NOT FOR? |
---|---|---|
A | Merchants who have fully outsourced all payment functions to compliant third-party providers and accept only card-not-present transactions. For example, e-commerce or telephone-order merchants where no cardholder data is kept on the merchant’s systems | Merchants accepting face-to-face transactions |
A-EP | E-commerce merchants who accept payments via their own website while outsourcing payment processing to compliant third-party providers. The distinction from SAQ A is that the merchant’s website can affect the security of the transaction, rather than every aspect of the payment being handled by a third party | Merchants outside of e-commerce |
B | Merchants that process cards only via standalone dial-out terminals, phone, fax or imprint machines, and therefore collect and store no electronic cardholder data | E-commerce merchants |
B-IP | Merchants that process payments only via standalone terminals linked to a payment processor over an internet connection, and that collect and store no electronic cardholder data | E-commerce merchants |
C-VT | Merchants who accept payments by keying card details into an online virtual payment terminal hosted by a third-party provider, and that collect and store no electronic cardholder data | E-commerce merchants |
C | Merchants who accept payments via a payment application system connected to the internet, such as a mobile device or point-of-sale (POS) system | E-commerce merchants |
D | All other merchants, such as e-commerce websites that do not use a direct post or third-party payment service | All of the above |
P2PE | Merchants that use hardware payment terminals from a valid PCI SSC-listed point-to-point encryption provider | E-commerce merchants |
What should I ask my payment processor?
When looking for a payment processor, remember to ask the following questions to ensure you’re working with a trustworthy and compliant provider:
- Are they PCI compliant? Ask to see their PCI DSS Attestation of Compliance and check whether they appear on Mastercard’s or Visa’s registries of compliant service providers.
- How do they protect data and prevent fraud? Ask about their data security protocols and processes, and ensure their answers are as specific as possible, with robust measures in place. How is data stored? Is it local, and if so, is it compliant with PCI DSS protocol? Is data encrypted before being transmitted?
- Will they protect you during a breach? In the event of a security or data breach, will they offer any protection? Are they insured against breaches, and will they take responsibility if they’re at fault?
- When will they be available? A payment processor’s customer service and support options are crucial when it comes to resolving issues, so ensure you know when they’re reachable and by what channels.
We’ve included a handy PCI compliance checklist you can download as a PDF file and reference whenever you need.
PCI Compliance Checklist
Use our checklist to ensure your business maintains compliance with PCI Data Security Standards:
✅ Determine your PCI level: Work out which PCI level your business falls into based on the number of transactions it processes a year, using the requirements of each card brand you will accept payments from.
✅ Build and maintain a secure network: Use network security controls such as firewalls to protect cardholder data, and ensure all systems are protected with strong passwords and authentication processes.
✅ Protect all cardholder data: Protect cardholder data both while it is stored and while it is transmitted over open, public networks.
✅ Manage vulnerabilities: Install antivirus software and keep it up to date, and regularly maintain and patch systems against network security vulnerabilities.
✅ Control and restrict access to data: Restrict both logical and physical access to cardholder data, and ensure every user with access is authenticated with a unique ID.
✅ Monitor and test network security: Ensure all access to cardholder data and systems is monitored and logged, and test data security regularly.
✅ Maintain consistency with regard to data security: Create and enforce specific data security policies to maintain consistency and support an appropriate response to security events.
✅ Question your provider: Ask your credit card processor about their compliance and adherence to data security requirements.
Benefits and disadvantages of being PCI compliant
Here are the benefits of ensuring your payment processor is PCI compliant, and why they outweigh any possible drawbacks:
BENEFITS OF BEING PCI COMPLIANT | DRAWBACKS OF BEING PCI COMPLIANT | DRAWBACKS OF NOT BEING PCI COMPLIANT |
---|---|---|
👍 Reduced risk of data breaches | ❓ Can be costly to set up and maintain | 👎 Increased risk of data breaches |
👍 Avoidance of costly penalties | ❓ Requires constant assessment to ensure systems are up to date and fully protected | 👎 Possible fines and penalties |
👍 Improved reputation and customer trust | | 👎 May not be able to process credit card transactions in the future |
| | 👎 Damage to reputation and customer trust |
Should my credit card processor be compliant?
In short, yes, you should ensure your credit card processor is fully compliant with PCI Data Security Standards. There were 1,802 data compromises in the USA in 2022, affecting 422 million individuals in the country — only beaten by the 1,862 in the previous year and much higher than the 1,108 in 2020. With so many businesses adopting online payment processors, ensuring your customers’ data is protected is vital.
Penalties for noncompliance can cost thousands of dollars per month, not to mention the potential cost of lawsuits brought against merchants and businesses. There may also be forensic investigations to pay for, and business lost as a result of a damaged reputation.
PCI compliant service providers
Through expert analysis, we’ve chosen the top five credit card processors, all of which are PCI compliant. See our table below:
PROVIDER | PCI COMPLIANT | BEST FOR | READ OUR REVIEW |
---|---|---|---|
Square | Yes: Service provider level 1 | Our overall top pick for the best credit card processor | Square review |
Stripe | Yes: Service provider level 1 | APIs and integrations | Stripe review |
PayPal | Yes: Service provider level 1 | Digital wallets | PayPal review |
Helcim | Yes: Service provider level 1 | Volume-based discounts | Helcim review |
Paysafe | Yes: Service provider level 1 | High-risk businesses | Paysafe review |
Frequently asked questions (FAQs)
PCI compliance is not legally required in the U.S., but merchants and processors that are noncompliant will likely be fined by the card brands. If a merchant remains noncompliant, it could lose the ability to process card transactions altogether.
For smaller businesses, PCI compliance costs typically start at a few hundred dollars a year, mostly covering SAQs, scanning and testing, and staff training, with potentially more for software and hardware. Larger businesses that require on-site audits can expect to pay tens of thousands of dollars because of the scale of operations that must be assessed and remediated.
Businesses and merchants are assigned a level based on the number of transactions they process annually and the card brand involved.
Visa and Mastercard use the same levels:
American Express uses a slightly different structure:
PCI compliance is enforced by the PCI SSC’s founding members: American Express, Discover, JCB, Mastercard and Visa.