PCI Compliance Overview

Understanding Payment Card Industry Data Security Standard requirements for businesses.

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for any business that accepts, processes, stores, or transmits credit card information.

Who Must Comply

  • All merchants accepting credit/debit cards (Visa, Mastercard, Amex, Discover)
  • Payment processors and service providers
  • Applies regardless of business size or transaction volume
  • Both in-person and online transactions

The 12 PCI DSS Requirements

1. Install and Maintain a Firewall
Configure firewalls to protect cardholder data. Allow no direct public access to cardholder data.

2. Change Default Passwords
Never use vendor-supplied defaults for passwords, encryption keys, or other security parameters.

3. Protect Stored Cardholder Data
Minimize storage. Encrypt primary account numbers (PANs). Never store CVV2, PIN, or magnetic stripe data.

4. Encrypt Transmission
Use strong cryptography (TLS 1.2+) for cardholder data sent over public networks.

5. Use Anti-Virus
Deploy and maintain anti-virus software on all systems commonly affected by malware.

6. Develop Secure Systems
Keep systems patched. Follow secure coding practices. Protect applications from known vulnerabilities.

7. Restrict Access by Business Need
Limit cardholder data access to those who need it. Apply the principle of least privilege.

8. Assign Unique IDs
Every person with computer access must have a unique ID. No shared accounts or credentials.

9. Restrict Physical Access
Protect physical access to cardholder data. Secure workstations, servers, and paper records.

10. Track and Monitor Access
Log all access to cardholder data and network resources. Review logs regularly.

11. Test Security Systems
Run regular vulnerability scans and penetration tests. Use file integrity monitoring.

12. Maintain a Security Policy
Maintain a written information security policy for all personnel. Perform an annual risk assessment.

Merchant Levels

Level 1

6M+ transactions/year. Annual onsite audit by QSA required.

Level 2

1-6M transactions/year. Annual SAQ + quarterly scans.

Level 3

20K-1M e-commerce transactions/year. Annual SAQ + scans.

Level 4

<20K transactions/year. Annual SAQ + quarterly scans.

Reducing PCI Scope

  • Use a payment service provider (Stripe, Square, PayPal) so card data never touches your own systems; the provider carries most of the compliance burden
  • Implement point-to-point encryption (P2PE)
  • Use tokenization to avoid storing card data
  • Segment payment processing network from other systems
  • Never store full magnetic stripe, CVV, or PIN data
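As an added example (not part of the original page), the Python below shows the two habits Requirement 3 and the scope-reduction list above call for: dropping sensitive authentication data and masking the PAN before a record is stored or logged, plus a Luhn-filtered scan that finds unmasked PANs that slipped into log lines (the log review in Requirement 10). Field names and sample log lines are constructed.

```python
import re

# Sensitive authentication data that Requirement 3 says must never be stored
# after authorization. Field names are constructed for this example.
FORBIDDEN_FIELDS = {"cvv2", "cvc", "pin", "pin_block", "track1", "track2"}

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs out of the PAN scan."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Drop forbidden fields and mask the PAN before a record is stored or logged."""
    clean = {}
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            continue  # never persisted anywhere
        clean[key] = mask_pan(str(value)) if key.lower() == "pan" else value
    return clean

def find_pans(text: str) -> list:
    """Return unmasked PANs found in free text such as a log line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

# Constructed sample log lines: one leaks a PAN, one carries a masked PAN,
# one has a 16-digit reference that fails Luhn and must not be reported.
SAMPLE_LOG = [
    "order=A17 pan=4111 1111 1111 1111 amount=12.50",
    "order=A18 pan=411111******1111 amount=8.00",
    "order=A19 ref=1234567890123456 amount=3.25",
]
```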

Non-Compliance Consequences

  • Fines: $5,000-$100,000 per month from card brands
  • Increased transaction fees
  • Loss of ability to accept card payments
  • Liability for breach costs if non-compliant
  • Reputational damage and customer loss