For customers· 4 min read

PCI Compliance Requirements: What Merchants Must Know

Learn PCI DSS compliance obligations for payment processing. Understand security standards, audits, and liability when choosing a merchant services provider.

If you accept card payments—whether in-store, online, or mobile—you're legally required to meet Payment Card Industry (PCI) Data Security Standard (DSS) compliance. Non-compliance can result in fines ranging from $5,000 to $100,000 per month, data breach liability, and loss of payment processing privileges. Understanding what compliance actually means will protect your business, customers, and bottom line.

What PCI Compliance Actually Is

PCI DSS is a set of security standards created by major card networks (Visa, Mastercard, American Express, Discover, JCB) to protect cardholder data. It applies to any business that stores, transmits, or processes payment card information—including your payment processor, but critically, also you.

Compliance isn't a one-time checkbox. It's an ongoing framework covering network security, access controls, data encryption, monitoring, and incident response. Your responsibility level depends on your business size and transaction volume.

Merchant Levels: Know Where You Stand

Payment Card Industry classifies merchants into four compliance levels based on annual card transaction volume:

  • Level 1: Over 6 million transactions annually. Highest security requirements; quarterly security assessments and annual PCI DSS audits required.
  • Level 2: 1–6 million transactions yearly. Quarterly self-assessment questionnaires (SAQ) instead of full audits.
  • Level 3: 20,000–1 million online transactions per year. Self-assessment and simpler documentation.
  • Level 4: Fewer than 20,000 online transactions annually or under 1 million in-person transactions. Basic SAQ compliance.

Most small businesses fall into Level 3 or 4, but check with your payment processor—they can confirm your exact classification.

Core Requirements You Can't Ignore

Network Security & Encryption You must use TLS 1.2 or higher to encrypt cardholder data in transit. SSL/TLS certificates should come from trusted certificate authorities. If you're using older payment terminals or outdated software, upgrade now—many processors will disable support for unencrypted connections in 2025.

Access Controls Restrict who in your organization can view or process payment data. Create unique user IDs for each staff member with payment access, change default passwords immediately, and disable accounts for terminated employees within 24 hours. This sounds basic, but weak access controls are the leading cause of data breaches.

Data Storage Limitations Never store sensitive authentication data (card security codes, full magnetic stripe data) after transaction authorization—not even encrypted. Store only the last four digits of the card number, expiration date, and cardholder name if absolutely necessary for business operations.

Monitoring & Logging Implement systems that track and log all access to cardholder data. Review logs regularly for unauthorized or suspicious activity. Your payment processor's dashboard should provide transaction history, but you're responsible for monitoring your end.

Vulnerability Management Run quarterly vulnerability scans (external scans are mandatory for Level 1 merchants; smaller merchants still need them annually). Install security patches promptly, maintain updated antivirus software, and remove unnecessary services from servers processing payments.

Practical Compliance Steps

1. Audit Your Current Setup Document where cardholder data lives: payment terminals, POS systems, cloud storage, email, backups. Many breaches happen in unexpected places like archived customer emails.

2. Choose Compliant Payment Processing Work with PCI DSS Level 1 certified processors. They handle tokenization (replacing card data with unique reference codes), reducing your liability. Many modern providers—including those you can compare on Mercoly—bundle compliance tools into their standard service.

3. Complete Your Self-Assessment Download the appropriate SAQ from the PCI Security Standards Council based on your merchant level. Allow 1–2 weeks for completion if you're unfamiliar with the framework.

4. Get Attestation After self-assessment, submit your SAQ to your processor by their deadline (usually annually, sometimes quarterly for Level 1). Keep proof of submission.

5. Budget for Support If you have servers storing data, hire a Qualified Security Assessor (QSA) for formal audits—costs typically run $3,000–$10,000 annually for small merchants. For self-assessment, budget $500–$2,000 in consulting time if your team isn't security-savvy.

Frequently Asked Questions

Q: What happens if my business gets breached but I'm PCI compliant? Compliance significantly limits your liability—the card networks may waive penalties, and you're protected by liability caps. Non-compliant breaches expose you to massive fines and lawsuits.

Q: Can my payment processor guarantee I'm compliant? No single vendor makes you compliant; it's a shared responsibility. Your processor handles their systems; you handle yours—access controls, staff training, monitoring. Choose a processor transparent about their compliance documentation and willing to answer security questions.

Q: Do I need PCI compliance if I use Square or PayPal? Yes, but their requirements are lighter. These services tokenize data automatically, so you meet compliance through their infrastructure rather than managing encrypted servers yourself. You still need strong passwords, secure access controls, and monitoring.

Start your compliance journey today—compare Payment Processing & Merchant Services providers who prioritize security standards and can walk you through the process step-by-step.

Looking for Payment Processing & Merchant Services?

Compare trusted Payment Processing & Merchant Services providers on Mercoly — browse profiles, products, and services and reach out in one place.

Related articles

More in Financial Services & Advisory · Payment Processing & Merchant Services