PCI Compliance: What Is It and Everything Retailers Need to Know


If your business handles Visa, Mastercard, and credit card information from other major payment brands, you need to be Payment Card Industry (PCI) compliant.

PCI compliance refers to a set of 12 requirements developed and enforced by the biggest payment providers. The requirements are designed to help retailers protect customers’ financial information from data breaches and leaks.

While PCI compliance is not a law, merchants that sign contracts with credit card brands do agree to uphold PCI standards.

So, whether your customers purchase items using contactless payment at a physical POS, or through an online checkout in your ecommerce store, you need to know what PCI compliance is, and how to fulfill its 12 security-enhancing criteria.

What is PCI compliance?

The PCI Data Security Standards (PCI DSS) are a set of best practices designed to protect cardholder information and prevent fraud, which any retailer who accepts credit card payments agrees to uphold.

PCI compliance means maintaining these standards, which include security measures such as regularly updating software, installing password protection, and keeping a data access log.

The standards were created in 2006 by the PCI Security Standards Council (PCI SSC) and are continually refined. The council was formed by major payment brands, including Mastercard, Visa, Discover, and American Express. They require all retailers interacting with their services to be PCI-compliant.

PCI DSS compliance levels

Most payment brands divide retailers into PCI “levels” depending on the number of transactions they process annually. Payment brands may require additional actions from merchants based on their PCI level.

You’ll need to check agreements made with payment processing services or contact your acquiring bank to determine the PCI level that applies to your business. Payment brands may classify merchants under differing PCI levels.

As an example, here’s how Mastercard defines its four PCI levels:

Mastercard PCI compliance levels table (source: Mastercard).

Did you know? All stores powered by Shopify are Level 1 PCI compliant by default.

Who must be PCI compliant?

If your business accepts credit cards as a form of payment, your software and hosting must be PCI compliant.

Any type of business that handles, accepts, transmits, or stores payment card data, no matter the size or processing volume, must be PCI compliant.

(Even if you only process two credit card transactions per month, you must comply with PCI requirements.)

If you use a third-party payment processor, you may never store or directly handle credit card data yourself. However, because that customer data still passes through your systems, you still need to comply with PCI requirements.

Retailers who aren’t PCI-compliant put their customers and business at risk. As well as breaching agreements with payment providers, non-compliant businesses are more likely to lose customer data, which can mean expensive penalties, reparations, and loss of trust.

Start accepting payments fast with Shopify Payments

Skip lengthy third-party activations and go from setup to selling in one click. PCI-compliant Shopify Payments comes with your Shopify plan—all you need to do is turn it on.


12 retailer requirements for PCI compliance

PCI compliance is a continuous process to keep customer data safe. To remain compliant, retailers must follow 12 key requirements and many sub-requirements.

Here are the latest PCI compliance standards from PCI DSS version 4.0:

  1. Use firewalls
  2. Install password protection
  3. Protect cardholder data
  4. Encrypt transmitted cardholder data
  5. Use antivirus software
  6. Update software regularly
  7. Restrict cardholder data access
  8. Unique IDs to access data
  9. Restrict physical access to data
  10. Create and maintain access logs
  11. Regularly test security systems
  12. Create and document policies

To stay on the right side of Payment Card Industry regulations, you can keep a PCI Compliance checklist for your business. In addition, the PCI SSC produces resources to help merchants uphold compliance.

1. Use firewalls

Installing firewalls helps you build and maintain a secure network. PCI compliance requires merchants to install and maintain a firewall configuration to protect cardholder data.

2. Install password protection

Merchants need to protect sensitive card data with strong password protection. Avoid using vendor-supplied defaults for system passwords and other security measures. Set up your own unique passwords that would be hard for attackers to guess or calculate.

3. Protect cardholder data

Business owners need to take all precautions to protect cardholder data from theft or attacks. Data must be stored in a safe place that’s not vulnerable to a breach. Teach team members about security and how to protect cardholder data through mandatory training programs.
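As an added example (not code from the original article or from Shopify), the following Python shows what "protecting cardholder data" looks like in practice at a storage boundary: the PAN is masked to at most the first six and last four digits (the PCI DSS display limit), the CVV is never retained after authorization, and a Luhn-filtered scan catches full card numbers before they are written to a log. The record and card number are constructed test values.

```python
import re

# Constructed sample checkout record; the card number is the well-known
# test value 4111 1111 1111 1111, not a real account.
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "expiry": "12/29",
                 "cvv": "123", "cardholder": "A. Customer"}

# A run of 12-19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\d(?:[ -]?\d){11,18}")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not a 12-19 digit PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12-19 digits")
    return digits

def mask_pan(pan: str) -> str:
    """Mask for display: keep at most the first six and last four digits
    (the PCI DSS display limit) and replace the rest with '*'."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def for_storage(record: dict) -> dict:
    """Reduce a checkout record to what may be kept after authorization:
    the CVV is dropped and only the masked PAN is retained, so a leaked
    copy of the stored row cannot be replayed to make a new charge."""
    return {"pan_masked": mask_pan(record["pan"]), "expiry": record["expiry"],
            "cardholder": record["cardholder"]}

def find_unmasked_pans(text: str) -> list:
    """Scan text (a log line, a support ticket, an export) for Luhn-valid
    digit runs that look like full PANs, e.g. as a check before writing logs."""
    return [m.group() for m in PAN_PATTERN.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]
```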

4. Encrypt transmitted cardholder data

To better prevent data theft and attacks, merchants must encrypt the transmission of cardholder data across open and public networks. That way, should an attacker get hold of your data, they can’t (easily) use it.

5. Use antivirus software

Install antivirus software on your computers and regularly update it to protect your hardware from viruses. Regularly test that your antivirus software is active.

6. Update software regularly

Software providers often update their software to include new security features. Using the latest software updates helps ensure you’re protecting sensitive data to the best of your abilities.

7. Restrict cardholder data access

Restrict access to cardholder data to those who actually need it. Instead of granting your whole team access to cardholder data, only give access credentials to those working in financial departments.

TIP: With Shopify POS, you can assign different roles and permissions to set boundaries on what store staff can do in your POS system without manager approval—like changing a product’s price or applying a custom discount to a sale.

8. Unique IDs to access data

Provide a unique ID to each person with data access. When employees leave, make sure to change usernames and passwords immediately to prevent data leaks. Set complex passwords for your employees to prevent people from guessing access credentials.

9. Restrict physical access to data

Limit physical access to data to those team members who require access for their job. Avoid storing sensitive cardholder data on computers or on paper.

10. Create and maintain access logs

Track and monitor all access to network resources and cardholder data with up-to-date access logs. That way, if you suffer a data breach it may be easier to trace its source.
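Requirements 7, 8 and 10 work together: access is restricted to those who need it, every person has a unique ID, and the log records who did what. As an added example (not code from the article or from Shopify), this Python audits a constructed access log against a constructed authorization table and flags the accesses to cardholder data that cannot be justified or attributed: shared logins, departed staff whose accounts were never removed, and users outside the authorized group. The log format, user names and resource names are all made up for the example.

```python
from datetime import datetime

# Constructed access-log lines, "timestamp user action resource"; the user
# names, resources and the authorization table below are made up for the example.
SAMPLE_LOG = """\
2024-05-01T09:02:11 jlee    read   cardholder_db
2024-05-01T09:05:40 jlee    export cardholder_db
2024-05-01T09:07:03 shared  read   cardholder_db
2024-05-01T11:15:22 mkhan   read   inventory_db
2024-05-01T12:30:09 tsmith  read   cardholder_db
2024-05-02T08:00:00 pgarcia read   cardholder_db
"""

# Who may touch cardholder data (requirement 7), keyed by unique user ID
# (requirement 8). 'tsmith' has left the company but was never removed.
AUTHORIZED = {"jlee": "finance", "pgarcia": "finance"}
DEPARTED = {"tsmith"}
# Generic logins used by several people; such an access cannot be traced to a person.
SHARED_ACCOUNTS = {"shared", "admin", "pos"}
CARDHOLDER_RESOURCES = {"cardholder_db"}

def parse_log(text: str) -> list:
    """Turn the raw log into records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "resource": resource})
    return records

def audit(records: list) -> list:
    """Return a finding for every access to cardholder data the log cannot
    justify: a shared account, a departed employee, or an unauthorized user."""
    findings = []
    for r in records:
        if r["resource"] not in CARDHOLDER_RESOURCES:
            continue
        if r["user"] in SHARED_ACCOUNTS:
            reason = "shared account, access cannot be attributed to a person"
        elif r["user"] in DEPARTED:
            reason = "account belongs to departed employee"
        elif r["user"] not in AUTHORIZED:
            reason = "user not authorized for cardholder data"
        else:
            continue
        findings.append((r["ts"].isoformat(), r["user"], r["action"], reason))
    return findings
```

Running `audit(parse_log(SAMPLE_LOG))` reports the shared-account read and the departed employee's read; the inventory access is out of scope and the finance users' accesses pass.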

11. Regularly test security systems

Before you experience a data breach or theft, know how strong or weak your security systems are so you can make necessary changes before it’s too late. Regularly test your security systems with cybersecurity professionals to evaluate whether they can withstand an attempted attack.

12. Create and document policies

Maintain a complete set of policies that explain your business approach to information security for employees and contractors. Update policies frequently so that all team members know and understand expectations when it comes to data security.

Benefits of being PCI compliant

Keeping PCI compliance may mean spending on software and security enhancements, but it will save you from paying penalties or losing customers due to lack of trust.

Here are the top reasons for staying PCI-compliant:

  • Maintains secure systems
  • Keeps you prepared for regulation changes
  • Lowers the risk of data breaches and fines

Maintain secure systems

In its latest data security report, tech firm Thales found that 37% of survey respondents had suffered a data breach in the past 12 months.

Most merchants aren’t cybersecurity experts and may be unsure of where to begin when it comes to creating and maintaining secure systems. Following PCI compliance requirements can help businesses build solid security foundations and reduce the threat of data breaches.

Be prepared for new regulations

If you’re already PCI-compliant, it will be easier to meet future data security requirements. Next time additional regulations come into play, it’ll be a case of making adjustments to your current security framework, as opposed to starting from scratch.

Reduce data breaches and fines

Following each of the 12 PCI DSS compliance requirements helps you prevent data breaches in the first place. But if you’re compliant and your business still suffers a data breach, the associated fines and penalties will usually be lower.

Difficulties if you are not PCI compliant

While PCI compliance isn’t a law, not meeting the PCI requirements can result in costly fines, loss of reputation, and damage to customer relationships.

These are some of the difficulties you may face if you don’t earn PCI compliance:

  • Loss of ability to accept credit card payments
  • Customer data and trust may be compromised
  • Risk of expensive fines

Lose the ability to accept credit card payments

Payment Card Industry Data Security Standards are part of the contractual agreement between retailers and payment processors. So, while it’s possible to operate in a state of non-compliance, retailers who disregard PCI standards may be fined and prosecuted.

Risk customer data and trust

Would you shop at a business if you knew it was likely your credit card information would get stolen? Probably not. Customer trust and confidence can impact your business’s profitability. People are less likely to shop with you if they don’t feel confident in your ability to protect their data.

If you suffer a data breach, or your customers don’t feel confident in your security, you may lose sales. In fact, 66% of customers will stop buying if companies experience a data breach.

Conversely, sharing PCI compliance status shows your customers that you’re serious about security and are actively working to protect their payment data.

Figure: data from the Adobe Trust Report.

Pay expensive fines

Because PCI compliance is included in the terms and conditions of payment processors, failing to stay compliant can lead to expensive fines.

Fines are usually charged monthly and calculated based on retailer transaction volume. For large retailers, that can mean tens of thousands of dollars lost each month.

Data breaches can also cost your business money and customer trust.

Between the price of replacing credit cards, paying fines, investigating security weaknesses, and compensating customers, the average data breach sets retail businesses back $4.45 million.

Even for small businesses with lower transaction volume, the price of non-compliance can be crippling when things go wrong.

How to satisfy PCI DSS requirements

When it’s time to satisfy PCI DSS requirements, you can choose from three options:

  • Complete a self-assessment questionnaire
  • Hire a qualified security assessor
  • Train an internal security assessor

Complete self-assessment questionnaire

For retail business owners who feel confident checking their security systems and making necessary updates, self-assessment may be the right choice.

A self-assessment questionnaire (SAQ) is usually less expensive and time-consuming than other options. Depending on your business size and type, you’ll have to choose the correct SAQ.

David Lee, the founder of the home furnishing business Neutypechic, prefers to use an SAQ to stay compliant because it reassures him that none of his customers’ data has leaked.

“I constantly check whether my firewall is secure or not, so no financial information of my clients is leaked,” David says. “This has allowed me to effectively meet the security protocols and monitor my online server.”

Hire a qualified security assessor

For retail businesses that want an independent assessment of their security systems, or who operate complex systems, a qualified security assessor may be the right option.

A qualified security assessor is an external third-party expert who’s trained to evaluate the security of your business. They provide detailed reports on their findings and give recommendations for making PCI improvements.

Train an internal security assessor

An internal security assessor is an employee of your business who’s responsible for assessing and lowering security risks. This option is best for businesses that want to have someone dedicated to PCI compliance within their organization.

Larger retail businesses with established systems and security processes may prefer to use an internal security assessor. The benefit of satisfying PCI compliance through an internal security assessor is that they already know your business’s systems and security procedures.

By employing an internal security assessor, you can evaluate your business’s security systems more frequently, which will help you prevent data breaches.

Ensure your retail business is PCI-compliant

Whether you’re opening a brick-and-mortar store or setting up a pop-up shop, at some point you’ll have customers who want to pay with a credit card. To accept credit card payments, you’ll need to be PCI-compliant. To make PCI compliance easier, choose a POS provider that is already PCI-compliant.

Remember, all stores using Shopify Payments are automatically PCI-compliant to the highest level. Shopify’s Level 1 PCI certification covers your store, shopping cart, and web hosting.

Collect payments online and in person instantly

Every Shopify plan includes built-in payment processing with quick payouts and low rates. Skip lengthy third-party activations, accept all popular payment methods, and start taking payments online and in person faster.

PCI compliance FAQ

What does "PCI compliant" mean?

Being PCI compliant means you’ve fulfilled a set of standards established by the Payment Card Industry Data Security Standards Council. PCI standards are designed to protect cardholder information and prevent fraud. Businesses that process, store, or transmit credit card information need to be PCI-compliant.

What is required to be PCI compliant?

In order to be PCI compliant, organizations must adhere to the Payment Card Industry Data Security Standard (PCI DSS). This standard is designed to protect cardholder data and ensure secure processing of payment transactions. Requirements include maintaining a secure network, protecting cardholder data, regularly monitoring and testing networks, and implementing strong access control measures.

Is PCI compliance legally required?

No, PCI compliance is not legally required. However, many companies and organizations are obligated to adhere to the Payment Card Industry Data Security Standard (PCI DSS) due to contractual agreements with payment card processors. In most cases, failing to comply with PCI DSS can result in fines and/or the termination of payment card processing services.