
Is PCI Compliance Legally Required?

Last Updated: June 19th, 2026

Is PCI compliance required by law?

No, PCI compliance is not required by government law. However, when your business agrees to accept credit cards, compliance with PCI DSS becomes a contractual obligation with your payment processor and card networks.

It is a common source of confusion for business owners, and the distinction matters. Here is why.

The PCI Security Standards Council

In 2006, the five major card brands (American Express, Discover, MasterCard, Visa, and JCB International) formed the PCI Security Standards Council, an organization dedicated to promoting awareness of and adherence to payment security standards.

In pursuit of that goal, the PCI Security Standards Council published the PCI Data Security Standard (PCI DSS), a set of rules and requirements that businesses must follow to ensure they are storing and handling customer credit card information safely.

Any business that transmits, stores, handles, or accepts credit card data, regardless of size or processing volume, must comply with the PCI DSS Standards.

If you only process three credit card transactions a month, you must comply with PCI standards. If you use a third-party payment processor, you must comply with PCI standards. If you don’t store credit card data but it passes through your server, you must comply with PCI standards.

If your business accepts credit cards as a form of payment, then you must be PCI compliant.

Is PCI compliance legally required?

No, not by government law.

No federal or state legislation explicitly mandates PCI compliance by name. However, when your business agrees to accept credit cards, compliance with PCI DSS becomes a contractual obligation with your payment processor and card networks. Visa, Mastercard, American Express, Discover, and JCB all require it through the PCI Security Standards Council. If you accept credit cards, you agreed to follow these rules whether you realized it or not.

Any business that transmits, stores, handles, or accepts credit card data must comply, regardless of size or transaction volume. If you process three transactions a month or three million, the requirement applies equally.

Some business owners wonder if they can get around the requirements. They cannot. Non-compliance puts your customers at risk, exposes your business to significant financial penalties, and can result in losing your ability to accept credit cards entirely.

The dangers of not being PCI compliant

What happens if you are not PCI compliant? 6 consequences merchants can face

Non-compliance with PCI DSS does not just put your customers at risk — it puts your entire business at risk. The consequences can range from manageable fines in the early months to business-threatening penalties the longer non-compliance continues. Here is a breakdown of what merchants can face:

1. Monetary fines. Payment processors and card brands charge non-compliance fines to offset the potential losses caused by insufficient payment security. Fines are tiered based on how long a merchant remains non-compliant:

  • 1 to 3 months of non-compliance: $5,000 to $10,000 per month
  • 4 to 6 months of non-compliance: $25,000 to $50,000 per month
  • 7 or more months of non-compliance: $50,000 to $100,000 per month
  • Fines resulting from a breach: $50 to $90 per affected customer, depending on transaction volume


2. Increased exposure to fraud and data breaches. PCI compliance requires merchants to implement firewalls, data encryption, secure storage, antivirus software, and routine security scans. Without these measures in place, businesses become significantly more vulnerable to cyber attacks targeting sensitive credit card data including card numbers, names, addresses, and security codes.

3. Credit card processing restrictions. Card brands and processors can impose restrictions on non-compliant merchants, including limitations on which cards can be accepted, transaction amount caps, or termination of processing capabilities altogether. Losing the ability to accept credit cards entirely is one of the most operationally damaging outcomes of non-compliance.

4. Negative legal implications. Data breaches resulting from non-compliance can expose merchants to lawsuits from affected customers, typically filed on grounds of negligence. Card issuers may also pursue legal action against merchants for the cost of reissuing compromised cards and reimbursing fraud victims.

5. Loss of revenue. Revenue losses from non-compliance can compound quickly. PCI fines, breach-related legal costs, card brand restrictions, and customers taking their business elsewhere all contribute to financial damage that can be difficult to recover from.

6. Diminished brand reputation and trust. Once a breach occurs, rebuilding customer trust is a long and difficult process. Customers expect businesses to handle their payment data responsibly, and non-compliance signals that those expectations are not being met. The reputational damage from a publicized breach often outlasts the direct financial costs.

Your business will have to pay penalties and fines that vary based on how long you remain non-compliant, ranging from $5,000 per month for short-term violations up to $100,000 per month for merchants who remain out of compliance for seven months or more. Breach-related fines add an additional $50 to $90 per affected customer on top of that.

PCI non-compliance fines are just the beginning of the overall damage caused by non-compliance. Understanding the consequences makes the case for compliance clear. The next step is knowing how to get there and stay there.


If you’re not PCI compliant, you run the risk of losing your merchant account, which means you won’t be able to accept credit card payments at all. Your business could also be placed in the Member Alert to Control High-Risk Merchants (MATCH) List, making you ineligible to obtain a new merchant account for several years.

On top of that, a data breach could cost you thousands of dollars in damages, lose the respect and trust of your customers, and decimate your reputation.

There are a variety of penalties for not being PCI compliant, so it’s always best to be as fully compliant as possible to avoid expensive fines and other losses.

How can I be PCI compliant?

PCI compliance is an ongoing process that requires regular evaluations and assessments of current systems and practices. It’s not a “set it and forget it” project — it’s a continual effort to keep cardholder data safe.


That being said, PCI compliance can be overwhelming. There are many requirements that can be confusing and difficult to implement. Fortunately, you don’t have to do it on your own. You can use third-party products and services as part of your larger PCI compliance strategy.

Many third-party payment gateways adhere to the PCI DSS so you don’t have to worry about it on your end. These payment gateways use data security methods like tokenization that allow you to store “tokens,” or non-sensitive credit card data elements, on your local servers instead of the actual information. This allows for quick and easy access to data (for repeat customers, for example), without actually storing any information.

Using these payment gateways can remove some of the PCI compliance burden from your business, but remember that third-party solutions are not a silver bullet. You’re still responsible for your security and must commit to testing, strengthening, and updating it over time.
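To make the tokenization model above concrete, here is an added example (not code from the original post, and not EBizCharge's or any real gateway's code). It assumes a hypothetical gateway-side vault (`GatewayTokenVault`) that is the only place the card number ever lives, a merchant-side database that stores just an opaque token and the last four digits, and a small scanner a merchant can run over its own storage to confirm that no full card numbers have leaked in. The card number used is the well-known Visa test value 4111 1111 1111 1111, not a real account.

```python
import json
import re
import secrets
from dataclasses import dataclass, asdict

# Constructed test value: the standard Visa test number, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check on a card number: rejects malformed input before it is ever tokenized."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class GatewayTokenVault:
    """Hypothetical stand-in for the payment gateway's vault (assumed, not a real API).

    The merchant never holds this object in production; it lives at the gateway.
    Tokens are random, so they carry no information about the underlying PAN and
    the same card tokenized twice yields two unrelated tokens.
    """

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(24)
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Only the gateway can map a token back to a PAN and charge it."""
        pan = self._vault.get(token)
        return pan is not None and amount_cents > 0


@dataclass
class MerchantCustomerRecord:
    """What the merchant keeps locally: no PAN, only a token and display digits."""
    customer_id: str
    token: str
    last4: str


class MerchantDatabase:
    """Simulated merchant-side storage for repeat customers."""

    def __init__(self) -> None:
        self.records: dict[str, MerchantCustomerRecord] = {}

    def save_card(self, vault: GatewayTokenVault, customer_id: str, pan: str) -> str:
        # The PAN is handed straight to the gateway; only the token is persisted here.
        token = vault.tokenize(pan)
        self.records[customer_id] = MerchantCustomerRecord(customer_id, token, pan[-4:])
        return token

    def dump(self) -> str:
        """Serialize local storage, e.g. to scan it for leaked card data."""
        return json.dumps({k: asdict(v) for k, v in self.records.items()})


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pan_like(text: str) -> list[str]:
    """Return substrings that look like card numbers and pass the Luhn check.

    A merchant can run this over logs, exports or database dumps as a sanity check
    that card data really stayed out of its systems.
    """
    return [m.group(0) for m in PAN_PATTERN.finditer(text) if luhn_valid(m.group(0))]


if __name__ == "__main__":
    vault = GatewayTokenVault()
    db = MerchantDatabase()
    tok = db.save_card(vault, "cust-1", TEST_PAN)
    print("merchant stores:", db.dump())
    print("PAN-like values in merchant storage:", find_pan_like(db.dump()))
    print("charge via token succeeded:", vault.charge(tok, 1999))
```

The two properties worth noticing are that the merchant's serialized storage contains nothing the scanner recognizes as a card number, and that the token is useless outside the gateway that issued it. Running `find_pan_like` over your own logs and exports is a cheap way to honour the "you are still responsible" caveat: a tokenized integration only reduces scope if card numbers genuinely never land on your side.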


The bottom line

If your business accepts credit cards, then you must be PCI compliant. It’s as simple as that.

So don’t let fear or confusion keep you from tackling PCI compliance. In the long run, PCI compliance will protect you and your customers from data breaches, and the costs and damages associated with them.

One of the easiest ways to maintain compliance is by choosing a payment processor that’s already PCI Level 1 certified and integrates directly with your accounting or ERP system. Whether you’re looking for a NetSuite credit card processing integration, Acumatica payment processing, or a Sage Intacct payment gateway, working with a certified provider reduces your PCI scope and keeps sensitive card data off your systems entirely.

Solutions like EBizCharge use tokenization to replace card data with secure tokens, so your business never stores sensitive information. This approach simplifies compliance, protects your customers, and lets you focus on running your business instead of managing security checklists.

It’s important to always remember: even though PCI compliance is not required by law, it is a contractual obligation and necessary for the safety of both businesses and customers.
