What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect cardholder data from fraud and breaches. It was created in 2006 by the major credit card companies—Visa, Mastercard, and American Express—to establish a single, common security standard across card brands.
Any business that processes, stores, or transmits credit card information, whether it’s a small coffee shop with a point-of-sale system or a large eCommerce retailer processing thousands of transactions daily, must comply with PCI DSS.
Key Points
- Any business that handles credit card data must follow PCI DSS to protect against fraud and data breaches.
- PCI compliance requires ongoing security practices based on how many transactions a business processes.
PCI compliance requirements
PCI compliance means a business has implemented the security measures PCI DSS requires to protect cardholder data. Keep in mind that compliance is an ongoing process rather than a one-time checkbox, so make sure to stay up to date with changes to the PCI DSS standard.
To be PCI compliant, businesses must follow these security best practices:
- Secure Networks – Firewalls and security configurations to block unauthorized access.
- Protect Cardholder Data – Encrypt stored payment information and limit access.
- Vulnerability Management – Regularly update and patch security systems.
- Strong Access Controls – Restrict payment data access with unique login credentials.
- Monitor and Test Networks – Regular security audits and vulnerability scans.
- Information Security Policy – Train employees on compliance requirements and data security best practices.
For example, a restaurant taking phone orders might write card details on paper before entering them into the system, or an online boutique might store unencrypted credit card numbers in its database after purchases. If the card information is not destroyed immediately after use, or is retained without encryption, it violates PCI DSS rules. Organizations that don’t comply with PCI DSS standards can face monthly fines ranging from $5,000 to $100,000.
What are the 4 levels of PCI compliance?
Businesses are categorized into four PCI compliance levels based on the number of credit card transactions they process per year:
- Level 1: Merchants processing over 6 million transactions annually. They must complete an annual PCI audit and quarterly network scan by an Approved Scanning Vendor (ASV).
- Level 2: Merchants processing 1 million to 6 million transactions per year. They must complete a Self-Assessment Questionnaire (SAQ) and regular security scans.
- Level 3: Merchants processing 20,000 to 1 million eCommerce transactions annually. They must complete an SAQ and vulnerability scan.
- Level 4: Merchants processing fewer than 20,000 eCommerce transactions annually, or up to 1 million total transactions annually. They typically complete an SAQ and periodic security scans.
A large retailer like Walmart is Level 1, requiring extensive security audits. In 2024, Walmart was estimated to have 255 million weekly customer visits. Imagine if Walmart did not prioritize its security and was attacked, leaking the payment details of 255 million people. It would be chaos. Therefore, Walmart’s security is regularly audited and held to high standards.
On the other hand, a small handmade jewelry store selling online would be considered Level 4. The small jewelry store will have fewer compliance requirements but still needs to follow PCI DSS guidelines to protect customer data.
PCI compliance is mandatory for businesses that accept credit card payments regardless of size. Following these standards helps prevent fraud, protect sensitive payment information, and build customer trust.