If your business accepts debit or credit cards, you are required to follow the Payment Card Industry Data Security Standard (PCI DSS). This global security framework applies to every organization that processes, stores, or transmits cardholder data, regardless of size or transaction volume.

The current version, PCI DSS v4.0.1, took full effect on March 31, 2025. All 64 new requirements introduced in version 4.0 are now mandatory, with no remaining grace periods. This represents the most significant update to the standard since its creation, shifting the focus from annual checkbox compliance to continuous, risk-based security.

What Is PCI DSS?

PCI DSS is a set of security standards managed by the PCI Security Standards Council, which was founded in 2006 by American Express, Discover, JCB International, Mastercard, and Visa. The standard exists to protect cardholder data throughout the entire transaction lifecycle, from the moment a card is swiped, tapped, or entered online to the point it reaches the payment processor.

Despite widespread awareness of PCI requirements, compliance rates remain low. According to Verizon’s 2024 Payment Security Report, only about 14.3% of organizations achieved full PCI DSS compliance in 2023, down from 43.4% in 2020.

Key Changes in PCI DSS v4.0.1

The jump from PCI DSS v3.2.1 to v4.0 introduced several major changes that every merchant should understand.

Customized Approach: Organizations can now meet security objectives using innovative controls and new technologies rather than following only the prescriptive requirements. This gives businesses more flexibility in how they achieve compliance.

Multi-Factor Authentication (MFA): MFA is now required for all access to the Cardholder Data Environment (CDE), not just remote administrative access as in previous versions.

Payment Page Script Management: Organizations must inventory and authorize every script executing on their payment pages and implement tamper and change detection mechanisms with alerting.

Stronger Encryption: Where hashing is used to render Primary Account Numbers (PANs) unreadable, it must now be a keyed cryptographic hash computed over the entire PAN.

Scope Documentation: PCI DSS scope must be formally documented and confirmed at least once every 12 months, along with targeted risk analysis for any requirement where flexibility is allowed.
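One way to check a checkout page against a script inventory, as an added example that is not from the article: it parses the page's script tags, flags any script that is not on the authorized list or whose Subresource Integrity (SRI) hash no longer matches, and reports inline scripts, which cannot be pinned by SRI. The inventory, the script body and the page HTML are constructed for the demonstration.

```python
import base64
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag names
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))

def sri_sha384(content: bytes) -> str:
    """Subresource Integrity value for a script body ('sha384-<base64>')."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()

def audit_payment_page(html: str, authorized: dict) -> list:
    """Findings: scripts not in the inventory (src -> expected SRI), scripts
    whose integrity attribute differs from it, and inline scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src is None:
            findings.append(("inline-script", None))  # cannot be pinned by SRI
        elif src not in authorized:
            findings.append(("unauthorized", src))
        elif integrity != authorized[src]:
            findings.append(("integrity-mismatch", src))
    return findings

# Constructed inventory: the expected SRI value is derived from a constructed
# script body so the example runs offline.
CHECKOUT_JS = b"window.checkout = function () {};"
AUTHORIZED = {"/static/checkout.js": sri_sha384(CHECKOUT_JS)}

# Constructed page: one approved script, one unlisted third-party script and
# one inline script.
PAGE = f"""
<script src="/static/checkout.js" integrity="{AUTHORIZED['/static/checkout.js']}"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>console.log('inline');</script>
"""
```

Running the audit on a page fetched on a schedule and alerting on any non-empty result is the change-detection part of the requirement; the inventory itself must be reviewed and approved by a person.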

Merchant Compliance Levels

The card brands classify merchants into four levels based on annual transaction volume. Each level has different validation requirements.

Level 1 (over 6 million transactions per year): Requires an annual on-site audit by a Qualified Security Assessor (QSA), quarterly network scans by an Approved Scanning Vendor (ASV), and a formal Report on Compliance (ROC).

Level 2 (1 million to 6 million transactions per year): Requires an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV network scans.

Level 3 (20,000 to 1 million transactions per year): Requires an annual SAQ and quarterly ASV network scans. No external audit is required.

Level 4 (fewer than 20,000 transactions per year): Requires an annual SAQ with specific requirements determined by the acquiring bank. Most small businesses fall into this category.

Encryption

One of the most important things a business can do to protect cardholder information is encrypt the data from the moment it is captured, whether swiped at a terminal, tapped via contactless payment, or submitted online. The data should remain encrypted throughout the entire transmission to the processor.

The goal of encryption is to make the data practically unusable if it is intercepted by unauthorized parties. Anything sent unencrypted can be read and stolen in transit.

Limit the Cardholder Data Environment

Every location where you store, process, or transmit customer card data is part of your Cardholder Data Environment (CDE). This includes physical locations like file cabinets, digital systems like databases and servers, and cloud-based platforms.

Under PCI DSS v4.0.1, you must formally document your CDE scope and confirm it at least annually. By limiting where cardholder data exists, you reduce your attack surface and simplify compliance.

Tokenization

As an add-on to encryption, tokenization replaces sensitive card data with a unique, randomly generated identifier called a token. The token is stored in a secured central server and can be used to reference the original transaction for returns, recurring billing, and other follow-up actions.

The token itself is meaningless to outside entities. With tokenization, card data does not need to be stored locally: the sensitive information is held centrally, and the tokens serve as the reference points for transactions, which adds another layer of security.
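An added example (not the article's code) covering both the keyed PAN hash from the Key Changes section and the tokenization described above: the vault indexes each card by an HMAC-SHA256 keyed hash of the whole PAN, and callers receive only a random token. The key, the test PAN and the token format are constructed; a real vault would keep the key in an HSM or KMS and encrypt the stored PAN.

```python
import hashlib
import hmac
import secrets

# Constructed key for the demonstration. In production it is generated and
# managed like an encryption key (HSM/KMS) and never stored with the hashes.
HASH_KEY = secrets.token_bytes(32)

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test applied before a PAN is accepted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the entire PAN, as v4.0 requires. An unkeyed
    hash is not unreadable in practice: the candidate space is small once the
    issuer prefix is known, so the secret key is what protects the value."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Swap a PAN for a random token; the PAN itself never leaves the vault."""

    def __init__(self):
        self._by_token = {}  # token -> PAN (encrypted at rest in a real vault)
        self._by_hash = {}   # hash_pan(PAN) -> token, so a repeat card reuses it

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("invalid PAN")
        h = hash_pan(pan)
        if h not in self._by_hash:
            token = "tok_" + secrets.token_hex(16)  # random, carries no PAN bits
            self._by_hash[h] = token
            self._by_token[token] = pan
        return self._by_hash[h]

    def detokenize(self, token: str) -> str:
        """Only the vault (for a refund or recurring charge) resolves a token."""
        return self._by_token[token]

    @staticmethod
    def masked(pan: str) -> str:
        """Display form allowed outside the vault: at most first six, last four."""
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
```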

Outsource to a PCI-Compliant Provider

Many small businesses achieve PCI compliance by working with a third-party payment processor that handles the security requirements on their behalf. A PCI-compliant processor will encrypt transactions, manage tokenization, and maintain the security infrastructure so merchants do not have to.

This approach significantly reduces the merchant’s compliance burden and is especially practical for Level 4 businesses with limited IT resources. To find a provider, check out our recommended credit card processors.

Consequences of Non-Compliance

Non-compliance with PCI DSS can result in significant financial penalties. Card brands fine acquiring banks, which pass those costs along to the merchant. Fines typically start at $5,000 to $10,000 per month and can escalate to $50,000 to $100,000 or more per month for prolonged non-compliance.

Beyond fines, non-compliant businesses may face increased transaction fees, mandatory forensic investigations, termination of their merchant account, and legal liability from affected cardholders. A data breach caused by non-compliance can be devastating enough to shut down a small business entirely.

Self-Assessment Questionnaires

Most small businesses validate their PCI compliance by completing a Self-Assessment Questionnaire (SAQ). The type of SAQ you need depends on how you accept payments.

SAQ A is for e-commerce or mail/phone order merchants that fully outsource all payment processing to a PCI-compliant third party. SAQ B is for merchants using only standalone terminals with no electronic cardholder data storage. SAQ C applies to merchants with a payment application connected to the internet. SAQ D is the most comprehensive and covers all other merchants.

For complete details and the latest SAQ forms, visit the PCI Security Standards Council Document Library.