If your business handles credit card information from Visa, Mastercard, or other major payment brands, you need to be Payment Card Industry (PCI) compliant.
PCI compliance refers to a set of 12 requirements developed and enforced by the biggest payment providers. The requirements are designed to help retailers protect customers’ financial information from data breaches and leaks.
While PCI compliance is not a law, merchants that sign contracts with credit card brands do agree to uphold PCI standards.
So, whether your customers purchase items using contactless payment at a physical POS, or through an online checkout in your ecommerce store, you need to know what PCI compliance is, and how to fulfill its 12 security-enhancing criteria.
What is PCI compliance?
The PCI Data Security Standards (PCI DSS) are a set of best practices designed to protect cardholder information and prevent fraud, which any retailer who accepts credit card payments agrees to uphold.
PCI compliance means maintaining these standards, which include security measures such as regularly updating software, installing password protection, and keeping a data access log.
The standards were created in 2006 by the PCI Security Standards Council (PCI SSC) and are continually refined. The PCI council was formed by major payment brands, including Mastercard, Visa, Discover, and American Express. They require all retailers interacting with their services to be PCI-compliant.
PCI DSS compliance levels
Most payment brands divide retailers into PCI “levels” depending on the number of transactions they process annually. Payment brands may require additional actions from merchants based on their PCI level.
You’ll need to check agreements made with payment processing services or contact your acquiring bank to determine the PCI level that applies to your business. Payment brands may classify merchants under differing PCI levels.
As an example, here’s how Mastercard defines its four PCI levels:
💡 Did you know? All stores powered by Shopify are Level 1 PCI compliant by default.
Who must be PCI compliant?
If your business accepts credit cards as a form of payment, your software and hosting must be PCI compliant.
Any type of business that handles, accepts, transmits, or stores payment card data, no matter the size or processing volume, must be PCI compliant.
(Even if you only process two credit card transactions per month, you must comply with PCI requirements.)
If you use a third-party payment processor, you may not store or directly handle credit card data yourself. However, because that customer data still passes through your server, you still need to comply with PCI requirements.
Retailers who aren’t PCI-compliant put their customers and business at risk. As well as breaching agreements with payment providers, non-compliant businesses are more likely to lose customer data, which can mean expensive penalties, reparations, and loss of trust.
12 retailer requirements for PCI compliance
PCI compliance is a continuous process to keep customer data safe. To remain compliant, retailers must follow 12 key requirements and many sub-requirements.
Here are the latest PCI compliance standards from PCI DSS version 4.0:
- Use firewalls
- Install password protection
- Protect cardholder data
- Encrypt transmitted cardholder data
- Use antivirus software
- Update software regularly
- Restrict cardholder data access
- Assign unique IDs to access data
- Restrict physical access to data
- Create and maintain access logs
- Regularly test security systems
- Create and document policies
💡 To stay on the right side of Payment Card Industry regulations, you can keep a PCI Compliance checklist for your business. In addition, the PCI SSC produces resources to help merchants uphold compliance.
1. Use firewalls
Installing firewalls helps you build and maintain a secure network. PCI compliance requires merchants to install and maintain a firewall configuration to protect cardholder data.
2. Install password protection
Merchants need to protect sensitive card data with strong password protection. Avoid using vendor-supplied defaults for system passwords and other security measures. Set up your own unique passwords that would be hard for attackers to guess or calculate.
3. Protect cardholder data
Business owners need to take all precautions to protect cardholder data from theft or attacks. Data must be stored in a safe place that’s not vulnerable to a breach. Teach team members about security and how to protect cardholder data through mandatory training programs.
4. Encrypt transmitted cardholder data
To better prevent data theft and attacks, merchants must encrypt the transmission of cardholder data across open and public networks. That way, should an attacker get hold of your data, they can’t (easily) use it.
5. Use antivirus software
Install antivirus software on your computers and regularly update it to protect your systems from viruses and other malware. Regularly test that your antivirus software is active.
6. Update software regularly
Software providers often update their software to include new security features. Using the latest software updates helps ensure you’re protecting sensitive data to the best of your abilities.
7. Restrict cardholder data access
Restrict access to cardholder data to those who actually need it. Instead of granting your whole team access to cardholder data, only give access credentials to those working in financial departments.
💡 TIP: With Shopify POS, you can assign different roles and permissions to set boundaries on what store staff can do in your POS system without manager approval—like changing a product’s price or applying a custom discount to a sale.
8. Assign unique IDs to access data
Provide a unique ID to each person with data access. When employees leave, make sure to change usernames and passwords immediately to prevent data leaks. Set complex passwords for your employees to prevent people from guessing access credentials.
9. Restrict physical access to data
Limit physical access to data to those team members who require access for their job. Avoid storing sensitive cardholder data on computers or on paper.
10. Create and maintain access logs
Track and monitor all access to network resources and cardholder data with up-to-date access logs. That way, if you suffer a data breach it may be easier to trace its source.
11. Regularly test security systems
Before you experience a data breach or theft, know how strong or weak your security systems are so you can make necessary changes before it’s too late. Regularly test your security systems with cybersecurity professionals to evaluate whether they can withstand an attempted attack.
12. Create and document policies
Maintain a complete set of policies that explain your business approach to information security for employees and contractors. Update policies frequently so that all team members know and understand expectations when it comes to data security.
Benefits of being PCI compliant
Keeping PCI compliance may mean spending on software and security enhancements, but it will save you from paying penalties or losing customers due to lack of trust.
Here are the top reasons for staying PCI-compliant:
- Maintains secure systems
- Keeps you prepared for regulation changes
- Lowers the risk of data breaches and fines
Maintain secure systems
In its latest data security report, tech firm Thales found that 37% of survey respondents had suffered a data breach in the past 12 months.
Most merchants aren’t cybersecurity experts and may be unsure of where to begin when it comes to creating and maintaining secure systems. Following PCI compliance requirements can help businesses build solid security foundations and reduce the threat of data breaches.
Be prepared for new regulations
If you’re already PCI-compliant, it will be easier to meet future data security requirements. Next time additional regulations come into play, it’ll be a case of making adjustments to your current security framework, as opposed to starting from scratch.
Reduce data breaches and fines
Following each of the 12 PCI DSS compliance requirements helps you prevent data breaches in the first place. But if you’re compliant and your business still suffers a data breach, the associated fines and penalties will usually be lower.
Difficulties if you are not PCI compliant
While PCI compliance isn’t a law, not meeting the PCI requirements can result in costly fines, loss of reputation, and damage to customer relationships.
These are some of the difficulties you may face if you don’t earn PCI compliance:
- Loss of ability to accept credit card payments
- Customer data and trust may be compromised
- Risk of expensive fines
Lose the ability to accept credit card payments
Payment Card Industry Data Security Standards are part of the contractual agreement between retailers and payment processors. So, while it’s possible to operate in a state of non-compliance, retailers who disregard PCI standards may be fined and prosecuted.
Risk customer data and trust
Would you shop at a business if you knew it was likely your credit card information would get stolen? Probably not. Customer trust and confidence can impact your business’s profitability. People are less likely to shop with you if they don’t feel confident in your ability to protect their data.
If you suffer a data breach, or your customers don’t feel confident in your security, you may lose sales. In fact, 66% of customers will stop buying if companies experience a data breach.
Conversely, sharing PCI compliance status shows your customers that you’re serious about security and are actively working to protect their payment data.
Pay expensive fines
Because PCI compliance is included in the terms and conditions of payment processors, failing to stay compliant can lead to expensive fines.
Fines are usually charged monthly and calculated based on retailer transaction volume. For large retailers, that can mean tens of thousands of dollars lost each month.
Data breaches can also cost your business money and customer trust.
Between the price of replacing credit cards, paying fines, investigating security weaknesses, and compensating customers, the average data breach sets retail businesses back $4.45 million.
Even for small businesses with lower transaction volume, the price of non-compliance can be crippling when things go wrong.
How to satisfy PCI DSS requirements
When it’s time to satisfy PCI DSS requirements, you can choose from three options:
- Complete a self-assessment questionnaire
- Hire a qualified security assessor
- Train an internal security assessor
Complete a self-assessment questionnaire
For retail business owners who feel confident checking their security systems and making necessary updates, self-assessment may be the right choice.
A self-assessment questionnaire (SAQ) is usually less expensive and time-consuming than other options. Depending on your business size and type, you’ll have to choose the correct SAQ.
David Lee, the founder of the home furnishing business Neutypechic, prefers to use an SAQ to stay compliant because it reassures him that none of his customers’ data has leaked.
“I constantly check whether my firewall is secure or not, so no financial information of my clients is leaked,” David says. “This has allowed me to effectively meet the security protocols and monitor my online server.”
Hire a qualified security assessor
For retail businesses that want an independent assessment of their security systems, or who operate complex systems, a qualified security assessor may be the right option.
A qualified security assessor is an external third-party expert who’s trained to evaluate the security of your business. They provide detailed reports on their findings and give recommendations for making PCI improvements.
Train an internal security assessor
An internal security assessor is an employee of your business who’s responsible for assessing and lowering security risks. This option is best for businesses that want to have someone dedicated to PCI compliance within their organization.
Larger retail businesses with established systems and security processes may prefer to use an internal security assessor. The benefit of satisfying PCI compliance through an internal security assessor is that they already know your business’s systems and security procedures.
By employing an internal security assessor, you can evaluate your business’s security systems more frequently, which will help you prevent data breaches.
Ensure your retail business is PCI-compliant
Whether you’re opening a brick-and-mortar store or setting up a pop-up shop, at some point you’ll have customers who want to pay with a credit card. To accept credit card payments, you’ll need to be PCI-compliant. To make PCI compliance easier, choose a POS provider that is already PCI-compliant.
Remember, all stores using Shopify Payments are automatically PCI-compliant to the highest level. Shopify’s Level 1 PCI certification covers your store, shopping cart, and web hosting.