PCI Compliance for Merchants: What You Actually Need to Do (2026)
PCI compliance sounds scary but most small merchants only need SAQ A — a 22-question checklist. We explain every level, what your processor handles vs. what you handle, and the real cost of non-compliance.
If you accept credit card payments, PCI compliance isn't optional — it's a requirement. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data from breaches and fraud. Every business that stores, processes, or transmits credit card information must meet these standards, regardless of size.
Despite its importance, PCI compliance remains one of the most misunderstood aspects of running a business that accepts card payments. Many merchants treat it as a checkbox exercise, pay the annual PCI compliance fee on their processing statement, and never think about it again. That approach exposes your business to significant financial and legal risk.
This guide breaks down everything you need to know about PCI DSS compliance: what it requires, how to achieve it, what it costs, and what happens when you fall short.
What Is PCI DSS?
The Payment Card Industry Data Security Standard — commonly referred to as PCI DSS — is a set of security requirements created and maintained by the PCI Security Standards Council (PCI SSC). The council was founded in 2006 by the five major card networks: Visa, Mastercard, American Express, Discover, and JCB International.
PCI DSS applies to every entity involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. If your business touches cardholder data in any way, PCI DSS applies to you.
The current version is PCI DSS v4.0.1, which became mandatory on March 31, 2025, replacing version 3.2.1. Version 4.0 introduced a more flexible, outcome-based approach to security, allowing organizations to implement customized controls that meet the intent of each requirement.
What Counts as Cardholder Data?
PCI DSS protects two categories of data:
| Data Type | Examples | Can Be Stored? |
|-----------|----------|----------------|
| Cardholder Data (CHD) | Primary Account Number (PAN), cardholder name, expiration date, service code | Yes, if encrypted and protected |
| Sensitive Authentication Data (SAD) | Full magnetic stripe data, CVV/CVC, PIN/PIN block | Never after authorization |
The Primary Account Number is the defining element. If you store, process, or transmit the PAN, PCI DSS requirements apply in full.
PCI Compliance Levels: Where Does Your Business Fall?
PCI compliance requirements scale with your transaction volume. The card networks define four merchant levels, with Level 1 being the most stringent.
Visa and Mastercard Merchant Levels
| Level | Annual Transaction Volume | Validation Requirements |
|-------|--------------------------|------------------------|
| Level 1 | Over 6 million transactions/year | Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), quarterly network scans by an Approved Scanning Vendor (ASV) |
| Level 2 | 1 million to 6 million transactions/year | Annual Self-Assessment Questionnaire (SAQ), quarterly ASV scans |
| Level 3 | 20,000 to 1 million e-commerce transactions/year | Annual SAQ, quarterly ASV scans |
| Level 4 | Fewer than 20,000 e-commerce or up to 1 million total transactions/year | Annual SAQ, quarterly ASV scans (recommended) |
Most small and mid-size businesses fall into Level 3 or Level 4. However, any merchant that has experienced a data breach can be escalated to Level 1 regardless of transaction volume. American Express and Discover have their own level definitions, though they generally align with the Visa/Mastercard structure.
Key Distinction: E-Commerce vs. Brick-and-Mortar
Notice that the thresholds for Level 3 specifically call out e-commerce transactions. Card-not-present transactions carry higher fraud risk, which is why online merchants face stricter classification thresholds. A brick-and-mortar store processing 500,000 card-present transactions falls into Level 4, while an online store with the same volume would be Level 2.
The 12 PCI DSS Requirements
PCI DSS is organized into six goals and 12 requirements. Every compliant organization must meet all 12.
Goal 1: Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain network security controls. You must implement firewalls (or equivalent network security controls under v4.0) to protect cardholder data. This includes defining rules that restrict inbound and outbound traffic to what's necessary for business operations, and segmenting your cardholder data environment (CDE) from the rest of your network.
Requirement 2: Apply secure configurations to all system components. Default passwords and settings provided by vendors are well-known to attackers. You must change all default credentials, remove unnecessary services and protocols, and document your configuration standards.
Goal 2: Protect Account Data
Requirement 3: Protect stored account data. If you must store cardholder data, encrypt it using strong cryptography. Implement data retention policies that limit storage duration. Never store sensitive authentication data after authorization — this includes full track data, CVV codes, and PINs.
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks. Use TLS 1.2 or higher for transmitting cardholder data over the internet. Never send unencrypted PANs via email, chat, or SMS.
Goal 3: Maintain a Vulnerability Management Program
Requirement 5: Protect all systems and networks from malicious software. Deploy anti-malware solutions on all systems commonly affected by malware. Keep anti-malware mechanisms current, active, and generating audit logs.
Requirement 6: Develop and maintain secure systems and software. Apply critical security patches within 30 days of release. If you develop payment applications, follow secure coding guidelines such as those from OWASP. Under PCI DSS v4.0, web-facing applications require a web application firewall (WAF) or equivalent protection.
Goal 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to system components and cardholder data by business need to know. Implement role-based access control (RBAC). Only employees whose job functions require access to cardholder data should have it.
Requirement 8: Identify users and authenticate access to system components. Assign unique IDs to every user. Under PCI DSS v4.0, multi-factor authentication (MFA) is required for all access to the cardholder data environment, not just remote access.
Requirement 9: Restrict physical access to cardholder data. Use facility entry controls, visitor logs, and physical security measures to prevent unauthorized physical access to systems that store cardholder data.
Goal 5: Regularly Monitor and Test Networks
Requirement 10: Log and monitor all access to system components and cardholder data. Implement automated audit trails that record all access to cardholder data. Retain audit logs for at least 12 months, with at least 3 months immediately available for analysis.
Requirement 11: Test security of systems and networks regularly. Conduct quarterly vulnerability scans by an Approved Scanning Vendor (ASV). Perform annual penetration testing. Under v4.0, implement a change-and-tamper-detection mechanism on payment pages.
Goal 6: Maintain an Information Security Policy
Requirement 12: Support information security with organizational policies and programs. Maintain a comprehensive security policy that addresses all PCI DSS requirements. Conduct annual security awareness training for all personnel. Implement an incident response plan and test it annually.
Self-Assessment Questionnaires (SAQ): Which One Do You Need?
For Level 2, 3, and 4 merchants, PCI compliance validation is done through a Self-Assessment Questionnaire. The SAQ you need depends on how you accept and process card payments.
| SAQ Type | Who It's For | Number of Requirements |
|----------|-------------|----------------------|
| SAQ A | E-commerce or mail/phone merchants who fully outsource cardholder data processing. No electronic storage, processing, or transmission of CHD on merchant systems. | ~30 questions |
| SAQ A-EP | E-commerce merchants whose website doesn't receive CHD but affects the security of the payment page (e.g., redirecting to a processor's hosted page). | ~190 questions |
| SAQ B | Merchants using imprint machines or standalone dial-out terminals with no electronic cardholder data storage. | ~40 questions |
| SAQ B-IP | Merchants using standalone IP-connected PTS-approved payment terminals with no electronic CHD storage. | ~80 questions |
| SAQ C-VT | Merchants manually entering single transactions via a virtual terminal on an isolated computer. | ~80 questions |
| SAQ C | Merchants with payment applications connected to the internet but no electronic CHD storage. | ~160 questions |
| SAQ D | All other merchants, and any merchant that doesn't fit the criteria above. Also for service providers. | ~330 questions |
| SAQ P2PE | Merchants using validated point-to-point encryption (P2PE) solutions with no electronic CHD storage. | ~30 questions |
Choosing the Right SAQ
The goal is to qualify for the simplest SAQ possible, which means minimizing your contact with cardholder data. Here's the practical guidance:
- If you only sell online and use a hosted payment page (like Stripe Checkout or PayPal's hosted solution), you likely qualify for SAQ A — the simplest form.
- If you have a retail store using modern terminals, look into SAQ P2PE if your terminal vendor offers a validated P2PE solution, or SAQ B-IP for standalone IP-connected terminals.
- If you use a virtual terminal to key in phone orders, SAQ C-VT applies.
- If none of the above fit, you're looking at SAQ D, which covers nearly every PCI DSS requirement.
How Much Does PCI Compliance Cost?
PCI compliance costs vary dramatically based on business size, complexity, and current security posture.
Costs for Small Businesses (Level 4)
| Cost Item | Typical Range |
|-----------|---------------|
| Annual PCI compliance fee (charged by processor) | $79–$120/year |
| SAQ completion (self-service) | $0 (your time) |
| SAQ completion (with consultant help) | $500–$2,000 |
| Quarterly ASV scans (4 per year) | $100–$500/year |
| SSL/TLS certificate | $0–$200/year |
| Security awareness training | $0–$500/year |
| Total estimated annual cost | $200–$2,500/year |
Costs for Mid-Size Businesses (Level 2-3)
| Cost Item | Typical Range |
|-----------|---------------|
| SAQ completion with consultant | $2,000–$10,000 |
| Quarterly ASV scans | $500–$2,000/year |
| Penetration testing | $5,000–$30,000/year |
| WAF or security tools | $1,200–$12,000/year |
| Staff training and policy development | $2,000–$5,000/year |
| Total estimated annual cost | $10,000–$50,000/year |
Costs for Large Enterprises (Level 1)
| Cost Item | Typical Range |
|-----------|---------------|
| QSA-led audit (Report on Compliance) | $50,000–$500,000+ |
| Penetration testing | $20,000–$100,000+ |
| Continuous monitoring and SIEM | $50,000–$200,000/year |
| Dedicated compliance staff | $80,000–$150,000/year per FTE |
| Total estimated annual cost | $200,000–$1,000,000+/year |
The PCI Compliance Fee on Your Statement
Most payment processors charge an annual or monthly PCI compliance fee, typically $79 to $120 per year. This fee covers access to the processor's compliance portal where you complete your SAQ. Some processors also charge a PCI non-compliance fee — usually $19.95 to $39.95 per month — if you haven't completed your SAQ. Always complete your SAQ to avoid this unnecessary monthly charge.
Penalties for PCI Non-Compliance
Non-compliance with PCI DSS carries serious consequences, and they get much worse if you experience a data breach.
Fines and Assessments
The card networks can impose fines on your acquiring bank, which passes those fines to you through your merchant agreement. Typical fine structures:
- $5,000 to $100,000 per month for ongoing non-compliance
- $50 to $90 per cardholder for compromised records in a breach
- Increased transaction fees imposed by card networks post-breach
- Mandatory forensic investigation costs: $20,000 to $50,000+
Other Consequences
Beyond fines, non-compliance can result in:
- Loss of card acceptance privileges. Visa and Mastercard can revoke your ability to accept their cards. For most businesses, this is existential.
- Lawsuit liability. Customers and banks affected by a breach can sue for damages. Without PCI compliance, your legal defense is significantly weakened.
- Brand damage. Breach notifications destroy consumer trust. Studies show 65% of consumers avoid businesses after a data breach.
- Mandatory Level 1 reclassification. After a breach, you'll be treated as a Level 1 merchant regardless of size, meaning full QSA audits going forward.
Real-World Breach Costs
The average cost of a payment card data breach for a small business is $120,000 to $200,000. For mid-size businesses, breach costs typically range from $500,000 to several million dollars. Many small businesses that experience a significant data breach never recover — an estimated 60% close within six months.
How to Become PCI Compliant: Step-by-Step
Step 1: Determine Your Merchant Level
Check your annual transaction volume across all card brands. Your payment processor can provide this information. Remember that e-commerce and card-present transactions may be counted separately for level determination.
Step 2: Identify Your SAQ Type
Based on how you accept payments, determine which SAQ applies to your business. When in doubt, consult your payment processor or a Qualified Security Assessor; your processor's compliance portal will typically walk you through a few questions and point you to the correct SAQ.
Step 3: Scope Your Cardholder Data Environment
Identify every system, network, and process that stores, processes, or transmits cardholder data. This includes:
- Point-of-sale terminals and software
- Payment applications and servers
- Network infrastructure connecting these systems
- Any system that could impact the security of the CDE
The smaller your CDE scope, the fewer PCI requirements apply, and the easier compliance becomes. Network segmentation is one of the most effective ways to reduce scope.
Step 4: Complete the SAQ
Work through every question honestly. A completed SAQ is an attestation — you're signing a legal document stating your compliance. Common areas where businesses fail:
- Password policies: Not enforcing complexity and rotation requirements
- Patch management: Running outdated software with known vulnerabilities
- Access control: Too many employees with access to cardholder data
- Logging: Not maintaining or reviewing audit logs
Step 5: Conduct Vulnerability Scans
Schedule quarterly scans with an Approved Scanning Vendor. You need four passing scans per year for compliance. ASV scans check your external-facing IP addresses and domains for known vulnerabilities. Popular ASV providers include Qualys, Trustwave, SecurityMetrics, and Sysnet.
Step 6: Remediate Issues
Address any vulnerabilities identified during your SAQ completion or ASV scans. Document all remediation actions. For Level 1 merchants, your QSA will want to see evidence of remediation.
Step 7: Submit Your Attestation of Compliance
Complete the Attestation of Compliance (AOC) that accompanies your SAQ or ROC. Submit it to your acquiring bank or payment processor. Most processors have an online portal for submission.
Step 8: Maintain Compliance Year-Round
PCI compliance is not a once-a-year activity. Ongoing maintenance includes:
- Quarterly ASV vulnerability scans
- Regular review and update of security policies
- Prompt patching of discovered vulnerabilities
- Annual security awareness training for staff
- Annual penetration testing (required for most levels)
- Immediate incident response if a breach is suspected
PCI Compliance Best Practices for Merchants
Reduce Your Scope
The single most impactful thing you can do for PCI compliance is reduce the scope of your cardholder data environment. Strategies include:
- Use tokenization. Replace card numbers with tokens that have no exploitable value. Most modern processors offer tokenization automatically.
- Use a hosted payment page. Instead of collecting card data on your own website, redirect customers to a PCI-compliant hosted page (like Stripe Checkout, PayPal, or your processor's hosted form).
- Use P2PE terminals. Point-to-point encryption encrypts card data at the terminal before it ever reaches your network, effectively removing your POS system from PCI scope.
- Segment your network. Isolate systems that handle cardholder data from the rest of your network using firewalls and access controls.
Don't Store What You Don't Need
Many breaches occur because merchants stored cardholder data they never needed in the first place. Ask yourself:
- Do you actually need to store card numbers for recurring billing, or can your processor handle that?
- Are old transaction records with full card numbers still on your systems?
- Do employees email or fax credit card information?
If you can avoid storing cardholder data entirely, your PCI compliance burden drops dramatically.
Keep Software Updated
Unpatched software is one of the most common entry points for attackers. Ensure your POS systems, payment applications, operating systems, and any internet-facing software are kept current with security patches.
Train Your Team
Human error is a factor in a significant percentage of data breaches. Train all employees who handle payment card data on:
- Recognizing phishing attacks
- Proper handling of cardholder data
- Password security best practices
- What to do if they suspect a breach
PCI DSS v4.0: What Changed?
PCI DSS v4.0 introduced several significant changes that merchants should be aware of:
Customized Approach
Version 4.0 introduces a "customized approach" as an alternative to the traditional "defined approach." Instead of implementing a specific control exactly as described, organizations can design their own controls that meet the stated security objective. This requires more documentation but offers flexibility for organizations with mature security programs.
Expanded MFA Requirements
Multi-factor authentication is now required for all access to the cardholder data environment, not just remote access. This is a significant change for organizations that previously only required MFA for VPN connections.
Enhanced E-Commerce Security
New requirements target e-commerce skimming attacks (like Magecart). Merchants must implement mechanisms to detect unauthorized changes to payment page scripts and HTTP headers. This specifically addresses the growing threat of JavaScript-based attacks on checkout pages.
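The change-and-tamper-detection mechanism that Requirement 11 and this section describe is, at its simplest, a baseline of what your payment page loads compared against what it loads now. The following is an added example, not code from the original article or from any vendor's product: a Python monitor that fingerprints every external and inline script on a checkout page plus the security headers served with it, then reports scripts that appeared, vanished or changed and headers that differ from the baseline. The page markup, the header values and the script bodies are constructed so the example runs offline; in a real deployment the script bodies would come from fetching each `src`, and the snapshot would be taken on a schedule.

```python
"""Baseline-and-compare tamper detection for a payment page (added example)."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_inline = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


WATCHED_HEADERS = ("content-security-policy", "strict-transport-security",
                   "x-frame-options")


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def snapshot(html: str, headers: dict, script_bodies: dict) -> dict:
    """Fingerprint a page: SHA-256 per script, plus the watched headers.

    script_bodies maps each external src to its content, supplied by the
    caller (a fetch in production, a constructed dict here)."""
    col = ScriptCollector()
    col.feed(html)
    scripts = {src: sha256_hex(script_bodies.get(src, "")) for src in col.external}
    for i, body in enumerate(col.inline):
        scripts[f"inline#{i}"] = sha256_hex(body)
    hdrs = {k.lower(): v for k, v in headers.items() if k.lower() in WATCHED_HEADERS}
    return {"scripts": scripts, "headers": hdrs}


def diff_snapshots(baseline: dict, current: dict) -> list[str]:
    """Return one alert line per difference from the baseline (sorted)."""
    alerts = []
    b, c = baseline["scripts"], current["scripts"]
    alerts += [f"NEW script: {n}" for n in c.keys() - b.keys()]
    alerts += [f"MISSING script: {n}" for n in b.keys() - c.keys()]
    alerts += [f"CHANGED script: {n}" for n in b.keys() & c.keys() if b[n] != c[n]]
    bh, ch = baseline["headers"], current["headers"]
    for h in bh.keys() | ch.keys():
        if bh.get(h) != ch.get(h):
            alerts.append(f"HEADER changed: {h}: {bh.get(h)!r} -> {ch.get(h)!r}")
    return sorted(alerts)


# Constructed baseline: the page as approved, with a strict CSP.
BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script>
</head><body>checkout form here</body></html>"""
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self'",
                    "Strict-Transport-Security": "max-age=31536000"}
BASELINE_BODIES = {"/static/checkout.js": "function pay() { /* approved code */ }"}

# Constructed later state: an unreviewed third-party script has appeared and the
# CSP has been loosened. This is what the monitor should flag; the script body
# is a placeholder, not real skimmer code.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://cdn.third-party.example/stats.js"></script></head>')
TAMPERED_HEADERS = {"Content-Security-Policy": "script-src *",
                    "Strict-Transport-Security": "max-age=31536000"}
TAMPERED_BODIES = {**BASELINE_BODIES,
                   "https://cdn.third-party.example/stats.js": "/* unreviewed */"}

if __name__ == "__main__":
    base = snapshot(BASELINE_HTML, BASELINE_HEADERS, BASELINE_BODIES)
    for line in diff_snapshots(base, snapshot(TAMPERED_HTML, TAMPERED_HEADERS, TAMPERED_BODIES)):
        print(line)
```

The baseline is only as good as its review: when you take it, every script in it should be one you have authorized, and any legitimate deployment of the checkout page should regenerate it. Alerts then mean one of two things, an unrecorded change by your own team or a change you did not make, and both deserve a ticket.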
Targeted Risk Analysis
Several requirements now mandate documented, targeted risk analyses to determine the frequency of certain activities (like log reviews and password changes) rather than prescribing fixed intervals.
Phishing Protections
For the first time, PCI DSS explicitly requires anti-phishing mechanisms and security awareness training that covers phishing and social engineering.
Frequently Asked Questions About PCI Compliance
Is PCI compliance legally required?
PCI DSS is not a government law — it's a contractual requirement from the card networks (Visa, Mastercard, etc.) enforced through your merchant agreement. However, some states have incorporated PCI DSS standards into state law, and many data breach notification laws reference PCI compliance. From a practical standpoint, you cannot accept card payments without agreeing to PCI compliance.
Do I need PCI compliance if I use Square, Stripe, or PayPal?
Yes, but your compliance burden is significantly reduced. These platforms handle most of the heavy lifting by managing cardholder data on their PCI-certified infrastructure. As a merchant using these services, you'd typically qualify for SAQ A (the simplest questionnaire) because you never directly handle card data.
How long does PCI compliance take?
For a small business completing SAQ A, the process can take a few hours. For a large enterprise undergoing a full QSA audit for Level 1 compliance, expect 3 to 12 months of preparation and assessment.
Can I be PCI compliant and still get breached?
Yes. PCI compliance is a minimum security baseline, not a guarantee of security. Compliance reduces your risk significantly but doesn't eliminate it. A compliant organization will, however, be in a much stronger position to detect, respond to, and recover from a breach.
What's the difference between PCI compliance and PA-DSS?
PA-DSS (Payment Application Data Security Standard) applied to payment application vendors, not merchants. It was retired in October 2022 and replaced by the PCI Software Security Framework (SSF), which includes the Secure Software Standard and the Secure Software Lifecycle (SLC) Standard.
Next Steps for Your Business
PCI compliance might feel overwhelming, but for most small businesses, it's manageable with the right approach:
- Contact your processor and access their PCI compliance portal
- Complete your SAQ — for most small businesses, this takes less than an hour
- Schedule your ASV scans — your processor likely offers these or can recommend a vendor
- Review your data practices — stop storing what you don't need
- Train your staff — even a 30-minute annual training session reduces risk significantly
The investment in PCI compliance is small compared to the potential cost of a data breach. Treat it not as a regulatory burden but as a fundamental business practice that protects your customers, your revenue, and your reputation.