Payment Card Security

PCI Compliance Requirements Explained Simply

If your business accepts credit card payments, you need to comply with PCI-DSS. Here's what that means in simple terms.

PCI Compliance Requirements

Important Disclaimer:

NHM LLC is not a QSA (Qualified Security Assessor). This page provides general information about PCI compliance requirements for educational purposes only and does not constitute professional PCI compliance assessment or certification services.

This page explains the PCI compliance requirements in plain language so you can understand what your business needs to do to comply with PCI-DSS, learn the basics, and take the first steps toward compliance.

What is PCI-DSS?

PCI-DSS (Payment Card Industry Data Security Standard) is a set of security standards created by major credit card companies (Visa, Mastercard, American Express, Discover) to protect cardholder data. If you accept, process, store, or transmit credit card information, you must comply.

Who Needs to Comply?

Every business that:

  • Accepts credit or debit card payments
  • Stores cardholder data
  • Processes card payments
  • Transmits card data

This includes retailers, restaurants, e-commerce sites, service businesses, and anyone who takes card payments.

Compliance Levels

There are four compliance levels based on transaction volume:

  • Level 1: Over 6 million transactions per year - annual on-site assessment required
  • Level 2: 1-6 million transactions per year - annual self-assessment questionnaire (SAQ)
  • Level 3: 20,000-1 million e-commerce transactions per year - annual SAQ
  • Level 4: Less than 20,000 e-commerce transactions or up to 1 million total transactions per year - annual SAQ

Most small businesses are Level 3 or 4 and can complete a Self-Assessment Questionnaire (SAQ).

The 12 PCI Requirements (Simplified)

1. Install and maintain firewall configuration

Use firewalls to protect your network and card data.

2. Don't use vendor-supplied defaults

Change default passwords and security settings on all systems.

3. Protect stored cardholder data

If you store card data, encrypt it. Better yet, don't store it if you don't need to.

4. Encrypt transmission of card data

Use encryption (SSL/TLS) when transmitting card data over public networks.

5. Use and regularly update antivirus software

Keep antivirus software updated on all systems that handle card data.

6. Develop and maintain secure systems

Keep software updated and patch security vulnerabilities promptly.

7. Restrict access to cardholder data

Only give access to employees who need it for their job.

8. Assign unique IDs to each person

No shared accounts. Each person gets their own login credentials.

9. Restrict physical access

Secure physical access to areas where card data is stored or processed.

10. Track and monitor access

Log access to cardholder data and review logs regularly.

11. Regularly test security systems

Test security systems and processes regularly.

12. Maintain a security policy

Have written security policies that employees must follow.
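To make requirements 3 and 10 concrete, here is an added example in Python (it is not part of this page and not NHM LLC's code): it masks a card number down to the first six and last four digits before it is stored or written to a log, and it scans sample log lines for any full card number that slipped through, which is the kind of finding a regular log review should surface. It assumes a card number is a 13 to 19 digit string that passes the Luhn check, and that keeping the first six and last four digits is acceptable under your own retention policy; the regular expression and the log lines are constructed for the example, and the card numbers in them are well-known test numbers, not real cards.

```python
"""Mask card numbers before storage or logging, and scan logs for leaks.

Added example, not the page's own code. Assumptions: a PAN is 13-19 digits
that passes the Luhn check, and keeping only the first six and last four
digits is permitted by the reader's retention policy.
"""
import re

# Constructed pattern: a run of 13-19 digits, optionally separated by single
# spaces or dashes, not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> str:
    """Mask every Luhn-valid PAN in a line of text, e.g. before logging it."""
    def _sub(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return _CANDIDATE.sub(_sub, line)


def find_unmasked_pans(lines):
    """Return (line_no, masked_pan) for each line carrying a full PAN.

    A hit means some component wrote cardholder data where it should not;
    the PAN is reported masked so the finding itself does not leak it.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group(0))
            if luhn_ok(digits):
                hits.append((n, mask_pan(digits)))
    return hits


# Constructed sample log lines. 4111111111111111 and 5500000000000004 are
# well-known test card numbers that pass Luhn; the 13-digit order number
# on the first line does not, so it is not reported as a card number.
SAMPLE_LOG = [
    "2024-05-01 10:00:01 INFO checkout ok order=1234567890123 last4=1111",
    "2024-05-01 10:00:02 DEBUG raw request card=4111 1111 1111 1111 exp=12/26",
    "2024-05-01 10:00:03 INFO refund card=5500000000000004 amount=19.99",
]

if __name__ == "__main__":
    for n, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {n}: full card number found; store/log it as {masked}")
```

Run it as a script to see the two offending lines reported. `redact_line` is the function to put in front of whatever writes logs or database rows, so the full number never reaches disk; `find_unmasked_pans` is the periodic review that catches components which bypass it. The Luhn check is what keeps order numbers, timestamps and similar digit runs from being reported as card numbers.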

Common Compliance Mistakes

  • Storing card data unnecessarily: Don't store what you don't need
  • Weak passwords: Use strong, unique passwords everywhere
  • Outdated software: Keep everything updated
  • No encryption: Encrypt card data in transit and at rest
  • No access controls: Limit who can access card data
  • No logging: Log access to cardholder data
  • No security policy: Have written security policies

How to Achieve Compliance

1. Assess Your Current State

Understand how you currently handle card data and where you might be vulnerable.

2. Identify Which SAQ Applies

Determine which Self-Assessment Questionnaire (SAQ) applies to your business type.

3. Implement Required Controls

Put security controls in place to meet the 12 requirements.

4. Complete Your SAQ

Fill out the appropriate SAQ documenting your compliance.

5. Get a Network Scan

Have an Approved Scanning Vendor (ASV) scan your systems quarterly.

6. Submit Compliance Documentation

Submit your SAQ and scan results to your payment processor.

7. Maintain Compliance

Compliance is ongoing, not a one-time task. Maintain security controls and update documentation regularly.

Costs of Non-Compliance

Failing to comply can result in:

  • Fines: $5,000 to $100,000 per month until compliant
  • Loss of ability to accept cards: Card companies can terminate your merchant account
  • Liability: You may be liable for fraud losses
  • Reputation damage: Breaches hurt customer trust
  • Legal costs: Lawsuits from affected customers

Benefits of Compliance

Beyond avoiding fines, compliance provides:

  • Better security: Protects your business and customers
  • Customer trust: Customers trust secure businesses
  • Reduced liability: Lower risk if a breach occurs
  • Business reputation: Demonstrates you take security seriously

Get PCI Compliant Today

Don't risk fines or lose your ability to accept card payments. Contact us to discuss how we can help you achieve and maintain PCI compliance.