PCI Compliance
Quick Definition
A set of security standards (PCI DSS) that any business accepting credit card payments must follow to protect cardholder data from breaches and fraud.
What Is PCI Compliance?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, Amex, Discover, JCB), to protect credit card data. If your business accepts, processes, stores, or transmits credit card information in any way, you must be PCI compliant. There are no exceptions based on business size.
The standard is organized into 12 requirements across six categories: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. For most small businesses, the practical requirements boil down to: use a PCI-compliant payment processor (Square, Stripe, etc.), never store full card numbers in plain text (and preferably not at all; the security code and PIN may never be stored after authorization under any circumstances), keep your POS systems updated, use strong, unique passwords instead of vendor defaults, and complete an annual Self-Assessment Questionnaire (SAQ).
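A practical way to check the "never store card numbers" rule is to scan exports, spreadsheets and logs for stored card numbers. The following Python scanner is an added example written for this page; it is not code from the page or from Holdings, Square or Stripe. It finds 13 to 19 digit runs, drops anything that fails the Luhn check (which every real card number passes), matches the survivors against commonly published prefix ranges for the four brands the page names (an assumption, not an official list), and reports them with only the first six and last four digits visible, the most PCI DSS permits to display. The CSV sample is constructed and uses the brands' public test numbers.

```python
import re
from typing import Dict, List, Optional

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; every real PAN passes it, so failures
    are order numbers, phone numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Map a digit string to a brand by leading digits and length.
    Assumption: the commonly published IIN ranges for these four brands."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "Amex"
    if n in (16, 19) and (digits.startswith("6011") or digits.startswith("65")):
        return "Discover"
    return None


def mask_pan(digits: str) -> str:
    """Keep at most the first 6 and last 4 digits (the PCI DSS display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Scan text line by line and report Luhn-valid, brand-matching PANs, masked."""
    hits: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue
            brand = brand_of(digits)
            if brand is None:
                continue
            hits.append({"line": line_no, "brand": brand, "masked": mask_pan(digits)})
    return hits


# Constructed sample: what a phone-order "spreadsheet" export might look like.
# The card numbers are the brands' public test numbers, not real accounts;
# line 1004 carries a 16-digit order reference that fails the Luhn check.
SAMPLE_CSV = """\
order_id,customer,card,phone
1001,J. Smith,4111 1111 1111 1111,555-123-4567
1002,A. Jones,5555-5555-5555-4444,555-987-6543
1003,B. Lee,378282246310005,555-555-0100
1004,C. Wu,4111111111111112,555-000-1111
1005,D. Diaz,6011111111111117,555-222-3333
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_CSV):
        print(f"line {hit['line']}: {hit['brand']} PAN {hit['masked']}")
```

Run against a real file export, any hit means cardholder data is being stored outside your processor and needs to be deleted or moved into a compliant system; the scanner never prints a full number, so its own output does not become another copy of the data.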
Merchant levels are set by each card brand based on annual transaction volume. Using Visa's thresholds, they range from Level 1 (over 6 million transactions per year, which requires an annual on-site assessment by a Qualified Security Assessor) to Level 4 (under 20,000 e-commerce transactions or up to 1 million total transactions per year, which requires an annual SAQ). Most small businesses are Level 4, the simplest level. Many modern payment processors handle most of the compliance burden for you: when you use Stripe's or Square's hosted payment forms, card data goes straight from the customer's browser or terminal to the processor and never touches your servers, which dramatically reduces your PCI scope and the length of the SAQ you have to complete.
Why It Matters for Small Businesses
Non-compliance can be devastatingly expensive. If a data breach occurs and you are not PCI compliant, you face fines from the card networks ($5,000-$100,000 per month), the cost of the breach itself (forensic investigation, customer notification, and credit monitoring, averaging $150+ per compromised record), potential lawsuits from affected customers, and loss of the ability to accept credit cards. Even without a breach, non-compliant businesses may be charged monthly non-compliance fees by their payment processor ($20-$100 per month). The good news is that for most small businesses using modern POS systems and hosted payment forms, achieving compliance is straightforward and mostly handled by your payment processor.
Example
Kate runs a boutique with both a physical store and an online shop. Her physical POS (Square) is PCI compliant: Square's terminal handles all card data processing. For her online store, she uses Stripe's hosted checkout form, so card numbers go directly to Stripe's servers and never touch Kate's website. She completes her annual SAQ A (the shortest form, for card-not-present merchants who outsource all card processing) for the online channel in about 30 minutes; the in-store terminal falls under a separate, similarly short SAQ for validated terminal solutions, which Square's hardware keeps simple. Total cost of PCI compliance: $0 (Square and Stripe include compliance in their service). Contrast this with a restaurant that stores card numbers in an Excel spreadsheet for phone orders: one breach could cost $50,000+ in fines and remediation, plus the loss of customer trust.
Key Takeaways
- Every business accepting credit cards must be PCI compliant, with no exceptions by size
- Use a PCI-compliant processor (Square, Stripe, etc.) that handles card data for you
- Never store credit card numbers in spreadsheets, notebooks, or unencrypted files, and never store security codes (CVV) at all
- Complete your annual Self-Assessment Questionnaire; it takes 30-60 minutes for most small businesses
How Holdings Helps
Holdings is fully PCI compliant and handles cardholder data security so you don't have to โ one less compliance headache for your business.
Related Terms
Payment Processing Fees
The fees you pay every time a customer pays by credit card, debit card, or digital payment, typically 1.5-3.5% of the transaction amount plus a flat per-transaction fee.
Chargeback
A forced reversal of a credit card payment initiated by the cardholder's bank, usually due to a dispute over the transaction; the merchant loses the sale amount plus a penalty fee.
Business License / Occupancy Permit
Government-issued permits that authorize you to operate a business in a specific location and comply with local zoning and safety regulations.
General Liability vs Professional Liability
General liability covers physical injuries and property damage caused by your business; professional liability (E&O) covers financial losses caused by your professional mistakes or negligence.