What Is the Payment Card Industry? PCI Explained

The Payment Card Industry (PCI) refers to the collection of organizations, standards, and security requirements that govern how businesses handle credit and debit card data. At its core is the PCI Data Security Standard (PCI DSS), a set of 12 security requirements that any business accepting, processing, storing, or transmitting cardholder data must follow. Whether you run a small online shop or a large retail chain, PCI compliance affects you if you take card payments.

Who Runs PCI and Why It Exists

The PCI Security Standards Council (PCI SSC) is the global body that develops and maintains these security standards. It was founded in 2006 by the five major credit card networks: American Express, Discover, JCB International, Mastercard, and Visa. Before the council existed, each card brand enforced its own separate security programs, which created a confusing patchwork for merchants. The council unified those efforts into a single standard.

The council’s role is to create and update the standards, but it does not enforce them directly. Enforcement falls to the individual card brands and the banks that process payments (called acquiring banks). Those institutions set the rules for how merchants in their networks must prove compliance, and they can levy fines or revoke card-acceptance privileges for businesses that fail to meet the standard.

The 12 PCI DSS Requirements

PCI DSS is organized around 12 high-level requirements. Each one breaks down into dozens of specific sub-requirements, but the top-level list gives you a clear picture of what the standard covers:

  • Network security controls. Set up and maintain firewalls or equivalent protections that control traffic flowing in and out of your network.
  • Secure configurations. Change default passwords and settings on all systems. Factory defaults are publicly known and easy targets.
  • Protect stored data. If you must store cardholder data, encrypt it and limit how long you keep it.
  • Encrypt data in transit. Any time card data travels over a public network (like the internet), it must be protected with strong cryptography, such as TLS encryption.
  • Malware protection. Deploy and regularly update antivirus and anti-malware software across all systems.
  • Secure software development. Build and maintain applications with security in mind, patching known vulnerabilities promptly.
  • Restrict access by business need. Only employees who need cardholder data to do their jobs should be able to see it.
  • User authentication. Assign unique IDs to each person with system access so that actions can be traced to individuals.
  • Physical access controls. Lock down servers, filing cabinets, and any physical location where card data could be accessed.
  • Logging and monitoring. Track and record all access to network resources and cardholder data so suspicious activity can be detected.
  • Regular security testing. Run vulnerability scans and penetration tests on a set schedule to find weaknesses before attackers do.
  • Security policies and programs. Maintain a formal information security policy and train employees on their responsibilities.

The current version is PCI DSS 4.0.1, which places a stronger emphasis on multi-factor authentication (MFA) for all access into the cardholder data environment and requires more thorough risk analysis. The standard was introduced in 2022 with a transitional grace period, but full enforcement of the new requirements began on April 1, 2025. Organizations that haven’t updated their security practices to match are now out of compliance.

Who Needs to Comply

Every business that accepts, processes, stores, or transmits credit or debit card information must comply with PCI DSS. This includes brick-and-mortar retailers, online stores, restaurants, subscription services, nonprofits that take donations by card, and any service provider that touches card data on behalf of another business. Size doesn’t matter for the basic obligation: a one-person shop selling handmade goods online is subject to PCI DSS just like a multinational retailer.

What does change with size is how you prove compliance. Card brands typically group merchants into four levels based on annual transaction volume, with Level 1 (the highest volume, generally over six million transactions per year) facing the most rigorous validation requirements.

How Businesses Prove Compliance

There are two main paths to demonstrating PCI compliance: self-assessment and formal audits.

Self-Assessment Questionnaires

Most small and mid-sized merchants validate compliance by completing a Self-Assessment Questionnaire (SAQ). The PCI SSC publishes several SAQ types, each tailored to a specific business setup. Choosing the right one depends on how you handle card data:

  • SAQ A is the simplest. It’s for merchants that never touch card data directly, whether online or by phone, because they’ve outsourced all payment handling to a validated third-party processor.
  • SAQ A-EP applies to e-commerce merchants that outsource payment processing but whose website could still affect the security of the transaction, for example by hosting the page where the customer enters their card number even though the data goes straight to the processor.
  • SAQ B covers merchants using only old-fashioned card imprint machines or standalone dial-up terminals with no electronic data storage.
  • SAQ B-IP is similar but for standalone payment terminals that connect to the processor over the internet rather than a phone line.
  • SAQ C-VT is for merchants who manually key in one transaction at a time through a web-based virtual terminal hosted by a validated provider.
  • SAQ C covers merchants with payment applications connected to the internet but no electronic storage of card data.
  • SAQ P2PE-HW applies to merchants using hardware terminals managed through a validated point-to-point encryption solution, which means card data is encrypted the instant a card is swiped or dipped and the merchant never has access to it in readable form.
  • SAQ D is the catch-all. It covers any merchant or service provider that doesn’t fit the categories above and is the longest and most detailed questionnaire.

If your business uses a modern payment processor and never stores or directly handles card numbers, you’ll likely qualify for one of the shorter questionnaires. That’s one practical reason many small businesses choose hosted payment solutions: it dramatically reduces the compliance burden.

On-Site Audits

Level 1 merchants and large service providers typically must undergo a formal audit conducted by a Qualified Security Assessor (QSA), an independent firm certified by the PCI SSC. The assessor reviews your systems, policies, and processes in detail and produces a Report on Compliance (ROC). These audits can take weeks or months and cost tens of thousands of dollars, which is why they’re generally reserved for the largest organizations.

What Happens If You’re Not Compliant

Non-compliance carries real financial consequences. If your business suffers a data breach and you weren’t PCI compliant at the time, the card brands can impose fines on your acquiring bank, which will pass those costs directly to you. Fines can range from $5,000 to $100,000 per month depending on the severity and duration of non-compliance. Beyond fines, you may be responsible for covering fraud losses, the cost of reissuing compromised cards, and forensic investigation expenses.

In extreme cases, a card brand can terminate your ability to accept its cards entirely. For most businesses, losing the ability to process Visa or Mastercard would be catastrophic. Even without a breach, some acquiring banks charge higher processing fees to merchants that can’t demonstrate compliance, so there’s an ongoing cost to ignoring the standard.

PCI Compliance for Small Businesses

If you’re a small business owner, PCI compliance can sound overwhelming, but the practical reality is usually manageable. The single most effective step is to avoid handling raw card data whenever possible. Use a payment processor that provides a hosted checkout page or a point-to-point encrypted terminal. When card numbers never pass through your systems, your compliance scope shrinks to the simplest SAQ categories, which may involve answering fewer than 30 questions rather than the 300-plus in SAQ D.

Beyond choosing the right payment setup, basic security hygiene covers most of what PCI requires of a small merchant: use strong, unique passwords; keep your software updated; restrict access to payment systems to only the people who need it; and don’t store card numbers in spreadsheets, paper files, or email. Your payment processor will often provide guidance on which SAQ applies to your setup and may offer tools to help you complete it.
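One concrete way to act on the advice above, and on requirement 3's point that stored cardholder data should be kept to a minimum, is to scan your own exports, logs and mailbox dumps for anything that looks like a card number before it lingers where it shouldn't. The script below is an added example, not code from this article or from the PCI SSC. It uses only the Python standard library; the CSV-style sample input, the function names and the issuer-prefix heuristics are constructed assumptions for illustration. Candidates are checked with the Luhn checksum so that order ids and timestamps are mostly rejected, and every finding is reported masked rather than echoing the full number into yet another file.

```python
"""Find candidate primary account numbers (PANs) in text and report them masked.

Added example (not from the article or the PCI SSC). Meant for a merchant
checking spreadsheets, log exports or mailbox dumps for card numbers that
should never have been stored there. Standard library only.
"""
import re
from typing import NamedTuple

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run. Longer runs (e.g. 20-digit ids) are skipped.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int
    masked: str   # first six and last four digits visible, middle replaced by '*'
    brand: str    # heuristic issuer guess, "unknown" if no rule matched


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn checksum.

    Starting from the rightmost digit, every second digit is doubled and
    digit-summed; a valid number has a total divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the first six and last four digits (a long-accepted display format)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def guess_brand(digits: str) -> str:
    """Heuristic issuer guess from well-known leading digits; illustrative only."""
    n = len(digits)
    lead4 = int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (digits[:2] in {"51", "52", "53", "54", "55"} or 2221 <= lead4 <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in {"34", "37"}:
        return "American Express"
    if n == 16 and (digits.startswith("6011") or digits[:2] == "65"):
        return "Discover"
    if n == 16 and 3528 <= lead4 <= 3589:
        return "JCB"
    return "unknown"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid candidate, keyed by 1-based line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue  # order ids, timestamps and typos rarely pass Luhn
            findings.append(Finding(line_no, mask_pan(digits), guess_brand(digits)))
    return findings


# Constructed sample: a spreadsheet export a small merchant might have lying
# around. The card numbers are publicly known test numbers, not real accounts.
SAMPLE_EXPORT = """\
order_id,customer,card,notes
1234567890123,alice,4111 1111 1111 1111,hosted checkout should have handled this
1234567890124,bob,378282246310005,phone order keyed in by staff
1234567890125,carol,4111111111111112,typo - fails Luhn so it is not reported
1234567890126,dave,tok_constructed_9f3a,tokenized reference only - nothing to find
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line_no}: {f.masked} ({f.brand})")
```

To check a real file, replace SAMPLE_EXPORT with the file's contents. A non-empty result means cardholder data is sitting outside your processor's environment and expanding your PCI scope; the follow-up is to delete it or replace it with the processor's token, not merely to mask it in the report.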