Retail shop clerk taking a mobile credit card payment on a digital tablet.
Different levels of PCI compliance apply to companies depending on their size and sales. — Getty Images/tdub303

Members of the PCI include major credit card brands like Mastercard, Discover, American Express and Visa.

To ensure the security of customer data, these credit card providers set security standards for any business that accepts their cards as payment. These standards are called Payment Card Industry Data Security Standards (PCI DSS). Companies that adhere to these rules, which help prevent credit card fraud and the theft of consumers’ credit card data, are considered “PCI compliant.”

PCI compliance protects a customer’s name, the full primary account number (PAN), the expiration date and the card’s three- or four-digit security code, also called the card verification value (CVV). PCI-DSS standards also protect sensitive authentication data, which is data embedded within the card’s magnetic stripe or Europay, Mastercard, Visa (EMV) chip and is used to process transactions.

By protecting both cardholder and credit card data, merchants can reduce the risk of credit card fraud, which cost Americans $9.62 billion in 2019, according to data from The Nilson Report.

To help mitigate fraud, most merchant account providers require their customers to maintain PCI compliance and will check if a company is PCI compliant before allowing that merchant to use their networks.

If your business falls short of PCI compliance, you can face hefty fines. The PCI Compliance Guide says fines and penalties are not published but can range from $5,000 to $100,000 per month to the merchant. And if you don’t achieve PCI compliance, not only will fees add up, but your credit card merchant can drop you as a customer.

If you are the victim of a data breach while non-compliant, you can face legal action and additional penalties. It’s just not worth the risk.

How can you make sure your company is PCI compliant? And what steps can you take if you don’t meet PCI compliance standards right now?

PCI DSS levels explained: Who must be PCI compliant?

If your company accepts credit card payments online, by phone or at the point of sale (POS), you must be PCI compliant. The steps you must take to ensure compliance depends on the volume of credit card business your company writes and whether it is writing that business at POS or through e-commerce transactions.

Smaller merchants face fewer requirements to achieve compliance, while bigger companies that process millions of transactions per year have more stringent requirements. Merchants at Level One compliance must take the strictest security measures, while merchants at Level Four need to take fewer measures to ensure compliance.

What PCI DSS level is your business?

To determine your PCI DSS level, you’ll need to know how many credit card transactions you complete annually. If you’re not sure what level your business falls into, your POS reports, as well as reports and analytics from your e-commerce store, may be able to tell you.

All levels of PCI compliance, from one to four, take into account all credit card transactions, including online payment gateways, in-store retail POS terminals and in-app payment systems.

  • Level one: Businesses that process more than 6 million card transactions per year, regardless of channel.
  • Level two: Businesses that process 1-6 million card transactions per year, regardless of channel.
  • Level three. Businesses that process 20,000-1 million e-commerce transactions per year.
  • Level four: Businesses that process fewer than 20,000 e-commerce transactions per year or less than 1 million transactions annually from all sales channels – including e-commerce and retail.

It’s important to note that any merchant the credit card company deems to be “high risk” for any reason or any merchant that suffers a data breach resulting in security concerns about customer credit card data may be escalated to PCI DSS level one at the merchant account provider’s discretion.

The steps you must take to ensure compliance depends on the volume of credit card business your company writes and whether it is writing that business at POS or through e-commerce transactions.

The 12 PCI DSS requirements

Although Level Four businesses have fewer requirements than Level One businesses, the basics of PCI DSS requirements don’t change. The specifics for compliance may vary based on the level, but these best practices will help businesses at any level achieve PCI customer compliance for the secure storage and handling of credit card data.

The official PCI DSS Quick Reference Guide lays out 12 requirements businesses must follow to keep customer data safe:

  1. Install and maintain a firewall to protect cardholder data.
  2. Use unique passwords and other security parameters, never vendor-supplied default passwords or other security parameters.
  3. Use SSL-level encryption if cardholder data is transmitted across networks.
  4. Store cardholder data securely.
  5. Update antivirus and malware protection regularly.
  6. Maintain secure systems and applications.
  7. Restrict access to cardholder data to only users who need it.
  8. Restrict physical access to cardholder data, such as device access.
  9. Require users to log in or authenticate to access system components.
  10. Track and monitor access to network resources and cardholder data.
  11. Test security systems regularly.
  12. Create an information security policy and update it regularly.

These are relatively broad requirements, but they carry specific implications. For instance, strong passwords can be automatically generated by apps to contain random strings of numbers and letters for maximum security.

All devices including your network and any devices on the network should have firewall protection. Your in-store wireless router should be password-protected. Likewise, any computers or servers used to run your e-commerce site should be password-protected and secure.

A modern POS system makes it easy to maintain security through tokenization and encryption, protecting data whenever a sale is processed and unburdening the merchant to ensure that level of security. Merchants should not need to store cardholder information on a local hard drive or on their website server.

Similarly, never store physical copies of customers’ credit card data. Do not write down a customer’s credit card number, expiration date, or CVV unless it’s unavoidable. If it is, that information should be shredded immediately after use.

Avoid asking customers to email or text their credit card information, as these transmission methods may not be as secure as payment processing systems.

E-commerce companies that use third-party software as a service to manage and maintain their websites should be compliant as long as they don’t remove customer data from the platform to host it locally, for instance.

How to get started with PCI compliance

If you are wondering how to check if your business is PCI compliant, you can address three questions to assess your company’s security processes and see if you are PCI compliant.

This can be your starting point to see if you have appropriate security measures in place, and it might be helpful to enlist the help of compliance experts if you aren’t sure if you are PCI compliant based on the size of your company and the volume of credit card business it writes.

First, audit how you currently collect and store cardholder data. Inventory your IT assets to look for vulnerabilities a hacker could exploit to steal cardholder data:

  • Is your network secure?
  • Are systems password protected?
  • Is your antivirus and malware protection up to date?

Next, take action to address those vulnerabilities. This could include upgrading the security on your e-commerce site or moving away from storing cardholder data at all. Unless you’re using some kind of recurring billing system, there’s no need to keep cardholder data on file.

You can run loyalty programs through a person’s email or phone number, and your e-commerce platform should be able to track transactions for remarketing campaigns without storing credit card numbers or other financial data.

Lastly, submit your compliance reports to the bank or card brands with which you do business (e.g., Visa, MasterCard, American Express or Discover). You can gain additional guidance for compliance and also avoid penalties and fees that could arise from failing to adhere to PCI compliance standards.

CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.

Follow us on Instagram for more expert tips & business owners’ stories.

Applications are open for the CO—100! Now is your chance to join an exclusive group of outstanding small businesses. Share your story with us — apply today.

CO—is committed to helping you start, run and grow your small business. Learn more about the benefits of small business membership in the U.S. Chamber of Commerce, here.

Brought to you by
Let's Make Tea Breaks Happen! Apply for a Pure Leaf Tea Break Grant
The Pure Leaf Tea Break Grants Program for small businesses and 501(c)(3) nonprofits is now open! Apply for a chance to fund ideas that foster healthier workplace culture and norms! Ideas can be new or already underway, can come from HR, C-level, or the frontline- as long as they improve employee well-being through culture change. Learn more about the Contest, including how to enter at the link below.
Learn More

Get recognized. Get rewarded. Get $25K.

Is your small business one of the best in America? Apply for our premier awards program for small businesses, the CO—100, today to get recognized and rewarded. One hundred businesses will be honored and one business will be awarded $25,000.