Any business—whether online or brick and mortar—that processes credit card payments needs to take seriously keeping its systems safe and secure from bad actors on the web. The stakes are incredibly high, with the average cost of a data breach in 2023 reaching $4.45 million (an increase of 15.3% from the previous year). A PCI DSS compliance checklist can help protect your business and customers. This means that virtually every business today, from restaurants to retail outlets, from online stores to hair salons, needs to understand the concept of PCI DSS compliance. This article will explore the topic of PCI compliance, clarify the specific steps you need to take, and explain the compliance levels you need to know. Feeling overwhelmed? We've got you. We’ll close out with an actionable (and simple) free checklist you can use to start down the path of PCI DSS compliance. Let’s dive in.
What is PCI DSS compliance?
PCI DSS compliance is a set of requirements outlined by the Payment Card Industry Data Security Standard (PCI DSS). It’s intended to ensure that all companies who process, store, or transmit credit card information do so in a secure environment that’s protected from bad actors—aka hackers. Launched in 2006, PCI DSS compliance was designed to improve existing processes, checks, and balances that protect cardholder data. The goal is to make credit card transactions more secure and reliable for consumers. How? By ensuring that vendors meet a series of technical, operational, and security requirements that keep payment data safe.
PCI DSS: an overview
PCI DSS stands for Payment Card Industry Data Security Standard. The organization behind this standard is called the Payment Card Industry Security Standards Council (PCI SSC). They’re an independent body created by Visa, Mastercard, American Express, Discover, and JCB. PCI DSS compliance applies to any organization—large or small—that stores, processes, or transmits credit card data using any of the companies mentioned above.
Why is PCI DSS compliance important?
Becoming—and remaining—PCI DSS compliant protects both your business and the customers who pay for your products or services. It’s a series of requirements that reduces the likelihood that you’ll experience a data breach, which can put your company and your customers at risk.
Benefits of PCI DSS compliance.
- Protect sensitive data. PCI DSS compliance ensures that businesses handle and store payment card information properly, reducing the risk of it falling into the wrong hands.
- Avoid financial penalties. Non-compliance can result in fines, penalties, and canceled contracts from major credit card companies and banks, putting your payment processing and operations at risk. This is on top of potential fines and penalties associated with a data breach. All of this can be financially crippling—especially for a small business.
- Reduce the risk of data breaches. Implementing robust security measures—either yourself or via payment processors and platforms that you use—helps secure your sensitive data, reducing the likelihood of damaging data breaches.
- Help your customers trust you. Becoming and remaining PCI DSS compliant signals to your customers that your business is committed to protecting their payment card information. This not only builds loyalty from your customer base, but also directly impacts sales. The Baymard Institute, for example, found that 18% of online abandoned carts stemmed directly from the user not trusting the site with their credit card information.
- Avoid costly business disruptions. Above all, PCI DSS compliance ensures that you can continue to operate as a business, without costly disruptions and distractions related to data security. You don’t have to worry about possible closures or canceled payment processing services that can deal a significant blow to your business.
The benefits of PCI compliance far outweigh the negatives. Let’s explore some of the potential issues of not being compliant with this security standard.
What happens if you’re not PCI compliant?
First off, processing credit card payments through Visa, Mastercard, American Express, Discover, and JCB while not being PCI compliant is a breach of your contractual obligations with those companies. If they find out, you’re exposed to potential legal issues, canceled contracts, and potentially even fines levied by those companies. Beyond that, some potential risk factors of not being PCI compliant include:
- Opening yourself to potential data breaches and hacks, which can expose you to regulatory fines.
- Potential loss of customer trust and loyalty—especially from repeat customers.
- Loss of sales, relationships, and reputations as a result of the above.
- Potential lawsuits, insurance claims, canceled accounts, payment card issuer fines, and government fines, depending on the scale of the breach and your liability.
Did you know? About 20% of organizations that experienced a data breach recently paid $250,000 or more in regulatory fines. Source: IBM
As mentioned earlier, PCI compliance is a requirement for any organization that accepts, handles, stores, or transmits cardholder data. This data includes debit, credit, or prepaid cards, and the personal information associated with each. The size of your business and the number of transactions you process do not exempt you from being compliant. But they do dictate the level of compliance—and the scale of the security measures—that you need to have in place. For smaller companies that operate through reputable payment vendors or online platforms like Shopify, Square, or other established companies, PCI compliance is likely already built in. Businesses with their own platforms, or a patchwork of independent services used to process payments, will likely need to explore what they must do to become PCI compliant. In this case, using a PCI DSS compliance manager may make things easier.
Is PCI compliance legally required?
Federally in the United States, no. It’s not enforced by the government, as per the American Bar Society. Some states, however, do enforce these standards as a legal requirement. Nevada, for example, has PCI compliance written into its state laws. But, while PCI compliance may not be legally required through the government, it is a contractual requirement when doing business with most major credit card companies—and many financial institutions—so it would be wise to have a PCI DSS compliance policy in place.
The PCI DSS 12 requirements.
Any company that wants to become PCI compliant needs to understand the 12 core requirements. This is the industry-standard checklist that all companies who process card payments need to follow to meet PCI DSS compliance goals. Again, many existing payment and e-commerce platforms on the market today come PCI compliant out of the box. If you don’t use one of those, then your IT team will need to become intimately familiar with the following PCI DSS compliance requirements.
1. Install and maintain a secure network.
Businesses must install network security controls (NSCs). This means installing a firewall to create a highly secure environment. This protected environment is where you'll store cardholder data, allowing only known and trusted traffic to enter it.
2. Apply secure configurations through your system.
This means applying industry-standard password requirements for all users who have access to cardholder data. This includes setting requirements for character length and types in passwords, requiring two-factor authentication (2FA), and prompting password resets at regular intervals.
3. Protect stored account data.
Anyone who stores or transmits cardholder data should ensure that they have protection methods in place to obfuscate and secure that data. This includes using point-to-point encryption, truncation, masking, and hashing. Best practices include not storing unnecessary personal information, truncating stored cardholder data, and not sending sensitive information through unsecured channels.
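Requirement 3 names truncation, masking, and hashing without showing what they look like in practice. The Python below is an added example (not code from the article or from Homebase) that assumes a policy of displaying at most the first six and last four digits, retaining only the last four in storage, and using a keyed hash so records can be matched without the card number; the sample number is a constructed, well-known test value, and management of the HMAC key is assumed to happen elsewhere.

```python
import hashlib
import hmac
import re

# Constructed test number (a well-known test PAN), not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"
# Assumed policy for this example: show at most the first 6 and last 4
# digits, retain only the last 4, never persist the full PAN.
LEAD_DIGITS, TRAIL_DIGITS = 6, 4

def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; accept only 13-19 digit strings."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("value is not PAN-shaped")
    return digits

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, so malformed input is rejected up front."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Masking for display: first 6 and last 4 visible, the rest starred."""
    digits = normalize_pan(pan)
    hidden = len(digits) - LEAD_DIGITS - TRAIL_DIGITS
    return digits[:LEAD_DIGITS] + "*" * hidden + digits[-TRAIL_DIGITS:]

def truncate_pan(pan: str) -> str:
    """Truncation for storage: only the last 4 digits are kept."""
    return normalize_pan(pan)[-TRAIL_DIGITS:]

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) for matching records without the PAN; an
    unkeyed hash would be reversible by enumerating the small PAN space."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()

def build_stored_record(pan: str, key: bytes) -> dict:
    """What a system retains in place of the PAN under the assumed policy."""
    digits = normalize_pan(pan)
    if not luhn_valid(digits):
        raise ValueError("Luhn check failed")
    return {"display": mask_pan(digits), "last4": truncate_pan(digits),
            "token": hash_pan(digits, key)}
```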
4. Encrypt cardholder data.
Use encryption methods to protect cardholder data at all times—both at rest and when it’s being transmitted over networks that are vulnerable to attack.
5. Protect systems and networks from malicious software.
Ensure that all computers, systems, and networks that have access to cardholder data are equipped with industry-standard anti-malware and anti-virus software. Hackers often use malware and viruses like Trojans, spyware, worms, ransomware, and malicious links to infiltrate computer systems and steal sensitive data.
6. Maintain secure systems and software.
Many hacks occur due to outdated software or missed security patches. This requirement dictates that you should ensure all software and systems that come into contact with cardholder data remain up-to-date with all patches and updates.
7. Deploy proper access control.
Ensure that cardholder data is only accessible by authorized systems and users, and only on a need-to-know basis. Create rules that give specific access and privileges to personnel depending on their role and responsibilities as it relates to cardholder data.
8. Identify and authenticate users.
Install user authentication checks that require anyone trying to access your system to verify their identity. For example, they may be required to provide proof of identification to verify who they are, and then use 2FA methods to log in each time after.
9. Restrict physical access to cardholder data.
This is an important one for brick and mortar stores. Restrict physical access to cardholder data by removing and locking up hard copies or any physical drives that contain that information. This can also mean securing any computers that have access to cardholder data, and ensuring that only required personnel can use that device.
10. Track all access to system components and cardholder data.
Logging tools should also be deployed across your systems so that you can track user activities and access to sensitive data. This should include the ability to track and identify all users who access or alter data. While you may not need to use this tool all the time, it’s invaluable when and if a breach occurs.
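To show what "track and identify all users who access or alter data" means in practice, here is an added Python example (not the article's own code) that reviews constructed audit-log lines in an assumed timestamp|user|role|action|target format. It lists who touched a given card record, flags card-record access by roles outside an assumed need-to-know list (tying back to requirement 7), and, just as important, flags any entry that wrote an unmasked card number into the log itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample audit-log lines (not from any real system). Assumed
# format: timestamp|user|role|action|target
SAMPLE_LOG = """\
2024-03-01T10:02:11Z|alice|billing|VIEW|card:411111******1111
2024-03-01T10:05:40Z|bob|marketing|VIEW|card:411111******1111
2024-03-01T10:07:02Z|carol|billing|UPDATE|card:4111111111111111
2024-03-01T10:09:15Z|alice|billing|EXPORT|report:monthly
"""

# Assumed need-to-know policy: only these roles may touch card records.
ALLOWED_ROLES = {"billing", "support"}
# A run of 13-19 digits in a log field is treated as a possible full PAN.
FULL_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

@dataclass
class Finding:
    line_no: int
    user: str
    reason: str

def parse_line(line: str) -> Dict[str, str]:
    """Split one audit entry into its five assumed fields."""
    ts, user, role, action, target = line.split("|", 4)
    return {"ts": ts, "user": user, "role": role, "action": action, "target": target}

def users_who_touched(text: str, target: str) -> List[str]:
    """Every user who accessed or altered the given record, in log order."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e["user"] for e in entries if e["target"] == target]

def review_log(text: str) -> List[Finding]:
    """Flag card-record access outside need-to-know roles and any entry
    that wrote an unmasked PAN into the log itself."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry["target"].startswith("card:") and entry["role"] not in ALLOWED_ROLES:
            findings.append(Finding(n, entry["user"], "card access outside need-to-know roles"))
        if FULL_PAN.search(entry["target"]):
            findings.append(Finding(n, entry["user"], "unmasked PAN written to log"))
    return findings
```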
11. Test security regularly.
Implement tools, processes, and test networks to stress-test your security often. Make it a regular and ongoing priority at your company to maintain good security hygiene. It's a good idea to ensure that you’re regularly auditing and verifying your security posture.
12. Create secure organizational policies and programs.
Lastly, make sure that all of your security standards, rules, and procedures are documented in writing (preferably in an employee handbook). Educate your employees on the importance of maintaining tight security, and what role they play in protecting cardholder data.
Learn which PCI DSS levels fit your business.
While PCI compliance may seem like a huge burden, the good news is that the scope of the requirements largely depends on how many payments you process per year. Small businesses will likely fall into a lower PCI compliance level, meaning their requirements are much easier to manage than those for large, multinational corporations. Here’s a breakdown of the PCI DSS compliance levels.
PCI Compliance Level 1
The highest compliance level. This is for companies who process more than six million transactions per year. This includes all payment facilitators that process more than 300,000 transactions per year. Requirements for this level include:
- A yearly self-assessment using the PCI SSC SAQ.
- Quarterly vulnerability scans by an approved scanning vendor or vulnerability management program.
- Completing and submitting an attestation of compliance form.
- A Qualified Security Assessor to complete an Annual Report on Compliance and a quarterly network scan and attestation of compliance.
PCI Compliance Level 2
This is for companies that process between one million and six million transactions per year. It includes payment facilitators that process fewer than 300,000 transactions per year. Requirements for this level include:
- A yearly self-assessment using the PCI SSC SAQ.
- Quarterly vulnerability scans by an approved scanning vendor.
- Completing and submitting an attestation of compliance form.
PCI Compliance Level 3
This is for small businesses that process 20,000 to one million transactions per year. Requirements for this level include:
- A yearly self-assessment using the PCI SSC SAQ.
- Quarterly vulnerability scans by an approved scanning vendor.
- Completing and submitting an attestation of compliance form.
PCI Compliance Level 4
The lowest compliance level. This is for companies that process fewer than 20,000 transactions per year. Requirements for this level include:
- A yearly self-assessment using the PCI SSC SAQ.
- Quarterly vulnerability scans by an approved scanning vendor.
- Completing and submitting an attestation of compliance form.
Note: Payment facilitators are services that provide the infrastructure necessary for their customers to begin accepting card payments. Shopify, for example, is a payment facilitator. Determining your level of PCI compliance requirements is as easy as taking a look at your payment processing platform to see how many transactions you process in a typical year. This will help you select the appropriate compliance level, and the steps you need to take next.
Protect cardholder data with the PCI DSS compliance checklist.
We know how compliance can seem like one more headache to add to your list as a small business owner. To make it easier, we’ve put together a free, downloadable PCI DSS compliance checklist that you can use to navigate the process. Download the checklist now to get started. Remember—if you’re using a payment facilitator, POS, or payment processing platform like Shopify, Square, or any other major tool, you’re likely already PCI compliant. Consult your licensing agreement with those vendors if you’re unsure, or reach out to your account manager to confirm. Download the PCI DSS compliance checklist (PDF). Still worrying about compliance? Homebase knows that small business compliance involves more than just PCI DSS. Our all-in-one app for managing your hourly team has built-in payroll tools to help accurately calculate what you need to stay compliant in your state, and when in doubt, our HR Pro team can help you with any compliance questions. Get started with Homebase for free today.
Homebase Team
Remember: This is not legal advice. If you have questions about your particular situation, please consult a lawyer, CPA, or other appropriate professional advisor or agency.