What is PCI Compliance? How to Secure Your Payment Environment

Last year, the average data breach in the US cost businesses $4.35 million—the highest total cost ever, up from $4.24 million in 2021 and $3.86 million in 2020.

As these incidents become increasingly commonplace, it’s important for organizations—particularly merchants with ecommerce operations and interact with sensitive payment information—not to get complacent when it comes to their security measures. Finance teams especially have a part to play in keeping their customers’ data safe, as stewards of the company’s payment flows.

Data breaches take many shapes, with sensitive payment information—like cardholder data—often being exposed. While it’s impossible to guarantee that your business will never fall victim to a breach, by adhering to PCI compliance requirements, you can minimize the likelihood that it will happen.

When it comes to handling customers’ credit card information, the Payment Card Industry Security Standards Council (PCI SSC) has established rules that businesses must follow to ensure basic protection for consumers and minimize chances of fraud or breaches occurring within the payment ecosystem.

In this guide, you’ll learn what it means to be PCI compliant, how to become PCI compliant, and how to maintain payment security compliance.

Jump to a section of interest:

• Section 1—What is PCI compliance?
• Section 2—What is the PCI Security Standards Council?
• Section 3—What are the 4 levels of PCI compliance?
• Section 4—What are the PCI DSS self-assessment questionnaires?
• Section 5—How to become PCI compliant?
• Section 6—What are the risks of not adhering to PCI compliance requirements?
• Section 7—Why should you partner with a secure ERP-embedded payment processor?

What is PCI compliance?

PCI compliance refers to whether a merchant adheres to the technical and operational requirements established by the PCI SSC to ensure safe handling of cardholder data.

PCI compliance focuses on three core elements of merchants’ business:

1. How merchants obtain and handle sensitive credit card data from their customers—and how those details are collected and securely transmitted.
2. How merchants securely store credit card data, including their processes for encrypting, monitoring, and security testing access to credit card data.
3. How merchants continuously monitor and ensure security controls—forms, questionnaires, vulnerability scanning services, audits, etc.—are in place.

1. How merchants obtain and handle credit card data:

To ensure the highest level of security, it’s best if customers’ payment information never touches your servers. Using a PCI compliant third-party payment processing software that securely tokenizes customers’ payment information (meaning the data is turned into a random string of characters so that it can’t be viewed) is a great way to minimize your contact with sensitive data.

2. How merchants store credit card data:

The goal of the PCI Data Security Standards—more on this below—is to minimize the scope of the cardholder data environment. This means that all the people, processes, and technologies that store, process, or transmit credit card information have been pared down to only those most vital to facilitating transactions.

Here are some examples of what’s considered in-scope for PCI compliance:

• The card readers you use to accept in-person payments
• Your point of sale systems
• Any networks or wireless access routers used to send payment information
• Anywhere payment card data is stored or transmitted (includes paper-based records)
• Applications and software used to accept payments online

Anything that comes into contact with cardholder data at any point is considered in-scope for PCI compliance. Because anything within the payment ecosystem that touches cardholder data must be confirmed as compliant with PCI guidelines, it’s in your best interest to limit which people, devices, and systems have access to sensitive cardholder or authentication information for the sheer benefit of making things easier on your team.

3. How merchants continuously monitor security controls:

PCI compliance is an ongoing effort, requiring businesses to give evidence that they’re meeting required security protocols annually. It’s important to understand that security is not a one and done process—systems need to be continuously monitored for potential vulnerabilities, and as cyber threats continue to evolve so should your defense methods.

What is the PCI Security Standards Council?

The PCI SSC was established in 2006 when five of the major credit card brands—Visa, Mastercard, American Express, Discover, and Japan Credit Bureau—came together to create global standards for how companies should manage credit card data. Prior to this, each of the card brands kept their own separate sets of requirements.

The PCI Data Security Standards—what PCI DSS stands for—are the rules established to govern how businesses manage cardholder data to ensure secure payment processing. These are updated every three years. Rather than the PCI SSC, it’s the card brands and acquiring banks who handle enforcing PCI compliance.

The most recent version of the standards is PCI DSS v4.0. (Click here for a full list of what’s new.) This version looks to:

• Meet the evolving security needs of the payment industry
• Promote security as a continuous process
• Add flexibility for different methodologies
• Enhance validation methods

Who does PCI DSS apply to?

If your business receives income from cards—debit, credit, prepaid, etc.—you are responsible for PCI compliance. Even if everything is outsourced.

• Official PCI Security Standards Council response—The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data. If you accept or process payment cards, PCI DSS applies to you.

What are the 4 levels of PCI compliance?

There are varying levels of PCI compliance requirements (with Level 1 being the most stringent and Levels 2 to 4 having fewer requirements) based on factors like the volume of credit card transactions your business processes annually. Here’s a breakdown of what each of these PCI levels mean:

PCI level 1:

This is the highest level of PCI compliance security requirements, intended for merchants that process over 6 million credit card transactions every year.

PCI level 2:

This PCI compliance level is intended for merchants that process between 1 and 6 million credit card transactions every year.

PCI level 3:

This PCI compliance level is intended for merchants that process between 20,000 and 1 million ecommerce transactions every year.

PCI level 4:

This PCI compliance level is intended for merchants that process fewer than 20,000 ecommerce transactions or up to 1 million total transactions (regardless of the payment acceptance channel) yearly.

Below are a series of charts further explaining each PCI compliance level:

More advice about PCI levels:

• If a merchant experiences a data breach that results in account data being compromised, they may have to adhere to a higher level of PCI compliance security requirements, regardless of how many card transactions they process.
• Merchants within Level 1 must be assessed by a third party to be considered PCI compliant (through what’s known as a Qualified Security Assessor), while merchants in Levels 2 to 4 can self-evaluate their PCI compliance through a Self-Assessment Questionnaire (SAQ)—more on this below.
• To validate that your business is PCI compliant, you’ll need to fill out an SAQ every year. The specific SAQ form you complete will depend on the environment you accept credit cards in—face-to-face, ecommerce, or by mail or telephone (also known as “card-not-present”)—and the method used to send the information (e.g., via the internet or not). For every payment environment you support, you’ll fill out a separate SAQ. To receive a passing mark for PCI compliance means you’ve met 100% of the criteria outlined in your respective SAQ.
• For the most up-to-date PCI compliance information for individual card networks, click on your preferred card brand:
  • Visa
  • Mastercard
  • American Express

What are the PCI DSS self-assessment questionnaires?

There are nine different SAQ forms. If you want to be PCI compliant, you’ll need to fill out a separate form for every payment integration method:

1. SAQ A
2. SAQ A-EP
3. SAQ B
4. SAQ B-IP
5. SAQ C-VT
6. SAQ C
7. SAQ P2PE-HW
8. SAQ D (for merchants)
9. SAQ D (for service providers)

1. SAQ A

You’ll fill out this form if you accept payments through card-not-present (ecommerce or mail telephone order), where you outsource all cardholder data functions to a secure third party and you don’t store, process, or send cardholder data on your systems or premises.

2. SAQ A-EP

You’ll fill out this form if you accept payments through ecommerce channels, where your website doesn’t directly receive cardholder data, you outsource all payment processing to a secure third party, and you don’t store, process, or send cardholder data on your systems or premises.

3. SAQ B

You’ll fill out this form if you accept payments through imprint machines and/or card reader terminals that send data through a phone line and don’t store cardholder data.

4. SAQ B-IP

You’ll fill out this form if you accept payments through an internet-based standalone card reader terminal (not connected to other devices on the network) that doesn’t store cardholder data.

5. SAQ C-VT

You’ll fill out this form if you accept payments by entering a single transaction at a time manually or through a secure virtual terminal solution and you don’t electronically store cardholder data.

6. SAQ C

You’ll fill out this form if you accept payments through a payment application system connected to the internet (does not include ecommerce) installed on a computer and any accompanying devices like card readers and you don’t electronically store cardholder data.

7. SAQ P2PE-HW

You’ll fill out this form if you accept payments through a hardware payment terminal included in a PCI-validated solution with point-to-point encryption (P2PE) that doesn’t store cardholder data.

8. SAQ D (for Merchants)

You’ll fill out this form if you accept payments through a method not listed in the descriptions above.

9. SAQ D (for Service Providers)

You’ll fill out this form if you’re a service provider eligible to complete an SAQ.

How to become PCI compliant?

PCI compliance should be an ongoing effort year-round, beyond the annual certification. Even if your security measures passed an evaluation, if these are not continuously monitored, they could be out of compliance by the time your business is the target of a breach.

To assess and maintain payment security compliance is to ensure continuous effort. The PCI SSC describes PCI compliance as an ongoing three-step process:

1. PCI compliance step 1: Assess—Before your annual assessment, start by taking inventory of all your business’ IT systems and processes involved in handling card data or sensitive authentication data, looking for any potential vulnerabilities. You’ll want to document all the people, systems, and processes in scope for PCI compliance.
2. PCI compliance step 2: Remediate—When you discover vulnerabilities, you’ll want to address them right away—don’t wait until it’s too late. Only store cardholder data if it’s necessary, and in that event, take essential steps to secure that data.
3. PCI compliance step 3: Report—Diligently compile the required reports—either a Report on Compliance or a Self-Assessment Questionnaire, depending on the nature of your business and how you accept and process card payments—and submit them to the proper acquiring banks and card brands.

What are the 12 PCI DSS requirements?

The PCI Data Security Standards cover 12 requirements that must be followed by any business that accepts or processes credit card payments. The PCI SSC groups these requirements into six unique buckets—or goals:

Goal 1: To build and maintain a secure network

• PCI DSS Requirement 1: Install and maintain firewalls to protect cardholder data
• PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal 2: To protect cardholder data

• PCI DSS Requirement 3: Protect stored cardholder data
• PCI DSS Requirement 4: Encrypt transmission of cardholder data across any open or public network

Goal 3: To maintain a vulnerability management program

• PCI DSS Requirement 5: Use and regularly update anti-virus software or programs
• PCI DSS Requirement 6: Develop, maintain, and update secure systems and applications

Goal 4: To implement strong access control measures

• PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know
• PCI DSS Requirement 8: Assign a unique ID to each person with system access
• PCI DSS Requirement 9: Restrict physical access to cardholder data

Goal 5: To regularly monitor and test networks

• PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
• PCI DSS Requirement 11: Regularly test security systems and processes

Goal 6: To maintain an information security policy

• PCI DSS Requirement 12: Maintain a policy that addresses information security for employees and contractors

Below are a series of charts further explaining each PCI DSS requirement:

What are the risks of not adhering to PCI compliance requirements?

First: PCI compliance is mandatory if your business accepts credit card transactions. Those found to be PCI non-compliant are subject to fines and penalties and might lose the ability to process future credit card transactions.

Second: Although being PCI compliant doesn’t guarantee immunity from security incidents, there’s a noticeable trend of organizations being PCI non-compliant when experiencing a data breach.

In the mid-2010s, Verizon’s annual Payment Security report found that on average, of the studied companies that experienced a breach, 0% were compliant with PCI DSS at the time of the breach and 53% were confirmed to be non-compliant.

The costs of falling victim to a data breach can be considerable. If a breach involving stolen credit card information is traced back to your business, then you’re on the hook for any fines and fees associated with it (such as covering the losses and card replacement costs).

Beyond opening your business up to the potential for data breaches and the accompanying financial losses (not to mention the cost of mitigation efforts and lost sales), not meeting PCI compliance requirements can also mean:

• Losing customers’ trust—especially in case of a security breach. And the impact of customer experience on B2B payments is profound.
• Losing out on potential partnerships, as payment brands want to collaborate with companies that exemplify a commitment to security
• Damaging your brand’s reputation
• Negatively impacting buyers’ credit

While keeping your PCI compliance status up to date requires ongoing effort and prioritization from your team, the resulting protections for your business and your customers are indisputable.

Why should you partner with a secure ERP-embedded payment processor?

When you use a secure payment processor that can integrate directly with your enterprise resource planning (ERP) system, you’re able to minimize your team’s contact with sensitive payment information even further, as it’s tokenized and recorded automatically, without any manual intervention.

Versapay’s payment processing software integrates natively with leading ERPs like:

• NetSuite,
• Microsoft Dynamics 365, and
• Sage Intacct

This lets you accept payments from a variety of channels like ecommerce, point of sale, card-not-present, and over the phone. Versapay encrypts and tokenizes all payments across all channels, ensuring the data never touches your servers.

Versapay’s dedicated support team also works with you to ensure you’re following security best practices, offering their seasoned expertise to help you put controls in place to minimize potential impacts of fraudulent activity. PS—did you know that payment fraud detection capabilities can significantly boost customer experience?

In the global effort to prevent security breaches and data theft, PCI compliance is just the beginning. Investing in security—in and out of the payment environment—as a business-wide priority will help you protect your business and your customers in the long-term.

—

Want to deepen your understanding of the credit card processing lifecycle? Check out The Ultimate Guide to Credit Card Processing to learn exactly how credit card transactions are processed, understand the fees involved, and get tips for finding the best deal when looking for a payment processing solution.

Frequently asked questions about PCI compliance

1. What are the benefits of PCI compliance?

Being PCI compliant means being vigilant and ensuring there are no security gaps. This helps avoid theft of sensitive cardholder information, like social security numbers, driver’s license numbers, health information, etc.

PCI compliance is the industry standard, too, and those found to be non-compliant face substantial fines for violating the agreement and being negligent. Non-compliance leaves businesses vulnerable to payment—and other—fraud, data breaches, and theft.

2. Who must be PCI compliant?

If you generate revenue from debit, credit, prepaid—or any other type of—cards, then you must be PCI compliant. PCI compliance applies to all entities storing, processing, and/or transmitting cardholder data.

3. What are the PCI DSS compliance levels?

There are 4 PCI levels: Level 1, Level 2, Level 3, and Level 4. The PCI compliance requirements per level vary based on factors like credit card transaction volume processed annually.

4. Is there a PCI non-compliance fee?

Yes, there is a PCI non-compliance fee. They begin at $5,000.00 but can grow to $500,000.00 per incident. Additionally, businesses having compromised information must inform those affected individuals—in writing—that fraudulent charges might occur.

5. What does PCI DSS stand for?

PCI DSS stands for PCI Data Security Standards. These are the rules established to govern how businesses manage cardholder data to ensure secure payment processing.

About Versapay

Versapay is the leader in Collaborative Accounts Receivable. The Versapay Collaborative AR Network is the first solution that empowers the genius of teams by bridging the gap between suppliers and buyers through a shared, digital experience. Versapay is based in Toronto, Canada with offices in Atlanta and Miami, United States.