
While accepting credit card payments makes things convenient for you and your customers, it requires extra care in protecting customer data, especially since U.S. consumers reported losing more than $12.5 billion to fraud in 2024, according to the FTC.
To reduce the likelihood of fraud and data breaches, business owners must be familiar with credit card security standards and keep their business in full PCI compliance.
What does it mean to be PCI compliant?
The Payment Card Industry (PCI) is the ecosystem built around the major card brands, including Mastercard, Discover, American Express, Visa, and JCB. These brands established a common set of security standards, the Payment Card Industry Data Security Standard (PCI DSS), to ensure that any business that accepts, processes, stores, or transmits cardholder data keeps that data secure.


In 2006, the card brands founded the PCI Security Standards Council (PCI SSC) as a separate body to develop and maintain the standard. The SSC publishes PCI DSS and its supporting standards; enforcement, including fines and contractual penalties, is handled by the card brands and by the acquiring banks (acquirers) that sign up merchants. PCI compliance refers to adherence to the requirements set by this council. Meeting them protects important customer data (e.g., card and account numbers, expiration dates, security codes, and cardholder names) and greatly reduces the risk of fraud.
Card brands and acquirers require every merchant to maintain PCI compliance. Businesses that do not meet PCI DSS carry a large liability risk and can face fines, commonly cited at $5,000 to $100,000 per month, that the card brands levy on the acquirer and the acquirer passes down to the merchant.
PCI DSS levels explained: Who must be PCI compliant?
If your company accepts credit card payments online, by phone, or at the point of sale (POS), you must be PCI compliant. The steps you must take to validate compliance depend on how many card transactions your company processes each year and whether those transactions are taken at the POS or through e-commerce.
Smaller merchants face fewer validation requirements, while bigger companies that process millions of transactions per year have more stringent ones. Level One merchants must take the strictest measures, including an annual Report on Compliance, usually performed by a Qualified Security Assessor (QSA), while Level Four merchants typically validate by self-assessment.
What PCI DSS level is your business?
To determine your PCI DSS level, you’ll need to know how many credit card transactions you complete annually. If you’re not sure what level your business falls into, your POS reports, as well as reports and analytics from your e-commerce store, may be able to tell you.
All four levels count every card transaction, whether it comes through an online payment gateway, an in-store retail POS terminal, or an in-app payment system. Each card brand publishes its own level definitions and counts its own transactions; the Visa tiers below are the ones most commonly quoted:
- Level One: Businesses that process more than 6 million card transactions per year, regardless of channel.
- Level Two: Businesses that process 1–6 million card transactions per year, regardless of channel.
- Level Three: Businesses that process 20,000–1 million e-commerce transactions per year.
- Level Four: Businesses that process fewer than 20,000 e-commerce transactions per year, and all other businesses that process fewer than 1 million transactions annually across all sales channels, including e-commerce and retail.
Note that any merchant a card brand deems to be “high risk” for any reason, or any merchant that suffers a breach involving customer card data, may be escalated to PCI DSS Level One at the card brand’s or acquirer’s discretion.
The 12 PCI DSS requirements
Although Level Four businesses have fewer validation requirements than Level One businesses, the PCI DSS requirements themselves don’t change with level. How you validate (self-assessment versus an on-site assessment) varies, but the following controls apply to every business that stores, processes, or transmits cardholder data.
The official PCI DSS Quick Reference Guide, aligned with PCI DSS version 4.x (v4.0.1 is the current version; v4.0 was retired at the end of 2024), lays out 12 requirements businesses that handle cardholder data must follow to keep customer data safe:
- Install and maintain network security controls, including firewalls and routers, cloud security groups, and intrusion detection/prevention systems.
- Change your default passwords and apply secure settings across systems. This may include removing unused accounts, disabling unnecessary services, and regularly reviewing security settings.
- Protect stored account data: encrypt, truncate, or tokenize any primary account numbers (PANs) you must retain, and never store sensitive authentication data (full magnetic-stripe or chip data, CVV/CVC codes, or PINs) after authorization, even in encrypted form.
- Use strong cryptography (TLS 1.2 or higher) whenever cardholder data is transmitted across open, public networks.
- Protect all systems and networks from malicious software, and keep anti-malware protection updated.
- Maintain secure systems and applications; apply any software patches promptly.
- Restrict access to cardholder data to only users who need it.
- Require multi-factor authentication (MFA), meaning a strong, unique password plus at least one additional factor, for all access into the cardholder data environment and for all administrative access to system components.
- Restrict physical access to cardholder data and to the devices, terminals, and media that hold it.
- Log and monitor access to network resources and cardholder data.
- Test security systems regularly.
- Create an information security policy and update it regularly.
For websites with a hosted payment form or modal (e.g., a pop-up or embedded checkout), PCI DSS v4.x requirements 6.4.3 and 11.6.1 became mandatory on March 31, 2025. Requirement 6.4.3 asks you to keep an inventory of every script loaded on the payment page with a written justification, to authorize each script, and to assure its integrity (for example, with Subresource Integrity hashes and a Content-Security-Policy header). Requirement 11.6.1 asks for a change- and tamper-detection mechanism that checks the received HTTP headers and the payment page content at least once every seven days, or at the frequency set by your targeted risk analysis.
Overall, these are relatively broad requirements, but they carry specific implications. A modern POS system or hosted payment page handles encryption and tokenization for you, protecting data whenever a sale is processed, so the merchant never handles the full card number; that both protects the data and shrinks the scope of your own assessment. Merchants should not need to store cardholder information on a local hard drive, in application logs, or on their website server.
How to get started with PCI compliance
If you are wondering how to check whether your business is PCI compliant, work through three steps to assess your company’s security processes.
This is a starting point for seeing whether you have appropriate security measures in place; if you are still unsure, given the size of your company and the volume of card business it processes, enlist the help of a QSA or your payment processor’s compliance team.
First, audit how you currently collect, transmit, and store cardholder data. Inventory your IT assets and look for weaknesses an attacker could exploit to steal that data:
- Is your network secure?
- Are systems protected with strong, unique passwords and MFA?
- Is your antivirus and malware protection up to date?
Next, take action to address those weaknesses. This could include upgrading the security on your e-commerce site or moving away from storing cardholder data at all. Unless you run a recurring-billing or card-on-file program, there is no need to keep cardholder data, and even then your processor’s tokens or card vault should hold the card number rather than your own systems.
You can run loyalty programs through a person’s email or phone number, limiting the need for sensitive information. Additionally, many e-commerce platforms act as secure third-party processors, which can track transactions for remarketing campaigns without storing credit card numbers or other financial data.
Lastly, validate and report. Most small merchants submit a Self-Assessment Questionnaire (SAQ) and a signed Attestation of Compliance (AOC) to their acquirer or payment processor, plus quarterly external vulnerability scans from an Approved Scanning Vendor (ASV) where their SAQ type requires them. Your acquirer can provide additional guidance, and staying current avoids the penalties and fees that come with lapsed compliance.
How to maintain ongoing PCI compliance
PCI compliance should be treated as an ongoing practice, not a one-off checklist item. These steps can help you maintain secure systems, reduce risk, and stay in good standing with your payment processors.
Determine whether you need to submit an annual SAQ
Many small businesses can validate their PCI compliance by completing a Self-Assessment Questionnaire (SAQ) each year. There are several SAQ types, depending on how you accept payments (for example, SAQ A for e-commerce that is fully outsourced to a validated third party, SAQ B for standalone dial-out terminals, SAQ P2PE for validated point-to-point encryption solutions, and SAQ D for everyone else). Check with your merchant bank (“acquirer”) or payment processor to determine which SAQ, if any, you must submit.
Conduct routine risk assessments
Regularly scheduled risk assessments keep your business ahead of evolving threats. Run vulnerability scans (quarterly external scans by an ASV where your SAQ type requires them, plus internal scans), penetration tests (authorized, simulated attacks against your own systems), and ongoing risk assessments to catch weaknesses early.
Update your software and systems regularly
If you don’t already have one, install a firewall and quality anti-malware software. Make sure these, along with your operating systems, point-of-sale systems, plug-ins, and web browsers, are all updated regularly. Finally, use a password manager, enforce strong, unique passwords, and apply the rotation rules your password policy requires.
Monitor physical access
Implement access control on a need-to-know basis only. Ensure each employee has a unique ID and credentials (never shared logins), and keep a log of which authorized employees access restricted information. Cameras or electronic access-control systems can help monitor physical entry to areas holding cardholder data or payment devices.
Document processing activities
Time and process transparency matter most in the case of a breach. Keep clear records of your payment workflows, data flows, and any additional processing activities; they help trace the source of a breach and scope the fixes that follow.
Educate and train your employees
Regular training ensures your employees have up-to-date guidance on avoiding scams and phishing attempts that would put your business security at risk. Review and update trainings and internal security policies on an ongoing basis, and host refresher courses to keep best practices front-of-mind.
Dawn Allcot contributed to this article.
CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.