What Is PCI Compliance?

By maintaining PCI compliance, you can help defend your business against hackers who can get hold of sensitive cardholder data and use it to impersonate cardholders or steal their identity.
by Square Oct 20, 2025 — 13 min read

When you’re building a business, the safety and security of your and your customers’ sensitive information and data is likely top of mind — especially when it comes to payments. This is true for all types of businesses, from a small neighbourhood cafe to a multi-location retail chain.  

Advances in commerce and payments technology are often accompanied by new rules to help ensure both businesses and consumers are protected. This is the basis behind the Payment Card Industry Data Security Standard (PCI DSS), a global standard first published by the major card brands in 2004 and maintained since 2006 by the PCI Security Standards Council they formed, to help reduce costly consumer and bank data breaches. Any business that processes card payments must comply with the standard, and non-compliance can mean fines from the card brands and your acquirer, especially if a breach happens.

In this guide, we break down the need-to-knows of PCI DSS compliance and walk you through the steps you need to safeguard your business and customers.

What is PCI compliance? A deep dive

PCI compliance definition

PCI compliance is the process of adhering to the requirements of the Payment Card Industry Data Security Standard (PCI DSS), so that every company that processes, stores or transmits card information does so in an environment protected from bad actors like hackers.

Any merchant with a merchant ID that accepts payment cards must meet the PCI DSS requirements to protect cardholder data against breaches. The requirements range from establishing data security policies for your business and employees to keeping card data out of your processing systems and payment terminals wherever possible, so there is less to protect.

With the update to PCI DSS v4.0, the standard now requires targeted risk analyses, repeated at least annually, so that a business sets the frequency of certain controls according to the threats in its own payment environment. The update also introduced stronger requirements for e-commerce payment pages: merchants must keep an inventory of every script that runs on a payment page, authorize each one and ensure its integrity (Requirement 6.4.3), and must run a change- and tamper-detection mechanism over the payment page as delivered to the consumer’s browser, at least weekly or as often as their targeted risk analysis dictates (Requirement 11.6.1). These controls target the script-injection “skimming” attacks that steal card data from the checkout page itself rather than from the merchant’s servers.
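The two v4.0 e-commerce controls above are easier to see in code. The script below is an added example, not Square’s code and not anything published by the PCI SSC: it keeps an authorized-script inventory with Subresource Integrity (SRI) digests, parses a checkout page, and reports any script that is not in the inventory, whose content has changed, or that is missing its approved integrity attribute. The page HTML, script URLs and script bodies are constructed for the demonstration.

```python
"""Added example: payment-page script inventory and tamper check in the spirit
of PCI DSS v4.0 requirements 6.4.3 and 11.6.1.  Not Square's code; every URL,
HTML fragment and script body below is constructed for the demonstration."""
from __future__ import annotations

import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(body: bytes) -> str:
    """Subresource Integrity value for a script body (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


# Script bodies as reviewed and approved (constructed).  The inventory maps each
# authorized script URL to its approved SRI digest; a real inventory would also
# record the business justification for each script (Requirement 6.4.3).
APPROVED_BODIES = {
    "https://js.example-psp.test/v3/checkout.js":
        b"window.Checkout={mount:function(el){/* hosted card-entry iframe */}};",
    "/static/app.js":
        b"document.addEventListener('DOMContentLoaded',function(){/* site code */});",
}
INVENTORY = {src: sri_digest(body) for src, body in APPROVED_BODIES.items()}


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[tuple[str, str | None]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def check_payment_page(html: str, fetched: dict[str, bytes],
                       inventory: dict[str, str]) -> list[str]:
    """Compare the page as served with the authorized inventory.

    `fetched` maps script URL -> body downloaded alongside the page.
    Returns a list of findings; an empty list means nothing changed.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings: list[str] = []
    seen: set[str] = set()
    for src, integrity in collector.scripts:
        seen.add(src)
        if src not in inventory:
            findings.append(f"UNAUTHORIZED: {src} is not in the script inventory")
            continue
        if integrity != inventory[src]:
            findings.append(f"INTEGRITY ATTRIBUTE: {src} lacks the approved SRI value")
        body = fetched.get(src)
        if body is None:
            findings.append(f"UNREACHABLE: {src} could not be fetched")
        elif sri_digest(body) != inventory[src]:
            findings.append(f"TAMPERED: content of {src} differs from the approved version")
    for src in inventory:
        if src not in seen:
            findings.append(f"MISSING: authorized script {src} is no longer on the page")
    return findings


def script_tag(src: str, integrity: str | None = None) -> str:
    attrs = f' integrity="{integrity}" crossorigin="anonymous"' if integrity else ""
    return f'<script src="{src}"{attrs}></script>'


def clean_page() -> str:
    """Checkout page exactly as approved (constructed)."""
    head = "".join(script_tag(s, INVENTORY[s]) for s in INVENTORY)
    return f"<html><head>{head}</head><body><form id='pay'></form></body></html>"


def skimmed_page() -> str:
    """Same page after a hypothetical compromise: app.js altered on the server
    (its tag is untouched) and an extra script injected with no integrity."""
    head = (script_tag("https://js.example-psp.test/v3/checkout.js",
                       INVENTORY["https://js.example-psp.test/v3/checkout.js"])
            + script_tag("/static/app.js", INVENTORY["/static/app.js"])
            + script_tag("https://cdn.example-analytics.test/t.js"))
    return f"<html><head>{head}</head><body><form id='pay'></form></body></html>"


# Bodies as fetched from the compromised site (constructed).
SKIMMED_FETCH = dict(APPROVED_BODIES)
SKIMMED_FETCH["/static/app.js"] = APPROVED_BODIES["/static/app.js"] + b"/* skimmer hook appended here */"
SKIMMED_FETCH["https://cdn.example-analytics.test/t.js"] = b"/* injected */"


if __name__ == "__main__":
    print("clean page:", check_payment_page(clean_page(), APPROVED_BODIES, INVENTORY) or "no findings")
    for finding in check_payment_page(skimmed_page(), SKIMMED_FETCH, INVENTORY):
        print("skimmed page:", finding)
```

In a real deployment the page and its scripts would be fetched from an independent vantage point on the schedule the targeted risk analysis sets, and the findings would feed an alert; SRI attributes only protect third-party scripts served from another origin, which is why the body comparison against the inventory is kept as a separate check.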

Understanding the history of the Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was born just as the Internet emerged as a necessary and valuable tool for businesses of all sizes. Specifically, it was created to protect consumers and businesses that process cardholder data through the internet or connected POS systems.

As the Internet matured and e-commerce began to hit its stride, more companies brought their payment processing online, connecting it over networks to both physical and virtual payment terminals, like in-store POS systems and online stores. Meanwhile, consumers grew more comfortable using cards to make purchases both online and offline. Today, in countries like Canada, credit and debit card transactions are by far the most-used means of paying for goods and services.

This historical context is critical to how and why PCI standards evolved. These new avenues of commerce exposed businesses and consumers to more and more risks. As new payment channels emerged, opportunities for fraudsters to steal credit card information from insecure networks and payment systems became more prevalent.

As a response to increasing data theft, the five largest credit card brands — Visa, Mastercard, Discover, American Express, JCB — implemented the Payment Card Industry Data Security Standard (PCI DSS) to prevent costly consumer and bank data breaches.

It was with the advent of this standard that the PCI Security Standards Council (PCI SSC) was created to govern it. The body was set up to “monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals.”

The PCI DSS has evolved over time, as new threats emerge and the payments landscape changes. To date, the most recent version is PCI DSS v4.0.1, a limited revision of v4.0 published in June 2024; the future-dated v4.0 requirements became mandatory on 31 March 2025.

It’s important to note that the credit card companies made PCI compliance a self-regulated mandate. This means the liability of maintaining compliance for all parts of the payment processing life-cycle lies with the sellers and organizations, not the credit card companies.

Before we explore PCI compliance in more depth, it’s also important to note that, by and large, credit cards are safe and secure for the majority of transactions. Even so, brands can still be at risk of data breaches related to credit cards. This is why PCI compliance standards exist: to provide deeper and standardized safeguards around one of the most-used payment means in the world to keep both businesses and consumers safe.

Where do PCI standards apply?

PCI-DSS standards apply to: 


“Cardholder data” covers information like the full primary account number (PAN), the cardholder’s name, the service code and the expiration date. Sellers are also responsible for protecting sensitive authentication data (SAD): full track data from the magnetic stripe or chip, the card verification codes (CAV2, CVC2, CVV2, CID) and PINs or PIN blocks.

Organizations that collect, process, store, or transmit payment card transactions must complete and maintain the rigorous processes of achieving and verifying PCI compliance.

Important note: Entities involved with payment card transactions must never store sensitive authentication data after payment authorization. This includes the 3 or 4 digit security code printed on the front or back of a card, the data stored on a card’s magnetic stripe or chip (also called “Full track data”), or personal identification numbers (PIN) entered by the cardholder.

As you can probably guess, becoming PCI compliant and maintaining that compliance every year can be a complex process. It can involve implementing security controls, hiring a third-party assessor or consultant, buying the hardware and software needed to secure your payment environment, and accepting contractual terms from your acquirer and the card brands that oblige you to validate compliance annually. It starts with working out which merchant level (set by your transaction volume) and which Self-Assessment Questionnaire (set by how you accept cards) apply to you, which can be time-consuming and confusing for smaller businesses without detailed knowledge of the PCI requirements. That’s why many businesses trust payment processors like Square: Square’s payment products are PCI compliant, so sellers that use them for all card handling don’t have to build and validate that environment themselves.

Need some help? You can refer to the PCI Small Merchant Guide to Safe Payments to learn more about how to better protect payment card data and your business.

What is PCI-SPoC compliance?

PCI SPoC (Software-based PIN Entry on Commercial Off-the-Shelf Devices) is a security standard that governs apps running on devices like mobile phones or tablets that need to accept PINs to complete transactions; its successor, PCI MPoC (Mobile Payments on COTS), covers the same class of devices. Square takes these apps through a rigorous certification process to ensure the integrity of all data that resides in them in order to connect your devices to hardware such as Square Reader to take payments.

What are the PCI compliance levels and requirements?

Any business that accepts card payments through any of the five members of the PCI SSC (American Express, Discover, JCB, Mastercard and Visa) must be PCI compliant. 

The specific PCI compliance requirements that you’re expected to meet vary depending on the size of your business and the number of transactions you process each year.

In general, there are 12 PCI DSS requirements that you should know:

  1. Use a firewall. Install and maintain network security controls (firewalls) to protect the cardholder data environment.
  2. Change system defaults. Never run systems with vendor-supplied default passwords or security settings.
  3. Protect stored data. Do not store cardholder data such as the full Primary Account Number (PAN) unless there is a business need, render it unreadable (for example with strong encryption, truncation or tokenization) wherever it is stored, and never store sensitive authentication data after authorization.
  4. Encrypt data in transit. Use strong cryptography to protect cardholder data when transmitting it across open, public networks such as the internet.
  5. Use anti-malware technology. Protect all systems from malicious software and keep anti-malware tools up to date.
  6. Update software. Develop and maintain secure systems and software, and install security patches promptly on anything that touches card data.
  7. Limit access to systems. Restrict access to cardholder data to the people and processes with a business need to know.
  8. Assign unique IDs. Give a unique ID to every person with access to system components and enforce strong authentication, including multi-factor authentication for access to the cardholder data environment.
  9. Restrict physical access. Limit physical access to payment devices, paper records such as receipts, and any systems that process or store card data.
  10. Monitor and log user activity. Log and monitor all access to system components and cardholder data, and review the logs.
  11. Regularly test security. Test systems and networks regularly (vulnerability scans, penetration tests) and fix what you find.
  12. Maintain a security policy. Document, maintain and communicate a formal information security policy, including security awareness training for staff.
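Requirements 3 and 10 collide in one very common place: application logs. The script below is an added example, not Square’s code and not part of the standard, showing the check a practitioner would run over log output before it is written or retained. It scans constructed log lines, masks any Luhn-valid card number to the first six and last four digits, and refuses to keep any line carrying a sensitive authentication data field such as a CVV2 or PIN, because SAD must never be stored after authorization (see the important note above). The log lines, field names and the masking format are assumptions for the demonstration.

```python
"""Added example: finding and masking card numbers that leak into application
logs, and refusing to keep lines that carry sensitive authentication data.
Not Square's code; the log lines and field names are constructed."""
from __future__ import annotations

import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names that hold sensitive authentication data (SAD).  SAD must never
# be stored after authorization, so a line carrying it is dropped, not masked.
SAD_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid|pin|pin_?block|track[12]?)\s*[=:]", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out order numbers and tracking IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI DSS display mask."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str) -> tuple[str | None, list[str]]:
    """Mask Luhn-valid PANs in one log line.

    Returns (scrubbed_line, findings).  scrubbed_line is None when the line
    contains a SAD field and therefore must not be written at all.
    """
    findings: list[str] = []

    def replace(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            masked = mask_pan(digits)
            findings.append(f"PAN masked: {masked}")
            return masked
        return m.group(0)  # not a card number; leave it alone

    scrubbed = PAN_CANDIDATE.sub(replace, line)
    if SAD_FIELD.search(line):
        findings.append("SAD field present: line dropped instead of written")
        return None, findings
    return scrubbed, findings


def scrub_log(lines: list[str]) -> tuple[list[str], list[str]]:
    """Scrub a batch of lines; returns (lines safe to keep, all findings)."""
    kept: list[str] = []
    findings: list[str] = []
    for line in lines:
        scrubbed, line_findings = scrub_line(line)
        findings.extend(line_findings)
        if scrubbed is not None:
            kept.append(scrubbed)
    return kept, findings


# Constructed log lines.  4111111111111111 and 5500 0000 0000 0004 are the
# standard Visa/Mastercard test numbers; 1234567890123 fails the Luhn check,
# so it is left alone even though it is 13 digits long.
SAMPLE_LOG = [
    "2025-10-20T14:03:11Z INFO order=10442 card=4111111111111111 amount=42.10",
    "2025-10-20T14:03:12Z DEBUG order=10443 card=5500 0000 0000 0004 cvv2=123",
    "2025-10-20T14:03:13Z INFO order=10444 tracking=1234567890123 shipped",
]

if __name__ == "__main__":
    kept_lines, all_findings = scrub_log(SAMPLE_LOG)
    for entry in kept_lines:
        print("KEEP", entry)
    for note in all_findings:
        print("NOTE", note)
```

The Luhn check is what keeps this from mangling every long number in your logs; the drop-rather-than-mask rule for SAD fields is the point that surprises people most, since a masked CVV2 is still evidence that the value was captured after authorization.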

Your PCI compliance level, as shown in the table below, outlines your reporting requirements and whether you can handle compliance internally, or if you must consult a third-party expert.

For example, sellers with a higher volume of transactions are required to work with internal security assessors (ISAs), qualified security assessors (QSAs), and PCI-approved scan vendors (ASVs). Smaller businesses that process a lower volume of transactions can handle compliance auditing internally, but are still required to meet the requirement standards.

There are four levels of compliance, which stipulate the validation requirements for which sellers are responsible. The PCI Council deems the pass mark for compliance to be meeting 100% of the criteria, so there’s no room for error.

Every seller falls into one of the four categories depending on their transaction volume during a 12-month period. While each credit card brand has its own slightly different criteria, generally the PCI-compliance levels are as follows*:

PCI compliance levels

Level 1
Applies to:
  1. Sellers that process over 6M transactions per year
  2. Any merchant that has had a data breach or attack that resulted in an account data compromise
  3. Any merchant identified by any card brand as Level 1
PCI requirements*:
  1. Annual on-site assessment (Report on Compliance) by a Qualified Security Assessor (QSA) or a qualified internal auditor (Internal Security Assessor)
  2. Quarterly network scan by an Approved Scanning Vendor (ASV)
  3. Submission of the Attestation of Compliance (AOC) form

Level 2
Applies to: sellers that process 1M to 6M transactions per year
PCI requirements*:
  1. Complete the PCI DSS Self-Assessment Questionnaire (SAQ) according to the instructions it contains
  2. Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  3. Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  4. Submit the SAQ, evidence of a passing scan (if applicable) and the Attestation of Compliance, along with any other requested documentation, to your acquirer

Level 3
Applies to: sellers that process 20,000 to 1M e-commerce transactions per year
PCI requirements*: the same four validation steps as Level 2 (SAQ, passing ASV scan, Attestation of Compliance, submission to your acquirer)

Level 4
Applies to: sellers that process fewer than 20,000 e-commerce transactions per year, and all other sellers that process up to 1M transactions per year
PCI requirements*: the same four validation steps as Level 2

*Each of the five payment brands has its own data security programs that require merchants to safeguard credit card processing data. Here’s a helpful example of Visa’s PCI DSS requirements.

What does it cost to be PCI compliant?

Without the support of a PCI-compliant payment processor, becoming and maintaining a PCI-compliant business can be costly, depending on the type and size of your company and the compliance level to which you are held. Costs can come from hiring approved vendors, application and licensing fees, third-party consultants, and even additional hardware and software to make you compliant.

It’s important to note that the cost of PCI compliance pales in comparison to the potential cost of a high-profile data breach, which we’ll explore in the next section. In Canada, costs associated with data breaches—which can include fines, lost revenue, reputational damage and the cost of replacing or upgrading systems— hit a record average of $6.98 million in 2025.

Here are the typical cost ranges for PCI compliance by level.

Level 4: $80 to $100 per month and up

Your cost includes an Approved Scanning Vendor (ASV), who should complete a regular network or website scan, and completion of a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance by you or your staff.

Level 3: $1,700 per year and up

Your costs include regular scans by ASVs. The cost of these scans can increase based on the size of your computer network and number of IP addresses. This total cost also includes the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.

Level 2: $15,000 to $70,000 per year

Your costs include regular scans by ASVs. The cost for each scan can increase based on the size of your computer network and number of IP addresses. This total also includes the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.

Level 1: $70,000 per year and up

Your costs include a regular network scan by an Approved Scanning Vendor, an annual Report on Compliance by a Qualified Security Assessor, and an Attestation of Compliance.

Take care when speaking to service providers that charge expensive fees but only satisfy a portion of your PCI requirements.

PCI non-compliance consequences

If you don’t know the rules around PCI compliance or the consequences of being non-compliant, you’re not alone. While PCI compliance is not enforced as a law at the federal level in Canada, processing card payments over a system that’s not compliant opens you to a host of potential risks, fines and contract violations.

Data breaches 

These standards are in place for a reason and choosing not to follow them means your systems simply aren’t equipped to handle the many security threats that exist today. The cost of a data breach can climb into the millions, making PCI compliance the logical and financially responsible choice for your business.

Breach of contract

All the major card brands, including Visa, Mastercard, American Express, Discover and JCB, have PCI compliance written into the agreement you signed to start processing their payments. The same goes for many acquiring banks, with TD as a prime example for Canadians. If they find out you’re not PCI compliant, they’re within their rights to issue legal warnings or take action, cancel contracts and potentially levy fines.

Regulatory action

A data breach resulting from non-compliance can also put you offside Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which requires businesses to safeguard personal information, including cardholder data, with security measures appropriate to its sensitivity. The Office of the Privacy Commissioner of Canada (OPC) may treat a failure to apply the PCI standards as a failure to apply adequate safeguards, leading to an investigation and public findings. PIPEDA also obliges you to report breaches that pose a real risk of significant harm, and knowingly failing to do so is an offence carrying fines of up to $100,000.

Aside from the financial and regulatory costs, there are also other potential liabilities that could affect your business. According to PCI Security Standards, failing to comply with PCI standards and resulting data breaches could result in:


So, while PCI compliance might seem like a hassle and the costs involved can be onerous, the risks and potential damage associated from non-compliance are far more severe.

PCI compliance best practices

Maintaining PCI compliance yourself requires continuous effort, testing and reporting to stay aligned with the PCI DSS. As threats evolve, so does the standard, making compliance an always-on mandate for your business.

Here are some PCI compliance best practices to help you keep up: 

Square takes care of PCI compliance for your business

Square complies with the Payment Card Industry Data Security Standard (PCI DSS) on your behalf so you do not need to individually validate your state of compliance.

  1. Our hardware/readers have end-to-end encryption out of the box with no configuration required and at no additional cost — without monthly fees or annual assessment requirements. We maintain PCI compliant software at no additional cost to you, with no monthly contracts or long-term commitments. Providing you use Square for all storage, processing, and transmission of your customers’ card data, you don’t need to take any steps to become PCI compliant when using Square, and you don’t need to pay any PCI-compliance fees. However, using any third-party payment integration or custom solution that touches card data may mean that you need to handle parts of PCI compliance yourself.
  2. Square is the merchant of record for every transaction. We deal with the banks on your behalf and take care of PCI compliance, regulation and processing. We advocate on your behalf to make sure that simple errors, honest mistakes and disputes are resolved equitably.
  3. Square takes a technical approach to security that is also designed to protect both you and your customers. We adhere to industry-leading PCI standards, including the latest PCI DSS v4.0 requirements, to manage our network, secure our web and client applications, and set policies across our organization. Square’s integrated payment system provides end-to-end encryption for every transaction at the point of swipe, dip or tap and tokenizes data once it reaches our servers. Plus, we monitor every transaction, continuously innovate in fraud prevention, and protect your data like our business depends on it — because it does.


Square meets PCI standards across software, hardware, and payment processing. For mobile transactions involving a PIN, Square implements solutions certified under the new PCI MPoC (Mobile Payments on COTS) standard, ensuring PIN security is protected even on commercial off-the-shelf devices.

Ready to learn more about accepting payments for your business securely? With Square POS, you can easily accept card payments, gain powerful sales insights and manage your team efficiently in an all-in-one solution. Learn more about Square POS.

PCI Compliance FAQs

What does PCI DSS compliance mean?

PCI DSS stands for Payment Card Industry Data Security Standard, which sets the requirements for organizations and sellers to safely and securely accept, store, process and transmit cardholder data during credit card transactions to prevent fraud and data breaches.

Who needs PCI DSS compliance certification?

Although there is technically no such thing as a ‘PCI certification’, sellers of all sizes, service providers, banks and any other organization that processes card payments must validate that they are PCI compliant.

What are the PCI DSS compliance levels?

There are four levels of PCI compliance; each level has unique requirements for a business to validate its compliance. The level under which your business falls is based on your total annual transaction volume.

What does it cost to be PCI DSS compliant?

The fees to become PCI compliant, and maintain that standing annually, range from roughly $1,000 per year for a Level 4 seller to over $70,000 per year for a Level 1 seller, depending on the size of your business and how much of your payment environment your processor handles for you.

Am I responsible for a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?

The PCI DSS Self-Assessment Questionnaire is a checklist ranging from 19 to 87 pages, created and distributed by the PCI Security Standards Council. It’s used as a mechanism for sellers to self-validate their PCI DSS compliance.

Square sellers are not responsible for this SAQ, or for self-validating, provided they use Square for all storage, processing and transmission of card data, since Square’s hardware and software comply with the Payment Card Industry Data Security Standard (PCI DSS) on their behalf.

Is there a PCI non-compliance fee?

Yes, there are typically fees and costs associated with PCI noncompliance. If your business does not comply with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more. Non-compliant businesses are likely in breach of contract with their credit card or banking partners, which could result in legal action or levied fines.

Square
The Bottom Line is brought to you by a global team of collaborators who believe that anyone should be able to participate and thrive in the economy.
