The payment card industry, or PCI, is made up of major credit card brands like Mastercard, Discover, American Express, and Visa that set the security standards for a business that handles credit card information.
PCI compliance, therefore, refers to the practice of adhering to the Payment Card Industry Data Security Standards (PCI DSS). These standards intend to protect consumers’ credit card data from being stolen.
In addition to benefiting your consumers, PCI compliance is required by most merchant account providers. Businesses, regardless of their size, must be PCI compliant, or they risk fees and penalties. Here’s how to make sure your business is PCI compliant.
Which businesses need PCI compliance (and which don’t)
In short, if you accept payments from major credit cards — Mastercard, Visa, Discover, or American Express — either online or in-person, you need to be PCI DSS compliant.
There are few exceptions to PCI compliance. “If you’re a manufacturer of PIN pads and other devices for accepting credit cards or a software developer or organization that integrates applications that interact with cardholder data, you are probably not required to comply with PCI DSS,” wrote Strike Graph, an artificial intelligence compliance management platform.
PCI DSS compliance isn’t mandated by federal law. However, your payment processor or merchant service provider requires PCI compliance.
The four levels of PCI compliance
One reason merchants struggle to ensure PCI compliance is that there are four levels of compliance, each with different standards. The four levels are set based on how many payment card transactions a business handles each year.
- Level 1: This comprises businesses that process more than 6 million e-commerce transactions each year.
- Level 2: This category encompasses businesses that process 1 to 6 million e-commerce transactions annually.
- Level 3: This level includes businesses that process 20,000 to 1 million e-commerce transactions a year.
- Level 4: This level is for businesses that process fewer than 20,000 e-commerce transactions per year, or fewer than 1 million transactions annually from all sales channels (e.g., e-commerce and retail).
If you’re not sure what level your business falls into, your point-of-sale (POS) reports may tell you. “All credit card transaction volumes your organization processes are aggregated across multiple channels (i.e., in-store retail point-of-sale terminals and online payment gateways) and summed up to determine an appropriate PCI compliance level,” explained BigCommerce.
Businesses that meet the Level 1 threshold have more stringent PCI compliance requirements to meet than businesses in Level 4. While this article will address the requirements for businesses in Level 4, it’s worth knowing that any business, regardless of the number of annual transactions, can be moved to Level 1 if it experiences a data breach.
The 12 PCI DSS Requirements
The official PCI DSS Quick Reference Guide lays out 12 requirements that businesses should follow to keep customer data safe.
- Install a firewall to protect cardholder data.
- Do not use vendor-supplied defaults for passwords and other security parameters.
- Encrypt any cardholder data that’s transmitted across open, public networks.
- Store cardholder data securely.
- Regularly update antivirus programs and malware protection.
- Maintain secure systems and applications.
- Restrict access to cardholder data only to those who need it in your business.
- Restrict physical access to cardholder data (e.g., device access).
- Require users to log in or authenticate to access system components.
- Track and monitor access to network resources and cardholder data.
- Test security systems regularly.
- Create and regularly update an information security policy.
These are relatively broad requirements, but they do have specific implications. For instance, make sure you’re using strong, regularly updated passwords (“12345” is an example of a weak password). Add firewall protection to your network and computers, and make sure your in-store wireless router is password-protected.
One of the easiest ways to ensure PCI compliance is to use a modern POS system. “Modern payment processing systems use tokenization and encryption to protect this data when a sale is processed,” explained Merchant Maverick. “There’s never a good reason for you to store this information digitally — either on your hard drive or your website’s server. This goes double for physically storing credit card information. Never write down a customer’s credit card number, expiration date, or CVV unless it’s absolutely necessary.”
Updates to the PCI DSS in 2024
The most recent version of the PCI DSS went into effect on March 31, 2025. While the 12 high-level requirements remain the same, merchants must also comply with these additional requirements:
- Passwords must be complex. The new version requires passwords to be a minimum of 12 characters that include a combination of alphanumeric characters. (Previously, passwords were a minimum of seven characters.) If you don’t use multifactor authentication, you must change passwords every three months.
- Passwords can no longer be hard-coded into scripts, files, or custom code. Hard-coded passwords are those written directly in code. “Hard-coding passwords is generally seen as bad practice in software development as it poses a security risk should an attacker ever gain access to the source code,” wrote KPMG.
- Internal vulnerability scans must use credentialed scans. Basically, when your organization performs internal security scans, the scanners must log in with credentials rather than scanning from the outside as an anonymous user.
“Compliance with the new standard is not optional; but which parts of the standard you need to comply with depends on how you process transactions,” wrote KPMG. If you’re unsure how to comply with these changes, consult an expert.
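The password rules described above (12-character minimum, letters and digits, and a change every three months when multifactor authentication is not in use) can be turned into a simple account audit. The following is an added example, not code from the article or from the PCI Security Standards Council; the 90-day figure, the account records and the policy names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Policy values as the article describes PCI DSS v4 (assumptions for this demo,
# not the standard's own text): 12+ characters, letters and digits, and a
# change every 90 days unless multifactor authentication is enabled.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90


@dataclass
class Account:
    user: str
    password: str          # plaintext only so the demo can evaluate the policy
    last_changed: date
    mfa_enabled: bool


def password_is_complex(password: str) -> bool:
    """True when the password is 12+ chars and has at least one letter and one digit."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def check_account(acct: Account, today: date) -> list[str]:
    """Return the policy findings for one account (an empty list means compliant)."""
    findings = []
    if not password_is_complex(acct.password):
        findings.append("password shorter than 12 chars or missing letters/digits")
    age = (today - acct.last_changed).days
    # Rotation is only required when MFA is not in use
    if not acct.mfa_enabled and age > MAX_AGE_DAYS:
        findings.append(f"password is {age} days old with no MFA: rotation overdue")
    return findings


def audit(accounts: list[Account], today_iso: str) -> dict[str, list[str]]:
    """Run check_account over every account as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {a.user: check_account(a, today) for a in accounts}


# Constructed sample accounts (not real users or credentials)
SAMPLE = [
    Account("clerk1", "12345", date(2025, 1, 10), False),
    Account("manager", "Register-Tray-4471", date(2025, 1, 10), False),
    Account("owner", "Storefront2025Key", date(2024, 6, 1), True),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE, "2025-06-01").items():
        print(user, "OK" if not findings else findings)
```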
How to get started with PCI compliance
Not sure if your business is 100% PCI compliant? You can enhance the security of your customer data in three steps.
First, audit the cardholder data you currently collect, inventory your information technology assets, and assess the processes you have in place for collecting customer information. Analyze these elements of your business operations for any vulnerabilities that a hacker could exploit to steal cardholder data.
Next, take action to address those vulnerabilities. This could include upgrading the security on your e-commerce site or moving away from storing cardholder data at all. Unless you’re using some kind of recurring billing system, there’s no need to keep cardholder data on file. Loyalty programs can be run simply by using someone’s email or transaction history, which doesn’t require storing PINs and card numbers.
Lastly, submit your compliance reports to the bank or card brands with which you do business (e.g., Visa, Mastercard, American Express, or Discover). This will help you avoid any penalties or fees that can quickly add up by not maintaining PCI compliance.
Common PCI compliance mistakes
PCI compliance is not always straightforward. One of the most common missteps businesses make is underestimating the scope of compliance requirements. Make sure you identify all the systems where you handle cardholder data; overlooking even one system can result in a breach or noncompliance penalties. Make sure you account for all third-party vendors and service providers too.
Continuous monitoring is another area in which businesses stumble. “Relying solely on point-in-time compliance checks can leave your business exposed to security vulnerabilities that arise between assessments. These intermittent reviews often fail to catch new threats or changes in the network, making your compliance efforts inadequate,” wrote TrustNet, a cybersecurity and compliance company.
Finally, human error is a major contributor to noncompliance. Make sure your employees follow best practices for password management, as well as the principle of least privilege. Poor password management presents a significant vulnerability. Add multifactor authentication, require regular password updates, and consider implementing a password manager to improve access control.
The principle of least privilege states that users should have the minimum level of access to perform their job function. Actively manage access to files, systems, and data to make sure the only people who have access are those who need it.