PCI Compliance

PCI Compliance — Definition & Guide
PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS) — a set of security requirements all businesses must follow when they accept, store, or transmit cardholder data. It is not a government law but a contractual requirement enforced by card networks. The PCI Security Standards Council publishes and maintains the full standard, which is updated periodically as threats evolve.
PCI compliance means your business meets the security requirements designed to protect cardholder data from theft and fraud. Every business that accepts card payments — regardless of size — is required to comply. The level of compliance required depends on how many transactions you process annually and how your systems handle card data.
For most small merchants, compliance is achieved by completing an annual Self-Assessment Questionnaire (SAQ) and confirming that your terminals and payment systems meet basic security requirements. Larger merchants with more complex environments may require a formal audit by a Qualified Security Assessor (QSA).
Non-compliance doesn’t just mean fines — it means increased liability. If a data breach occurs while you are out of compliance, card networks can hold you responsible for card reissuance costs, fraud losses, and forensic investigation fees. These costs can easily exceed $100,000 for a single incident at a small business.
Here is the flow of a typical annual compliance cycle:
Most small merchants fall into SAQ categories A, A-EP, B, or C-VT depending on how they accept payments. Card-present only merchants with no electronic cardholder data storage typically have the simplest compliance path. E-commerce merchants and those with custom integrations face more complex requirements.
Merchant levels are set by annual transaction volume:
Level 1: Over 6 million transactions/year. Requires an annual on-site audit by a QSA and quarterly network scans.
Level 2: 1–6 million transactions/year. Annual SAQ and quarterly network scans required.
Level 3: 20,000–1 million e-commerce transactions/year. Annual SAQ and quarterly scans.
Level 4: Under 20,000 e-commerce or up to 1 million other transactions/year. Annual SAQ recommended.
Is PCI compliance required by law?
No — it is a contractual requirement set by card networks, not a government law. However, non-compliance can result in significant fines from your processor and card networks, plus full liability for breach costs.
What is a Self-Assessment Questionnaire (SAQ)?
A Self-Assessment Questionnaire is the most common compliance method for small merchants. You answer a series of questions about your security practices and attest to meeting the standard. Different SAQ types apply to different business models.
What happens if my business is not compliant?
Liability for card reissuance, fraud losses, and forensic investigation costs can fall entirely on the merchant. Fines from card networks can reach $500,000 per incident. Compliant merchants have significantly reduced liability exposure.
Does my payment processor handle PCI compliance for me?
Partially. Processors that use point-to-point encryption and tokenization reduce your compliance scope significantly — cardholder data never enters your environment. But you still must complete your annual SAQ and confirm your systems meet requirements. Your processor should provide guidance on which SAQ type applies to your setup.
PCI Non-Compliance Fees Add $20-$30/Month. Most Merchants Are Paying Them Without Knowing.
Send us your last processing statement. We will identify any PCI non-compliance fees, check whether your processor is providing self-assessment support, walk through what compliance actually requires for your environment, and show you what a fair effective rate looks like once you’re compliant.