PCI Compliance Requirements Explained Simply
If your business accepts card payments, your merchant agreement likely requires you to follow PCI DSS. Here's what that means in simple terms.
Important Disclaimer:
NHM LLC is not a QSA (Qualified Security Assessor). This page provides general information about PCI compliance requirements for educational purposes only and does not constitute professional PCI compliance assessment or certification services. Your payment processor, acquiring bank, card brands, QSA, or legal/compliance advisor determines your specific validation obligations.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards created by the major credit card companies (Visa, Mastercard, American Express, Discover) to protect cardholder data. If you accept, process, store, or transmit credit card information, you must comply.
Who Needs to Comply?
Every business that:
- Accepts credit or debit card payments
- Stores cardholder data
- Processes card payments
- Transmits card data
This includes retailers, restaurants, e-commerce sites, service businesses, and anyone who takes card payments.
Compliance Levels
Merchant validation levels vary by card brand, payment processor, and transaction volume. As a simplified example, higher-volume merchants may require annual assessments, while many smaller merchants validate with an SAQ. Confirm your exact level and validation steps with your acquiring bank or processor.
- Level 1: Over 6 million transactions per year - annual on-site assessment required
- Level 2: 1 to 6 million transactions per year - annual Self-Assessment Questionnaire (SAQ)
- Level 3: 20,000 to 1 million e-commerce transactions per year - annual SAQ
- Level 4: Fewer than 20,000 e-commerce transactions, or up to 1 million total transactions per year - annual SAQ
Most small businesses are Level 3 or 4 and can complete a Self-Assessment Questionnaire (SAQ).
The Standard
The 12 PCI Requirements (Simplified)
1. Install and maintain a firewall configuration
Use firewalls to protect your network and card data.
2. Don't use vendor-supplied defaults
Change default passwords and security settings on all systems.
3. Protect stored cardholder data
If you store card data, encrypt it. Better yet, don't store it if you don't need to.
4. Encrypt transmission of card data
Use strong encryption (current TLS versions; SSL and early TLS are no longer considered secure under PCI DSS) when transmitting card data over open, public networks.
5. Use and regularly update antivirus software
Keep antivirus software updated on all systems that handle card data.
6. Develop and maintain secure systems
Keep software updated and patch security vulnerabilities promptly.
7. Restrict access to cardholder data
Only give access to employees who need it for their job.
8. Assign unique IDs to each person
No shared accounts. Each person gets their own login credentials.
9. Restrict physical access
Secure physical access to areas where card data is stored or processed.
10. Track and monitor access
Log access to cardholder data and review logs regularly.
11. Regularly test security systems
Test security systems and processes regularly.
12. Maintain a security policy
Have written security policies that employees must follow.
How to Work Toward PCI DSS Validation
Assess Your Current State
Understand how you currently handle card data and where you might be vulnerable.
Identify Which SAQ Applies
Determine which Self-Assessment Questionnaire (SAQ) applies to your business type.
Implement Required Controls
Put security controls in place to meet the 12 requirements.
Complete Your SAQ
Fill out the appropriate SAQ documenting your compliance.
Check Scan Requirements
If you have in-scope internet-facing systems, arrange required external vulnerability scans with an Approved Scanning Vendor (ASV), typically quarterly and after significant changes.
Submit Compliance Documentation
Submit your SAQ and scan results to your payment processor.
Maintain Compliance
Compliance is ongoing, not a one-time task. Maintain security controls and update documentation regularly.
Costs of Non-Compliance
Failing to comply can result in:
- Loss of ability to accept cards: Card companies can terminate your merchant account
- Liability: You may be liable for fraud losses
- Reputation damage: Breaches hurt customer trust
- Legal costs: Lawsuits from affected customers
Benefits of Compliance
Beyond avoiding fines, compliance provides:
Get PCI DSS Support
Don't risk payment disruption or unclear card-data obligations. Contact us to discuss how we can help you implement PCI DSS security controls, prepare SAQ documentation, and coordinate with your processor or assessor where needed.
