What Is PCI Compliance? Requirements Explained

PCI compliance refers to a set of security standards that any business accepting credit or debit card payments must follow to protect cardholder data. The standards are formally called the Payment Card Industry Data Security Standard (PCI DSS), and they’re maintained by the PCI Security Standards Council, a body founded by Visa, Mastercard, American Express, Discover, and JCB. Whether you run a small online shop or a large retail chain, these requirements apply to you if you store, process, or transmit card payment information.

What PCI DSS Actually Covers

PCI DSS is organized around 12 core requirements, grouped into six broader goals. Together, they form a security framework designed to keep card numbers, expiration dates, and verification codes safe from theft at every point in a transaction.

  • Build and maintain a secure network: Install and maintain firewalls to protect cardholder data, and change default passwords on all systems. Vendor-supplied passwords (like “admin” or “password1”) are easy targets for attackers.
  • Protect cardholder data: Encrypt stored card data using strong cryptography, and encrypt card data whenever it travels across open or public networks. If someone intercepts the data in transit, encryption makes it unreadable.
  • Maintain a vulnerability management program: Use and regularly update antivirus software, and develop secure applications and systems. This means patching known software vulnerabilities promptly rather than leaving outdated code in place.
  • Implement strong access controls: Restrict access to cardholder data on a need-to-know basis, assign unique IDs to each person with computer access, and restrict physical access to systems that store card data. No shared logins, no unlocked server rooms.
  • Regularly monitor and test networks: Track and monitor all access to network resources and cardholder data through logging, and regularly test security systems through vulnerability scans and penetration testing.
  • Maintain an information security policy: Create and enforce a company-wide policy that addresses information security for all employees and contractors.

These requirements scale in complexity depending on your business size, but every merchant handling card data must address all 12 in some form.

Merchant Levels and What They Require

Card brands categorize merchants into four levels based on annual transaction volume. Your level determines how you validate compliance: whether you can self-assess or need a formal audit by a Qualified Security Assessor (QSA).

  • Level 1: More than 6 million card transactions per year. Requires an annual on-site audit by a QSA and quarterly network scans by an Approved Scanning Vendor (ASV).
  • Level 2: 1 million to 6 million transactions per year. Typically requires an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans. Some card brands may require an on-site assessment.
  • Level 3: 20,000 to 1 million e-commerce transactions per year. Requires an annual SAQ and quarterly ASV scans.
  • Level 4: Fewer than 20,000 e-commerce transactions or up to 1 million total transactions per year. Requires an annual SAQ and quarterly ASV scans, though enforcement often comes through your payment processor.

The Self-Assessment Questionnaire is a checklist you fill out to verify your security practices meet PCI DSS standards. There are several versions of the SAQ depending on how you accept payments. A business that only uses a third-party payment page (where customers type their card number on Stripe’s or PayPal’s site, not yours) fills out a much shorter questionnaire than a business that stores card data on its own servers.

The Current Standard: PCI DSS 4.0.1

PCI DSS version 4.0.1 is the current standard, and all of its requirements became mandatory on March 31, 2025. The previous version (3.2.1) is fully retired. If your business was still operating under the older framework, you need to update your practices now.

Version 4.0 introduced several significant changes. It added requirements for multi-factor authentication on all access to cardholder data environments, not just remote access. It expanded encryption requirements and introduced more rigorous password policies, including a minimum length of 12 characters where systems support it. It also shifted toward a “customized approach,” allowing businesses to meet security objectives through alternative methods as long as they can demonstrate the controls are equally effective.

What Using a Payment Processor Changes

If you use a third-party payment processor or gateway like Stripe, Square, or Braintree, a significant portion of PCI requirements shifts to that provider. When customers enter their card details directly on the processor’s hosted payment page, you never touch the raw card data, which dramatically reduces your compliance scope.

But “reduced scope” doesn’t mean “no responsibility.” You’re still responsible for securing your own website so attackers can’t redirect customers to a fake payment page. You’re responsible for any cardholder data that passes through your systems, even temporarily. And you’re responsible for completing the appropriate SAQ for your setup. Your payment processor handles the heavy infrastructure security, but the overall compliance obligation stays with you as the merchant.

When choosing a processor, confirm they are PCI DSS Level 1 certified. Most major processors are, and they publish their compliance certificates. The responsibility matrix between you and your processor depends on your specific integration. A fully hosted checkout (where customers leave your site to pay) puts far more responsibility on the processor than an API-based integration where card data passes through your server before reaching the processor.

Costs of Compliance and Non-Compliance

For small businesses at Level 4, the direct cost of PCI compliance is relatively modest. Many payment processors include basic compliance tools in their service, and completing an SAQ is free. If you need quarterly vulnerability scans from an ASV, expect to pay roughly $100 to $500 per year depending on the provider. Larger businesses requiring on-site QSA audits can spend $50,000 or more annually.

The cost of non-compliance is far steeper. Many payment processors charge a monthly non-compliance fee, typically $20 to $100 per month, if you haven’t completed your SAQ or vulnerability scans. These fees are often buried in your processing statement under labels like “PCI non-validation fee.”

Beyond monthly fees, the real financial risk comes from a data breach. Card brands can levy fines of up to $500,000 per incident when a merchant that wasn’t PCI compliant suffers a breach. On top of fines, you may be responsible for the cost of reissuing compromised cards, fraud losses, forensic investigations, and legal liability. For a small business, a single breach can be financially devastating.

How to Get and Stay Compliant

Start by identifying how your business accepts card payments. Do customers swipe or tap at a terminal? Do they enter card numbers on your website? Do you store any card data after a sale? Your answers determine which SAQ version applies to you and how much of the PCI DSS framework you need to implement directly.

Next, reduce your scope as much as possible. The simplest way to minimize PCI obligations is to never store, process, or transmit raw card data yourself. Use a hosted payment page or a point-to-point encrypted terminal, and your compliance burden drops significantly. If you currently store card numbers in a spreadsheet, a local database, or paper files, stop. There’s almost never a legitimate business reason to retain full card numbers after a transaction processes.

Complete the appropriate SAQ annually through your payment processor’s portal or through the PCI Security Standards Council’s website. Schedule quarterly ASV scans if your setup requires them. Train employees who handle payments on security basics: recognizing phishing emails, never sharing login credentials, and reporting suspicious activity.

Finally, treat compliance as ongoing rather than a once-a-year checkbox. Review access permissions when employees leave, apply security patches promptly, and test your systems regularly. PCI DSS 4.0.1 emphasizes continuous security over point-in-time assessments, and the businesses that treat it as a daily practice rather than an annual task are the ones that avoid breaches.