Card transactions changed the world for the better, especially when online payments were introduced.
But having all that sensitive information floating around cyberspace opened up a whole new can of worms, both for merchants processing transactions and customers paying for goods or services over the internet.
And so the Payment Card Industry Data Security Standard (PCI DSS) was born: not a law, but a standard written by the card brands themselves that sets a baseline for protecting cardholder data against attacks and data breaches, enforced through the contracts merchants sign with their acquiring banks.
PCI DSS has been in practice for over twenty years and isn’t going anywhere any time soon.
This article includes everything you need to know about understanding PCI DSS compliance, including requirements, updates to the standards, the four compliance levels, and how to ensure compliance as a merchant or business.
Keep reading for an in-depth look at PCI DSS requirements and what that can mean for your business.
PCI DSS (Payment Card Industry Data Security Standard) is a set of strict standards created by major credit card companies in 2004.
It was designed to help secure the payment industry and set a baseline of best practices for card transactions. PCI standards are regularly updated and apply to any merchant (or business) that stores, processes, or transmits cardholder data, or whose systems could affect the security of that data, with the aim of protecting sensitive cardholder information.
The PCI Data Security Standard has twelve requirements that every entity handling cardholder data is responsible for meeting. Merchants fall into four levels based on the number of card transactions they process each year (service providers have two levels of their own). The level does not change which security controls apply: it determines how compliance is validated. Higher transaction volumes mean more formal validation, up to an annual on-site assessment by a Qualified Security Assessor (QSA) rather than a self-assessment questionnaire.
If businesses do not comply with PCI, it can result in huge penalties, like hefty fines, massive liability issues, and the loss of the ability to accept card payments. This is why it’s essential for businesses to fully understand and align their security efforts with PCI DSS.
Have questions about compliance? PCI Proxy has answers.
Any business that works with credit card information in any capacity must comply with PCI DSS, regardless of industry or business size.
This includes:
• Merchants: According to the PCI Security Standards website: “Any entity that accepts payment cards bearing the logos of any PCI SSC Participating Payment Brand as payment for goods and/or services”.
• Service Providers: Help businesses store, process, or transmit cardholder data on behalf of another entity.
• Financial Institutions: acquirers and payment processors, which sit between merchants and the card brands and carry their own PCI compliance obligations. This includes banks and third-party payment providers like PayPal or Planet.
Even small businesses must comply with PCI DSS; there are no exceptions. However, companies with lower transaction volumes usually have a lighter validation burden (a self-assessment questionnaire rather than a QSA-led audit) than massive corporations.
The twelve requirements of PCI DSS are organised under six high-level goals.
There are also 300+ sub-requirements and testing procedures underneath them. Which subset an entity is assessed against depends on how it handles card data rather than on its transaction volume: a merchant that fully outsources payment capture to a validated provider may qualify for a short self-assessment questionnaire (SAQ A), while one that stores PANs on its own systems must answer to the full standard (SAQ D or a Report on Compliance). It's still worth knowing the detailed requirements exist, because scope reduction is what keeps most of them out of a small merchant's assessment.
Here is an overview of the twelve PCI DSS requirements, grouped by their goals.
• Requirement 1: Install & Maintain a Secure Firewall (in PCI DSS 4.0: Install and Maintain Network Security Controls)
Under the first requirement, merchants must place network security controls (firewalls, or their cloud equivalents such as security groups) between the cardholder data environment and every untrusted network, including the rest of the corporate network. Traffic must be denied by default and allowed only where a documented business justification exists, rule sets must be reviewed at least every six months, and devices that ship with a permissive default configuration must be locked down before they see card data.
• Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords & Security Parameters
This might seem like a no-brainer, but the next requirement (titled "Apply Secure Configurations to All System Components" in v4.0) is to change or remove all vendor default credentials on routers, POS systems, databases, wireless access points, and beyond. Default accounts that aren't needed should be disabled, not merely renamed, and default settings such as SNMP community strings and wireless keys count as much as passwords do. The requirement also covers hardening: unnecessary services removed, functions with different security needs kept apart, and configuration standards that follow an accepted industry baseline.
• Requirement 3: Protect Stored Account Data
This requirement concerns safeguarding stored cardholder data, if it's stored in the first place. Merchants are strongly discouraged from storing primary account numbers (PANs) unless absolutely necessary, and whatever is stored must be limited to a documented business need with a defined retention period. Where a PAN is stored, it must be rendered unreadable: truncation, a keyed one-way hash of the entire PAN, index tokens with the PAN held in a secure vault, or strong encryption with properly managed keys. Where a PAN is displayed, it must be masked to no more than the BIN and the last four digits unless the viewer has a business need to see more. Beyond the PAN, businesses must never store sensitive authentication data (full track data, the card verification code printed on the card, PINs or PIN blocks) after authorisation is complete, not even encrypted. This is why a merchant that keeps your card on file may still ask you to re-enter the security code: it is not allowed to have kept it.
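As an added example (not code from the original article or from PCI Proxy), here is what the Requirement 3 rules look like in practice in Python: a Luhn check to recognise PANs, truncation to BIN plus last four, a stand-in token vault so the application keeps a token rather than the PAN, a function that strips sensitive authentication data before a record is persisted, and a scrubber for log lines, because logs are the classic place for PANs and CVVs to leak into long-term storage. The field names, the in-memory vault, and the sample request and log lines are constructed for the example; a real deployment would use a tokenisation service or a validated encryption library rather than this dictionary.

```python
import re
import secrets

# Constructed sample input: what a checkout request might carry before authorisation.
SAMPLE_AUTH_REQUEST = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",   # well-known test PAN, passes Luhn
    "expiry": "12/27",
    "cvv": "123",
    "amount": "19.99",
}

# Sensitive authentication data (SAD): must never be stored after authorisation,
# not even encrypted. The field names are assumptions for this example.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cid", "pin", "pin_block", "track1", "track2"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first six) and last four, drop the rest. First six / last four is
    the truncation every card brand accepts for retained data; for display,
    PCI DSS 4.0 allows no more than that without a business need."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Stand-in for a tokenisation service (assumed for this example): the PAN
    lives only here, inside the cardholder data environment; the application
    keeps a random token that is worthless to an attacker if it leaks."""

    def __init__(self):
        self._store = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = re.sub(r"\D", "", pan)
        return token

    def detokenise(self, token: str) -> str:
        return self._store[token]


def to_storable(request: dict, vault: TokenVault) -> dict:
    """Build the record the merchant may keep: token + masked PAN, no SAD, no PAN."""
    record = {k: v for k, v in request.items() if k not in SAD_FIELDS and k != "pan"}
    record["pan_token"] = vault.tokenise(request["pan"])
    record["pan_masked"] = mask_pan(request["pan"])
    return record


# Candidate PAN in free text: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# key=value SAD fields as they tend to appear in debug logging.
_SAD_RE = re.compile(r"\b(cvv2?|cvc|cid|pin)=\S+", re.IGNORECASE)


def redact_line(line: str) -> str:
    """Scrub PANs (Luhn-validated to limit false positives) and SAD from a log line."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    line = _PAN_RE.sub(_mask, line)
    return _SAD_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)


# Constructed log lines: one leaks a PAN and a CVV, the other carries a
# tracking number of card-number length that must be left alone.
SAMPLE_LOG = [
    "2025-03-10 12:00:01 INFO checkout order=A-1001 pan=4111 1111 1111 1111 cvv=123 amount=19.99",
    "2025-03-10 12:00:02 INFO shipment order=A-1002 tracking=1234567890123 status=ok",
]

if __name__ == "__main__":
    vault = TokenVault()
    print(to_storable(SAMPLE_AUTH_REQUEST, vault))
    for raw in SAMPLE_LOG:
        print(redact_line(raw))
```

The Luhn test matters for the scrubber: without it, order numbers and tracking IDs of card-number length get masked too, and a scrubber that cries wolf gets switched off. Masking is for display and logs; for data that is retained, the digits kept must stay within what the card brands allow for truncation, and the vault (or its encryption keys) must sit in the cardholder data environment with its own access controls.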
• Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
Because card data travels over networks the merchant doesn't control, it must be protected with strong cryptography in transit. In practice that means Transport Layer Security (TLS): PCI DSS doesn't name a version number, but SSL and early TLS (1.0 and 1.1) were deprecated in 2018 and no longer count as strong cryptography, so TLS 1.2 or higher, with the server certificate validated by the client, is the working minimum. Wireless networks that carry cardholder data must use strong authentication and encryption (WPA2 or WPA3, never WEP), and PANs must never be sent unprotected over end-user messaging such as e-mail, SMS or chat. You wouldn't want someone listening in on your private phone calls. Your customers don't want their data eavesdropped on either.
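To make Requirement 4 concrete on the client side, here is an added Python example (not from the original article or from PCI Proxy) that builds a hardened TLS client context, builds the kind of permissive context that still turns up in legacy payment integrations, and checks either one against a minimum policy: no TLS below 1.2, server certificate verified, hostname checked, compression off. The function names and the finding strings are assumptions for this example; the `ssl` calls are Python standard library.

```python
import ssl


def hardened_client_context(cafile=None):
    """Client context meeting the Requirement 4 baseline: TLS 1.2 as the floor,
    server certificate verified against a trust store, hostname checked,
    TLS compression disabled (CRIME)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    if cafile:
        ctx.load_verify_locations(cafile)   # pin to the processor's CA bundle if you have one
    else:
        ctx.load_default_certs()
    return ctx


def weak_client_context():
    """The kind of context that still turns up in old integrations: any protocol
    version the library allows (TLS 1.0 included), no certificate or hostname
    checks. Built here only so the checker below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False                 # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_policy_findings(ctx):
    """Return the ways a context falls short of the baseline; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, tls_policy_findings(ctx) or ["ok"])
```

`ssl.create_default_context()` already gives most of this on a current Python, so the value of the checker is in code review and CI: it catches the `verify_mode = CERT_NONE` that someone added to get past a self-signed certificate in staging. It checks only the client's policy; the server side (the settings on your web server or load balancer) still needs an external scan, which is what the quarterly ASV scan under Requirement 11 provides.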
• Requirement 5: Use & Regularly Update Anti Virus Software
PCI requirements five and six are about vulnerability management. Under Requirement 5 (titled "Protect All Systems and Networks from Malicious Software" in v4.0), systems that handle or could affect payment data must run anti-malware software that is kept current, performs periodic and real-time scans, keeps audit logs, and cannot be disabled by ordinary users. Systems not commonly affected by malware may be excluded, but only with a documented risk analysis that is revisited periodically; v4.0 also adds protection of personnel against phishing (technical controls plus training).
• Requirement 6: Develop & Maintain Secure Systems & Applications
Under Requirement 6, merchants must patch the software in scope: critical and high-risk vulnerabilities within one month of the patch's release, the rest within a risk-based timeframe. This covers operating systems, POS systems, databases and payment applications, and web applications too. Bespoke and custom software must be developed securely (trained developers, code review before release, protection against common attack classes such as injection), and public-facing web applications must either be reviewed for vulnerabilities at least annually and after changes or be protected by an automated technical solution such as a web application firewall that detects and blocks attacks. PCI DSS 4.0 also adds management of scripts loaded into the payment page in the consumer's browser (6.4.3): each script must be authorised, its integrity assured, and an inventory kept with the justification for why it is there.
• Requirement 7: Restrict Access to Cardholder Data to Need-to-Know Basis
There's no reason an entire company should be able to access cardholder data. Access must be granted by job function on a need-to-know basis and with least privilege: an access control system (role-based access control, RBAC, is the usual implementation) should default to deny everything and grant only the rights a role needs, and those assignments should be reviewed at least every six months. Put yourself in a customer's shoes: would you want everyone at Amazon to know your credit card number?
• Requirement 8: Assign a Unique ID to Each Person with Computer Access
This requirement is self-explanatory: every user must have a unique ID so that actions can be traced to an individual. Shared or generic logins (admin, support, pos) must not be used for access to cardholder data; group accounts are allowed only by exception, with documented approval. PCI DSS 4.0 raises the bar on authentication: passwords must be at least 12 characters (8 where the system cannot support more) with both letters and numbers, and multi-factor authentication is required for all access into the cardholder data environment, not only for remote or administrative access, with the MFA implementation itself resistant to replay and bypass.
• Requirement 9: Restrict Physical Access to Cardholder Data
Requirement 9 backs up Requirement 7 on the physical side: media holding cardholder data must be locked away, access to areas housing in-scope systems must be restricted and logged, and visitors must be escorted and identifiable. If a merchant uses POS devices that capture card data, it must keep an inventory of them, inspect them periodically for tampering or substitution (skimmers, swapped devices) and train staff to spot it, rather than relying on a passcode alone to keep visitors away from sensitive information.
• Requirement 10: Track & Monitor All Access to Network Resources & Cardholder Data
A crucial aspect of PCI DSS compliance is that all access to in-scope systems and cardholder data must be logged so that it can be traced back to a specific user, system and event if there is a breach. You can think of it as the sign-in sheet at a hotel gym, except that the sheet must be tamper-proof and somebody has to read it. Each audit record must capture who did it, what happened, when, whether it succeeded, where it came from, and what it touched; logs must be protected from modification, synchronised to a reliable time source, retained for at least 12 months with the last three months immediately available, and reviewed at least daily. The logs must not themselves contain PANs. Security Information and Event Management (SIEM) tools are the normal way to centralise logs and spot suspicious activity, and v4.0 expects automated mechanisms for that review rather than someone reading raw logs by hand.
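Requirements 7, 8 and 10 are easiest to see together, so here is one added Python example (not from the original article or from PCI Proxy) covering all three: a need-to-know check that denies by default and refuses shared account names, an audit record per decision with the fields Requirement 10.2.2 lists, and a review pass over those records that raises the alerts a daily log review would want. The role names, permission strings, account names, IP addresses and the sequence of access attempts are all constructed for the example.

```python
import json
from datetime import datetime, timezone

# Assumed role model: rights on cardholder data (CHD) by job function.
# Deny by default: a role not listed here has no rights at all.
ROLE_PERMISSIONS = {
    "billing_agent": {"chd:read_masked"},
    "chargeback_analyst": {"chd:read_masked", "chd:read_full"},
    "developer": set(),
}

# Generic or shared account names that Requirement 8 rules out for CHD access.
SHARED_ACCOUNTS = {"admin", "root", "support", "pos", "shared"}


class AccessDenied(Exception):
    pass


def authorize(user_id, role, action, resource, source_ip, audit_log, now=None):
    """Need-to-know check (Req. 7) on a uniquely identified user (Req. 8).
    Every decision, allowed or denied, is appended to audit_log as a JSON line
    carrying the fields Requirement 10.2.2 asks for: user, event type, date and
    time, success or failure, origination, and the affected resource."""
    now = now or datetime.now(timezone.utc)
    if user_id in SHARED_ACCOUNTS:
        outcome = "denied:shared_account"
    elif action not in ROLE_PERMISSIONS.get(role, set()):
        outcome = "denied:no_permission"
    else:
        outcome = "allowed"
    audit_log.append(json.dumps({
        "user": user_id,
        "event": action,
        "time": now.isoformat(),
        "outcome": outcome,
        "source": source_ip,
        "resource": resource,
    }, sort_keys=True))
    if outcome != "allowed":
        raise AccessDenied(f"{user_id} ({role}) may not {action} on {resource}: {outcome}")
    return outcome


def review_audit_log(lines, denial_threshold=3):
    """Daily-review logic (Req. 10.4): flag any shared-account use, repeated
    denials for one user, and every successful full-PAN read (always notable)."""
    denials = {}
    alerts = []
    for line in lines:
        e = json.loads(line)
        if e["outcome"] == "denied:shared_account":
            alerts.append(f"shared account used: {e['user']} from {e['source']}")
        elif e["outcome"].startswith("denied"):
            denials[e["user"]] = denials.get(e["user"], 0) + 1
            if denials[e["user"]] == denial_threshold:
                alerts.append(f"repeated denials: {e['user']} ({denial_threshold}x)")
        elif e["event"] == "chd:read_full":
            alerts.append(f"full PAN read: {e['user']} on {e['resource']} from {e['source']}")
    return alerts


def run_demo():
    """Constructed sequence of access attempts; returns (audit log, alerts)."""
    log = []
    t = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)   # fixed clock for a repeatable demo
    attempts = [
        ("alice", "billing_agent", "chd:read_masked", "order/A-1001", "10.0.1.5"),
        ("alice", "billing_agent", "chd:read_full", "order/A-1001", "10.0.1.5"),
        ("alice", "billing_agent", "chd:read_full", "order/A-1002", "10.0.1.5"),
        ("alice", "billing_agent", "chd:read_full", "order/A-1003", "10.0.1.5"),
        ("bob", "chargeback_analyst", "chd:read_full", "order/A-1001", "10.0.2.9"),
        ("admin", "chargeback_analyst", "chd:read_full", "order/A-1001", "10.0.9.1"),
        ("carol", "developer", "chd:read_masked", "order/A-1001", "10.0.3.3"),
    ]
    for user, role, action, resource, ip in attempts:
        try:
            authorize(user, role, action, resource, ip, log, now=t)
        except AccessDenied:
            pass
    return log, review_audit_log(log)


if __name__ == "__main__":
    log, alerts = run_demo()
    print("\n".join(log))
    print(alerts)
```

In production the audit records go to a write-once log collector or SIEM rather than a Python list, and the time comes from a synchronised clock (Requirement 10.6); the shape of the record and the review logic carry over unchanged. Note that the review treats a successful full-PAN read as worth an alert even though it was authorised: that is the kind of event a daily review is supposed to notice.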
• Requirement 11: Regularly Test Security Systems & Processes
What use is a security system if it doesn't work properly? Under PCI DSS, all businesses need to test their defences routinely to uncover weaknesses. For entities assessed against this requirement in full, that means quarterly internal vulnerability scans, quarterly external scans performed by a PCI SSC Approved Scanning Vendor (ASV), and penetration testing at least annually and after significant changes, with rescans and retests until the findings are fixed. Quarterly checks for rogue wireless access points, intrusion detection or prevention, change-detection (file-integrity monitoring) and, new in v4.0, detection of unauthorised changes to payment pages also live here. How much of this applies depends on the SAQ type rather than the merchant level: the short questionnaires require far less, while a Report on Compliance covers all of it, and every validation path ends in an Attestation of Compliance (AOC), not only Level 1.
• Requirement 12: Maintain a Policy That Addresses Information Security for All Personnel
Finally, the last PCI DSS goal has one requirement: every business must maintain a written information security policy that assigns responsibilities and is reviewed at least annually. Beyond laying out the rules, each company must train its personnel in security awareness (at least annually, including phishing and social engineering under v4.0), screen personnel with access to the cardholder data environment, manage its third-party service providers, and keep an incident response plan that is tested at least once a year. Thus, if sensitive information is compromised, the business has a rehearsed plan for containing the breach rather than improvising one.
When PCI DSS was first created in 2004, it was impossible to anticipate the evolution of payments, especially considering the digital aspect, which makes up the majority of the industry today. To keep up with the rapidly changing world, PCI DSS continually updates to stay ahead of ever-evolving threats.
PCI DSS version 4.0 was published in March 2022 and ran alongside version 3.2.1 until that version was retired on 31 March 2024. Many of the new requirements were future-dated as best practice and became mandatory on 31 March 2025; a minor revision, 4.0.1, was published in June 2024 to clarify wording without adding requirements. The update aims to give businesses more flexibility in how they meet the controls while keeping the bar high.
While PCI DSS 4.0 revamps quite a lot, here are the most significant changes merchants should be aware of:
With PCI DSS 4.0, businesses have the freedom to implement “customized controls” rather than following the basic prescriptive list of PCI security measures.
Businesses that go this route must prove, for each requirement they customise, that the alternative control meets that requirement's stated objective, supported by a targeted risk analysis and tested by the assessor. The customised approach is only available in a full QSA assessment (a Report on Compliance), not in the self-assessment questionnaires, so in practice it is a tool for larger merchants and service providers whose industry, architecture or budget makes the prescriptive control a poor fit.
Multi-factor authentication (MFA) was already common practice, and earlier versions required it for remote and administrative access, but PCI DSS 4.0 requires it for all access into the cardholder data environment, for every type of user. The MFA system itself must resist replay and bypass and must not reveal which factor failed.
Alongside MFA, passwords must be at least 12 characters (8 where the system cannot support more) and contain both letters and numbers; where a password is the only factor, it must be changed at least every 90 days or the account's security posture must be analysed dynamically. The goal is the same throughout: only authorised, individually identified users reach sensitive information.
Cloud-based services are all the rage, but this modern method of transmitting and storing information comes with a unique set of security challenges.
With PCI DSS 4.0, businesses must keep an inventory of the cryptographic cipher suites, protocols, keys and certificates in use and review it at least annually, so that deprecated algorithms are retired deliberately rather than discovered at assessment time. Stored PANs must be protected with strong cryptography or another approved method, with keys managed separately from the data; in transit, the working minimum remains TLS 1.2 or higher with certificate validation. None of this changes because the workload runs in the cloud: the provider's attestation covers the layers it operates, and the merchant stays responsible for everything it configures on top.
Assessing risk is a crucial part of PCI DSS. Annual penetration testing isn't new, but version 4.0 adds targeted risk analyses: wherever the standard lets an entity choose how often to perform a control (for example, how often to scan systems not commonly affected by malware), the frequency must be justified by a documented analysis rather than picked arbitrarily. Combined with automated log review and alerting, this moves the programme towards continuous assurance rather than an annual scramble.
Many businesses rely on third parties to process transactions, store data, and assist in crucial aspects of the payment industry. While this dramatically lowers the operating burden for many merchants, it creates significantly more opportunities for data breaches.
Managing third-party service providers (TPSPs) was already part of Requirement 12, but v4.0 tightens it: merchants must keep a list of their TPSPs and the requirements each one covers, monitor their compliance status at least annually, and TPSPs in turn must provide that status to customers on request. It also, through Requirements 6.4.3 and 11.6.1, makes the merchant responsible for the scripts it loads into its own payment page and for detecting unauthorised changes to that page, a direct response to e-commerce skimming attacks that hijack third-party scripts. No weak links allowed!
PCI DSS is broken down into four compliance levels based on the annual number of credit card transactions a business processes. With more transactions comes stricter security, audit, and reporting requirements – this is where the compliance levels come in since merchants of different sizes have different reporting requirements.
Here’s an overview of the four levels of the PCI Data Security Standard to understand where your business might fall:
Level 1 carries the most stringent validation requirements and applies to merchants processing over six million transactions annually on a given card brand's network (payment processors and large enterprises sit here), as well as service providers storing, processing or transmitting more than 300,000 transactions a year.
As with all levels, each card brand sets its own threshold and counts only its own transactions, and the merchant's acquirer makes the final call. The six-million figure is Visa's and Mastercard's; American Express sets its Level 1 at 2.5 million transactions.
Level 1 can also be imposed, at the card brand's discretion, on any merchant that has suffered a breach of cardholder data, regardless of transaction volume.
Compliance Requirements:
PCI Level 2 has slightly less rigorous reporting requirements and applies to merchants who process between one and six million transactions per year. These businesses are still required to submit an SAQ and an AOC but don’t necessarily need QSA verification.
Compliance Requirements:
In some cases, merchants who fall under Level 2 compliance may still be required to complete a QSA review or audit, depending on the payment brand’s requirement.
Level 3 encompasses merchants who process between 20,000 and one million e-commerce transactions per year. PCI validation requirements for Level 3 are essentially the same as for Level 2: an SAQ and AOC, plus quarterly ASV scans where the SAQ type calls for them. The key difference is the volume band, and that Level 3 is defined by e-commerce volume specifically.
Business Examples: Online stores, subscription-based services, SaaS, and online tools
Compliance Requirements:
Level 3 validation does not require an on-site assessment or a Report on Compliance (ROC). Whether penetration testing or vulnerability scanning is required depends on the SAQ type the merchant qualifies for, not on the level: a merchant that fully outsources payment capture may complete SAQ A, while one that handles PANs on its own systems faces SAQ D, which includes most of the standard. Some businesses nonetheless choose a QSA-led assessment to further secure customer card data and to reassure partners and customers.
Finally, Level 4 is for merchants processing fewer than 20,000 e-commerce transactions per year and up to one million card transactions through other channels (in-store, phone payments, etc....). This distinction is important as the latter widely applies to local small businesses.
Level 4 validation is the lightest and is largely set by the merchant's acquiring bank. These merchants generally complete an annual SAQ (with its Attestation of Compliance) and quarterly ASV scans if their SAQ type requires them, and do not need a ROC or an on-site audit. Lightest validation is not lightest risk, though: small merchants with unpatched POS systems and default passwords are a favourite target precisely because nobody is checking.
Compliance Requirements:
So, at this point, you’re probably scratching your head and wondering, “how do I actually achieve PCI compliance?” Here are six steps to get you started on your PCI DSS journey:
Step 1: Determine Your Compliance Level – Evaluate your annual transaction volume to understand whether your business is responsible for an SAQ or a full PCI audit.
Step 2: Secure Your Payment Environment – Align your business with PCI DSS best practices by implementing security measures like firewalls, intrusion detection systems, and anti-malware to protect your cardholder data. If you aren’t already, you should also use end-to-end encryption or tokenization to secure transactions.
Step 3: Strengthen Access Controls – Change all passwords from 'HappyFrog1234' to long, unique passphrases (PCI DSS 4.0 sets 12 characters as the minimum, with letters and numbers). Use multi-factor authentication, unique IDs, and role-based access control right off the bat, and invest in logging and monitoring infrastructure so that a breach is detected quickly rather than discovered months later by the card brands.
Step 4: Regular Security Testing & Risk Assessments – It doesn’t stop after implementing security measures. As a business, you should frequently test your entire security system to uncover any shortfalls and keep all software up to date. It’s also essential to have real-time monitoring for unusual activity to detect fraud or system compromise.
Step 5: Train Employees and Enforce Policies – It’s one thing to have security systems, but it’s another thing to teach employees how to use them. Businesses need to ensure that everyone with access to payment information is highly aware of internal security policies and how to keep customer data protected. Employees should also know how to identify a data breach and the immediate response steps.
Step 6: Document Everything – The best practice you can take as a merchant is to monitor and log everything related to cardholder data. Keep clear documentation of all security measures, risk assessments, and compliance audits to track past protection activities and improve them in the future.
If a business fails a PCI DSS audit, it can have very serious consequences on the merchant side, including:
Steep fines from payment networks: Visa, Mastercard, and other card networks can fine businesses for not complying with PCI DSS. These fines range from $5,000 to $100,000 per month that the business operates outside of compliance requirements. If a data breach occurs because a merchant is not complying with PCI, these fines can extend past millions of dollars depending on the amount of cardholders affected.
Higher transaction fees or inability to process payments: If your business is considered a “high-risk merchant” by payment processors, they may raise their transaction fees on you. In more severe cases, payment processors can strip a business of the ability to process card payments entirely. You can imagine what a disastrous situation it is for a merchant to lose credit card payments for their business.
Legal liability and lawsuits: Not complying with PCI can lead to lawsuits from customers, banks, or regulatory bodies if there is a breach. Because a business fails to protect cardholder data, it can be held responsible financially for the outcome of the breach, including fraud charges and identity theft damages.
Degraded trust and reputation damage: More than anything, a failed PCI audit signals weak security on the business side. This can lead to a loss of customer confidence in a business (who wants to shop with a merchant if there’s a risk their identity will be stolen?). Beyond the customer side, data breaches often cause PR disasters for companies that can take years to recover from.
The key takeaway is to ensure PCI compliance and pass audits to maintain a strong business reputation in the eyes of card networks, financial institutions, and consumers.
In-house compliance is an excellent option for businesses with the budget (and bandwidth) for an internal security team that can handle all aspects of PCI DSS. Large enterprises typically take this route because they can invest in long-term compliance infrastructure. However, even businesses that operate on a massive scale use and benefit from third-party PCI DSS solutions.
For example, a third-party PCI solution can assist an in-house team with faster, more thorough compliance alignment without needing to hire additional staff members or allocate significant resources to accomplish compliance at the enterprise level.
While PCI DSS cannot be outsourced entirely (the merchant keeps ultimate responsibility for its own compliance), a third-party solution is an excellent way to reduce the scope a business must be assessed on. Merchants and service providers must still validate compliance every year, but third-party PCI solutions take on the more strenuous, costly, and time-consuming parts of it by offering services like:
Overall, third-party solutions reduce the operational burden for merchants, especially those with a more significant compliance burden.
As we come to the close of this article, you’ve probably deduced that PCI DSS is made up of endless complex details that can either make or break your business. Rather than struggling through it alone, PCI Proxy helps make matters simple.
Through our targeted offerings, we eliminate the need for merchants to handle credit card information, which greatly reduces the scope of applicable requirements a business needs to be assessed on during the annual audit. This makes achieving compliance much more straightforward, simple, and cost-effective.
We also have a robust network of leading Qualified Security Assessors (QSAs) who are prepared to help you tackle any outstanding PCI DSS requirements to achieve a full certification. No vendor lock-in – only customizable, flexible solutions ready to work for you.
If your business can’t afford to spend months laboring away over PCI DSS, PCI Proxy is the ultimate solution to achieve compliance without the headache. Click here to see how we can reduce your compliance scope today.
You run your business; we’ll handle the compliance side. Deal?
There are a few main takeaways to remember about PCI DSS requirements and compliance:
First, understand your compliance level so that you are aware of the PCI DSS requirements for your business.
Second, closely review the PCI DSS requirements and goals, especially the new changes for 2025.
Finally, determine whether your business will form an internal compliance team or work with a third-party service to achieve PCI certification. Remember, failure to comply with PCI DSS can have far-reaching ramifications, including hefty fines and significant reputational damage.
Keeping these items in mind is the best way to ensure your business is protected from data breaches and security threats, giving both customers and the merchant peace of mind when completing credit card transactions.