PCI Compliance
PCI Compliance Definition
PCI compliance refers to meeting the security standards set by the Payment Card Industry Data Security Standard (PCI DSS). If your business accepts, processes, stores, or transmits credit card information, you're required to follow these standards. PCI compliance protects your customers' card data from breaches and fraud.
PCI Compliance in Practice — Example
An online boutique owner processes about 500 credit card transactions per month through Shopify. To maintain PCI compliance, she uses Shopify's built-in payment processing (which handles most PCI requirements), ensures her website uses HTTPS, doesn't store card numbers in any spreadsheets or emails, and completes an annual Self-Assessment Questionnaire (SAQ). Her payment processor confirms her compliance status each year.
Why PCI Compliance Matters for Your Business
A data breach can destroy a small business. Beyond the direct costs of a breach — which average over $100,000 for small companies — you face potential fines from card networks, lawsuits from affected customers, and devastating reputational damage.
PCI compliance isn't just a checkbox — it's the minimum standard for protecting your customers and your business. Non-compliance can result in fines of $5,000 to $100,000 per month from card brands, and your payment processor can terminate your account entirely. Most small businesses achieve compliance easily by using reputable payment processors that handle the heavy lifting.
How PCI Compliance Works
PCI DSS has 12 core requirements organized into six categories:
| Category | Requirements |
|---|---|
| Build Secure Network | 1. Install firewalls; 2. Change default passwords |
| Protect Cardholder Data | 3. Protect stored data; 4. Encrypt transmissions |
| Manage Vulnerabilities | 5. Use antivirus; 6. Maintain secure systems |
| Access Control | 7. Restrict data access; 8. Authenticate users |
| Monitor & Test | 9. Restrict physical access; 10. Track and log access |
| Security Policy | 11. Test systems regularly; 12. Maintain security policy |
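Requirement 3 (protect stored data) and the boutique example's rule of never letting card numbers land in spreadsheets, emails or logs are easier to enforce with a simple scanner. The block below is an added example, not part of the original page or of any payment processor's tooling: it finds candidate card numbers (PANs) in free text, confirms them with the Luhn mod-10 check that real card numbers satisfy, and masks them down to the last four digits before the text is written anywhere. The regular expression and the sample log lines are constructed for this example; the card numbers used are the publicly known Visa and Mastercard test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. Constructed for this example; production
# scanners usually also check issuer prefixes (BIN ranges).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn mod-10 check.

    Every second digit from the right is doubled (subtracting 9 if the result
    exceeds 9) and the total must be divisible by 10. Order numbers and other
    random digit runs fail this test almost always, which keeps false positives low.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip separators so '4111 1111 1111 1111' and '4111-1111-...' compare equal."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid card number with asterisks plus its last four digits.

    Non-card digit runs (order ids, phone numbers) are left untouched.
    """
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = _normalize(raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw
    return PAN_CANDIDATE.sub(_mask, text)


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Report (line number, masked line) for every line that contains a card number."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if find_pans(line):
            hits.append((n, mask_pans(line)))
    return hits


if __name__ == "__main__":
    # Constructed sample lines, e.g. from a support mailbox export or app log.
    sample = [
        "2024-05-01 order 1234567890123456 shipped to customer 42",
        "customer emailed: please charge 4111 1111 1111 1111 instead",
        "refund note: card 5555-5555-5555-4444 exp 12/26",
        "callback number 555-123-4567",
    ]
    for n, masked in scan_lines(sample):
        print(f"line {n} contained a card number -> {masked}")
```

Run this over any file that is about to be stored or emailed; a hit means cardholder data is leaving the payment processor's environment and entering your own scope. Masking to the last four digits is the form most receipts and support tools already use, so the redacted line stays useful for customer lookups without being a stored PAN.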
Your compliance level depends on transaction volume:
| Level | Annual Transactions | Requirement |
|---|---|---|
| Level 4 | Under 20,000 (e-commerce) | SAQ + quarterly scans |
| Level 3 | 20,000 – 1 million | SAQ + quarterly scans |
| Level 2 | 1 – 6 million | SAQ + quarterly scans |
| Level 1 | Over 6 million | Annual on-site audit |
PCI Compliance vs SOC 2
PCI compliance specifically covers credit card data security and is mandatory for any business accepting card payments. SOC 2 is a broader security framework for service organizations that covers data handling practices in general. A business might need both if it processes payments and provides SaaS services.
FAQ
Q: Do I need PCI compliance if I use a third-party payment processor?
A: Yes, but your scope is greatly reduced. Using processors like Stripe or Square means they handle most PCI requirements. You still need to complete an SAQ confirming you follow basic security practices.
Q: What happens if I'm not PCI compliant?
A: You risk fines from card networks ($5,000-$100,000/month), increased transaction fees, and potential loss of your ability to accept card payments. If a breach occurs, liability costs multiply.
Related Terms
Net income is the total profit your business earns after subtracting all expenses — including operating costs, interest, taxes, depreciation, and amortization — from total revenue. It's the "bottom line" on your income statement and the most comprehensive measure of your business's profitability.
Accounts receivable (AR) is the money owed to your business by customers who have received goods or services but haven't paid yet. It's listed as a current asset on your balance sheet because it represents cash you expect to collect soon.
A credit memo (or credit memorandum) is a document issued by a seller to a buyer that reduces the amount the buyer owes. It's essentially the opposite of an invoice — instead of requesting payment, it acknowledges that money is owed back to the customer. Credit memos are used for returns, billing er
An EIN (Employer Identification Number), also called a Federal Tax ID Number, is a unique nine-digit number assigned by the IRS to identify your business for tax purposes. It's formatted as XX-XXXXXXX and is required for hiring employees, opening business bank accounts, filing tax returns, and estab