Table of contents
Violating PCI compliance can lead to hefty fines for you and your business. Learn more about PCI DSS Compliance and see how Square protects you for free.
Intro to PCI compliance
When it comes to a growing business, the safety and security of sensitive information and data is likely top of mind — especially when it comes to payments.
New advances in commerce and payments technology are often accompanied by new rules and regulations to help ensure that both businesses and consumers are protected. Enter the Payment Card Industry Data Security Standard (PCI DSS), a standard put forth by the five largest credit card companies to help reduce costly consumer and bank data breaches.
Understanding PCI DSS compliance can feel overwhelming for business decision makers. In this guide we break down the need-to-knows of PCI DSS compliance and walk you through the steps you need to safeguard your business and your customers.
Six frequently asked questions about PCI compliance
What does PCI DSS compliance mean?
PCI DSS compliance means that a business meets the requirements for organizations and sellers to accept, store, process, and transmit cardholder data safely and securely during credit card transactions in order to prevent fraud and data breaches.
Who needs PCI DSS compliance certification?
Although there is technically no such thing as PCI certification, sellers of all sizes, service providers, banks, and any other organizations that process credit card payments need to prove that they are PCI compliant.
What are the PCI DSS compliance levels?
There are four levels of PCI compliance. Each level has unique requirements for a business to validate its compliance. The level under which your business falls is based on your total annual transaction volume. The first level includes merchants processing over 6 million card transactions a year. The second, between 1 and 6 million. The third level includes merchants handling 20,000 to 1 million transactions a year and the fourth includes merchants handling fewer than 20,000 transactions a year.
What does it cost to be PCI DSS compliant?
The fees to become PCI compliant and to maintain that standing annually can range from $1,000 to more than $50,000 annually, depending on the size of your business.
Am I responsible for a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?
No. The PCI DSS Self-Assessment Questionnaire is a checklist ranging from 19 to 87 pages, created and distributed by the PCI Security Standards Council (PCI SSC). It’s used as a mechanism for sellers to self-validate their PCI DSS compliance. Square does not require sellers to complete an SAQ or to self-validate since Square hardware and software complies with the PCI DSS.
Is there a PCI noncompliance fee?
Yes, there are fees associated with PCI noncompliance. If your business does not comply with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more.
PCI compliance: a deep dive
Square seller or not, it’s still a good idea to understand PCI compliance. Adhering to it protects the safety of your customers’ financial information and of your business.
PCI compliance checklist
| # | Compliance requirement |
| 1 | Install and maintain a firewall configuration to protect cardholder data. |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. |
| 3 | Protect stored cardholder data. |
| 4 | Encrypt transmission of cardholder data across open, public networks. |
| 5 | Use and update antivirus software regularly. |
| 6 | Develop and maintain secure systems and applications. |
| 7 | Restrict access to cardholder data by business need-to-know. |
| 8 | Assign a unique ID to each person with computer access. |
| 9 | Restrict physical access to cardholder data. |
| 10 | Track and monitor all access to network resources and cardholder data. |
| 11 | Test security systems and processes regularly. |
| 12 | Maintain a security policy and ensure that all personnel are aware of it. |
This PCI compliance checklist was retrieved in July 2023 and may not be up to date, so be sure you’re compliant by selling with Square or by visiting the PCI Security Standards Council website.
Understanding the history of the PCI DSS
The PCI DSS was born in 2006. As the Internet era began to reach maturity, companies that chose to leverage its power started to bring their payment processing systems online, connecting them wirelessly to both their physical and virtual terminals. Meanwhile, consumers grew more comfortable using credit cards to make purchases online.
The historical relevance of these security standards is critical to how and why PCI standards evolved. These new avenues of commerce exposed businesses and consumers to new risks, and the opportunity for fraudsters to steal credit card information from insecure networks and payment systems became more prevalent.
As a response to increasing data theft, the five largest credit card brands — Visa, Mastercard, Discover, American Express, JCB — implemented the PCI DSS to prevent costly consumer and bank data breaches. It was with the advent of this regulation and the PCI Security Standards Council that PCI compliance became an important step in regulating the security of the credit card payment industry.
To help manage compliance standards, the payment brands established the PCI SSC as an independent body, meant to “monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals.”
It’s important to note that the credit card companies made PCI compliance a self-regulated mandate, meaning they shifted the liability of maintaining compliance for all parts of the payment processing life cycle to sellers and organizations.
So while the Council sets the standards and establishes requirements for sellers to adhere to, —such as PCI-compliant applications and self-assessment questionnaires (SAQ) or checklists.
Before we explore PCI compliance standards in more depth, it’s important to note that credit cards are safe by and large. Thanks to new rules and standards, such as EMV chip cards, they are getting even more secure (we’ll talk more about this later). Still, even the biggest brands remain at risk for large data breaches related to credit cards.
Whether you’re an enterprise corporation or have a small side business, you’ve probably heard the term PCI DSS. By maintaining PCI compliance you can help defend your business against hackers who can get hold of sensitive cardholder data and use it to impersonate cardholders or steal their identities.
What is PCI DSS compliance?
PCI DSS refers to payment security standards that ensure all sellers accept, store, process, and transmit cardholder data safely and securely during a credit card transaction.
Any merchant with a merchant ID that accepts payment cards must follow PCI-compliance regulations to protect against data breaches. The requirements range from establishing data security policies for your business and employees to removing card data from your processing system and payment terminals.
Cardholder or payment data covers information such as the full primary account number (PAN), the cardholder’s name, the credit card service code, and the expiration date. Sellers are responsible for protecting sensitive authentication data in the magnetic-stripe data (e.g., CAV2, CVC2, CVV2, CID, PINs, PIN blocks, and more).
The credit card diagram above displays where unique and sensitive cardholder data is contained on a credit card. Organizations that collect, process, store, or transmit payment card transactions must complete and maintain the rigorous processes of verifying PCI compliance. It is important to note that entities involved with payment card transactions must never store sensitive authentication data after authorization. This includes the three- or four-digit security code printed on the front or back of a card; the data stored on a card’s magnetic stripe or chip (also called “full track data”); or the personal identification number (PIN) entered by the cardholder.
PCI standards apply to:
- Card readers
- Point-of-sale systems
- Store networks and wireless access routers
- Payment card data storage and transmission
- Payment card data stored in paper-based records
- Online payment applications and shopping carts
Becoming PCI compliant and maintaining that compliance can be a complex process. It involves implementing security controls; hiring a pricey third-party consultant to install costly software and hardware; and signing an expensive and binding contract under which you agree to the bank’s terms for annual PCI compliance, completing annual self-assessments, and more.
Please refer to the PCI Small -Merchant Guide to Safe Payments to learn more about how to better protect payment card data and your business.
What are the PCI DSS compliance levels and requirements?
If your business accepts payment cards with any of the five members of the PCI SSC credit card brands — Visa, Mastercard, Discover, American Express, Discover, JCB — then you are required to be PCI compliant within various levels, as determined by your transaction volume.Sixty-five percent of small businesses miss the mark on minimum compliance requirements.Keep in mind, not all compliance reporting requirements are the same — they can differ based on your processing volume. Sellers with a higher volume of transactions are required to work with internal security assessors (ISA), qualified security assessors (QSA), and PCI-approved scan vendors (ASV).
There are four different levels of compliance. Each level stipulates the requirements for which sellers are responsible. The PCI Council deems the pass mark is compliance with 100% of criteria. Due to this complicated responsibility, many larger companies choose to work with a PCI-compliance consultant on standards and how to meet these PCI-compliant level requirements.
Every seller falls into one of the four categories, depending on their transaction volume during a 12-month period. While each credit card brand has slightly differing criteria, generally the PCI-compliance levels are as follows:
PCI compliance levels
| Merchant level | Applicable to | PCI requirements* |
|---|---|---|
| 1 | Sellers that process 6M+ transactions per year; any merchant that has had a data breach or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1. |
Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) — known as a Level 1 onsite assessment — or by an internal auditor if signed by officer of the company. Quarterly network scan by ASV. Attestation of Compliance form. |
| 2 | Sellers that process 1M–6M transactions per year. |
Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains. Complete and obtain evidence of a passing vulnerability scan with a PCI SSC ASV. Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool). Submit the SAQ evidence of a passing scan (if applicable), the Attestation of Compliance, and any other requested documentation to your acquirer. |
| 3 | Sellers that process 20,000–1M eCommerce transactions per year. |
Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains. Complete and obtain evidence of a passing vulnerability scan with a PCI SSC ASV. Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool). Submit the SAQ, evidence of a passing scan (if applicable), the Attestation of Compliance, and any other requested documentation to your acquirer. |
| 4 | Sellers that process fewer than 20,000 eCommerce transactions and all other sellers that process up to 1M transactions per year. |
Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains. Complete and obtain evidence of a passing vulnerability scan with a PCI SSC ASV. Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool). Submit the SAQ, evidence of a passing scan (if applicable), the Attestation of Compliance, and any other requested documentation to your acquirer. |
*Each of the five payment brands has its own data security programs that require merchants to safeguard credit card processing data. Here’s a helpful example of the Visa PCI DSS requirements.
What does it cost to be PCI compliant?
Becoming and maintaining a PCI-compliant business can be costly, depending on the type and size of your company and the compliance level to which you are held.
Level 4: $60–$75 per month and up
Your cost includes an ASV, who should complete a regular network or website scan, the completion of a Self-Assessment Questionnaire (SAQ), and an Attestation of Compliance by you or your staff.
Level 3: $1,200 a year and up
Your cost includes regular scans by ASV and increases based on the size of your computer network and number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire and an Attestation of Compliance.
Level 2: $10,000 a year and up
Your cost includes regular scans by ASV and increases based on the size of your computer network and number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire and an Attestation of Compliance.
Level 1: $50,000 a year and up
Your cost includes a regular network scan by an Approved Scanning Vendor, an annual Report on Compliance by a Qualified Security Assessor, and an Attestation of Compliance.
Are there different types of PCI compliance?
When it comes to PCI compliance, there is a wide range of variance that you are leveraging and should be aware of:
PCI DESV: The PCI Designated Entities Supplemental Validation (DESV) standard is a series of additional validation procedures to provide greater insight and assurance that an organization’s PCI DSS controls are maintained effectively through validation of Business-as-Usual (BAU) processes, increased validation, and scoping consideration.
PCI MPoC: PCI Mobile Payments on COTS (MPoC) is a newer standard that builds on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC), which address security requirements for solutions that allow merchants to accept cardholder PINs or contactless payments with smartphones or mobile devices.
PCI PTS: PCI Pin Transaction Security (PTS) is a security standard for terminals and other hardware devices designed to handle PIN data.
PCI PIN: PCI Personal Identification Number (PIN) is a security standard that protects PIN data, including the secure management, processing, and transmission of it for online and offline card transactions.
PCI SPoC: PCI Software-based PIN Entry on COTS (SPoC) is a standard that applies to apps running on devices (iPad, mobile phone) that may need to accept PINs to complete transactions. Square takes these apps through a rigorous certification process to ensure the integrity of all data that resides in the apps. There are a few steps that we ask you to keep in mind.
PCI 3DS: PCI Three Domain Secure (3DS) is a messaging protocol that allows consumers to authenticate themselves with a card issuer when making card-not-present purchases.
Square takes care of PCI compliance for your business
Square complies with the PCI DSS so you do not need to validate your state of compliance individually.
- Our hardware and readers have end-to-end encryption out of the box, with no configuration required and at no additional cost, without monthly fees or annual assessment requirements. We maintain PCI-compliant software at no additional cost to you, with no monthly contracts or long-term commitments. Provided you use Square for all storage, processing, and transmission of your customers’ card data, you don’t need to take any steps to validate your PCI compliance to Square, and you don’t need to pay any PCI-compliance fees.
- Square is the merchant of record for every transaction. We deal with the banks on your behalf, including for PCI compliance, regulation, and processing. We advocate on your behalf to make sure that simple errors, honest mistakes, and disputes are resolved equitably.
- Square takes a technical approach to security that is designed to protect you and your customers. We adhere to industry-leading PCI standards to manage our network, to secure our web and client applications, and to set policies across our organization. The Square integrated payment system provides end-to-end encryption for every transaction at the point of swipe, dip, or tap and tokenizes data once it reaches our servers. Plus, we monitor every transaction from acceptance to payment, innovate in fraud prevention continuously, and protect your data like our business depends on it.
In addition to PCI Compliance, Square is also SOC 1, 2, and ISO27001 compliant.
What are the consequences for noncompliance?
If you don’t know the rules around PCI compliance or the consequences for being noncompliant, you’re not alone. In fact, 30% percent of small businesses report that they don’t know the penalties for noncompliance with PCI DSS 3.0. While PCI compliance is not a law, that doesn’t mean being out of compliance isn’t a big deal. In fact, a 2019 Verizon Data Breach Incident Report found that there were almost 42,068 data security incidents this year. So it’s more important than ever that your payment processing life cycle is secure. If your business does not comply with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more.
Penalties are not highly publicized, but they can be destructive for businesses. For example, if your company violates PCI-compliance standards, credit card brands may levy fines from $5,000 to $100,000 per month to your acquiring bank. The banks often pass this cost along to the merchant and can terminate contracts or increase fees for transactions in response to breaches and violations.
Aside from the financial cost, there are also other potential liabilities that can affect your business. According to PCI Security Standards, failing to comply with PCI standards and resulting data breaches could result in:
- Lost confidence, so customers go to other merchants
- Diminished sales
- Cost of reissuing new payment cards
- Fraud losses
- Higher subsequent costs of compliance
- Legal costs, settlements, and judgments
- Fines and penalties
- Termination of ability to accept payment cards
- Lost jobs (CISO, CIO, CEO, and dependent professional positions)
- Going out of business
