PCI Compliance Checklist
If your business accepts credit or debit cards, you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This guide breaks down what PCI compliance means in practical terms, which requirements apply to your business, and how to stay compliant without hiring a security team.
What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created by Visa, Mastercard, American Express, Discover, and JCB. It applies to every organization that stores, processes, or transmits cardholder data — which means every merchant that accepts cards, regardless of size.
PCI DSS is not a law, but it is enforced through the card network rules that govern your merchant agreement. If you are found to be non-compliant, your processor can assess fines, increase your processing rates, or in severe cases, terminate your account. If a data breach occurs while you are non-compliant, you can be held liable for the full cost of fraud losses, forensic investigations, and card reissuance.
PCI Compliance Levels
Visa and Mastercard define four merchant levels based on annual transaction volume. Your level determines how you validate compliance.
Level 1: Requires an annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), plus quarterly network scans by an Approved Scanning Vendor (ASV). Typically large retailers, airlines, and eCommerce platforms.
Level 2: Requires an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans. Some acquirers may require an on-site assessment at their discretion.
Level 3: Requires an annual SAQ and quarterly ASV scans. This level applies specifically to eCommerce merchants.
Level 4: Requires an annual SAQ and may require quarterly ASV scans depending on the acquirer. This is where the vast majority of small and mid-sized businesses fall.
The 12 PCI DSS Requirements in Plain English
PCI DSS is built on 12 core requirements organized into 6 goals. Here is what each one means for your business.
Build and Maintain a Secure Network
1. Install and maintain network security controls
Use firewalls (or equivalent) to protect your network. Do not use vendor-supplied default passwords on routers, firewalls, or any network equipment.
2. Apply secure configurations to all system components
Change all default passwords, remove unnecessary services, and harden every system that touches cardholder data. This includes POS terminals, servers, and workstations.
Protect Cardholder Data
3. Protect stored account data
Do not store cardholder data unless absolutely necessary. If you must store it, encrypt it. Never store the CVV, PIN, or full magnetic stripe data after authorization.
4. Protect cardholder data during transmission
Encrypt cardholder data whenever it is sent over public networks (the internet, Wi-Fi). Use TLS 1.2 or higher. Never send card numbers via email, chat, or SMS.
Maintain a Vulnerability Management Program
5. Protect all systems against malware
Install and regularly update anti-virus or anti-malware software on all systems commonly affected by malware, including POS workstations.
6. Develop and maintain secure systems and software
Apply security patches within one month of release. If you develop custom payment software, follow secure coding practices and test for vulnerabilities.
Implement Strong Access Controls
7. Restrict access to cardholder data by business need
Only employees who need cardholder data to do their job should have access. Use role-based access controls.
8. Identify users and authenticate access
Every person with computer access must have a unique ID. No shared accounts. Use strong passwords or multi-factor authentication for access to systems with cardholder data.
9. Restrict physical access to cardholder data
Lock up POS terminals, servers, and paper records. Limit physical access to areas where cardholder data is stored. Use cameras or access logs where appropriate.
Regularly Monitor and Test Networks
10. Log and monitor all access to cardholder data
Maintain audit logs of all access to network resources and cardholder data. Review logs regularly for suspicious activity. Retain logs for at least one year.
11. Test security of systems and networks regularly
Run quarterly vulnerability scans (via an ASV for external scans). Conduct annual penetration testing. Test intrusion detection systems regularly.
Maintain an Information Security Policy
12. Support information security with policies and programs
Create and maintain a written security policy that addresses all PCI DSS requirements. Train all employees on security awareness annually. Assign responsibility for security management.
Self-Assessment Questionnaire (SAQ) Types
Not every merchant fills out the same questionnaire. The SAQ type you need depends on how you accept and process card payments.
SAQ A — Card-Not-Present, Fully Outsourced
For eCommerce or mail/telephone order merchants who have fully outsourced all cardholder data functions to a PCI DSS-validated third party. The card data never touches your systems. This is the simplest SAQ with only 22 requirements. If you use a hosted payment page (like Stripe Checkout or a PaySec hosted form), this likely applies to you.
SAQ A-EP — eCommerce with Partial Outsourcing
For eCommerce merchants whose website controls the checkout experience but submits card data directly to a third-party processor via JavaScript or an API redirect. Your server never stores card data, but your website could be compromised to intercept it. More requirements than SAQ A, including vulnerability scanning.
SAQ B — Imprint or Standalone Dial-Out Terminals
For merchants using only imprint machines or standalone dial-out terminals that are not connected to the internet. These terminals connect directly to the processor over a phone line. Increasingly rare but still applicable for some brick-and-mortar businesses.
SAQ C — Payment Application Connected to the Internet
For merchants with POS systems or payment terminals connected to the internet but that do not store cardholder data electronically. The most common SAQ for retail merchants using modern IP-connected terminals.
SAQ D — All Other Merchants
The most comprehensive SAQ, covering all 12 PCI DSS requirements. Required for merchants who store cardholder data electronically, process payments through their own systems, or do not fit into any other SAQ category. This is the most complex questionnaire and may require professional assistance to complete accurately.
Compliance Requirements Checklist
Use this timeline to stay on top of your PCI obligations throughout the year.
Monthly Tasks
Review access logs for systems that store or process cardholder data
Verify that all security patches released in the prior month have been applied
Confirm anti-virus/anti-malware definitions are up to date on all relevant systems
Review user accounts and disable any that are no longer needed
Inspect POS terminals for signs of tampering or skimming devices
Quarterly Tasks
Run external vulnerability scans through an Approved Scanning Vendor (ASV)
Run internal vulnerability scans on networks and systems in the cardholder data environment
Review and update firewall and router rule sets
Verify that wireless networks are scanned for unauthorized access points
Test intrusion detection / prevention systems
Annual Tasks
Complete your Self-Assessment Questionnaire (SAQ) and submit the Attestation of Compliance (AOC) to your acquirer
Conduct a formal risk assessment identifying threats to cardholder data
Perform or commission a penetration test of your cardholder data environment
Review and update your written information security policy
Conduct security awareness training for all employees
Review all third-party service provider PCI compliance status
Verify that encryption keys are rotated per your key management policy
Update your network diagram and cardholder data flow diagram
Common PCI Compliance Mistakes
Even well-intentioned merchants make these errors. Avoid them to stay compliant and reduce your risk.
Storing card data in spreadsheets or email
Writing down full card numbers, emailing them to colleagues, or keeping them in an Excel file violates PCI DSS. Use tokenization instead — store a token that references the card without exposing the actual number.
Using default passwords on POS systems
Many POS terminals and back-office systems ship with default credentials (admin/admin, 1234, etc.). Attackers know these defaults. Change every default password during initial setup.
Ignoring the annual SAQ
Many merchants are never informed that they need to complete an annual Self-Assessment Questionnaire. Their processor silently charges a monthly non-compliance fee instead of helping them become compliant. Ask your processor which SAQ applies to you and complete it.
Connecting POS terminals to unsecured Wi-Fi
Payment terminals should be on a dedicated, segmented network — not on the same Wi-Fi your customers or employees use for browsing. Network segmentation limits the blast radius if any device is compromised.
Not inspecting terminals for tampering
Skimming devices can be installed on terminals in seconds. Train staff to inspect terminals at the start of each shift for loose parts, unusual overlays, or extra wires.
How PaySec Simplifies PCI Compliance
PaySec is built to reduce your PCI compliance burden so you can focus on your business rather than security checklists.
- P2PE-certified terminals. Our point-to-point encryption terminals encrypt card data at the point of interaction. With P2PE, card data never exists in plaintext in your environment, which can reduce your SAQ scope from hundreds of questions to as few as 33 (SAQ P2PE).
- Tokenization for recurring payments. When you store a card on file for repeat customers, PaySec replaces the actual card number with a non-reversible token. Even if your system is breached, the tokens are useless to attackers.
- PCI-certified payment gateway. Our gateway is PCI DSS Level 1 certified and undergoes annual audits by a Qualified Security Assessor. When you process through PaySec, the heaviest security lifting is handled on our infrastructure.
- Free SAQ assistance. Our compliance team helps you determine which SAQ applies to your business and walks you through completing it at no additional charge.
- No PCI non-compliance fees. We do not charge monthly PCI fees or non-compliance penalties. Instead, we help you become compliant.
Non-Compliance Penalties
The consequences of PCI non-compliance are severe and multi-layered. Understanding them underscores why compliance is not optional.
Monthly Non-Compliance Fines
Card networks can fine acquiring banks $5,000 to $100,000 per month for non-compliant merchants. These fines are passed through to the merchant.
Increased Processing Rates
Many processors increase interchange rates or add surcharges for merchants who have not validated PCI compliance. This effectively raises your cost of acceptance.
Breach Liability
If a data breach occurs while you are non-compliant, you can be liable for: forensic investigation costs ($20,000 to $50,000+), cost of reissuing compromised cards ($3 to $10 per card), fraud losses on compromised cards, notification costs to affected cardholders, and legal fees.
Account Termination
In extreme cases, your processor can terminate your merchant account entirely, leaving you unable to accept card payments. Being placed on the MATCH list (Member Alert to Control High-Risk Merchants) can make it difficult to get a new merchant account for up to five years.
Need Help With PCI Compliance?
PaySec merchants get free compliance assistance, P2PE terminals, and zero PCI fees. Let our team simplify your compliance journey.