Payment Card Security: PCI Standards
By Susan Buckner, J.D. | Legally reviewed by Aviana Cooper, Esq. | Last reviewed June 06, 2024
Editorial Note: We earn a commission from affiliate partner links on FindLaw. Commissions do not affect the editorial integrity of our legal content.
This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.
The last updated date refers to the last time this article was reviewed by FindLaw or one of our contributing authors. We make every effort to keep our articles updated. For information regarding a specific legal issue affecting you, please contact an attorney in your area.
Businesses that use credit or debit card payments must follow the data protection standards created by the PCI Security Standards Council. Major credit card companies established this organization to protect businesses, consumers, and banks from security breaches. All credit card companies and any business that accepts payments from them must follow payment card industry data security standards (PCI DSS).
The major credit card companies (Visa, Mastercard, American Express, and Discover) want to avoid cardholder data breaches and loss of trust. Large and small businesses must follow these guidelines to transact with any signatory bank.
The Federal Trade Commission (FTC) has not issued a formal mandate or regulation requiring PCI compliance. Compliance has the force of law based on convenience and legal precedent. A business does not have to be PCI compliant, but it will not be able to do business with credit cards, a necessity in e-commerce.
Meeting PCI DSS Standards
Merchants handling payment cards should contact the PCI Security Standards Council for a complete list of PCI DSS requirements. To ensure full compliance, there are 12 key requirements, 78 base requirements, and 400 test procedures. Small businesses can find compliance difficult, and PCI recommends hiring an auditor or PCI assessor to help with the process.
There are four categories of PCI merchants. Business owners can determine their category by reviewing their credit card transactions and determining the number each company assigns to those transactions. For instance, Visa Level 4 merchants process fewer than 1 million total Visa transactions each year.
Companies must complete a self-assessment questionnaire to meet the PCI data security standards. This determines which of the four categories the company falls into and what level of compliance is necessary.
Three-Step Summary of PCI DSS Compliance
The 12 key requirements have three basic steps. This can make PCI compliance for small businesses easier than simultaneously trying to meet all 12 conditions. Reviewing your business data management systems with these three core concepts makes compliance easier.
- Assessment — Review your IT infrastructure for vulnerabilities. Identify weak points and likely areas for data breaches. PCI compliance extends to all parties involved in credit card data processing, including third-party transmission agents.
- Remediation — The next step is repairing vulnerabilities when you have located them. A PCI Approved Scanning Vendor must perform a network scan for some merchant accounts. Be sure your system components and security software can resist hacking and data leaks.
- Reporting — PCI compliance includes regular reports to PCI, banks, and credit and debit card companies. Carry out regular network scans. Compliance is not a one-time duty. Businesses must stay vigilant and compliant for the life of the company. Quarterly and annual assessments are mandatory.
Small business owners can get help for compliance through PCI and the Small Business Administration. Any company that carries out e-commerce transactions needs PCI compliance to do business today.
Compliance Requirements and How To Meet Them
The 12 basic PCI requirements protect customer credit card information, deter hackers, and limit access to payment processing. Businesses should have other cybersecurity measures in place. These depend on their business needs and the nature of their companies.
- Maintain robust firewalls. Conduct regular tests of network connections. Limit or block connections to unauthorized or unrecognized networks, and prevent installation of potential malware or spyware.
- Change default passwords. Strong passwords are a must. One industry survey found that more than 50% of all users left the default password and user name on vendor hardware. Defaults are usually "admin" and "password," so change these immediately. Limiting functionality for some users or features is essential.
- Encrypt cardholder data. Protect stored data and transmitted data during transmission and in storage. Use end-to-end encryption for all credit card numbers and cardholder data.
- Protect stored data. Secure electronic and paper data and destroy it when no longer needed. IT and legal must work together on an information security policy that complies with PCI requirements and state and federal data storage and disposal laws.
- Use reliable antivirus software. Run regular updates and system scans. Quarantine any viruses or malicious software and report them to the software provider.
- Develop in-house security systems. Businesses should have their own security reporting processes. Employees should have methods of locating and taking action on vulnerabilities and reporting data breaches.
- Limit access to cardholder data. Payment data access should be on a need-to-know basis. Companies should define the roles, responsibilities, and access requirements for each area that handles cardholder information and payment processing.
- Assign unique IDs for all computer access. Use two-level authentication for any computer use and access to cardholder information.
- Limit physical access to account numbers and other cardholder information. Log and record use of point-of-sale (POS) hardware.
- Audit use of networks and cardholder data. Ensure the security of all data and hardware by reviewing your software and hardware logs and validation.
- Test all systems and processes. PCI requires quarterly testing for all members and annual onsite inspections for Level 4 merchants. Businesses should perform their own vulnerability scans and check for access breaches regularly.
- Create a written information security policy. Update your policy at least once a year. Explain everyone's duties and responsibilities for protecting data and reporting vulnerabilities.
More Tips and Suggestions
Third parties are also required to be PCI compliant. Some credit card companies, such as Visa, maintain a list of PCI-compliant service providers. Businesses should use these providers for POS transactions.
Do not store the magnetic encoded card information. This may contain more than the card numbers. Never keep the CVV security code (the 3-digit code on the back of the card).
Industry research suggests that changing in-house passwords every 30 days does not protect your data. It may be harmful since employees cannot remember randomly generated passwords. Microsoft recommends adopting data protection policies that don't need regular password changes.
For more information (written for a consumer audience), see Paying for Goods Online and Tips for Safe Online Shopping.
If You're Not PCI Compliant
There are no legal penalties for non-compliance. Businesses are not required to use credit cards for payment, although it would be difficult in today's online world. Even Venmo and PayPal are PCI compliant, as are their vendors.
For PCI-compliant merchants, the penalties for failing to maintain compliance can be stiff. Fines range from $ 5,000 to $10,000 per month until you have corrected the issue. Repeated problems can lead to removing the attestation of compliance. It can also remove your ability to accept credit card transactions.
Companies that depend on credit card processing to conduct business should follow the PCI regulations and maintain good data security.
Implementing Payment Card Security Measures: Get Legal Help
You must follow payment card security standards if you sell goods online using credit cards. But, since not all situations are the same, you may need professional help. Contact a business and commercial law attorney in your area for legal assistance.
Next Steps
Contact a qualified business attorney to help you address you business's operational needs.
Help Me Find a Do-It-Yourself Solution
Stay up-to-date with how the law affects your life
Learn more about FindLaw’s newsletters, including our terms of use and privacy policy.
FindLaw will earn a commission if you purchase business formation products through these affiliate links.
Meet FindLaw's trusted partner LegalZoom, an industry leader in online business formations
Kickstart your LLC in minutes!
Join the millions who launched their businesses with LegalZoom.
LLC plans start at $0 + state fees.
Prefer to work with a lawyer?