PCI Compliance Guide: Everything You Need to Know


Getting a card reader is just one of several requirements for processing card payments. Before you can swipe, dip, or tap a customer’s card, you need to ensure your business has security measures in place to prevent card information from being stolen.

The process of adopting these security measures is known as payment card industry (PCI) compliance, and it’s absolutely essential for every business that accepts card payments. Failure to achieve PCI compliance can result in penalties from your merchant account provider and leave your business exposed to data theft.

In this guide, we’ll explain what PCI compliance involves, including the costs, consequences, and tips to ensure your business is fully compliant.

Key Takeaways

  • PCI compliance involves meeting a set of 12 security requirements to protect customers’ card data from hacks. If your business accepts card payments in person, online, or over the phone, PCI compliance is mandatory.
  • Businesses fall into one of four PCI compliance levels depending on their card transaction volume. Each level has its own requirements for validating PCI compliance.
  • PCI compliance costs vary from a few hundred pounds to £40,000 per year, depending on the size of your business and your validation requirements.
  • Failure to comply with PCI requirements can result in steep penalties and leave your business vulnerable to costly data breaches.

What Is PCI Compliance?

PCI compliance refers to a set of 12 security standards (detailed below) that businesses must adopt in order to accept credit and debit card payments. They’re designed to protect customers’ card information against hacks and data breaches.

PCI compliance standards are written by the PCI Security Standards Council, an organisation created in 2006 by Visa, Mastercard, American Express, Discover, and JCB. The standards are enforced by merchant account providers.

Who Does PCI Compliance Apply To?

PCI compliance is required for all businesses that accept credit or debit card payments in any form. Compliance applies if you:

Even if your business only processes a few card transactions per month, you must still be PCI compliant. PCI compliance is also required regardless of whether you store customers’ card information or not.

The 12 Requirements for PCI Compliance

To be PCI compliant, your business’ card payments system must meet the following 12 requirements:

  1. Use firewalls: You must use a firewall on your business’ Wi-Fi network. A firewall prevents unauthorised access to your network and serves as the first line of defence against the theft of customers’ card data.
  2. Use strong passwords: You must not use the default password for software or equipment used to process card payments, such as routers, modems, and point-of-sale systems. In addition to changing the default passwords, you must keep a list of all devices and software that rely on passwords for security.
  3. Protect stored card data: Your business should only store essential cardholder data, such as card numbers needed to process recurring transactions. Any card data you store must be protected using encryption, and you must have a plan for the safe disposal of data that is no longer needed.
  4. Encrypt card data during transmission: When sending card data over public networks—such as sharing card information between devices—that data must be encrypted. Never send unencrypted card data by email, text, or a messaging app.
  5. Use antivirus software: You must use antivirus software on any devices that store customers’ card information and run periodic malware scans.
  6. Maintain secure systems: You must have processes in place for identifying and addressing software vulnerabilities. This could include installing updates, running antivirus scans, and requiring new passwords every few months.
  7. Restrict access to cardholder data: Cardholder data should only be accessible to employees who need to view it for a specific purpose. You can assign varying levels of permissions to different software users, and you must document who in your business has access to cardholder information.
  8. Create a unique ID for each employee: Employees with access to a computer that stores card information (including your point-of-sale system) must have a unique login ID. You can’t use a single user ID and password that multiple employees share.
  9. Restrict physical access to devices: Devices that store cardholder data should be kept in secure locations, such as in a locked room or drawer. Consider using security systems like cameras. You should also keep a log of access to physical storage devices such as hard drives.
  10. Monitor access to cardholder data: You are required to use audit logs to track when cardholder information is accessed and by whom within your organisation.
  11. Perform regular vulnerability tests: Update your device and password inventory, perform vulnerability scans, and test wireless access points at least once per quarter.
  12. Document your security policies: You must have written documentation of your business’ security practices and policies for PCI compliance.
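As an added example (not code from the article), the Python sketch below shows how requirements 3, 7, 8 and 10 from the list above fit together in a merchant's own record store: only a masked card number is kept and logged, each employee has a unique ID tied to a role, and every lookup is written to an audit log. The user table, roles, log format and test card number are constructed for illustration; encrypting a full card number at rest for recurring payments is not shown.

```python
import re
from datetime import datetime, timezone

# Requirement 8: one unique ID per employee. Requirement 7: access is granted
# by role, never by a shared login. Both tables are constructed sample data.
USER_ROLES = {"alice": "refunds", "bob": "cashier"}
ROLES_WITH_CARD_ACCESS = {"refunds"}

# Requirement 10: an audit trail of who read cardholder data and when.
AUDIT_LOG = []


def mask_pan(pan):
    """Requirement 3: keep only the last four digits of the card number.

    Spaces and dashes are stripped first; anything outside the 13 to 19 digit
    range used by real card numbers is rejected rather than silently stored.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must be 13 to 19 digits")
    return "X" * (len(digits) - 4) + digits[-4:]


def store_card(pan, expiry):
    """Build the record that is persisted: masked PAN and expiry, nothing else.

    The CVV is deliberately not a parameter: it is never stored.
    """
    return {"pan_masked": mask_pan(pan), "expiry": expiry}


def read_card(user_id, record):
    """Return the record only to users whose role allows it; log every attempt.

    The log entry holds the masked PAN, so the audit trail itself never
    becomes a second store of full card numbers.
    """
    granted = USER_ROLES.get(user_id) in ROLES_WITH_CARD_ACCESS
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "pan_masked": record["pan_masked"],
        "granted": granted,
    })
    return record if granted else None


if __name__ == "__main__":
    rec = store_card("4111 1111 1111 1111", "12/27")  # constructed test card
    print(read_card("bob", rec))    # None: cashiers cannot read card data
    print(read_card("alice", rec))  # the masked record
    print(AUDIT_LOG)                # one entry per attempt, granted or not
```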

PCI Compliance Levels

While all businesses that process credit card payments must be PCI compliant, the requirements for proving compliance vary. For example, large businesses with high annual card transaction volumes are subject to more rigorous compliance checks than small businesses that only process a low number of card payments.

There are four levels of PCI compliance with different validation requirements.

Level 1

Businesses that process more than six million debit and credit card transactions per year fall into PCI Level 1. This level also includes businesses that suffered a data breach exposing cardholder information.

To validate compliance, businesses in Level 1 must complete an internal PCI compliance audit at least once per year. They must also undergo quarterly network vulnerability scans by an external security vendor approved by the PCI Security Standards Council and complete an annual self-assessment questionnaire.

Level 2

Businesses that process between one and six million card transactions per year fall into PCI Level 2. These businesses must undergo a quarterly network scan by an external security vendor and an annual audit by an external auditor. They must also complete an annual self-assessment questionnaire.

Level 3

Level 3 includes businesses that process between 20,000 and one million online card payments per year. Businesses in Level 3 must undergo a quarterly network scan by an external security vendor and complete an annual self-assessment questionnaire.

Level 4

Level 4 includes businesses that process fewer than 20,000 online card payments per year, or up to one million card payments across all channels. Businesses in Level 4 only need to undergo a quarterly network scan by an external security vendor. An annual self-assessment questionnaire is recommended but not required.

Cost of PCI Compliance

PCI compliance costs can vary widely depending on the size of your business, the PCI level you fall into, and the merchant account provider you choose.

In general, larger businesses will pay more for PCI compliance because they have larger computer networks that require more security measures. For instance, antivirus software for hundreds of computers costs more than for just a few. Similarly, quarterly network scans—required for all PCI levels—become more expensive the bigger your business’ network is.

Here’s a rough guideline of PCI compliance costs based on PCI level, which correlates with business size:

  • Level 1: £40,000 or more per year
  • Level 2: £4,000 to £30,000 per year
  • Level 3: £750 to £3,500 per year
  • Level 4: £150 to £375 per year

Small businesses in Level 4 may be able to lean on their merchant account provider to achieve PCI compliance at no additional cost. For example, Square and Zettle both offer free PCI compliance assistance with your merchant account. Other merchant account providers offer access to PCI consultants, network scanning, and digital access controls for a small monthly fee.

Consequences of Non-Compliance

Failure to meet PCI compliance requirements can result in fines from your merchant account provider. These are expensive, and they increase for every month your business remains out of compliance. For example, for Level 1 businesses that are out of compliance, the fine is £7,500 per month for the first three months, £37,500 per month for the next three months, and £75,000 per month for every month thereafter.

Worse, repeated issues with PCI non-compliance can cause your merchant account to be suspended. If that happens, your business will no longer be able to accept card payments.

In addition to penalties for non-compliance, there are other potentially huge costs. For instance, if your business is hacked and suffers a data breach because of weak or non-compliant security measures, it’s likely your customers may lose trust in your business and go elsewhere. It also puts your business at risk of costly lawsuits.

Tips for Maintaining PCI Compliance

There are a few actions you can take to make PCI compliance easier.

  1. Get PCI compliance through your merchant account. Choose a merchant account provider that offers help with PCI compliance. Even if there’s a monthly fee, it’s well worth it to make sure your business is compliant and safe from costly penalties.
  2. Implement strong digital hygiene. It’s important to be diligent about your business’ cybersecurity. For example, always use strong passwords and require employees to change them frequently. Ensure software is up to date with the latest security patches. Educate employees about phishing and install monitoring software to detect unusual activity on your network.
  3. Use an end-to-end point-of-sale system. Using a point-of-sale system and card readers from a single hardware provider can make it easier to integrate equipment in a way that’s PCI-compliant. For example, hardware from a single provider is usually designed to keep data encrypted during transfer and can enable you to use a single set of digital employee IDs across all your devices. If you mix and match different pieces of hardware and software to process payments, it’s a good idea to hire a PCI consultant to ensure your configuration is secure.
  4. Limit what data you store. Only store card data that’s essential for your business to operate smoothly. This can reduce the number of devices you need to manage for PCI compliance and your potential liability in the event of a data breach.

Verdict

PCI compliance is mandatory for all businesses that process debit and credit cards. To maintain compliance, your business must meet 12 security standards designed to protect customers’ card data against potential hacks.

Businesses must verify compliance through quarterly network scans and audits, with requirements varying based on annual transaction volume. While PCI compliance carries some costs, it’s much cheaper than the penalties for non-compliance or dealing with a data breach.

For more information on accepting credit and debit cards at your business, check out our complete guide to taking card payments.

FAQs

How do I know if my business is PCI compliant?

You can complete a PCI self-assessment questionnaire to assess whether your business complies with PCI requirements. Your merchant account provider may also be able to offer additional support, such as access to a PCI compliance consultant.

What are the most common PCI violations?

A lack of user access permissions is the most common PCI violation. Access permissions are required to limit card data access only to users who need it for a specific purpose. A lack of firewalls on businesses’ internal Wi-Fi networks is another common violation.

Is PCI compliance legally required?

PCI compliance isn’t a legal requirement. Rather, it’s mandated by the PCI Security Standards Council, which is made up of all the major credit card companies. PCI compliance is absolutely necessary to process card transactions. Failure to comply can result in steep penalties and suspension of your merchant account.
Written by:
Rob Binns
Rob writes mainly about the payments industry, but also brings to the table industry-specific knowledge of CRM software, business loans, fulfilment, and invoice finance. When not exasperating his editor with bad puns, he can be found relaxing in a sunny (socially-distanced) corner, with a beer and a battered copy of Dostoevsky.
Reviewed by:
Ruairi uses his 3+ years of research experience to uncover insights which can help Expert Market provide the best business solutions for their users. He has done this by meeting with business owners to find out what is important to them and what challenges they face on a daily basis. Ruairi specialises in tools that can be used to grow your business and has done research for a wide range of categories on Expert Market, such as EPOS, Website Builders, and Merchant Accounts.