Square Guide

What is PCI Compliance? What You Need to Know

Introduction to PCI Compliance

When it comes to a growing business, the safety and security of your and your customers’ sensitive information and data is likely top of mind—especially when it comes to payments.

Credit card with EMV chip

New advances in commerce and payments technology are often accompanied by new rules and regulations to help ensure that both businesses and consumers are protected. Enter the Payment Card Industry Data Security Standard (PCI DSS), a standard put forth by the five largest credit card companies to help reduce costly consumer and bank data breaches.

Understanding PCI DSS compliance can feel overwhelming for business decision makers. In this guide, we break down the need-to-knows of PCI DSS compliance and walk you through the steps you need to safeguard your business and customers.

Six Frequently Asked Questions About PCI Compliance

What does PCI DSS compliance mean?

PCI DSS stands for Payment Card Industry Data Security Standard, which sets the requirements for organizations and sellers to safely and securely accept, store, process, and transmit cardholder data during a credit card transaction, in order to prevent fraud and data breaches.

Who needs PCI DSS compliance certification?

Although there is technically no such thing as “PCI certification,” sellers of all sizes, service providers, banks, and any other organizations that process credit card payments need to prove they are PCI compliant.

What are the PCI DSS compliance levels?

There are four levels of PCI compliance; each level has unique requirements for a business to validate its compliance. The level under which your business falls is based on your total transaction volume, annually.

What does it cost to be PCI DSS compliant?

The fees to become PCI compliant, and to maintain that standing annually, depend on the size of your business, the level of security you already have in place, and the technology you use. Any of these may need to be addressed, upgraded, or overhauled completely in order to make your business fully PCI compliant.

Am I responsible for a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?

The PCI DSS Self-Assessment Questionnaire is a checklist ranging from 19 to 87 pages, created and distributed by the PCI Security Standards Council. It’s used as a mechanism for sellers to self-validate their PCI DSS compliance. Square sellers are not responsible for this SAQ, or for self-validating, since Square’s hardware and software comply with the Payment Card Industry Data Security Standard (PCI DSS) on your behalf.

Is there a PCI noncompliance fee?

Yes, there are typically fees associated with PCI noncompliance. If your business does not comply with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more.

Square makes powering business of every size simple.

Competitive, custom rates

Call or email us to get your rate and learn how to reduce your total cost of ownership with Square.

API and partner integrations

Connect your existing services with Square, or use your Square data to build custom apps.

Serious about security

Process payments with industry-leading hardware and software that follow PCI standards.

Learn more

PCI Compliance: A Deep Dive

Understanding the history of the Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) was born in 2006, just as the Internet emerged as a necessary and valuable tool for businesses of all sizes. As the Internet era began to reach maturity, companies that chose to leverage its power began bringing their payment processing systems online, connecting them wirelessly to both their physical and virtual terminals. Meanwhile, consumers grew more comfortable using credit cards to make purchases both online and off.

The historical relevance of these security standards is critical to how and why PCI standards evolved. These new avenues of commerce exposed businesses and consumers to more and more risks—and the opportunity for fraudsters to steal credit card information from insecure networks and payment systems became more prevalent.

As a response to increasing data theft, the five largest credit card brands—Visa, Mastercard, Discover, American Express, JCB—implemented the Payment Card Industry Data Security Standard (PCI DSS) to prevent costly consumer and bank data breaches. It was with the advent of this regulation, and the PCI Security Standards Council, that PCI compliance became—and still is—an important step in regulating the security of the credit card payment industry.

To help with managing compliance standards, the payment brands also established the PCI Security Standards Council as an independent body, meant to “monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals.”

It’s important to note, however, that the credit card companies made PCI compliance a self-regulated mandate—meaning they shifted the liability of maintaining compliance for all parts of the payment processing life cycle to sellers and organizations.

So, while the Council is responsible for setting the standards and establishing requirements for sellers to adhere to—such as PCI-compliant applications and self-assessment questionnaires (SAQs) or checklists—the payment brands are responsible for enforcing them among sellers and organizations that accept credit cards.

EMV chip card dip

Before we begin to explore PCI compliance standards in more depth, it’s important to note that, by and large, credit cards are safe, and with EMV contactless and chip and PIN payments now being the standard, they are more secure than ever before (we’ll talk more about that later). But even the biggest brands can still be at risk for large data breaches related to credit cards.

Whether you’re an enterprise corporation or have a small side-business, you’ve probably heard the term PCI DSS. By maintaining PCI compliance, you can help defend your business against hackers who can get hold of sensitive cardholder data and use it to impersonate cardholders or steal their identity.

What is PCI DSS compliance?

The Payment Card Industry Data Security Standard (PCI DSS) refers to payment security standards that ensure all sellers safely and securely accept, store, process, and transmit cardholder data (also known as your customers’ credit card information) during a credit card transaction.

Any merchant with a merchant ID that accepts payment cards must follow these PCI-compliance regulations to protect against data breaches. The requirements range from establishing data security policies for your business and employees to removing card data from your processing system and payment terminals.

“Cardholder” or payment data covers information such as the full primary account number (PAN), the cardholder’s name, and the credit card service code and expiration date. Sellers are also responsible for protecting sensitive authentication data in the magnetic-stripe data (e.g., CAV2, CVC2, CVV2, CID, PINs, PIN blocks, and more).

Anatomy of a credit card

The credit card diagram above displays where unique and sensitive cardholder data is contained in a credit card. Your business should avoid storing any of the data in this diagram; if you do, then you’ll likely be required to present a good business reason for storage and demonstrate that you have the proper mechanisms in place to protect it.
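As an added example (not code from Square or the PCI SSC), here is a small Python check a seller could run over their own stored records to find the cardholder data described above that should not be there: Luhn-valid card numbers and sensitive authentication data fields. The records are constructed, the Luhn check is the standard card-number check digit, and the first-six/last-four masking follows the PCI DSS display rule.

```python
import re

# Constructed sample records, as a review of a seller's own systems might
# find them (order log, a hand-typed note, a tokenised record). Not real cards.
SAMPLE_RECORDS = [
    "2024-03-01 order=1001 customer=Alice card=4111111111111111 exp=12/26 cvv=123",
    "2024-03-01 order=1002 customer=Bob token=tok_9f8e7d6c5b4a",
    "note: phone order, card 5500 0000 0000 0004, keep on file for reorder",
    "2024-03-02 order=1003 invoice=1234567890123456 shipped",  # fails Luhn
]

# 13 to 19 digits, optionally grouped by spaces or dashes as PANs are typed.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data that must never be stored after authorisation:
# the card verification codes and PINs named in the guide.
_SAD = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid|pin)\s*[=:]\s*\d{3,6}", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cardholder_data(record: str) -> dict:
    """Return masked PANs and the names of SAD fields found in one record."""
    pans = []
    for m in _CANDIDATE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):   # invoice numbers and dates rarely pass Luhn
            pans.append(mask_pan(digits))
    sad = [re.split(r"[=:]", m.group())[0].strip().upper()
           for m in _SAD.finditer(record)]
    return {"pans": pans, "sad_fields": sad}

def scan(records):
    """Indices and findings for records that hold card data and so are in PCI scope."""
    findings = []
    for idx, rec in enumerate(records):
        f = find_cardholder_data(rec)
        if f["pans"] or f["sad_fields"]:
            findings.append((idx, f))
    return findings

if __name__ == "__main__":
    for idx, f in scan(SAMPLE_RECORDS):
        print(f"record {idx}: PAN {f['pans']} SAD {f['sad_fields']}")
```

Only records 0 and 2 are reported: the tokenised record and the Luhn-failing invoice number are left alone, and the PANs are never printed in full.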

To identify where your business might be vulnerable to an attack, it’s important to be aware of the places from which sensitive cardholder data can be stolen. For example, data can be stolen through:

  • Compromised card readers
  • Insecure payment system databases
  • Hidden cameras recording entry of authentication data
  • A secret tap into your store’s wireless or wired network
  • Paper stored in a filing cabinet or written notes

Therefore, it’s important to secure the entire payment life cycle, from credit card acceptance to payment processing, by protecting cardholder data where it is captured at the point of sale and as it flows into the payment system to your merchant account.

Counter top signage

PCI standards apply to:

  • Card readers
  • Point-of-sale systems
  • Store networks and wireless access routers
  • Payment card data storage and transmission
  • Payment card data stored in paper-based records
  • Online payment applications and shopping carts

As you can probably guess, becoming PCI compliant and maintaining that compliance can be a complex process; it can involve implementing security controls, hiring a pricey third-party consultant to install costly software and hardware, and signing an expensive and binding contract under which you agree to the bank’s terms for annual PCI compliance, completing annual self-assessments, and more.

What are the PCI compliance levels and requirements?

If your business accepts payment cards from any of the five credit card brands that make up the PCI SSC (American Express, Discover, JCB, Mastercard, and Visa), then you are required to be PCI compliant at one of several levels, as determined by your transaction volume.

Sixty-five percent of small businesses miss the mark on minimum compliance requirements.

Keep in mind, not all compliance reporting requirements are the same—they can differ based on your processing volume. For example, sellers with a higher volume of transactions (as described in the matrix below) are required to work with internal security assessors (ISAs), qualified security assessors (QSAs), and PCI-approved scan vendors (ASVs).

There are four different levels of compliance; these levels stipulate the requirements for which sellers are responsible. The PCI Council deems the pass mark to be compliance with 100 percent of the criteria. Because of this complicated responsibility, many larger companies choose to work with a PCI-compliance consultant on the standards and on how to meet the requirements of their level.

Every seller falls into one of the four categories depending on their transaction volume during a 12-month period. While each credit card brand has its own slightly different criteria, generally the PCI-compliance levels are as follows*:

PCI compliance levels

Merchant Level 1
Applicable to:
  • Sellers that process over 6M transactions per year
  • Any merchant that has had a data breach or attack that resulted in an account data compromise
  • Any merchant identified by any card association as Level 1
PCI requirements*:
  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)—also commonly known as a Level 1 onsite assessment—or by an internal auditor if signed by an officer of the company
  • Quarterly network scan by an Approved Scan Vendor (ASV)
  • Attestation of Compliance form

Merchant Level 2
Applicable to:
  • Sellers that process 1M to 6M transactions per year
PCI requirements*:
  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

Merchant Level 3
Applicable to:
  • Sellers that process 20,000 to 1M e-commerce transactions per year
PCI requirements*:
  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

Merchant Level 4
Applicable to:
  • Sellers that process fewer than 20,000 e-commerce transactions per year, and all other sellers that process up to 1M transactions per year
PCI requirements*:
  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

EMV chip card

What are the consequences for noncompliance?

If you don’t know the rules around PCI compliance or the consequences for being noncompliant, you’re not alone.

While PCI compliance is not a law, that doesn’t mean being out of compliance isn’t a big deal. In fact, in 2015 90% of large organisations suffered data security incidents, with 74% of smaller businesses also being affected by poor data security. So it’s more important than ever that your payment processing life cycle is secure.

If your business does not comply with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more if a breach occurs.

In fact, 30 percent of small businesses report that they don’t know the penalties for noncompliance with PCI DSS 3.0.

Penalties are not highly publicised, but they can be destructive for businesses. For example, in January 2017 alone £170,000 of fines were handed out. Banks often pass this cost along to the merchant and can terminate contracts or increase fees for transactions, in response to breaches and violations.

Aside from the financial cost, there are also other potential liabilities that could affect your business. According to PCI Security Standards, failing to comply with PCI standards and resulting data breaches could result in:

  • Lost confidence, so customers go to other merchants
  • Diminished sales
  • Cost of reissuing new payment cards
  • Fraud losses
  • Higher subsequent costs of compliance
  • Legal costs, settlements, and judgments
  • Fines and penalties
  • Termination of ability to accept payment cards
  • Lost jobs (CISO, CIO, CEO, and dependent professional positions)
  • Going out of business

Paying with credit card

What does it cost to be PCI compliant?

According to a recent IHL Service Report via Business Wire, today “the PCI process takes up to 55% of the total data security budget for retailers. Yet, until 75% of a given retailer’s card transactions are EMV compliant, the EMV costs are additive to what retailers are already paying for PCI compliance. Retailers have to do both.”

Becoming and maintaining a PCI-compliant business can be costly, depending on the type and size of your company and the compliance level to which you are held.

By level, the costs typically range from:

Level 4: £60 per month and up

Your cost includes an Approved Scanning Vendor (ASV), who should complete a regular network or website scan, and completion of a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance by you or your staff.

Level 3: £1000 a year and up

Your costs include regular scans by ASVs and increase based on the size of your computer network and number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.

Level 2: £8,000 to £40,000 a year

Your costs include regular scans by ASVs and increase based on the size of your computer network and number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.

Level 1: £50,000 and up

Your costs include a regular network scan by an Approved Scanning Vendor, an annual Report on Compliance by a Qualified Security Assessor, and an Attestation of Compliance.

Watch out for predatory service providers that charge expensive fees but only satisfy a portion of your PCI requirements.

Square takes care of PCI compliance for your business

Square complies with the Payment Card Industry Data Security Standard (PCI DSS) on your behalf so you do not need to individually validate your state of compliance.

Sellers who use Square to accept and process payments don’t have to worry about maintaining PCI compliance for three reasons:

  1. We provide PCI-compliant hardware and software at no additional cost—without monthly fees or annual assessment requirements. We maintain PCI-compliance standards on your behalf at no cost to you, with no long-term contracts or commitments. Providing you use Square for all storage, processing, and transmission of your customers’ card data, you don’t need to take any steps to become PCI compliant when using Square, and you don’t need to pay any PCI-compliance fees.

  2. Square is the merchant of record for every transaction. We deal with the banks on your behalf and take care of PCI compliance, regulation, and processing. We advocate on your behalf to make sure that simple errors, honest mistakes, and disputes are resolved equitably.

  3. Square’s technical approach to security is also designed to protect both you and your customers. We adhere to industry-leading PCI standards to manage our network, secure our web and client applications, and set policies across our organization. Square’s integrated payment system provides end-to-end encryption for every transaction at the point of swipe and tokenizes data once it reaches our servers. Plus, we monitor every transaction from point of acceptance to payment, continuously innovate in fraud prevention, and protect your data like our business depends on it—because it does.


    Square meets PCI standards across software, hardware, and payment processing. For chip and PIN countries, we are working on evolving mobile security standards alongside the card schemes and PCI Council, where we are a member of the Board of Advisors. Just as there was previously no standard for card readers that plug into mobile phones, there currently is no PCI standard for mobile PIN entry. Square is, and has always been, committed to innovating with payments industry leaders to make secure card payments accessible to all.
