
Payment Card Industry (PCI) compliance follows certain requirements launched in 2006 that are designed to ensure the safety and security of credit card data. Credit card processors mandate all companies that accept credit card payments to adhere to these requirements.

What is PCI DSS compliance?

Payment Card Industry Data Security Standard (PCI DSS) compliance means a company adheres to a set of 12 requirements developed by the PCI Security Standards Council. These requirements essentially form the backbone of a company’s data security policy, ensuring customer card data is processed, stored and transmitted securely.

12 PCI DSS requirements in 2024

Companies must follow these 12 PCI DSS compliance requirements as set out by the PCI Security Standards Council:

  1. Firewalls: Implement network security like a firewall to protect data from external attack.
  2. Password configuration: Ensure all components of the system are appropriately protected with secure passwords and two-factor authentication, and that vendor-supplied default passwords and configurations are removed and/or replaced. 
  3. Data storage: Store all cardholder data securely, with protocols for storing, disposing and not capturing specific categories of data.
  4. Data transmission: Protect cardholder data when transmitting over open, public networks using strong encryption. 
  5. Antivirus software: Install reputable antivirus software and keep it regularly updated to protect your network from malware, phishing and other threats.
  6. System maintenance: Develop processes to ensure your network and systems are secure, as well as protocols for detecting and acting on vulnerabilities and breaches.
  7. Restrict systems access: Grant access to systems and cardholder data on a need-to-know basis, and define access requirements by role.
  8. User IDs: Authenticate all user access and assign a unique ID to every user who has access to data.
  9. Physical access: Install security measures like cameras and keycodes to monitor and restrict access to physical cardholder data.
  10. Access logging: Log, track and monitor all access to system data and components.
  11. Regular testing: Ensure all aspects of network security are tested on a regular basis, with scans, inventory and monitoring. 
  12. Implement policies: Create and implement data security policies, and run programs that explain each employee’s security responsibilities.

How to be PCI DSS compliant? 

To ensure a business achieves and maintains compliance with PCI Data Security Standards, it must:

  • Adhere to PCI requirements: Meet all the above 12 requirements as set out by the PCI Security Standards Council.
  • Assess systems: Run a thorough examination of the business’s security protocols and systems to find and resolve any vulnerabilities. This also includes hiring a third-party service to test the security of the network used to process payments if required. 

Use the table below to see which PCI DSS Self-Assessment Questionnaire (SAQ) is right for your business:

SAQ A
Who is it for? Merchants who have fully outsourced all payments to compliant third-party providers, accepting exclusively card-not-present transactions. For example, e-commerce or telephone-order merchants, where no cardholder data is kept on the merchant’s system.
Who is it not for? Merchants accepting face-to-face transactions.

SAQ A-EP
Who is it for? E-commerce merchants who accept payments via their own website as well as outsourcing payments to compliant third-party providers. The distinction here is the presence of a merchant website that can affect the transaction’s security, rather than all aspects of the payment being handled by a third party.
Who is it not for? Merchants outside of e-commerce.

SAQ B
Who is it for? Merchants that only process credit cards via standalone terminal, phone, fax or imprint machines, therefore collecting and storing no electronic cardholder data.
Who is it not for? E-commerce merchants.

SAQ B-IP
Who is it for? Merchants that only process payments via standalone terminals linked to a payment processor over an internet connection, also collecting and storing no electronic cardholder data.
Who is it not for? E-commerce merchants.

SAQ C-VT
Who is it for? Merchants who accept payments via keyboard entry into an online virtual payment terminal hosted by a third-party provider, collecting and storing no electronic cardholder data.
Who is it not for? E-commerce merchants.

SAQ C
Who is it for? Merchants who accept payments via a payment application system connected to the internet, such as a mobile device or point-of-sale (POS) system.
Who is it not for? E-commerce merchants.

SAQ D
Who is it for? All other merchants, such as e-commerce websites without direct post or a third-party payment service.
Who is it not for? Merchants covered by any of the above.

SAQ P2PE
Who is it for? Merchants that use hardware payment terminals with a valid PCI SSC-listed point-to-point encryption provider.
Who is it not for? E-commerce merchants.

What should I ask my payment processor?

When looking for a payment processor, remember to ask the following questions to ensure you’re working with a trustworthy and compliant provider:

  1. Are they PCI compliant? Ask to see their PCI DSS Attestation of Compliance and check if they’re listed on MasterCard or Visa’s individual registries. 
  2. How do they protect data and prevent fraud? Ask about their data security protocols and processes, and ensure their answers are as specific as possible, with robust measures in place. How is data stored? Is it local, and if so, is it compliant with PCI DSS protocol? Is data encrypted before being transmitted?
  3. Will they protect you during a breach? In the event of a security or data breach, will they offer any protection? Are they insured against breaches, and will they take responsibility if they’re at fault?
  4. When will they be available? A payment processor’s customer service and support options are crucial when it comes to resolving issues, so ensure you know when they’re reachable and by what channels.

We’ve included a handy PCI compliance checklist you can download as a PDF file and reference whenever you need.

PCI Compliance Checklist

Use our checklist to ensure your business maintains compliance with PCI Data Security Standards:

✅ Determine your PCI level: Determine which PCI level your business is at with regard to the number of transactions it makes a year, using the requirements of each credit card issuer you will accept payments from.

✅ Organise and manage a secure network of user data: Use network security controls like firewalls to protect your data, and ensure all systems are protected with strong passwords and authentication processes.

✅ Protect all cardholder data: Protect all cardholder data while stored as well as transmitted via open public networks.

✅ Manage data vulnerability: Install and keep antivirus software up to date, with regular maintenance of network security vulnerabilities. 

✅ Control and restrict access to data: Restrict both virtual and physical access to data, and ensure all users with access are authenticated with unique ID.

✅ Monitor and test network security: Ensure all access to data and systems is monitored and logged, and test data security regularly.

✅ Maintain consistency with regard to data security: Create and enact specific data security policies to maintain consistency and to support an appropriate response to security events.

✅ Question your provider: Ask your credit card processor about their compliance and adherence to data security requirements.

Benefits and disadvantages of being PCI compliant

Here are the benefits of ensuring your payment processor is PCI compliant, and why they outweigh any possible drawbacks:

Benefits of being PCI compliant:

  👍 Reduced risk of data breaches
  👍 Avoidance of costly penalties
  👍 Improved reputation and customer trust

Drawbacks of being PCI compliant:

  ❓ Can be costly to set up and maintain
  ❓ Requires constant assessment to ensure systems are up to date and fully protected

Drawbacks of not being PCI compliant:

  👎 Increased risk of data breaches
  👎 Possible fines and penalties
  👎 May not be able to process credit card transactions in the future
  👎 Damage to reputation and customer trust

Should my credit card processor be compliant?

In short, yes, you should ensure your credit card processor is fully compliant with PCI Data Security Standards. There were 1,802 data compromises in the USA in 2022, affecting 422 million individuals in the country — only beaten by the 1,862 in the previous year and much higher than the 1,108 in 2020. With so many businesses adopting online payment processors, ensuring your customers’ data is protected is vital.

Penalties for noncompliance can cost thousands per month, not to mention the potential cost of lawsuits brought against merchants and businesses. There are also investigations that may need to be conducted, and the cost of business lost as a result of a damaged reputation.

PCI compliant service providers

Through expert analysis, we’ve chosen the top five credit card processors, all of which are PCI compliant — see our table below:

Square
  • PCI compliant: Yes, service provider level 1
  • Best for: Our overall top pick for the best credit card processor
  • Read our review: Square review

Stripe
  • PCI compliant: Yes, service provider level 1
  • Best for: APIs and integrations
  • Read our review: Stripe review

PayPal
  • PCI compliant: Yes, service provider level 1
  • Best for: Digital wallets
  • Read our review: PayPal review

Helcim
  • PCI compliant: Yes, service provider level 1
  • Best for: Volume-based discounts
  • Read our review: Helcim review

Paysafe
  • PCI compliant: Yes, service provider level 1
  • Best for: High-risk businesses
  • Read our review: Paysafe review

Frequently asked questions (FAQs)

PCI compliance is not legally required in the U.S., but merchants and processors will likely find themselves fined by credit card companies for being noncompliant. If a merchant continues to be noncompliant, they could lose the ability to process transactions altogether.

For smaller businesses, PCI compliance costs typically start at a few hundred dollars a year, mostly encompassing SAQs, scanning and testing, staff training and potentially more for software and hardware. Larger businesses that require on-site audits can expect to pay tens of thousands of dollars due to the scale of operations that require assessment and action.

Businesses and merchants will have a level based on the number of transactions they process annually and the credit card provider. 

Visa and Mastercard use the same levels:

Level 1: over 6 million transactions per year
  • Mastercard: Annual PCI DSS assessment with completion of a report on compliance
  • Visa: Completion of a report on compliance by a qualified security assessor or internal resource, and submission of an attestation of compliance form

Level 2: 1 million to 6 million transactions per year
  • Mastercard: Annual self-assessment questionnaire
  • Visa: Annual self-assessment questionnaire and an attestation of compliance form

Level 3: 20,000 to 1 million transactions per year
  • Mastercard: Annual self-assessment questionnaire
  • Visa: Annual self-assessment questionnaire and an attestation of compliance form

Level 4: fewer than 20,000 transactions per year
  • Mastercard: Annual self-assessment questionnaire
  • Visa: Annual self-assessment questionnaire

American Express uses a slightly different structure:

Level 1: more than 2.5 million transactions per year
  • American Express: Annual on-site assessment and an attestation of compliance form

Level 2: 50,000 to 2.5 million transactions per year
  • American Express: Annual self-assessment questionnaire and an attestation of compliance form, as well as an external network vulnerability scan

Level 3: 10,000 to 50,000 transactions per year
  • American Express: Annual self-assessment questionnaire and an attestation of compliance form, as well as an external network vulnerability scan

Level 4: fewer than 10,000 transactions per year
  • American Express: Annual self-assessment questionnaire

PCI compliance is enforced by the PCI Security Standards Council’s founding members: American Express, Discover, JCB, Mastercard and Visa.

Mehdi is a writer and editor with many years of personal finance expertise under his belt. He's a spirited money-saver, with a passion for making personal finance accessible and manageable. When he isn't writing, Mehdi likes to read about history and travel, hike along coastlines and in forests, and watch his beloved team Manchester United underperform.

Bryce Colburn

Bryce Colburn is a USA TODAY Blueprint small business editor with a history of helping startups and small firms nationwide grow their business. He has worked as a freelance writer, digital marketing professional and business-to-business (B2B) editor at U.S. News and World Report, gaining a strong understanding of the challenges businesses face. Bryce is enthusiastic about helping businesses make the best decisions for their company and specializes in reviewing business software and services. His expertise includes topics such as credit card processing companies, payroll software, company formation services and virtual private networks (VPNs).