
Understanding PCI Compliance


Understanding PCI compliance is essential for any business that accepts card payments, but what is PCI compliance? PCI DSS (Payment Card Industry Data Security Standard) is a set of standards established by the PCI Security Standards Council with the aim of protecting credit card data and reducing the risk of fraud.

Any business that accepts card payments must comply with the guidelines and requirements the standard sets, which means handling and storing cardholders’ information, including card details, in a way that keeps it secure.

PCI Compliance Covers 6 Main Areas:

Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall
  • Don’t use vendor defaults for passwords and security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data

Maintain a Vulnerability Management Program

  • Protect against malware and regularly update anti-virus software
  • Develop and maintain security systems and applications

Implement Strong Access Control Measures

  • Restrict cardholder data on a need-to-know basis
  • Identify and authenticate access to systems
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel

Who Is Subject to PCI Compliance?

The PCI Council created PCI Self-Assessment Questionnaires (SAQs) to validate your compliance. There are four different levels of PCI compliance. Which level your organization must meet is based primarily on the volume of credit card transactions you process in a 12-month period.

Level 1

Organizations that process more than 6 million transactions annually via Visa or MasterCard, or more than 2.5 million via American Express; or that have experienced a data breach; or that are deemed Level 1 by a card association such as Visa, MasterCard or Amex.

Level 1 PCI DSS Requirements:

Level 2

Organizations that process between 1 million and 6 million transactions annually.

Level 2 PCI DSS Requirements:

Level 3

Organizations that process between 20,000 and 1 million online transactions annually, or that process fewer than 1 million total transactions annually.

Level 3 PCI DSS Requirements:

Level 4

Organizations that process fewer than 20,000 online transactions annually, or that process 1 million or fewer total transactions annually.

Level 4 PCI DSS Requirements:

Page 18 of the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire will help you choose the right SAQ (Self-Assessment Questionnaire) and AOC (Attestation of Compliance) for your organization.

PCI Compliance May Not Cover All Requirements

To find out more about what payment compliance means for your business, read Payment Processing Compliance Explained.


Photo by Sora Shimazaki for Pexels.
