
What Is PCI Compliance and Why Does It Matter?

PCI compliance is critical to retaining your ability to process card-based transactions. Here’s what you need to know to meet these security standards.

Written by:
Adam Uzialko, Senior Editor
Editor verified:
Shari Weiss, Senior Editor
Last Updated May 12, 2026

If your business accepts credit or debit card payments in any form — in person, online or over the phone — you are required to comply with the Payment Card Industry Data Security Standard, commonly known as PCI DSS. PCI compliance isn’t optional, and it isn’t just a concern for large retailers. It applies to every business that stores, processes or transmits cardholder data, regardless of size or transaction volume.

Failing to meet PCI requirements can result in significant fines, increased liability in the event of a data breach and even the loss of your ability to accept credit card payments. The good news is that for most small businesses, achieving and maintaining PCI compliance is straightforward once you understand what’s involved. This guide explains what PCI compliance is, who needs it, what the requirements look like, and how to get and stay compliant.

Who created PCI DSS and why it exists

PCI DSS was established by the PCI Security Standards Council (PCI SSC), an organization founded in 2006 by the five major credit card networks: Visa, Mastercard, American Express, Discover and JCB International. The goal was to provide a unified framework for protecting cardholder data across the global payments ecosystem.

Before PCI DSS, each credit card brand maintained its own security requirements, which created inconsistencies and confusion for merchants. The unified standard simplified compliance by giving businesses a single set of rules to follow, while the card brands retained the ability to enforce compliance through their individual agreements with acquiring banks and payment processors.

The core purpose of PCI DSS is to reduce payment card fraud and data breaches. Credit card data theft remains a significant threat — and small businesses are frequent targets precisely because they often lack the dedicated security infrastructure that larger companies maintain.

Did you know?
The best credit card processors offer tools and security measures to help businesses maintain PCI compliance.

Who needs to be PCI compliant?

Any business that stores, processes or transmits cardholder data must comply with PCI DSS. This includes brick-and-mortar retailers, e-commerce businesses, restaurants, service providers, subscription-based businesses and any other operation that handles credit card payments in any capacity.

One of the most common misconceptions is that PCI compliance only applies to large businesses. In actuality, the standard applies to every merchant regardless of how many transactions they process. A small coffee shop running a few hundred card transactions per month has the same fundamental obligation to protect cardholder data and abide by PCI DSS as a national retail chain processing millions of transactions per year. The scope and rigor of the compliance requirements — known as PCI compliance levels — vary by business volume, but the obligation itself is universal.

It’s also worth noting that PCI compliance extends beyond merchants. Service providers that handle cardholder data on behalf of other businesses, such as payment processors, hosting providers and managed IT services, are also subject to PCI DSS requirements.

PCI compliance levels

PCI DSS compliance validation requirements are commonly organized into four merchant levels based on annual transaction volume, though these levels are defined and enforced by individual card networks and acquiring banks rather than the PCI Security Standards Council. Your PCI compliance level influences how you must validate compliance.

  • Level 1 typically applies to merchants processing more than 6 million card transactions annually across all sales channels. These merchants generally undergo an annual on-site assessment conducted by a Qualified Security Assessor (QSA) and must complete quarterly network vulnerability scans by an Approved Scanning Vendor (ASV).
  • Level 2 includes merchants processing between 1 million and 6 million transactions per year. These organizations usually complete an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans, although some may be required to undergo an on-site assessment depending on card brand or acquiring bank requirements.
  • Level 3 applies to merchants processing between 20,000 and 1 million e-commerce transactions annually. Validation typically includes an annual SAQ and quarterly ASV scans.
  • Level 4 covers merchants processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually across other channels. These merchants generally complete an annual SAQ, and ASV scans may be required depending on how cardholder data is handled and the specific SAQ type used.

It’s important to note that acquiring banks and payment processors may define these levels slightly differently or impose additional requirements. Always confirm your specific obligations with your processor.


The 12 PCI DSS requirements


PCI DSS is built around 12 core requirements organized under six broad goals. While the standard’s technical language can be dense, its underlying principles are straightforward. Here’s what each requirement means in practical terms for a small business.

Build and maintain a secure network and systems.

  • Requirement 1: Install and maintain network security controls. This means using firewalls or other network security controls to restrict and monitor traffic, protecting systems that handle cardholder data from unauthorized access. 
  • Requirement 2: Apply secure configurations to all system components. Don’t use vendor-supplied default passwords or settings. Change default credentials on routers, POS systems and any other devices connected to your network, and ensure systems are configured in accordance with security best practices.

Protect cardholder data.

  • Requirement 3: Protect stored cardholder data. If you must store credit card data, it must be encrypted using strong cryptography and properly protected with secure key management. However, PCI DSS strongly encourages minimizing storage altogether — most small businesses have no legitimate need to retain full card numbers after authorization. 
  • Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks. Any time card data is transmitted across networks such as the internet or wireless connections, it must be encrypted using strong protocols, such as TLS, to prevent interception. 

Maintain a vulnerability management program.

  • Requirement 5: Use up-to-date and properly configured anti-malware tools or other automated mechanisms to protect systems that could be affected by malware — especially those involved in processing or storing cardholder data. 
  • Requirement 6: Develop and maintain secure systems and software. Keep all systems and applications patched and up to date, following a defined vulnerability and patch management process. For custom applications that handle payment data, follow secure development practices throughout the software lifecycle, including secure coding, testing and change control. 

Implement strong access control measures.

  • Requirement 7: Restrict access to cardholder data. Access must be limited to only those employees who need it to perform their job responsibilities, based on business need-to-know and enforced through role-based access controls. 
  • Requirement 8: Each user must have a unique ID, and strong authentication must be enforced, including multifactor authentication where applicable. Access should be properly managed throughout the user lifecycle, including secure provisioning, changes and account removals. 
  • Requirement 9: Restrict physical access to cardholder data. Physical access to systems and areas where cardholder data is stored or processed must be controlled through mechanisms such as locks, badges and restricted access areas. Organizations must also monitor physical access and securely manage any physical media that contains cardholder data. 

Regularly monitor and test networks.

  • Requirement 10: Log and monitor all access to system components and cardholder data. Maintain audit logs that track all user activity, authentication attempts and system changes across in-scope environments. These logs must be regularly reviewed and protected to ensure suspicious activity can be detected and investigated. 
  • Requirement 11: Test the security of systems and networks regularly. This includes running vulnerability scans — such as quarterly external scans by an ASV where applicable — and conducting internal vulnerability scans. Businesses must also perform periodic penetration testing of in-scope systems and validate segmentation controls if network segmentation is used. 

Maintain an information security policy.

  • Requirement 12: Support information security with organizational policies and programs. Maintain a comprehensive information security policy that defines security responsibilities across the organization. This should include supporting procedures such as risk management, incident response, acceptable use and third-party management. Provide regular security awareness training to all employees and review policies at least annually, updating them as needed. 

How to become PCI compliant

Achieving PCI compliance is a structured process, and for most small businesses, it’s more manageable than it may initially appear. Here’s what the process generally looks like.

1. Determine your merchant level. Your annual transaction volume determines which PCI compliance level applies to your business, which in turn determines the validation requirements. Most small businesses fall under Level 4. If you’re unsure, your payment processor can confirm your classification.

2. Identify the appropriate Self-Assessment Questionnaire. The PCI SSC offers several SAQ types, each tailored to different payment environments. For example, SAQ A is designed for merchants that fully outsource all cardholder data functions to PCI-compliant third parties and do not electronically store, process or transmit cardholder data. 

Meanwhile, SAQ D is the most comprehensive and applies to merchants that store, process or transmit cardholder data directly, or that do not qualify for any other SAQ type. Your processor or QSA can help you determine which SAQ applies to your setup.

3. Complete the SAQ. The questionnaire walks you through each applicable PCI requirement and asks whether your business meets it. Be honest — the SAQ is a self-assessment, and misrepresenting your compliance status exposes you to liability.

4. Conduct vulnerability scans if required. Depending on your SAQ type, you may need to complete quarterly network vulnerability scans performed by an Approved Scanning Vendor. These scans check your internet-facing systems for known vulnerabilities.

5. Submit your Attestation of Compliance. Once the SAQ is complete and you’ve completed any required scans, you submit your Attestation of Compliance (AOC) to your acquiring bank or payment processor. This is your formal declaration that you meet PCI DSS requirements.

6. Maintain compliance on an ongoing basis. PCI compliance is not a one-time event. Requirements must be met continuously, and the SAQ and any applicable scans must be completed annually. Changes to your payment environment — such as adding an online store or switching POS systems — may require re-evaluation of your SAQ type and compliance posture.

Costs of PCI compliance

The cost of PCI compliance varies significantly depending on your merchant level, the complexity of your payment environment and your current security setup. For most small businesses at Level 4, the costs are modest.

SAQ completion itself has no direct cost if you handle it on your own, though some businesses hire a consultant or QSA to assist. Quarterly ASV scans typically cost between a few hundred dollars and more than $1,000 per year, depending on the provider, the number of IP addresses or domains in scope, and the complexity of the environment. Costs vary widely based on how many systems must be scanned and how the vendor structures pricing.

If your compliance assessment reveals gaps — outdated software, missing firewall configurations, inadequate access controls, etc. — remediation costs will depend on the scope of the fixes required.

Many payment processors bundle PCI compliance support into their services, sometimes at no additional cost and sometimes as a monthly compliance fee (typically $5-$15 per month). These programs often include the SAQ tool, ASV scanning and guidance through the process. If your processor charges a PCI compliance fee, confirm exactly what it covers — some include meaningful support, while others are essentially administrative charges with little value in return.

What happens if you’re not PCI compliant?

Non-compliance carries several significant risks, and the consequences increase substantially if a data breach occurs while you’re not in PCI DSS compliance. Here are the potential damages if you’re not PCI compliant.

  • Fines: Card brands may impose penalties through acquiring banks if you fail to maintain PCI DSS compliance. These fines vary widely depending on the duration and severity of non-compliance, and they are ultimately passed down to the merchant by the acquiring bank or payment processor. In many cases, penalties can increase significantly if non-compliance contributes to a data breach. 
  • Increased breach liability: If your business suffers a data breach while not in compliance, you may be held responsible for a range of costs, including card replacement fees, forensic investigation expenses, chargebacks and fraud losses. While liability depends on the circumstances of the breach and card brand investigations, non-compliance can significantly increase your financial exposure. 
  • Loss of card payment acceptance: In severe cases, your acquiring bank or payment processor may terminate your merchant account, preventing you from accepting credit card payments. In some situations, businesses may also be placed on the MATCH list (Member Alert to Control High-Risk Merchants), a shared industry database that can make it difficult to obtain future payment processing services. 
  • Reputational damage: A publicized data breach erodes customer trust. For small businesses that depend on repeat customers and local reputation, a breach can have lasting consequences that extend well beyond the immediate financial impact. Once the public knows you’ve failed to maintain credit card data security, your company’s reputation will be tarnished, and customers will be reluctant to do business with you again.

How your payment processor helps with PCI compliance

One key way to simplify PCI compliance for small businesses is to work with a highly rated payment processor. Modern credit card processing companies and POS providers handle much of the security burden on your behalf, significantly reducing the scope of what you need to manage directly. The best vendors offer these features to aid PCI DSS compliance:

  • Tokenization replaces actual card numbers with randomly generated tokens that have no exploitable value if intercepted. When your processor uses tokenization, your systems never store the actual card data, dramatically reducing your PCI scope.
  • Point-to-point encryption (P2PE) encrypts card data at the moment of capture (the card reader) and keeps it encrypted until it reaches the processor’s secure decryption environment. A PCI-validated P2PE solution can simplify your SAQ to the shortest and simplest version available.
  • Hosted payment pages for online transactions keep card data entry on the processor’s servers rather than yours. If your e-commerce customers enter their card information on a payment page hosted by your processor (rather than directly on your website), your PCI compliance obligations are significantly lighter.

When evaluating or renegotiating with a payment processor or POS provider, ask the vendor specific questions about their PCI compliance support: Do they offer tokenization and P2PE? Do they provide a PCI compliance program, including SAQ guidance and ASV scanning? Is there a PCI-related service fee, and if so, what does it include? Do they maintain their own PCI DSS certification, and at what level? The answers to these questions can make the difference between PCI compliance feeling like a burdensome obligation and a routine part of doing business.

PCI compliance best practices for small businesses


Beyond meeting the formal PCI DSS requirements, several best practices help small businesses maintain strong credit card data security and stay compliant with minimal friction.

1. Don’t store cardholder data unless absolutely necessary. This is the single most effective way to reduce your PCI scope and your risk. If you don’t hold credit card data, it can’t be stolen from you. Rely on your processor’s tokenization and vault services instead of keeping card numbers on file.

2. Use tokenization and P2PE. These technologies are available through most modern processors and POS systems. If your current credit card processing setup doesn’t support them, it may be worth switching to a processor and point-of-sale system that does.

3. Keep all software and systems updated. This includes your POS software, operating systems, routers, firewalls and any other technology connected to your payment environment. Unpatched software is one of the most common attack vectors.

4. Train your employees. Employees should understand basic security practices: recognizing phishing attempts, handling card data appropriately, using strong and unique passwords, and knowing who to contact if they suspect a security issue. Annual security awareness training is a PCI requirement, but it also makes good business sense.

5. Review your security practices regularly. Don’t treat PCI compliance as a once-a-year checkbox exercise. Periodically review who has access to payment systems, whether all software is current and whether your payment environment has changed in ways that affect your compliance.

6. Work with PCI-compliant vendors. Any third party that touches your cardholder data must also be PCI-compliant. This includes your payment processor, hosting provider, e-commerce platform and any other service providers with access to your business’s payment data. Ask for documentation of their compliance status before signing any partnership agreements.
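As an added example (not part of this article or of any processor's tooling), the following Python script shows the kind of check that supports Requirement 3 and best practice 1: scanning logs or exports for stray full card numbers, using the Luhn check to tell real PANs apart from order numbers and timestamps, and reporting only masked values so the scan itself does not re-expose the data. The sample log is constructed and uses publicly documented test card numbers; masking to the last four digits is an assumption chosen to be conservative.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits. Whether a match is a
# real card number is decided by the Luhn check below, not by the regex.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits in the report (assumption: stricter
    than the standard's display maximum, so findings are safe to share)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Scan text line by line and return one finding per Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append({"line": lineno, "length": len(digits),
                                 "masked": mask_pan(digits)})
    return findings


# Constructed sample log: the two PANs are the well-known test numbers
# 4111... and 5555...4444; line 3 holds a 16-digit value that fails Luhn,
# and the token, order ids and timestamps are made up.
SAMPLE_LOG = """\
2026-05-12 09:14:03 order=7781 pan=4111111111111111 amount=42.10
2026-05-12 09:15:17 order=7782 token=tok_9f3a1c0b7e amount=18.00
2026-05-12 09:16:44 order=7783 ref=4111 1111 1111 1112 amount=7.50
2026-05-12 09:17:02 order=7784 pan=5555-5555-5555-4444 amount=99.99
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f['line']}: {f['length']}-digit PAN {f['masked']}")
```

A hit in a log, database export or support mailbox means that system is storing cardholder data and is in scope; the fix is to stop writing the PAN there (tokenize or truncate), not merely to protect the file.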

PCI compliance is non-negotiable

PCI compliance is a non-negotiable requirement for any business that accepts credit card payments, but it doesn’t have to be overwhelming. For most small businesses, the combination of a modern payment processor that handles the heaviest security lifting and a basic commitment to good security hygiene is enough to meet the PCI DSS requirements and protect your customers’ data.

However, keep in mind that the effort required scales with your business. A sole proprietor using a cloud-based POS solution with built-in tokenization and hosted payment pages may need only to complete a short SAQ once a year. A multi-location business with a more complex payment environment will need to invest more time and resources. Either way, the cost of compliance is far less than the cost of a breach.

Start by confirming your merchant level with your processor, identifying the right SAQ for your payment setup and taking advantage of the compliance tools your processor likely already offers. From there, PCI compliance becomes a manageable, routine part of running your business.
