What Does PCI DSS Stand For? Meaning & Requirements

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements designed to protect credit and debit card data whenever it is stored, processed, or transmitted. If your business accepts card payments in any form, PCI DSS applies to you.

Who Created PCI DSS

The standard is managed by the PCI Security Standards Council, an organization founded in 2006 by the five major credit card networks: American Express, Discover, JCB International, Mastercard, and Visa. Before the council existed, each card brand maintained its own separate security program, which made compliance confusing for merchants. The council unified those programs into a single standard so businesses only need to follow one set of rules regardless of which cards they accept.

The council’s stated mission is to enhance global payment account data security by developing standards and supporting education and implementation. It publishes updated versions of PCI DSS periodically. The current version, PCI DSS 4.0, introduced more flexible approaches to meeting requirements while raising the overall security bar.

What PCI DSS Actually Requires

PCI DSS is organized around 12 core requirements grouped into six broad goals. In plain terms, the standard tells businesses to:

  • Build and maintain a secure network. Install and properly configure firewalls, and change all default passwords on systems that handle card data.
  • Protect cardholder data. Encrypt card numbers when they are stored and when they travel across public networks like the internet.
  • Maintain a vulnerability management program. Use antivirus software and keep all systems and applications patched and up to date.
  • Implement strong access controls. Restrict access to card data on a need-to-know basis, assign unique IDs to anyone with computer access, and limit physical access to systems that store card data.
  • Monitor and test networks. Track and log all access to network resources and cardholder data, and regularly test security systems.
  • Maintain an information security policy. Create and enforce a formal policy that addresses information security for all employees and contractors.

The specifics get granular. For example, the encryption requirement means you cannot store the full magnetic stripe data, the card verification code (the three- or four-digit number on the card), or the PIN after a transaction is authorized. Businesses that use a third-party payment processor handle less card data directly, which reduces the scope of what they need to secure, but it does not eliminate their compliance obligations entirely.

Who Needs to Comply

Every organization that stores, processes, or transmits cardholder data must comply with PCI DSS. This includes retailers, restaurants, e-commerce sites, subscription services, nonprofits that accept donations by card, and any other entity that touches card information. It also applies to service providers like payment processors, hosting companies, and software vendors that handle card data on behalf of merchants.

The level of validation you need depends on how many card transactions you process annually. Card brands generally define four merchant levels, with Level 1 applying to the largest merchants (typically those processing over six million transactions per year). Level 1 merchants must undergo an annual on-site audit by a Qualified Security Assessor, an independent professional certified by the PCI Council. Smaller merchants, those at Levels 2 through 4, can usually validate compliance by completing a Self-Assessment Questionnaire, a standardized form that walks you through the applicable requirements. Your acquiring bank or payment processor will tell you which level applies to your business and what documentation they expect.

What Happens If You Don’t Comply

PCI DSS is not a government law. It is enforced through the contracts between merchants, payment processors, and card brands. That distinction matters because the penalties come from your payment processor, not a court, and they can hit fast.

Non-compliance fines range from $5,000 to $100,000 per month depending on the severity and how long the issue persists. Payment processors may also add their own penalties, often $20 to $50 per month on top of those fines. If a data breach occurs and your business is found to be non-compliant at the time, the costs escalate sharply. Processors may charge $20 to $50 per cardholder whose data was exposed, and PCI-related penalties can reach up to $500,000 per incident. Beyond fines, you could lose the ability to accept card payments altogether, which for most businesses is an existential threat.

Even without a breach, non-compliance can lead to higher processing fees. Some processors raise rates for merchants who cannot demonstrate they meet PCI DSS requirements, treating the added risk as a cost of doing business.

How Small Businesses Handle Compliance

If you run a small business and the 12 requirements sound overwhelming, the practical reality is more manageable than it appears. Most small merchants use a third-party payment processor or a hosted payment page, which means card data never touches their own servers. This dramatically reduces the number of requirements that apply. A small retailer using a modern point-of-sale terminal and a hosted checkout page may only need to complete the shortest version of the Self-Assessment Questionnaire, which focuses on physical security, basic network hygiene, and confirming that your service providers are compliant.

The key steps for a typical small business are straightforward: use a PCI-validated payment processor, never store card numbers in spreadsheets or paper files, keep your point-of-sale software updated, use strong and unique passwords on any system connected to payment processing, and complete your annual Self-Assessment Questionnaire. Your payment processor usually provides the questionnaire and may offer tools or guidance to help you finish it.
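The data-retention rules described earlier (no full magnetic stripe data, card verification code or PIN after authorization) and the advice above never to let card numbers land in spreadsheets or files are much easier to enforce if you can actually check for leaked numbers. The following is an added example written for this page, not code from the article or from the PCI Security Standards Council. It scans constructed log lines for 13 to 19 digit sequences that pass the Luhn check, masks any hit to the first six and last four digits (a masking format assumed here; confirm it against your own policy), and redacts CVV/PIN fields. The log lines and field names are constructed, and the card numbers are publicly known test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data fields (CVV/PIN) that must never be kept after
# authorization. The field names are constructed for this example.
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc|cid|pin)=(\d{3,4})\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN, keeping the first six and last four digits (assumed policy)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in one line of text."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):      # drops order ids and other digit runs
            found.append(digits)
    return found


def scrub_line(text: str) -> str:
    """Replace live PANs with their masked form and redact CVV/PIN field values."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    text = PAN_CANDIDATE_RE.sub(_mask, text)
    return SAD_FIELD_RE.sub(lambda m: f"{m.group(1)}=[redacted]", text)


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Report (1-based line number, masked PAN) for every live PAN found."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for digits in find_pans(line):
            hits.append((n, mask_pan(digits)))
    return hits


# Constructed sample log lines. The card numbers are published test numbers,
# the order id is a 14-digit decoy that fails Luhn, and the trace id is a
# 16-digit decoy that also fails Luhn.
SAMPLE_LOG = [
    "2024-01-15 10:02:11 INFO checkout ok order=ORD-20240115-000123 card=4111111111111111 cvv=123",
    "2024-01-15 10:02:12 INFO refund card=5555 5555 5555 4444",
    "2024-01-15 10:03:01 INFO ping trace=1234567890123456",
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: live PAN found -> {masked}")
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

Running the scanner over the sample lines reports a live card number on lines 1 and 2 and nothing on line 3, even though line 3 contains a 16-digit value: the Luhn check is what keeps the false-positive rate low enough to run this over real log volumes. The scrubber is the complementary control, so that a log pipeline or export never writes a full number in the first place.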

PCI DSS and Online Businesses

E-commerce adds complexity because card data travels over the internet. If your website uses a redirect or iframe that sends customers to your payment processor’s page to enter their card details (services like Stripe Checkout or PayPal do this), your own systems never see the card number. You still need to comply with PCI DSS, but your scope is limited to securing your website against tampering, using HTTPS encryption, and ensuring your hosting environment is properly configured.

If you instead collect card numbers directly on your own website and pass them to a processor through an API, your compliance obligations increase significantly. You are now handling cardholder data in transit, which triggers additional requirements around encryption, logging, vulnerability scanning, and potentially quarterly network scans by an Approved Scanning Vendor. For most small and mid-sized online businesses, using a hosted payment form is the simplest path to keeping PCI DSS requirements manageable.