What Is PCI Compliance?

By: Brooke Tajer


New business owners may wonder what the term “PCI compliance” means when they first hear it, and why it matters for their business. PCI compliance means adhering to the Payment Card Industry Data Security Standard (PCI DSS), which is endorsed by all major credit card providers. This set of standards helps maintain security for merchants that accept credit card payments, and any merchant that accepts, transmits, or stores payment card data needs to be compliant.

For a more in-depth explanation of what PCI compliance is, read on below:

PCI compliance is good for your business, because having security measures in place helps to deter and prevent credit card fraud, which protects your customers and your business in a nation that is vulnerable to fraud risks. The United States is responsible for more than one-third of global credit card fraud. While the U.S. generates only 22.9 percent of global purchase and cash volume, it accounts for 38.7 percent of total payment fraud. Fraud threats aren’t just external; they can also come from inside your business, from your very own employees.

Ensuring your payment processing methods are PCI compliant helps your business stay legal and helps safeguard you from a costly breach. Here’s what to be aware of:

What Are the PCI Standards?

There are 12 basic requirements your business payment processing must meet in order to be considered PCI compliant. Any merchant services provider you use should follow all these to ensure compliance.

  1. Protect cardholder data with an effective firewall configuration.
  2. Ensure all system and security passwords are unique, and never use vendor-supplied default passwords.
  3. Ensure cardholder data is protected.
  4. Encrypt cardholder data when it is transmitted across open and public networks.
  5. Employ effective, updated anti-virus software.
  6. Make sure systems and applications are developed and maintained for security.
  7. Restrict cardholder data sharing within the business.
  8. Ensure each employee has a unique ID for computer access.
  9. Restrict physical access to cardholder data.
  10. Regularly monitor network resource access.
  11. Install, test, and maintain security systems.
  12. Create and maintain an information security policy.

All of these requirements seem like common sense for a business. They’re even simpler to implement when you use a payment processing provider that does all the work for you. You can be assured that payment security is maintained, and work on other aspects of your business.

PCI Compliance Is Non-Negotiable

Even if you process only one credit card a year, the bank you open a business account with requires you to meet all 12 PCI compliance requirements. PCI compliance applies to merchants with physical stores and point-of-sale machines, to merchants that process payments online, and to merchants that accept payments anywhere else. Beyond credit cards, any debit cards that can also be processed as credit cards must be protected in the same way.

If your business suffers a breach and you do not meet PCI compliance standards, you may be required to pay significant fines to banks, as well as hefty compensation to customers, merchants, or other entities.

PCI compliance elements are also legally binding in some cases. For example, if you store customer data, you may be violating state and federal privacy laws. Customer data that may not be stored includes unencrypted credit card numbers, card verification values, and PINs. Even if no breach has taken place, simply storing data like this in a spreadsheet or backup may mean your business is breaking the law.
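A practical way to find out whether card data has leaked into spreadsheets or backups before an auditor (or an attacker) does is to scan exports for it. The script below is an added example, not code from the original article or from any payment provider: it reads a CSV export, flags columns whose names suggest sensitive authentication data (CVV, PIN, track data), finds 13- to 19-digit sequences, and uses the Luhn check to separate real card numbers from order IDs and other digit runs. The sample export and column names are constructed; the card numbers in it are well-known published test numbers, not real accounts. Anything it reports is masked to the first six and last four digits, so the scan output itself does not become another copy of the data.

```python
"""Scan a CSV export for stored primary account numbers (PANs) and
sensitive authentication data columns.

Added example, not part of the original article. Assumptions: the input is
a CSV text export, card numbers may be written with spaces or dashes, and
the sample rows below are constructed (they use published test numbers).
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (rules out most timestamps and long reference numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Column-name tokens that usually hold sensitive authentication data, which
# PCI DSS says must never be stored after authorization, even encrypted.
SAD_COLUMN_TOKENS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "track", "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first 6 and last 4 digits (the PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def is_sad_column(name: str) -> bool:
    """Match whole name tokens so 'shipping' is not flagged because of 'pin'."""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    return any(t in SAD_COLUMN_TOKENS for t in tokens)


@dataclass(frozen=True)
class Finding:
    row: int       # 1-based data row in the export
    column: str
    kind: str      # "pan" or "sensitive-auth-data"
    masked: str    # never the raw value


def scan_csv(text: str) -> list[Finding]:
    """Return one Finding per stored PAN or populated sensitive-data cell."""
    findings: list[Finding] = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, 1):
        for column, value in row.items():
            value = (value or "").strip()
            if value and is_sad_column(column):
                findings.append(Finding(row_no, column, "sensitive-auth-data", "*" * len(value)))
            for match in PAN_CANDIDATE.finditer(value):
                digits = re.sub(r"[ -]", "", match.group())
                if luhn_valid(digits):  # drops order IDs that merely look like PANs
                    findings.append(Finding(row_no, column, "pan", mask_pan(digits)))
    return findings


# Constructed sample export: phone numbers are too short to match, the 16-digit
# order ID fails Luhn, and Bob's empty CVV cell is not reported.
SAMPLE_EXPORT = """customer,phone,card_number,cvv,order_id
Alice,555-0100-1234,4111 1111 1111 1111,123,1234567890123456
Bob,555-0100-5678,378282246310005,,ORD-2024-0042
Carol,555-0100-9012,5500-0000-0000-0004,456,ORD-2024-0043
"""

if __name__ == "__main__":
    for f in scan_csv(SAMPLE_EXPORT):
        print(f"row {f.row}: column '{f.column}' holds {f.kind} ({f.masked})")
```

Run it against a real export by reading the file into `scan_csv`; a clean result means no Luhn-valid card numbers and no populated CVV/PIN columns were found, while any finding is a record that should not exist and needs to be deleted or tokenized, not just encrypted.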

How to Maintain PCI Compliance

To ensure your business stays compliant, you should request a certificate of compliance from your merchant services provider at least once a year. Everything you use to process payments, from your point of sale machines to your ecommerce store, must be PCI compliant to ensure you meet the standards.

Because you’ll be creating and updating an information security policy as part of your PCI compliant payment processing, you should make sure all employees have access to this document. Proper training and follow-ups should be implemented to ensure employees understand PCI compliance and how it applies within your business. Upload a living copy of your policy to a central location, so it is always accessible to your team.

Your business can regularly conduct security tests that mimic the behavior of fraudsters, so that you can identify and quickly fix any problems. Connect your IT team with your merchant services provider, so they can work together to create an optimally secure system.

The costs involved in creating, testing, and maintaining PCI compliant payment processing for your business are worth the protection that is offered. If your business does suffer a breach and you were not following PCI standards, you may suffer a significant financial loss, not to mention the loss of your customers’ trust and damage to your business reputation. For merchant services that ensure your business stays PCI compliant, contact us.