What is PCI DSS Compliance?

Levels Explained & How to Comply

What is PCI DSS?

Accepting credit and debit card payments comes with a critical responsibility. As a merchant, you must securely store, process, and transmit cardholder data at all times.

That is exactly what the PCI Data Security Standard — known as PCI DSS — exists to govern. The PCI Security Standards Council develops and maintains these requirements. Their mission is clear: protect merchants and customers from data breaches that could damage their finances and reputation.

Crucially, compliance is not optional. Every business that processes credit card transactions must meet PCI DSS requirements. On top of that, every business must certify its compliance on an annual basis.

To learn more about the standards body, visit the PCI Security Standards Council.

How to be PCI Compliant

Becoming PCI compliant starts with understanding your specific obligations. Two key factors determine what you need to do: the size of your business and the number of card transactions you process each year. Based on those factors, PCI groups merchants into four levels. Here is how each one breaks down:

Beyond transaction volume, how you process payments also matters. Different compliance requirements apply depending on your payment method:

  • Card-not-present transactions (mail order or telephone order)
  • Online (eCommerce) transactions
  • Card-present transactions (point of sale or mobile swipe device)
  • A combination of the above

As a result, your first step is understanding your own payment environment. Ask yourself: what equipment do you use? Who are your banking and technology partners? How do all these pieces connect? The answers will shape your entire compliance approach.

Meeting PCI Compliance Requirements

PCI DSS version 3.0 organizes its rules around six core principles. Together, those principles support 12 specific requirements — and more than 200 detailed procedures.

The requirements below apply to most low-volume merchants. Specifically, these are the obligations for Level 4 merchants.

The Six Core Principles and 12 Requirements

Principle 1: Build and maintain a secure network.

  • Requirement 1: Install and maintain a firewall to protect cardholder data.
  • Requirement 2: Never use vendor-supplied default passwords or other default security settings.

Principle 2: Protect cardholder data.

  • Requirement 3: Protect all stored cardholder data.
  • Requirement 4: Encrypt cardholder data whenever you transmit it across open, public networks.

Principle 3: Maintain a vulnerability management program.

  • Requirement 5: Use antivirus software — and update it regularly.
  • Requirement 6: Develop and maintain secure systems and applications.

Principle 4: Implement strong access control measures.

    • Requirement 7: Restrict access to cardholder data based on business need.
    • Requirement 8: Assign a unique ID to every person with computer access.
  • Requirement 9: Restrict physical access to cardholder data.

Principle 5: Regularly monitor and test your networks.

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Test your security systems and processes regularly.

Principle 6: Maintain an information security policy.

  • Requirement 12: Create and maintain a policy that addresses information security for all staff.

SAQ Forms, Scanning, and Non-Compliance Penalties

Fortunately, not every merchant carries the same compliance workload. If you are a low-volume merchant (Level 4) and you process transactions by phone, mail, or web, you can use the short Self-Assessment Questionnaire A — commonly called SAQ-A. If you process retail transactions instead, you will use SAQ-B.

However, higher-volume merchants have additional obligations. Level 1 and Level 2 merchants must also complete a quarterly scan of their systems. Many third-party services offer these scans for a fee.

As for non-compliance, the consequences are significant. Payment card brands enforce these penalties directly:

  • Loss of the right to process credit card transactions
  • Fines of up to $25,000 per month for minor violations
  • Fines of up to $500,000 for violations that result in lost or stolen financial data

PCI Compliance for Card-Not-Present Transactions

EMV chip technology has made card-present transactions far more secure. Because of that, criminals have shifted their focus elsewhere. Today, they increasingly target card-not-present channels — such as mail order, telephone order, and eCommerce.

Telephone-based payments, in particular, now represent a growing area of fraud risk. For that reason, businesses must carefully evaluate and protect their telephone payment environments.

The PCI Security Standards Council has published a dedicated resource to help merchants do exactly that. The guide explores potential risks and security challenges within telephone-based card payment environments. It also helps merchants understand how different technologies can affect their compliance scope. Read the full guidance: Protecting Telephone-Based Payment Card Data

Reduce Your PCI Scope with P2PE 

One of the most powerful tools available to merchants is Point-to-Point Encryption — or P2PE. Here is how it works.

P2PE encrypts cardholder data the moment a customer swipes, dips, or taps their card at the point of interaction (POI). An encryption key built into the device handles this instantly. From that point forward, the data stays encrypted until it reaches the secure decryption environment — typically the acquirer, processor, or gateway.

This approach delivers two key benefits. First, it makes stolen data nearly worthless to criminals, because they simply cannot read it. Second — and just as importantly — it dramatically reduces your compliance burden.

Specifically, merchants who use validated P2PE solutions receive a significant reduction in the size of their cardholder data environment (CDE). Furthermore, the number of applicable PCI DSS requirements decreases as well. In short, P2PE is one of the most effective ways to protect customers, protect your business, and simplify your compliance program — all at once.

Preparing for PCI DSS Version 4

In March of 2022, the PCI council released version 4 of PCI DSS, introducing several changes meant to strengthen payment card account data security. There has been a grace period for implementation, but as of March 31 of this year, phase one of the new standards must be in place, with phase two due March 2025.

Most organizations are prepared for the upcoming changes and have been working to make the necessary updates. You should still familiarize yourself with PCI DSS Version 4.0 and understand the changes from the prior version.

Building a Complete Payment Security Strategy
PCI DSS compliance is only one piece of the payment security puzzle. Learn how subscription businesses can protect customer data, prevent fraud, reduce chargebacks, and strengthen recurring payment security in our Payment Security Guide for Subscription Businesses.

Frequently Asked Questions

What is PCI DSS compliance?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect cardholder data during storage, processing, and transmission. It applies to any business that accepts credit or debit card payments and helps prevent data breaches and fraud.

Who needs to be PCI DSS compliant?

Any business that processes, stores, or transmits cardholder data must be PCI DSS compliant. This includes merchants of all sizes, and compliance must be validated annually regardless of transaction volume.

What are the different PCI DSS compliance levels?

PCI DSS defines four compliance levels based on annual transaction volume:

  • Level 1: Over 6 million transactions
  • Level 2: 1–6 million
  • Level 3: 20,000–1 million
  • Level 4: Fewer than 20,000
    Each level has different validation requirements.

What are the core requirements of PCI DSS?

PCI DSS includes six core principles with 12 requirements, such as:

  • Building secure networks
  • Protecting cardholder data
  • Managing vulnerabilities
  • Controlling access
  • Monitoring networks
  • Maintaining security policies
    These ensure a comprehensive approach to payment security.

What happens if a business is not PCI compliant?

Non-compliance can lead to serious penalties, including monthly fines up to $25,000, larger fines up to $500,000 for data breaches, and even the loss of the ability to process credit card payments.

How can businesses reduce PCI DSS scope and risk?

Businesses can reduce PCI DSS scope and risk by using technologies like Point-to-Point Encryption (P2PE), which encrypts cardholder data at the point of interaction so it remains unreadable during transmission. This lowers exposure to breaches and reduces compliance requirements.

 

Related Resources:

Payment Security Guide for Subscription-Based Businesses

How You Can Prepare for PCI DSS Version 4

Chargebacks911 Article: PCI-DSS Compliance, Protecting Customers’ Data Means Merchants are Protecting Themselves, too.

Whitepaper: “Impact of PCI P2PE on PCI DSS Compliance & Scope Reduction

P2PE Explained Video: P2PE YouTube video.

Payway P2PE Overview: payway.com/features/secure-payment-processing/point-to-point-encryption

Subscribe

Every post in your inbox