PCI Compliance: A Brief Overview

Does your organization accept debit or credit cards? If so, you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a single, worldwide information security standard for every organization that stores, processes or transmits cardholder data, whatever its size. The standard is revised periodically; the most recent revision, PCI DSS 2.0, was published in late 2010.

In a study by the National Retail Federation (NRF), most businesses said they care about the security of their customers and believe that keeping clients' information safe is good for business. Fewer than half of the respondents, however, claimed to be PCI compliant. Keeping security controls current and protecting client information is costly and time consuming, but a data breach can be far more damaging to a business and can even force it to close.

So what can a business do to protect its customer’s card information?



Encrypt Cardholder Data

One of the most important things a business can do to protect cardholder information is to encrypt the card data from the moment it is swiped at the payment terminal, typed into a keypad or submitted online. Once captured, the data should stay encrypted all the way to the processor, so that no system in between handles the primary account number (PAN) in the clear. Note the caveat: if the merchant's own systems hold the key needed to decrypt the data, those systems still handle cardholder data and remain in scope for PCI DSS. The PCI Security Standards Council's point-to-point encryption (P2PE) program covers solutions where only the processor can decrypt.

The point of encryption is to make intercepted data useless to a thief who does not hold the key. Anything transmitted in plain text can be read by whoever is positioned on the path, whether that is malware on a point-of-sale PC, a compromised store network or the link to the processor.


Limit the Cardholder Data Environment

Every system, network and physical location that stores, processes or transmits customer card data is part of the "Cardholder Data Environment," or "CDE" for short. That includes the point-of-sale terminal, the back-office computer, a file cabinet holding paper receipts with full card numbers, and anything connected to those systems. Everything in the CDE must be protected to PCI DSS requirements, so the smaller the CDE, the less there is to secure and assess. Segmenting card-handling systems from the rest of the network, never storing card data where it is not needed, and restricting access to the CDE to the staff who require it all protect your clients and keep you within the compliance requirements.



Use Tokenization

As a complement to encryption, tokenization replaces the card number in a transaction with a unique surrogate value (the token). The token has no mathematical relationship to the card number; the mapping between the two is kept only in a secured central token vault, typically operated by the processor. Later transactions that reference the original card, such as returns and recurring billing, are posted using the token, so the merchant never needs the card number again. To an outside party the token is worthless: it cannot be used to make a purchase and cannot be reversed into the card number without access to the vault.

With tokenization, card numbers do not need to be stored locally at all. The sensitive data is concentrated in one well-protected location, while the tokens become the "public face" of the transactions in the merchant's own systems, which shrinks the CDE and limits what a thief can take from a compromised merchant.
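To make the mechanism concrete, here is a minimal token vault in Python. It is an added example and is not code from the original page or from any processor; the class and function names, the in-memory vault and the sample test card numbers are assumptions for illustration. It shows the three properties the section relies on: the same card maps to the same token (so recurring charges and refunds can reference it), the token is random and deliberately fails the Luhn check so it can never be mistaken for a real card number, and only the processor-side role can turn a token back into a card number.

```python
"""Minimal token vault illustrating tokenization of card numbers (PANs).

Added example, not from the original page. The class and function names,
the in-memory vault and the sample card numbers are assumptions made for
illustration; a real vault encrypts stored PANs at rest, is audited, and
lives inside the processor's CDE, not the merchant's.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: well-known test card numbers that pass the Luhn check.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by card numbers; rejects typos before anything is stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """What a receipt or merchant record may show: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """The 'secured central server' side of tokenization (assumed processor-operated)."""

    def __init__(self) -> None:
        # Secret used to index existing PANs without keeping a searchable plaintext list.
        self._index_key = secrets.token_bytes(32)
        self._by_token: dict[str, str] = {}      # token -> PAN (would be encrypted at rest)
        self._by_pan_index: dict[str, str] = {}  # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight."""
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        idx = self._index(pan)
        if idx in self._by_pan_index:
            # Same card -> same token, so returns and recurring charges can reference it.
            return self._by_pan_index[idx]
        while True:
            # 12 CSPRNG digits plus the real last four, so "****1111" still prints on receipts.
            # The random part is not derived from the PAN in any way.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            # Reject tokens that pass Luhn: a token must not look like a usable card number.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan_index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the processor role may map a token back to the PAN (e.g. to post a refund)."""
        if caller_role != "processor":
            raise PermissionError("detokenization not permitted for role %r" % caller_role)
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def merchant_flow(vault: TokenVault, pan: str) -> dict:
    """Everything the merchant keeps after a sale: a token and a masked PAN, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "masked_pan": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    for sample in SAMPLE_PANS:
        record = merchant_flow(vault, sample)
        print(record)
        # Refund later: the processor resolves the token; the merchant cannot.
        assert vault.detokenize(record["token"], "processor") == sample
```

Because the merchant's systems hold only `token` and `masked_pan`, a thief who copies the merchant's database gets nothing that can be charged, and the merchant's CDE shrinks to the terminal and the link to the processor.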



Work with a PCI Compliant Provider

Finally, an organization that wants to be PCI compliant but does not have the time or money to build these controls itself can work with a third-party provider that offers PCI compliant equipment and payment gateways. With an outside PCI compliant payment processor, transactions are encrypted and tokenized automatically, with no extra work for the merchant. One caveat: outsourcing reduces the merchant's scope but does not remove its responsibility. The merchant must still complete the appropriate Self-Assessment Questionnaire each year and confirm that the provider itself is validated as PCI DSS compliant. To find a PCI compliant provider, check out our recommended credit card processors.

See the PCI Compliance Self-Assessment Questionnaire (Retail).

See the PCI Compliance Self-Assessment Questionnaire (E-commerce).

Thank you for reading my review. I hope that it has helped you with your research.

Why I'm Qualified to Write About Credit Card Processing and Merchant Account Services

I'm a former credit card processing sales director who left the industry because I didn't like how it takes advantage of small business owners. It feeds like a leech on businesses and thrives by imposing fees that are nearly impossible to comprehend. Seeing a need for change, I left and built this website to help business owners better understand the industry, research merchant services providers, and get refunds of excessive merchant account fees. My experience of working "behind the curtain" in the industry, and using that knowledge for good, has resulted in millions of dollars returned to hard-working small business owners as well as enterprise-level companies.

From the time that I started working in the merchant services industry to when I left to create this website, I've been on the pulse of payments for nearly 15 years. It didn't seem fair to keep this "insider" knowledge to myself. To lift the fog, I've reviewed hundreds of companies, read thousands of user reviews, and learned the pricing tricks of every provider. If you have questions about credit card processing, you can find the answers on this website.

How I Can Help You

I specialize in helping businesses get refunds of excessive fees and have recovered $1,567,184 this year alone! Submit a recent statement below to find out if you are getting overcharged. I'll take a look at it for free. If I find fees that can be refunded, hire me on contingency. I only get compensated if I put money back into your pocket.
