When you accept credit or debit cards as payment, there are PCI compliance guidelines to process the card securely. Is your small business PCI compliant?
Advertiser Disclosure: Our unbiased reviews and content are supported in part by
affiliate partnerships, and we adhere to strict
guidelines to preserve editorial integrity.
So, what is PCI compliance, and what does it have to do with your retail or restaurant business?
PCI compliance is important to any business that takes payment, and even if you might not know much about payment security, we’re here to help! Read on to learn more about the basics of PCI compliance and how you can secure your business and peace of mind.
What Is PCI Compliance?
Payment Card Industry-Data Security Standard PCI DSS Compliance rules are a set of standardized measures that were created by major credit card companies to protect customers’ card numbers and personal information. These rules apply to any business that accepts debit or credit card payments regardless of industry or location. PCI compliance ensures that payment data stays secure for the entire payment lifecycle.
These rules and regulations have been updated multiple times since they were created in 2006. PCI DSS 4.0 was released in March 2022 and will replace PCI DSS 3.2.1 in March 2025.
What Does PCI Stand For?
PCI is a shortened version of the acronym PCI-DSS and is most commonly used when discussing Payment Card Industry-Data Security Standard compliance. The governing body for all PCI-related matters is the Payment Card Industry Security Standards Council which aims to protect sensitive credit card data.
Any organization or seller, regardless of size, that accepts, stores, processes, and transmits cardholder data during a credit card transaction must follow the most recent version of the PCI-DSS rules.
Who Makes These Policies?
The five major credit card companies (American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc.) make up the Executive Committee.
Other large brands like Square, one of the largest payment services providers, sit on the board and contribute to the council in a consulting role to help formulate policy pertaining to new technology and updating best practices.
Because of the constantly evolving risks, new policies are always being implemented. As PCI security standards evolve, so must merchants and their best practices.
What Is PCI Scope?
PCI scope defines the people, processes, and technologies that interact with or could otherwise impact the security of the cardholder data, according to the PCI SSC.
Any of your equipment, software, or hardware that processes, stores, or transmits cardholder data is considered “in scope” and must be PCI compliant.
Some credit card processors take care of PCI compliance for you, which can reduce your PCI scope and what you personally have to due in order to remain PCI compliant. We’ll talk more about payment service providers (PSPs) and how they limit your PCI scope later on.
Payment methods you accept may also increase or decrease your scope. If you store credit card data on your servers to use for recurring billing, your scope is going to be greater than if your customer used a digit wallet for in-person purchases. This is because you have to make sure that you are storing the card data safely, but when you accept a digital wallet payment from Google Pay or Apple Pay, your business doesn’t come into contact with any credit card data directly through a process called credit card tokenization.
eCommerce businesses can reduce the scope of their PCI compliance requirements by using a hosted payment page offered by their provider rather than having customers check out directly through their business’s websites.
What Are Merchant Risk Levels?
Merchant risk levels determine what kind of tasks you’re going to have to complete in order to maintain PCI compliance as a business. Risk levels are defined by the number of transactions your business processes annually and don’t factor in your overall processing volume.
The merchant risk levels are defined as:
- Level 1: companies that process over 6 million credit card transactions per year, or companies that experienced a breach resulting in data loss within the last year
- Level 2: companies that process 1-6 million credit card transactions per year
- Level 3: companies that process 20,000-1 million credit card transactions per year
- Level 4: companies that process fewer than 20,000 credit card transactions per year
As a small business owner, your business is most likely going to be considered a level 4. It’s important to note that if you’ve ever suffered a data breach, you will be escalated to a higher merchant level to reflect that added risk.
Do I Have To Be PCI Compliant?
If your business accepts debit or credit card payments, yes, you will need to be PCI compliant.
Your specific compliance requirements can range from easy to complex (and expensive) depending on how you accept card payments and the size of your business.
Understanding Your PCI Compliance Obligation
As we mentioned briefly above, risks are higher for larger businesses because of the number of transactions they process. This is why the merchant risk level exists.
It’s your responsibility as a business owner to know which merchant risk level your business falls under and what the specific PCI compliance requirements are for that level.
Contrary to popular belief, just because you are a small business doesn’t mean that you’re too small for cybercriminals and fraudsters to make you a target. In reality, lax security efforts make you more likely to suffer from a data breach. Small to mid-sized businesses make up the majority of data breach victims and are often unable to bear the costs associated with responding to the breach.
Note: The individual payment processing companies, not the PCI SSC, determine the enforcement of compliance and non-compliance penalties, even though the card networks are the ones who mandate compliance. The PCI Council recommends that merchants direct any questions regarding non-compliance penalties or enforcement of compliance to their processors, as they’ll best be able to assist you.
Am I PCI Compliant?
More likely than not, if you’re reading this article, you run a level 4 business. Most of the PCI-DSS is broken down into specific goals with corresponding actions you need to take to make sure you are remaining compliant.
We recommend doing a quarterly scan, and an annual Self-Assessment Questionnaire (SAQ). Then fix any vulnerabilities and report them to the appropriate acquiring bank and card brand. Read our quick guide to PCI compliance for small businesses to learn more.
The PCI Council breaks down what SAQs your business needs to complete based on the types of transactions your company does. Here is how the processing methods are broken down:
- Shopping cart with the entire internet presence outsourced
- Shopping cart with the payment page entirely outsourced
- Shopping cart with the payment page partially outsourced (some elements hit merchant page)
- Shopping cart with direct post (merchant hosts) payment page
- Shopping cart payment page not outsourced
- POS terminal
- Virtual terminal manual entry
- Virtual terminal card reader
The PCI Council lays out what merchants need to do based on the scope factors above. Merchants who don’t have the in-house expertise typically hire a Qualified Security Assessor (QSA) vetted and approved by the PCI Council to perform on-site assessments, determine the required PCI scope, and make recommendations.
Essentially, security assessors are independent consultants who adhere to the PCI Data Security Standard Assessment Procedures. You can learn more about QSAs and access a list of qualified companies and individuals on the PCI Security Standards Council website.
How Do I Make Sure My Business Is PCI Compliant?
You will need to work with your payment processor in order to remain PCI compliant. There are some steps they will have to complete for you and others you will complete on your own. You are ultimately responsible for meeting the PCI compliance requirements, not your processor.
Best Practices
Best practices you need to do on your own include:
- Maintain A Secure Network: Make sure your firewall is properly configured and up-to-date, never use default/duplicate passwords, use anti-virus software and keep it updated, track and monitor access points to your network by testing your networks, and maintain and follow information security policies.
- Protect Cardholder Data: Use encryption or tokenization for all transactions (or find a Payment Service Provider that does this for you), used a hosted payment page, and only store payment/card information in a secure and up-to-date program.
- Implement Strong Access Measures: Create unique IDs for all employees, only issue them on a need-to-know basis, and keep a record of permissions issued. Consider changing shared passwords after an employee leaves the business.
To learn more about the actionable steps to take for PCI compliance, read our complete guide to PCI-DSS compliance.
Another easy way to ensure PCI compliance is to use a PSP like Square or PayPal, which will handle almost all compliance requirements for you. They will also complete security scans on your account as needed and should also be able to assist you in completing and filing SAQs when required.
PCI Compliance For Brick & Mortar Businesses
If you have a storefront, you’ll need to consider both the software and the hardware you use to process payments. Any equipment that touches credit card information will need to be PCI compliant, but you need to consider the end-to-end security of every transaction.
Tokenization is the current “gold standard” in easily adoptable security features, reducing the scope of PCI compliance requirements by keeping credit card data off the merchant’s website or processing hardware entirely. Mobile wallets that rely on NFC technology tokenize data before passing it to the payment processing network. Almost all payment processors in the industry today offer tokenization, and most include it as a standard feature.
Securing your Wi-Fi networks and following general network security practices are critical to maintaining PCI compliance over the long term. It’s also worth mentioning again that if your staff ever takes an order over the phone or remotely, never write the numbers down or store them with unsecured software. Advise your team to always record the credit card number directly into the payment software at the virtual terminal — not on a pad of paper, in a word processing document, or anything else.
PCI Compliance For Online Businesses
Whether your business is eCommerce-only or you just have an online sales channel, your PCI compliance requirements will depend primarily on whether or not any cardholder data passes through your servers or goes into your site during the checkout process. If any data does pass through your website or server during checkout, your PCI scope increases, and you have more of an obligation.
To reduce your PCI compliance obligations, you can choose a merchant services provider that offers a hosted checkout page. This option simplifies PCI compliance but requires customers to (temporarily) leave your site to complete the checkout process. Hosted payment pages are popular with small eCommerce businesses that often don’t have the resources to tackle the additional PCI compliance burden that comes with a fully self-hosted website.
If you want to safely store your returning customers’ credit card information, so they don’t need to type it in every time they place an order, you’ll need to have a PCI-compliant vault. Today, most of the leading POS systems on the market offer this service as a standard feature.
You can also accept payments using invoices. If you send an invoice through a PCI-compliant payment processor, the provider can generate a “pay now” link for you. Your customer then completes the transaction via a secure domain, requiring no extra work on your part. You don’t need a website of your own, because the invoice software links to a site hosted by your payment processor.
PCI Compliance For Mobile Businesses
You may be happy to know that many mobile point-of-sale (mPOS) apps are automatically PCI compliant, so you don’t need to jump through any additional hoops to take payments! The best mobile POS payment apps work by encrypting the card data as soon as the card is inserted, tapped, or swiped, so the payment data never touches your phone or device. It’s all routed through a secure network maintained by the processor offsite.
Am I PCI Compliant Through My Point Of Sale?
Potentially, yes! A lot of credit card processors take care of PCI compliance for you. This ultimately reduces your PCI scope and makes your life easier.
Square is a PSP (payment service provider) that acts as a merchant of record on your behalf. This way, you never store or transmit the card data through your own system, it’s all through Square’s PCI compliant hardware and software.
If you are curious about what your payment processor offers as far as PCI compliance and payment security measures, inquire with them directly. If your company requires a customized solution or you need to store credit card data on your servers, however, you’ll need to understand more about PCI or hire an outside firm that does.
Again, just because you are PCI compliant through your PSP doesn’t mean your system is completely secure. Make sure that your employees understand the importance of only entering or storing payment information in your PCI compliant software.
Are You Ready To Become PCI Compliant?
The main takeaway we want to stress is that PCI compliance is never a one-and-done event. Think of it as a continual process of assessing, remediating, and reporting.
Whether you handle PCI compliance matters in-house or get outside help from a third-party vendor, there will always be an effort (and cost) involved. It’s also a critical part of accepting payments for merchants because keeping a secure system is the best way to safeguard customers and your livelihood.
FAQs: What Is PCI Compliance?
Does my business have to be PCI compliant?
If your business accepts debit or credit cards as payment, yes, you must be PCI compliant.
What does PCI stand for?
PCI is a shortened version of the acronym PCI-DSS and is most commonly used when discussing Payment Card Industry-Data Security Standard compliance.
Is Square PCI compliant?
Yes, most payment service providers are PCI compliant. These companies run customer payment information through their PCI compliant hardware and software which means you never store or transmit the card data through your own system.
