The Ultimate PCI Compliance Guide | Why it’s Essential + 10 Expert Tips

Published On: March 5th, 2021

While payment security looks a little different for each merchant, it continues to remain a top priority across all industries. To help with this, businesses look to PCI compliance standards for guidance. Although these standards offer a lot of direction to better protect cardholder data, they are not foolproof against all cybersecurity attacks.

To meet evolving compliance standards and better prepare for growing cyber threats, we brought in 10 industry experts to help you build the strongest infrastructure possible.

What is PCI compliance?

PCI (Payment Card Industry) compliance is a fancy way of saying your business is following proper security measures to successfully accept, process, and store credit card payments. PCI compliance is not legally required but is mandatory in certain cases.

The Payment Card Industry Data Security Standard (PCI DSS) defines these security requirements. The PCI Security Standards Council (PCI SSC) — established by Visa, American Express, Discover, Mastercard, and JCB International credit card providers in 2006 — is responsible for upholding these standards, ensuring merchants meet them, and managing data security worldwide.

PCI compliance: Levels, assessments, and requirements

PCI levels are typically determined by merchants’ annual transactions and business size:

  • Level 1: Merchants who process over six million transactions per year and service providers that process over 300,000 credit card transactions annually. (Typically large businesses.)
  • Level 2: Merchants who process between one and six million transactions per year and service providers who process fewer than 300,000 transactions annually. (Typically mid-to-large-sized businesses.)
  • Level 3: Merchants who process between 20,000 and one million transactions per year. (Typically small-to-mid-sized businesses.)
  • Level 4: Merchants who process fewer than 20,000 transactions per year. (Typically small businesses.)

PCI validation assessments

A merchant’s PCI compliance level determines its annual and quarterly validation requirements. Depending on your level, here are some of the validation forms you may have to complete:

PCI DSS requirements

The PCI Security Standards Council provides merchants with a general list of security standards to follow to become PCI compliant:

In addition to these 12 security standards, each compliance level has separate requirements merchants must complete:

Level 1 merchants are required to provide:

  • A Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor
  • Quarterly scans by an Approved Scanning Vendor (ASV)
  • An Attestation of Compliance (AOC) completed by a QSA

Level 2 merchants are required to provide:

  • Self-Assessment Questionnaire (SAQ) completed by the merchant
  • Quarterly scans completed by an Approved Scanning Vendor (ASV)
  • An AOC completed by a QSA
  • Sometimes an additional PCI scan

Level 3 merchants are required to provide:

  • An SAQ completed by the merchant
  • Quarterly scans completed by an ASV
  • An AOC completed by a QSA

Level 4 merchants are required to provide:

  • An SAQ completed by the merchant
  • Quarterly scans completed by an ASV

PCI compliance benefits: A surefire way to limit breaches & save your business

“PCI Compliance is a widely accepted and expected information security standard. It gives your brand much-needed credibility and certifies your ability to handle card data and transactions. To the layman, it gives an assurance that their card details will be handled securely.”

Bram Jansen

While PCI compliance offers the obvious benefit of enhanced security, it can provide additional, sometimes unexpected advantages to your business.

Some of the top benefits of PCI compliance include:

  • Lower risk of breaches
  • Improved customer experience
  • Enhanced brand reputation
  • Increased operational efficiency

Lower risk of breaches

Since the purpose of the PCI DSS is to improve payment security, it would make sense that PCI compliance would also decrease the likelihood of breaches, fines, and lawsuits.

This decrease occurs because merchants create a more secure IT infrastructure that protects cardholder information through solutions like firewalls, encryption, tokenization, and more. By reducing these risks, you’re also reducing the potential for future fines (from acquiring banks, governments, etc.) and lawsuits (from retailers, credit card processors, customers, etc.).

Improved customer experience

Merchants should prioritize their customers and take the necessary steps to make their experience the best it can be. If customers don’t trust your site, they probably won’t purchase from you.

A PwC report shows 87% of consumers say they’ll take their business elsewhere if they don’t trust a company to handle their data responsibly. By maintaining compliance, you’re putting the security of your customer first and providing a safer shopping experience. In turn, this will promote more confidence and trust to purchase.

Enhanced brand reputation

Customer experience and trust directly relate to brand reputation. By improving customer experience and trust through compliance, customers’ perception of your business will increase too.

This positive impact can influence customers to make return purchases, spread the word about your business and its products, and leave positive reviews, all of which can impact the growth of your business.

Increased operational efficiency

“PCI DSS compliance can offer operational efficiency by mapping the controls to other regulatory and security compliance frameworks that your business is obligated to adhere to and be audited against. Too often I find that controls are written in a vacuum and not designed with all applicable organization compliance needs. Whether PCI DSS is the first compliance framework your organization is implementing, or you’re adding it to an existing compliance program, designing controls with mapping in mind can lead to greater operational efficiency.”

Adam Brennick
Compliance Professional

After implementing the necessary PCI compliance protocols and software, businesses can improve their operational efficiency by using the extra time and resources that would’ve been spent on handling preventable security breaches to tackle high-priority tasks. Merchants can also use their compliance to meet other security regulations and standards.

Compliance requirements like penetration testing and vulnerability scans allow merchants to fulfill additional security standards such as the SOC 2 (Service Organization Control), ISO 27001 (International Organization for Standardization), and other global regulations.

How to become PCI compliant and avoid thousands of dollars in fines

“You can’t secure what you don’t know about. Know your environment, what data you have, where that data exists, and who has access to it. Then, minimize your attack surface. The cardholder data environment (CDE) needs to be segmented off from other areas of your network. It becomes much easier to be compliant with the PCI DSS when the CDE is walled off. Reduce your compliance scope and you’ll have an easier job being compliant.”

Paul Caiazzo

After your business has identified its PCI level and the applicable standards and validation requirements, your team can work together to better secure payment data and become PCI compliant.

The Security Standards Council (SSC) simplifies the process of becoming PCI compliant into three steps:

  • Assess: Review cardholder data, assets, and business operations to identify any vulnerabilities or risks.
  • Repair: Actively work to reduce risks and vulnerabilities and eliminate excess cardholder data.
  • Report: Compile and submit the required information to acquiring banks and card companies.

To further help businesses become compliant, the PCI SSC has compiled a prioritized list for businesses to follow. Once these steps have been taken, your business can undergo a PCI self-assessment to make sure all data and security measures have been properly implemented. Merchants can also complete a vulnerability scan to double-check their security.

Costs of PCI compliance

PCI compliance costs vary based on many factors of your business. These costs can increase or decrease depending on:

  • Business size and number of annual transactions
  • Type of business and industry
  • Level of security already put in place (or lack thereof)
  • Whether or not the acquiring bank helps front some of the costs
  • Company morale and employees’ willingness to adapt and learn security measures

SecurityMetrics estimates PCI compliance costs to average around $300 annually for small businesses and $70,000 annually for large businesses. These cost differences fluctuate so dramatically because of the various assessment requirements and levels of compliance.

Penalties of non-compliance

“I think being compliant is enough to save money. If any breaches were to happen, you will be in a lot more trouble and paying so much more than you would now to mitigate it.”

Ethan Taub
CEO at Goalry

The threat of the non-compliance penalties your business can face greatly outweighs the cost of being PCI compliant. While the PCI SSC doesn’t enforce these non-compliance penalties, the five major credit card brands — Visa, Mastercard, Amex, Discover, JCB International — do.

A merchant’s acquiring bank is responsible for keeping them PCI compliant through an annual Self-Assessment Questionnaire (SAQ) and Report on Compliance (ROC). If the bank and its merchant fail to uphold PCI compliance, they are both liable to fines and penalties levied by the major credit card companies.

If a data breach occurs, the major credit card brands will determine whether the merchant was upholding PCI DSS compliance and to what extent. Fines ranging anywhere from $5,000 to $100,000 per month can be placed on a business until full compliance is reached. Banks can and most likely will fine their merchants using additional fees or service charges.

Merchants who choose to not comply are subject to repeat fines. They also open themselves up to negligence lawsuits from banks, customers, card processing companies, and more.

How to improve PCI compliance and secure a foolproof infrastructure

“PCI compliance needs to be an ongoing initiative, not something a business only looks at once a year when they send in their Self-Assessment Questionnaire (SAQ) or every three years right before an audit.”

Tracy Fox

To improve PCI compliance, merchants must monitor many moving parts, like current events, new security technology, updated compliance standards, and changing demands for online payments.

Merchants can take the following additional actions to build sustainable PCI compliance programs and secure cardholder data:

Compile a comprehensive inventory list (vendors, equipment, digital tools, etc.)

Knowing the ins and outs of your business and its assets can help you fix any gaps in security and eliminate outdated tools that no longer serve your organization. This auditing can also help merchants save more money by finding services and software that are all-in-one solutions.

Test your network systems regularly to ensure they’re working properly

Running regular assessments lets you test your systems, networks, and protocols to find any weaknesses or vulnerabilities that need to be addressed. It’s not enough to