What Is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements designed to ensure that all companies that accept, process, store, or transmit credit and debit card information maintain a secure environment. It was established by the major card networks — Visa, Mastercard, American Express, Discover, and JCB — through the PCI Security Standards Council.
Non-compliance doesn't just create security risks — it can result in fines, increased transaction fees, and in serious cases, the loss of your ability to accept card payments.
Who Needs to Be PCI Compliant?
If your business accepts any form of card payment — in-person, online, or over the phone — you are required to comply with PCI-DSS. This applies to businesses of all sizes, from sole traders to large enterprises.
The 12 Core Requirements of PCI-DSS
PCI-DSS is organized around 12 high-level requirements grouped into six goals:
- Install and maintain a firewall to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data — ideally, don't store it at all.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software on all systems.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data on a need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain an information security policy for all personnel.
Compliance Levels: Which Applies to You?
PCI-DSS compliance is divided into four levels based on annual transaction volume:
| Level | Transactions Per Year | Validation Required |
|---|---|---|
| Level 1 | Over 6 million | Annual on-site audit by a Qualified Security Assessor (QSA) |
| Level 2 | 1–6 million | Annual Self-Assessment Questionnaire (SAQ) |
| Level 3 | 20,000–1 million (e-commerce) | Annual SAQ + quarterly network scan |
| Level 4 | Fewer than 20,000 (e-commerce) or up to 1 million (other) | Annual SAQ recommended |
Most small businesses fall into Level 4, which has the most straightforward compliance path.
Practical Steps for Small Businesses
Use a PCI-Compliant Payment Processor
The simplest way to reduce your compliance burden is to use a payment processor that handles the heavy lifting. When you use a hosted payment page or a certified terminal, cardholder data never touches your own systems — significantly reducing your scope.
Complete Your SAQ
The Self-Assessment Questionnaire is a set of yes/no questions that help you assess your own compliance. There are different SAQ types (A, B, C, D) depending on how you accept payments. Your payment processor can usually guide you to the right one.
Train Your Staff
Human error is one of the biggest security risks. Ensure anyone who handles payments understands basic security practices: not writing down card numbers, recognizing phishing attempts, and reporting suspicious activity.
Never Store Sensitive Card Data
Unless you have a very specific and well-secured reason, do not store the full card number, CVV, or PIN data. Most modern processors handle tokenization — replacing real card data with a token — so you never need to touch the actual numbers.
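As an added illustration of the tokenization step (this is example code, not code from the original article or from any particular processor), the Python sketch below shows what a merchant record should look like once a processor has tokenized a card: the processor-side vault (a hypothetical stand-in here) keeps the real number, the merchant persists only a random token, a masked PAN and the expiry, and a small check flags any record that still carries CVV/PIN or a full card number. The card number is a constructed, well-known test value, not a real account.

```python
import secrets

# Sensitive authentication data (SAD): PCI-DSS forbids storing these after authorization.
SENSITIVE_AUTH_FIELDS = ("cvv", "pin", "track_data")

# Constructed sample input: a widely used test card number, not a real account.
SAMPLE_CARD = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123"}


def luhn_valid(pan: str) -> bool:
    """Checksum every real card number passes; rejects typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding >9 back into one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3 display rule: at most the first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class ProcessorVault:
    """Hypothetical stand-in for the payment processor's vault. The real PAN lives only here,
    outside the merchant's environment; the merchant keeps nothing but the token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)  # random; not derived from the PAN
        self._pan_by_token[token] = pan
        return token


def merchant_record(card: dict, vault: ProcessorVault) -> dict:
    """Build the only record the merchant should persist for a card payment."""
    pan = card["pan"].replace(" ", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid card number")
    # CVV/PIN were needed for this authorization only and are deliberately not copied over.
    return {"token": vault.tokenize(pan), "masked_pan": mask_pan(pan), "expiry": card["expiry"]}


def stores_sensitive_data(record: dict) -> bool:
    """Check to run over persisted records: flags any SAD field or an unmasked full PAN."""
    if any(k in record for k in SENSITIVE_AUTH_FIELDS):
        return True
    return any(isinstance(v, str) and v.isdigit() and len(v) >= 13 for v in record.values())
```

Running `stores_sensitive_data` over existing order or customer tables is a quick way to find records that would put those systems back in PCI scope.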
The Cost of Non-Compliance
Fines for PCI non-compliance can range from hundreds to thousands of dollars per month, depending on the card network and your processor agreement. More damaging is the reputational harm from a data breach. Proactive compliance is far less expensive than reactive damage control.