
PCI-DSS Compliance: What Every Business That Accepts Credit Cards Needs to Know


Nadia Patel

February 26, 2026 · 8 min read

Who Needs to Worry About PCI-DSS?

If your business accepts credit card payments—in person, online, over the phone, or through a mobile reader—you’re required to comply with the Payment Card Industry Data Security Standard (PCI-DSS). It doesn’t matter if you process ten transactions a month or ten thousand. The card brands (Visa, Mastercard, American Express, Discover) mandate it, and your acquiring bank enforces it.

PCI-DSS isn’t a law in the traditional sense. It’s an industry standard with contractual teeth. Non-compliance can result in fines from your payment processor, increased transaction fees, liability for fraud losses, and in the worst case, losing your ability to accept cards entirely.

For most small and mid-sized businesses, PCI-DSS compliance is more achievable than it looks—especially when you understand what’s actually required and where to focus your effort.

The 12 PCI-DSS Requirements, Simplified

PCI-DSS is organized into six goals and twelve requirements. Here’s what each one actually means for your business.

Goal 1: Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain network security controls. You need firewalls, or equivalent controls such as cloud security groups (PCI-DSS 4.0 calls them network security controls), between your cardholder data environment (CDE) and untrusted networks, including the internet. Rules should allow only the traffic your business needs, each permitted service, port, and protocol should have a documented justification, and the rule set must be reviewed at least once every six months.

Requirement 2: Apply secure configurations to all system components. Don’t use vendor-supplied default passwords or settings. Every system that touches cardholder data—routers, POS terminals, servers—needs to be hardened according to industry-accepted standards. That means changing defaults, disabling unnecessary services, and documenting your configurations.

Goal 2: Protect Account Data

Requirement 3: Protect stored account data. The simplest way to comply? Don’t store cardholder data at all. If you must store it, render the PAN unreadable wherever it sits (strong encryption, truncation, or tokenization), restrict access to it, and keep a documented retention and disposal policy with a check at least quarterly that data past its retention period is actually gone. Never store sensitive authentication data (full track data, the card verification code, PIN or PIN block) after authorization, not even encrypted.

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks. Any time card data moves across the internet or a wireless network, it must be encrypted with a strong protocol: in practice TLS 1.2 or later, with SSL and early TLS disabled and only trusted certificates accepted. This applies to your website checkout, payment APIs, and any end-user messaging (email, chat, SMS), where the PAN must be made unreadable; the practical rule is simply never to send card numbers that way.

Goal 3: Maintain a Vulnerability Management Program

Requirement 5: Protect all systems and networks from malicious software. Deploy anti-malware on every system component, except those you have documented as not at risk through a targeted risk analysis. Keep it updated, run regular scans, and make sure users can’t disable it. This sounds basic, but assessors see gaps here constantly, especially on POS systems and back-office machines that “nobody uses for email.”

Requirement 6: Develop and maintain secure systems and software. Keep all systems patched: critical and high-severity security patches must be installed within one month of release, and everything else on a schedule you set through your own risk analysis. If you develop custom software (including your e-commerce site), follow secure coding practices, review code before release, and run changes through a change-control process.

Goal 4: Implement Strong Access Control Measures

Requirement 7: Restrict access to system components and cardholder data by business need to know. Not everyone in your organization needs access to payment systems. Define roles, assign minimum necessary access, and review permissions regularly.

Requirement 8: Identify users and authenticate access to system components. Every person with access gets a unique ID. No shared accounts, and no generic logins like “admin” or “pos” in day-to-day use. Passwords must be at least 12 characters (8 where a system cannot support more) and contain both letters and numbers, and a user ID must lock after no more than 10 failed attempts. Multi-factor authentication is required for all access into the cardholder data environment; that has been mandatory since March 31, 2025.

Requirement 9: Restrict physical access to cardholder data. Lock the server room. Secure POS terminals so they can’t be swapped or tampered with. Control and monitor physical access to any area where cardholder data is processed or stored. Inspect card readers regularly for skimming devices.

Goal 5: Regularly Monitor and Test Networks

Requirement 10: Log and monitor all access to system components and cardholder data. Logging must be enabled on all systems in the cardholder data environment. Each entry needs to capture who did what, when, from where, on which system, and whether it succeeded. Review logs from the CDE, security events, and critical systems daily, ideally with automated monitoring that flags anomalies, and protect the logs themselves from alteration.
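The following is an added example, not code from the original article, showing what a daily review under Requirements 8 and 10 actually looks for: records missing the fields Requirement 10 demands, logins with generic IDs, and failure streaks that should have triggered the 10-attempt lockout of Requirement 8. The JSON event schema, the 30-minute window, and the list of generic IDs are assumptions for the example; the log lines are constructed.

```python
"""Daily log review for a cardholder data environment (PCI-DSS Requirements 8 and 10).

Added example, not code from the original article. The events are constructed JSON
lines in an assumed schema; the window and the generic-ID list are local choices.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Requirement 10.2.2 detail: who, what, when, outcome, origin, affected system.
REQUIRED_FIELDS = ("ts", "host", "user", "event", "result", "src")
LOCKOUT_THRESHOLD = 10          # Requirement 8.3.4: lock after no more than 10 invalid attempts
WINDOW = timedelta(minutes=30)  # assumed window for counting failures
GENERIC_IDS = {"admin", "administrator", "root", "pos", "manager"}  # assumed: not a single person


class Finding(NamedTuple):
    rule: str
    line: int
    detail: str


def _event(ts, user, result, host="pos-01", src="203.0.113.7", event="login"):
    return json.dumps({"ts": ts, "host": host, "user": user, "event": event,
                       "result": result, "src": src})


# Constructed sample: eleven failed "admin" logins followed by a success, a normal user
# login, a database event with no origin field, and a line some agent corrupted.
SAMPLE_LOG = "\n".join(
    [_event(f"2026-02-25T02:{m:02d}:00Z", "admin", "failure") for m in range(11)]
    + [_event("2026-02-25T02:12:00Z", "admin", "success"),
       _event("2026-02-25T09:00:00Z", "jsmith", "success", src="10.20.1.15"),
       '{"ts": "2026-02-25T09:05:00Z", "host": "db-cde-01", "user": "jsmith", '
       '"event": "query", "result": "success"}',
       "not json at all"]
)


def review(text: str) -> list[Finding]:
    """Walk the log once and return findings in line order."""
    findings = []
    failures = defaultdict(deque)  # user ID -> timestamps of failures inside WINDOW
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append(Finding("unparseable", n, line[:40]))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:  # a record you cannot attribute is a Requirement 10 gap, not just noise
            findings.append(Finding("missing_fields", n, ",".join(missing)))
            continue
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        user, result = rec["user"], rec["result"]
        if result == "success" and user.lower() in GENERIC_IDS:
            findings.append(Finding("generic_account", n, f"{user}@{rec['host']} from {rec['src']}"))
        if rec["event"] != "login":
            continue
        recent = failures[user]
        while recent and ts - recent[0] > WINDOW:  # drop failures that aged out of the window
            recent.popleft()
        if result == "failure":
            recent.append(ts)
            if len(recent) == LOCKOUT_THRESHOLD:
                findings.append(Finding("lockout_threshold", n,
                                        f"{user}: {LOCKOUT_THRESHOLD} failures within {WINDOW}"))
        elif result == "success" and recent:
            # A success after a failure streak means the lockout was not enforced.
            findings.append(Finding("success_after_failures", n,
                                    f"{user}: success after {len(recent)} failures"))
            recent.clear()
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"line {f.line:>3}  {f.rule:<22} {f.detail}")
```

On the sample, line 10 trips the lockout threshold and line 12 shows a success after 11 failures twelve minutes later, which tells the reviewer that pos-01 does not actually lock the account as Requirement 8.3.4 demands, and that "admin" is being used as a shared login. The database record on line 14 is flagged because it carries no origin, so it could never answer "from where" in an investigation.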

Requirement 11: Test security of systems and networks regularly. Run internal and external vulnerability scans at least quarterly and after significant changes, rescanning until high and critical findings are resolved. External scans must be performed by an Approved Scanning Vendor (ASV); internal scans must be authenticated. Conduct penetration testing at least annually and after significant changes, and keep intrusion detection or prevention in place at the perimeter of the CDE and at critical points inside it.

Goal 6: Maintain an Information Security Policy

Requirement 12: Support information security with organizational policies and programs. You need a formal security policy that addresses all PCI-DSS requirements, is reviewed annually, and is communicated to all relevant personnel. This includes an incident response plan, risk assessment process, and security awareness training.

Understanding SAQ Types

Not every business needs a full on-site audit. The card brands and your acquirer assign a merchant level by annual transaction volume; the largest merchants (Level 1, generally more than six million transactions a year with one brand) need an on-site assessment by a Qualified Security Assessor and a Report on Compliance. Everyone else usually validates with a Self-Assessment Questionnaire (SAQ), and PCI-DSS offers several SAQ types to right-size validation based on how you handle card data.

SAQ A

For merchants that fully outsource all cardholder data functions to PCI-compliant third parties. If you use a hosted payment page (like Stripe Checkout or a payment gateway’s hosted form) and never touch card data, this is likely your SAQ. It’s the shortest and simplest—around 25 questions.

SAQ A-EP

For e-commerce merchants that partially outsource payment processing but whose website could affect the security of the transaction. A full redirect or an iframe supplied by the processor keeps you in SAQ A; if your server delivers the form that collects card data, even when that form posts straight to the processor (direct post), you fall here.

SAQ B

For merchants using only imprint machines or standalone dial-out terminals with no electronic cardholder data storage.

SAQ B-IP

For merchants using only standalone, PTS-approved payment terminals with an IP connection to the processor. No electronic cardholder data storage.

SAQ C

For merchants with payment application systems connected to the internet but no electronic cardholder data storage.

SAQ C-VT

For merchants manually entering one transaction at a time into a virtual terminal provided by the payment processor.

SAQ D

The full questionnaire, several hundred questions covering every requirement. For merchants that don’t fit into any other SAQ category, and for any service provider validating with an SAQ. If you store cardholder data electronically, you’re likely here.

Scope Reduction: The Smartest Move You Can Make

The scope of your PCI-DSS assessment is determined by what systems touch, process, store, or transmit cardholder data—plus any systems connected to those systems. The wider your scope, the more expensive and complex compliance becomes.

The most effective strategy for small and mid-sized businesses is scope reduction:

  • Use tokenization. Replace card numbers with tokens that are useless to attackers. Your payment processor handles the actual card data.
  • Use hosted payment pages. Let your processor collect card data directly. Your servers never see it.
  • Segment your network. Isolate your payment environment from the rest of your network. If your POS system is on the same flat network as your office computers, everything is in scope.
  • Stop storing what you don’t need. If you’re keeping card numbers in a spreadsheet, a CRM, or paper forms—stop. Delete what you have and change your process.

Scope reduction doesn’t just make compliance easier. It reduces your actual risk. If card data isn’t on your systems, it can’t be stolen from your systems.

Common PCI-DSS Failures

After working with businesses across financial services and retail, we see the same failures come up repeatedly:

No Network Segmentation

Everything on one flat network means everything is in scope. This is the most common and most expensive mistake.

Default Credentials Still in Use

Routers, switches, POS terminals, and software platforms ship with default passwords. If you haven’t changed them, you’ll fail Requirement 2—and you’re an easy target.

Missing or Incomplete Logs

Logging is enabled but nobody reviews the logs. Or logging is enabled on some systems but not others. Requirement 10 requires comprehensive logging, regular review, and retention of at least 12 months with the most recent three months immediately available for analysis.

Outdated Software

Unpatched operating systems, expired antivirus, and end-of-life software are immediate findings. If the vendor no longer provides security updates, the system needs to be replaced or compensating controls need to be documented.

No Incident Response Plan

Many businesses assume they’ll “figure it out” if something happens. PCI-DSS requires a documented incident response plan that is reviewed and tested at least annually. You need to know who to call, what to do, and how to contain a breach before it happens.

Paper-Based Card Data

Taking card numbers over the phone and writing them on paper? That paper is now in scope. It needs to be secured, tracked, and destroyed according to PCI-DSS requirements.

PCI-DSS 4.0: What Changed

PCI-DSS 4.0 replaced version 3.2.1, which was retired on March 31, 2024; the requirements that 4.0 introduced as future-dated became mandatory on March 31, 2025, and a minor revision, 4.0.1, is now the current version. Key changes include:

  • Customized approach. Organizations can now meet objectives through alternative controls, as long as they demonstrate the control meets the stated objective. This provides flexibility but requires more documentation.
  • Expanded MFA requirements. Multi-factor authentication is now required for all access into the cardholder data environment, not just remote access and administrative access.
  • Stronger password requirements. Minimum password length increased to 12 characters (from 7).
  • Targeted risk analysis. Several requirements now mandate documented, targeted risk analyses to set the frequency of certain activities, such as reviews of logs outside the CDE, anti-malware scans, and inspections of card terminals.
  • Client-side security. New requirements for protecting payment pages against Magecart-style JavaScript injection: keep an inventory of every script the page loads, with a written justification for each, and ensure only authorized scripts run (Requirement 6.4.3); and deploy a mechanism that detects unauthorized changes to the page’s HTTP headers and script content, checked at least once every seven days (Requirement 11.6.1).

What Compliance Actually Costs

Costs vary widely based on your scope, SAQ level, and current state. For a small business with a narrow scope (SAQ A), annual compliance might cost a few hundred dollars for the SAQ validation plus whatever you spend on maintaining secure configurations.

For businesses with broader scope (SAQ C or D), costs can include quarterly ASV scans ($100-500/quarter), annual penetration testing ($3,000-15,000), remediation of findings, and potentially consulting help for the assessment itself.

The cost of non-compliance is almost always higher. A data breach involving card data can result in forensic investigation costs ($20,000-100,000+), fines from card brands ($5,000-100,000/month), liability for fraudulent charges, and the business impact of losing customer trust.

Getting and Staying Compliant

PCI-DSS compliance doesn’t have to be a burden. The key is understanding your scope, reducing it where possible, and building security practices into your normal operations rather than treating compliance as a once-a-year scramble.

A qualified PCI-DSS compliance partner can help you determine your SAQ level, reduce your scope, implement the right controls, and maintain compliance year over year. The goal isn’t just passing an assessment—it’s actually protecting your customers’ financial data.

Ready to Get Started?

If you accept credit cards and aren’t sure where you stand on PCI-DSS, BrightWorks IT can help. We’ll assess your current environment, identify your scope, and build a practical compliance roadmap. Request a free assessment to get started.



Written by

Nadia Patel

Nadia covers cybersecurity, cloud infrastructure, and IT strategy for growing businesses. With a background in enterprise technology and a passion for clear communication, she helps business leaders understand the technology decisions that matter most.
