PCI Compliance
PCI Compliance Definition
PCI compliance refers to meeting the security standards set by the Payment Card Industry Data Security Standard (PCI DSS). If your business accepts, processes, stores, or transmits credit card information, you're required to follow these standards. PCI compliance protects your customers' card data from breaches and fraud.
PCI Compliance in Practice — Example
An online boutique owner processes about 500 credit card transactions per month through Shopify. To maintain PCI compliance, she uses Shopify's built-in payment processing (which keeps card data off her own systems and handles most PCI requirements), ensures her website uses HTTPS, never stores card numbers in spreadsheets, emails, support tickets or logs, and completes an annual Self-Assessment Questionnaire (SAQ). Her payment processor confirms her compliance status each year.
Why PCI Compliance Matters for Your Business
A data breach can destroy a small business. Beyond the direct costs of a breach — which average over $100,000 for small companies — you face potential fines from card networks, lawsuits from affected customers, and devastating reputational damage.
PCI compliance isn't just a checkbox — it's the minimum standard for protecting your customers and your business. Non-compliance can result in fines of $5,000 to $100,000 per month from card brands, and your payment processor can terminate your account entirely. Most small businesses achieve compliance easily by using reputable payment processors that handle the heavy lifting.
How PCI Compliance Works
PCI DSS has 12 core requirements organized into six goals:
| Goal | Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain firewalls / network security controls 2. Don't use vendor-supplied defaults (default passwords and settings) |
| Protect Cardholder Data | 3. Protect stored cardholder data 4. Encrypt cardholder data in transit over open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware 6. Develop and maintain secure systems and software |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know 8. Identify and authenticate every user 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Log and monitor all access to network resources and cardholder data 11. Test security systems and processes regularly |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
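Requirement 3 is where small merchants most often slip: a full card number (PAN) pasted into a support ticket, a spreadsheet or an application log pulls that system into PCI scope. The scanner below is an added example, not code from this page or from any payment processor. It finds card-number-shaped digit runs in text, drops look-alikes (order and tracking numbers) with the Luhn check that real card numbers satisfy, and masks hits to the first six and last four digits, the most PCI DSS 3.2.1 allowed to be displayed. The sample lines are constructed for the example and use published test card numbers, not real cards.

```python
"""
PAN discovery and masking for PCI DSS Requirement 3 (protect stored cardholder data).
Scans text (logs, exports, chat transcripts) for card numbers, confirms candidates
with the Luhn checksum to drop look-alike numbers, and masks hits to first six / last four.
Added example: not the page's or any processor's code.
"""
import re
from typing import List, Tuple

# Constructed sample data: an application log and a support note. The two card
# numbers are published test PANs (Visa 4111..., Mastercard 5555...), not real cards.
SAMPLE_LINES = [
    "2024-03-02 10:14:01 order=8813 customer=jane@example.com pan=4111111111111111 status=ok",
    "2024-03-02 10:15:22 order=8814 token=tok_9f3a2c last4=4242 status=ok",
    "support note: customer read card 5555 5555 5555 4444 over the phone, exp 09/27",
    "2024-03-02 10:16:05 order=8815 tracking=1234567890123456 carrier=ups",
]

# 13-19 digits, optionally separated by single spaces or dashes (how people type PANs).
# Digit lookarounds stop us matching the middle of a longer digit run; a run longer
# than 19 digits would only be matched on its first 19 digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four digits, the PCI DSS 3.2.1 display maximum."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card-number candidate in text, separators removed."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scrub_line(line: str) -> str:
    """Replace each Luhn-valid PAN in line with its masked form; leave everything else intact."""
    def _repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _CANDIDATE.sub(_repl, line)


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, masked PAN) for every PAN found, for a findings report."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    # Report where PANs were found without ever printing a full card number.
    for line_no, masked in scan(SAMPLE_LINES):
        print(f"line {line_no}: PAN present, masked {masked}")
    print("scrubbed:", scrub_line(SAMPLE_LINES[2]))
```

Running it flags lines 1 and 3 only: the tokenised order on line 2 is the pattern you want (only a processor token and the last four digits touch your systems), and the 16-digit tracking number on line 4 is rejected by the Luhn check. Point the same functions at exported tickets, log archives and spreadsheets to find out whether "we don't store card numbers" is actually true before you sign the SAQ.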
Your merchant level depends on annual transaction volume (the thresholds below are Visa's; the other card brands use similar tiers), and your acquiring bank decides what you must submit to validate:
| Level | Annual Transactions | Validation Requirement |
|---|---|---|
| Level 4 | Under 20,000 e-commerce (or up to 1 million across all channels) | Annual SAQ; quarterly external scans by an Approved Scanning Vendor (ASV) if your acquirer requires them |
| Level 3 | 20,000 – 1 million e-commerce | Annual SAQ + quarterly ASV scans |
| Level 2 | 1 – 6 million | Annual SAQ + quarterly ASV scans |
| Level 1 | Over 6 million | Annual on-site assessment by a Qualified Security Assessor (Report on Compliance) + quarterly ASV scans |
PCI Compliance vs SOC 2
PCI compliance specifically covers credit card data security and is mandatory for any business accepting card payments. SOC 2 is an AICPA attestation report on a service organization's controls for security, availability, processing integrity, confidentiality and privacy; it is contractual rather than mandated, and customers typically ask for it. A business might need both if it processes payments and provides SaaS services.
FAQ
Q: Do I need PCI compliance if I use a third-party payment processor?
A: Yes, but your scope is greatly reduced. Using processors like Stripe or Square means they handle most PCI requirements. You still need to complete an SAQ confirming you follow basic security practices, and which SAQ depends on how you integrate: if card entry is fully outsourced (a redirect or a hosted payment field the processor serves), the short SAQ A applies; if your own site serves the payment page and posts card data to the processor, the longer SAQ A-EP applies; if card data ever passes through your servers, you are in SAQ D and most of the 12 requirements apply to you directly.
Q: What happens if I'm not PCI compliant?
A: You risk fines from card networks ($5,000-$100,000/month), increased transaction fees, and potential loss of your ability to accept card payments. If a breach occurs, liability costs multiply.
Related Terms
Bank reconciliation is the process of comparing your internal accounting records with your bank statement to make sure they match. When they don't — and they often won't — you identify the differences (outstanding checks, pending deposits, bank fees, errors) and adjust your records accordingly. It's
Net profit margin is the percentage of revenue that remains as profit after all expenses have been deducted. It tells you how many cents of every dollar in revenue your business actually keeps as profit. A 15% net profit margin means you keep $0.15 of every $1 earned.
ACH (Automated Clearing House) is an electronic network for processing financial transactions in the United States. It handles direct deposits, bill payments, and bank-to-bank transfers in batches, making it a low-cost alternative to wire transfers and paper checks.
A remittance is a transfer of money, typically sent to another party as payment for goods, services, or obligations. The term is most commonly used for international money transfers — when someone sends money across borders. In business, remittance also refers to the payment information sent alongsi
