PCI Compliance Requirements Explained Simply
If your business accepts credit card payments, you need to comply with PCI-DSS. Here's what that means in simple terms.
Important Disclaimer:
NHM LLC is not a QSA (Qualified Security Assessor). This page provides general information about PCI compliance requirements for educational purposes only and does not constitute professional PCI compliance assessment or certification services.
What is PCI-DSS?
PCI-DSS (Payment Card Industry Data Security Standard) is a set of security standards created by major credit card companies (Visa, Mastercard, American Express, Discover) to protect cardholder data. If you accept, process, store, or transmit credit card information, you must comply.
Who Needs to Comply?
Every business that:
- Accepts credit or debit card payments
- Stores cardholder data
- Processes card payments
- Transmits card data
This includes retailers, restaurants, e-commerce sites, service businesses, and anyone who takes card payments.
Compliance Levels
There are four compliance levels based on transaction volume:
Level 1: Over 6 million transactions per year - annual on-site assessment required
Level 2: 1-6 million transactions per year - annual self-assessment questionnaire (SAQ)
Level 3: 20,000-1 million e-commerce transactions per year - annual SAQ
Level 4: Less than 20,000 e-commerce transactions or up to 1 million total transactions per year - annual SAQ
Most small businesses are Level 3 or 4 and can complete a Self-Assessment Questionnaire (SAQ).
The Standard
The 12 PCI Requirements (Simplified)
1. Install and maintain firewall configuration
Use firewalls to protect your network and card data.
2. Don't use vendor-supplied defaults
Change default passwords and security settings on all systems.
3. Protect stored cardholder data
If you store card data, encrypt it. Better yet, don't store it if you don't need to.
4. Encrypt transmission of card data
Use encryption (SSL/TLS) when transmitting card data over public networks.
5. Use and regularly update antivirus software
Keep antivirus software updated on all systems that handle card data.
6. Develop and maintain secure systems
Keep software updated and patch security vulnerabilities promptly.
7. Restrict access to cardholder data
Only give access to employees who need it for their job.
8. Assign unique IDs to each person
No shared accounts. Each person gets their own login credentials.
9. Restrict physical access
Secure physical access to areas where card data is stored or processed.
10. Track and monitor access
Log access to cardholder data and review logs regularly.
11. Regularly test security systems
Test security systems and processes regularly.
12. Maintain a security policy
Have written security policies that employees must follow.
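Requirements 3 and 10 above come together in one practical check: full card numbers (PANs) have a habit of leaking into application logs and debug output, which turns a log file into stored cardholder data. The script below is an added example and is not part of the original page. It scans log text for digit runs that pass the Luhn check (the checksum every payment card number satisfies), reports where they appear, and masks them so only the last four digits remain. The log lines are constructed for this example; the card numbers in them are the widely published test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid candidate card numbers found in text, digits only."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid candidate in text with its masked form."""
    def repl(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number (e.g. an order id): leave it
    return CANDIDATE.sub(repl, text)


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every PAN found in a log."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((line_no, mask_pan(pan)))
    return hits


# Constructed sample log lines. The order id on line 1 is 13 digits but fails
# Luhn; line 3 carries a number that differs from a valid PAN by one digit.
SAMPLE_LOG = """\
2024-03-01T10:15:02 INFO checkout ok order=1234567890123 card=4111 1111 1111 1111
2024-03-01T10:15:09 DEBUG gateway payload pan=5555555555554444 exp=12/26
2024-03-01T10:16:44 INFO refund ref=4111111111111112 amount=19.99
"""

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: PAN present, masked as {masked}")
    print(mask_pans(SAMPLE_LOG))
```

Run it over a real log export and any hit is a finding: the logging that produced it should be changed so the PAN is never written, and the affected files handled as cardholder data until they are purged. The Luhn filter is what keeps order numbers and timestamps from being reported as cards, but it is a screen, not proof, so review hits by hand.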
How to Achieve Compliance
1. Assess Your Current State
Understand how you currently handle card data and where you might be vulnerable.
2. Identify Which SAQ Applies
Determine which Self-Assessment Questionnaire (SAQ) applies to your business type.
3. Implement Required Controls
Put security controls in place to meet the 12 requirements.
4. Complete Your SAQ
Fill out the appropriate SAQ documenting your compliance.
5. Get a Network Scan
Have an Approved Scanning Vendor (ASV) scan your systems quarterly.
6. Submit Compliance Documentation
Submit your SAQ and scan results to your payment processor.
7. Maintain Compliance
Compliance is ongoing, not a one-time task. Maintain security controls and update documentation regularly.
Costs of Non-Compliance
Failing to comply can result in:
- Fines: $5,000 to $100,000 per month until compliant
- Loss of ability to accept cards: Card companies can terminate your merchant account
- Liability: You may be liable for fraud losses
- Reputation damage: Breaches hurt customer trust
- Legal costs: Lawsuits from affected customers
Benefits of Compliance
Beyond avoiding fines, compliance provides:
Get PCI Compliant Today
Don't risk fines or losing your ability to accept card payments. Contact us to discuss how we can help you achieve and maintain PCI compliance.
