Ecommerce data breaches have steadily climbed, with three-quarters of businesses reporting a net increase in attacks since 2020.
Securing cardholder data is a top priority for online businesses processing payment transactions. The first step is meeting PCI compliance requirements, which ensure adherence to strict security standards.
What is PCI compliance?
PCI compliance is the adherence to the security standards outlined in the Payment Card Industry Data Security Standard (PCI DSS). These standards ensure companies that process, store, or transmit credit card information are taking the necessary steps to secure cardholder data and prevent data breaches, fraud, and unauthorized access. Cardholder data refers to payment details for debit, credit, and prepaid cards, as well as all associated personal information, like names and addresses.
The specific PCI compliance requirements depend on the size of your company and the number of credit card transactions you process per year. PCI compliance levels determine the specific requirements and validation procedures. These four levels of PCI compliance are laid out by the key members of the PCI DSS, and other card brands may have variations on these categories.
There are four levels:
PCI Compliance Level 1
The highest level of compliance, required for companies who process more than six million transactions per year and payment facilitators who process more than 300,000 transactions per year.
PCI Compliance Level 2
Required for companies that process between one million and six million transactions per year and payment facilitators who process fewer than 300,000 transactions per year.
PCI Compliance Level 3
Required for companies that process 20,000 to one million transactions per year.
PCI Compliance Level 4
Required for companies that process up to 20,000 transactions per year.
While PCI compliance is not enforced at the federal level, non-compliance has legal implications. In some states—like Nevada—PCI compliance is mandated by law. Credit card companies and numerous banks incorporate PCI compliance requirements in their terms of service. Non-compliance can result in severe penalties, fines, and legal consequences.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. These are the requirements you must meet to remain PCI compliant. PCI DSS was created by the Payment Card Industry Security Standards Council (PCI SSC), which was founded as an independent organization in 2006 by Visa, Mastercard, American Express, Discover, and JCB.
PCI SSC created the PCI DSS to improve and standardize existing security checks and balances in the industry. It aims to ensure ecommerce businesses meet the technical, operational, and security requirements needed to keep cardholder data safe.
Ecommerce platforms like Shopify are fully PCI compliant by default, ensuring all businesses remain up-to-date with requirements in perpetuity. Individual modules within the platform—like Shopify Payments—also fulfill all PCI compliance requirements, regardless of the number of transactions you process.
12 requirements of PCI DSS Compliance
Install and maintain a secure network
Apply secure configurations to all system components
Protect stored account data
Protect cardholder data during transmission over public networks
Protect systems and networks from malicious software
Develop and maintain secure systems and software
Restrict access to system components and cardholder data on a need to know basis
Identify users and authenticate their access
Restrict physical access to cardholder data
Monitor and log access to systems and cardholder data
Regularly test networks and security systems
Maintain and support information security with policies and programs
PCI DSS requirements are operational, technical, and procedural instructions that help protect cardholder data from malicious actors. Here are six objectives for PCI DSS compliance:
1. Install and maintain a secure network
Implement network security controls and tools like firewall configurations and anti-virus software. Validate and allow only trusted traffic into your cardholder data environment, and create a secure systems zone for card data storage. Regularly test security systems to ensure they remain compliant.
2. Apply secure configurations to all system components
Hackers often try to breach systems by using default password settings to access sensitive information. Ensure system passwords and other security parameters are unique and aren’t set to the vendor-supplied default.
Make sure your team uses strong passwords to access software that handles customer payment information. Apply secure configurations like password protocols, two-factor authentication (2FA), restricted sharing, and permission restrictions.
3. Protect stored account data
Ensure cardholder and account data is stored in a protected environment. Enhance data security by implementing policies and processes that minimize risk. These include:
Point-to-point encryption (P2PE): P2PE is a secure data transmission method that protects sensitive information during its journey from one point to another. Truncation: Truncation protects cardholder data by removing or masking a portion of sensitive information, making it unreadable and reducing the risk of unauthorized access or fraud. For example, storing parts of a password or credit card number. Masking: Modifying and storing sensitive data in such a way that it’s unusable or of little value to potential hackers. For example, only including part of a customer’s credit card number on a receipt. Hashing: Converting sensitive information, like credit card numbers, into a fixed length and irreversible alphanumeric string makes it difficult for attackers to reverse-engineer the original data.
4. Protect cardholder data during transmission over public networks
Ensure cardholder and account data is encrypted when transmitted across open, public networks.
5. Protect systems and networks from malicious software
Set up processes for identifying, classifying, remediating, and mitigating system vulnerabilities using a combination of employee training, data security processes, and monitoring tools. This includes protecting all systems against malware and updating antivirus software regularly.
6. Develop and maintain secure systems and software
Avoid hacks with the help of vendor-provided security patches, monitoring your software lifecycle (SLC), and implementing secure coding techniques.
You can help ensure data security is maintained by creating a specialized team to oversee auditing your store’s network and data management practices. This team conducts regular audits to identify potential vulnerabilities and implement security improvements.
7. Restrict access to system components and cardholder data on a need to know basis
Ensure critical data is only accessible by authorized systems and individuals on a need-to-know and need-to-use basis.
8. Identify users and authenticate their access
Use login IDs to authenticate those with access to the network. Set permissions for each ID that restrict access, create user privileges, and track who is doing what with stored cardholder data.
For example, a company may only grant access to unencrypted credit card data to a core group of employees on the data security team. All other employees are either not granted access to personal information or shown only truncated versions of the data to help with customer inquiries and order fulfillment.
9. Restrict physical access to cardholder data
Use security systems to lock away devices that store sensitive data and restrict physical access to areas of the store where these devices are kept. Set up surveillance cameras to monitor spaces that might be vulnerable to a physical breach.
10. Monitor and log access to systems and cardholder data
Track network access points, activity, time stamps, and change logs—records of what is changed or updated in the system—to audit customer data usage.
This is useful in the event of a data breach. When these occur, network security teams reverse engineer the path through which the nefarious actor entered the system. Tracked access points, activities, time stamps, and change logs provide breadcrumbs to those teams, helping them determine how the hacker gained access to the system and what they did once inside.
11. Regularly test networks and security systems
Stress test your network security. For example, simulate spikes in traffic to your ecommerce store or imitate attacks on the network. This lets you identify weak points, outdated software or applications, and other vulnerabilities.
12. Maintain and support information security with policies and programs
Establish a dedicated information security policy for all employees outlining:
Technological requirements for network security, including firewalls, anti-virus software, and password protections Best practices for network usage, data usage, and data storage Key roles and responsibilities across the organization, including data security leaders Identify requirements for all staff members, including data classification guidelines, using strong passwords, following data handling procedures, and undergoing regular security training Processes for identifying and reporting potential vulnerabilities in data security, including phishing scams and improper data transfers
This provides a baseline of technical and operational requirements designed to protect cardholder data and ensure consistent data security measures globally.
Consequences of non-compliance
PCI compliance is obligatory for businesses that collect and handle cardholder data through major credit card issuers like Visa, Mastercard, American Express, Discover, and JCB or transacting through banks that enforce compliance. Each includes its own language about PCI compliance in its service agreement outlining what businesses must do to remain compliant and the consequences of non-compliance.
Failure to comply with the PCI data security standard while transacting through these companies can open you up to potential fines levied by banks or payment card companies. These range from hundreds of dollars per month for small businesses to hundreds of thousands of dollars per month for larger enterprises.
Fines resulting from PCI non-compliance can be intricate. In case of a breach at an online store, the credit card brand may investigate the processing bank to assess their level of PCI compliance for the involved business. Should they discover non-compliance on either the bank or the business’s part, fines may be imposed on the bank. The bank may transfer these fines to the offending company, which could face higher transaction fees or termination of the transaction agreement. Fines can also be levied by the acquiring bank, but not the card brands directly.
Monetary penalties aren’t the only risk of non-compliance with PCI DSS. Companies that fail to protect stored cardholder data put themselves—and their customers—at risk of potential data breaches and hacks. A data breach can have far-reaching consequences, including identity theft, damage to the company’s reputation, loss of customers, and potential lawsuits, insurance claims, and government fines.
According to IBM’s Cost of Data Breach Report 2023, the average cost of a data breach across all industries reached $4.45 million in 2023. These costs factor in:
Time committed to identifying, patching, and remediating the effects of the data breach
Financial losses to the company due to system outages and customer turnover
Long-term loss of reputation and trust amongst customers
How to become PCI compliant
Determine your PCI compliance level
Map the flow of cardholder data
Fill out the Self-Assessment Questionnaire (SAQ)
Fill out the Attestation of Compliance (AOC)
Scan your network used to process payments
Submit all documents to key stakeholders
Undergo regular assessments and validations
You have two choices for becoming PCI compliant: Using an ecommerce platform that manages compliance for you (like Shopify), or managing the process yourself.
For companies that want to manage PCI compliance themselves, there are seven requirements:
1. Determine your PCI compliance level
Find out how many credit card transactions you process annually to determine which PCI compliance level you need to meet. Shopify’s compliance covers all four PCI compliance levels and applies to every store using the platform.
2. Map the flow of cardholder data
Take stock of all applications, systems, and people who work with stored credit card data to form a complete picture of where information is collected, how it’s used, and where potential vulnerabilities lie.
3. Fill out the Self-Assessment Questionnaire (SAQ)
The Self-Assessment Questionnaire (SAQ) is a self-assessment form for secure payment card handling to validate your PCI compliance. Primarily for smaller businesses, the SAQ allows you to verify your compliance with PCI DSS requirements for your level. If you fall short, you can take steps to achieve compliance, which could include security investments, upgrades, or maintenance.
4. Fill out the Attestation of Compliance (AOC)
The Attestation of Compliance (AOC) is a form you complete and submit to the PCI SSC to declare that your business complies with your level’s requirements. This form ensures and validates that you’ve fulfilled every compliance step.
5. Scan your network used to process payments
A thorough scan of your network is required to validate security and compliance. This process involves internal network scans (which audit data security within the network) and external network scans (which stress test the network against simulated outside threats and attacks).
These scans aim to identify and address potential vulnerabilities. Some compliance levels require these scans to be completed by an outside firm designated as an Approved Scanning Vendor (ASV). These may be required quarterly, and can cost a few hundred dollars per year.
6. Submit all documents to key stakeholders
In addition to the PCI SSC, you may need to submit documents to your partner banks, credit card companies, and any other vendor with contractual PCI requirements. Each bank and credit card company has requirements based on its terms of service. Consult your service agreement for more information about what information is required and when.
7. Undergo regular assessments and validations
PCI compliance requires annual assessments and validations, either internally or through third-party auditors. The specific requirements and who is in charge of performing the network audits depend on your PCI compliance level.
Level 1 merchants that process more than six million transactions per year are required to have an annual on-site review by a Qualified Security Assessor. This can cost between $10,000 and $50,000 per year, and doesn’t include the cost of required security upgrades or maintenance.
Start selling in-person with Shopify POS
Shopify POS is the easiest way to start selling in-person. Take your brand on the road and accept payments, manage inventory and payouts, and sell everywhere your customers are—farmer’s markets, pop-up events and meetups, craft fairs, and anywhere in between.
PCI compliance requirements FAQ
How often do I need to be PCI compliant?
PCI compliance must be validated every year. It’s an ongoing requirement for all merchants who accept payment card data to process payments.
How long does it take to become PCI compliant?
The time required to achieve PCI compliance varies based on factors like system complexity, company size, desired compliance level, and the duration of necessary steps. Typically, companies can achieve compliance within one day to a few weeks.
How much does it cost to become PCI compliant?
The cost of PCI compliance depends on various factors, including:
Internal resources required to manage PCI compliance
Your compliance level, which dictates if you need to use external vendors
Your organization’s size, existing security culture, and network security
Fees associated with using PCI-compliant platforms or payment facilitators
Most platforms, like Shopify, include PCI compliance in the cost of the platform.
Is PCI compliance enough to ensure the security of my business?
PCI compliance is crucial to securing cardholder data in online transactions, but it shouldn’t be viewed as the sole solution. Consider it a single layer of security within a comprehensive security program that addresses all areas where data is collected and exchanged.
What is a PCI compliance audit?
A PCI compliance audit is an evaluation conducted by a qualified security assessor (QSA) or an internal security assessor (ISA) to verify a company is adhering to the Payment Card Industry Data Security Standard (PCI DSS). This audit is required for larger businesses, known as Level 1 merchants, that process more than six million credit card transactions annually. Smaller businesses may also choose to undergo an audit to ensure they are following best practices for securing cardholder data. The QSA or ISA will provide a Report on Compliance (ROC) detailing whether the company is compliant with each requirement of the PCI DSS.
A compliance audit includes:
Reviewing the company’s policies and procedures
Examining the company’s IT environment
Conducting interviews with staff
Performing vulnerability scans and penetration testing