We cover the standard’s origins and who must comply, the 12 security requirements organized into six objectives, merchant compliance levels and step-by-step validation, SAQ types and common mistakes, and the real costs of compliance versus non-compliance.
PCI DSS was created to unify the separate security programs of major card brands into one consistent framework. Founded by American Express, Discover, JCB International, MasterCard, and Visa, the standard applies to every organization that stores, processes, or transmits cardholder data, from small businesses to enterprise merchants.
The 12 requirements span six core objectives: secure networks, data protection through encryption and access controls, vulnerability management, strong logical and physical access restrictions, continuous monitoring with regular testing, and documented information security policies.
Four merchant levels based on annual transaction volume determine specific validation requirements. Level 1 merchants need full on-site assessments, while Level 4 merchants validate through self-assessment questionnaires and quarterly scans. Choosing the correct SAQ type for your payment environment is critical; misjudging scope or selecting the wrong questionnaire ranks among the most frequent compliance errors.
Compliance costs range from $300 annually for small merchants to over $60,000 for enterprises, depending on complexity. Those figures pale against the consequences of non-compliance: monthly fines from $5,000 to $100,000 and average breach costs reaching $4.88 million in 2024.
What Is PCI DSS and Why Does It Exist?
PCI DSS is a global security standard that protects cardholder data wherever payment card transactions occur. It was created to unify the separate security programs of major card brands into one consistent framework, reducing fraud and data breaches across the payment industry.

Before PCI DSS, each card network enforced its own rules, creating confusion for merchants handling multiple brands. PCI DSS version 1.0 was officially introduced in December 2004 as an internationally uniform standard to make card transactions more secure for businesses and customers, according to Secureframe. The PCI Security Standards Council (PCI SSC) was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc. to manage and evolve the standard globally.
The standard exists because payment card fraud poses significant financial and reputational risk to every organization in the transaction chain. PCI DSS establishes a baseline of technical and operational controls, covering everything from network security and encryption to access management and regular testing. Compliance is not optional; acquiring banks and card brands require it as a condition of accepting card payments.
Since its initial release, the standard has undergone several revisions to address evolving threats. The current version, PCI DSS v4.0.1, was published on June 11, 2024 as a limited revision that clarifies requirement intent without adding or deleting requirements. For high-risk merchants in particular, maintaining PCI compliance delivers real-world benefits: reduced breach risk, stronger customer confidence, and potentially lower transaction fees.
Understanding what PCI DSS is and why it exists provides the foundation for everything that follows, from determining who must comply to navigating the 12 specific requirements.
Who Must Comply With PCI DSS Requirements?
Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS requirements. This applies to merchants, service providers, and financial institutions regardless of size or transaction volume. The sections below clarify obligations for small businesses, e-commerce merchants, and high-risk merchants.

Do Small Businesses Need PCI DSS Compliance?

Yes, small businesses need PCI DSS compliance if they accept credit or debit card payments in any form. Transaction volume determines the specific compliance level and validation requirements, but no business is exempt simply because of its size.

Small businesses are frequent targets for cybercriminals precisely because attackers assume weaker security controls. According to a 2024 report by Feroot, the average cost of a data breach reached $4.88 million, with 43% of cyber attacks specifically targeting small businesses.
Even the smallest merchant accepting a single card payment falls under PCI DSS scope. Lower-volume merchants typically qualify for simplified Self-Assessment Questionnaires, which reduce the compliance burden while still enforcing essential security controls.
Do E-Commerce-Only Merchants Need PCI DSS Compliance?
Yes, e-commerce-only merchants need PCI DSS compliance. Selling exclusively online does not eliminate the obligation to protect cardholder data. In fact, online transactions carry elevated risk because card-not-present environments are more susceptible to fraud.

Compliance requirements scale with transaction volume across each card brand. American Express, for example, classifies Level 1 merchants as those processing more than 2.5 million transactions annually, requiring an annual Report on Compliance and quarterly network scans.
E-commerce merchants who outsource payment processing to PCI-compliant third parties can often reduce their scope, but they still must validate compliance through the appropriate SAQ. For many online-only businesses, ignoring PCI obligations is among the costliest mistakes, since compliance also delivers reduced breach risk and improved customer confidence.
Do High-Risk Merchants Have Additional PCI DSS Obligations?
High-risk merchants have the same core PCI DSS obligations as any other merchant, but their operating environments often trigger additional validation and monitoring requirements.

Merchants with external-facing IP addresses or those storing cardholder data must engage Approved Scanning Vendors to perform quarterly external vulnerability scans. E-commerce merchants who outsource transaction processing to PCI-compliant third parties but still maintain a website may need to complete SAQ A-EP, which carries more extensive requirements than the standard SAQ A.
High-risk industries frequently face closer scrutiny from acquiring banks and card brands, which may impose stricter reporting timelines or mandate on-site assessments earlier than standard thresholds require. Proactive compliance is not just a regulatory checkbox for these merchants; it is a practical safeguard that protects revenue and long-term processing relationships.
With compliance scope established, understanding the 12 specific PCI DSS requirements clarifies what these obligations look like in practice.
What Are the 12 Requirements of PCI DSS?
The 12 requirements of PCI DSS are a set of security controls organized into six core objectives. These objectives cover secure networks, data protection, vulnerability management, access control, monitoring, and security policies.
Build and Maintain a Secure Network and Systems
Building and maintaining a secure network and systems requires installing network security controls, applying secure configurations, and defending against malicious software. Requirement 2 of PCI DSS v4.0 specifically forbids the use of vendor-supplied default passwords on any system component.

Organizations must also develop and maintain secure software, including the timely installation of critical security patches. According to Oligo Security, Requirement 5 of PCI DSS v4.0 requires organizations to protect all systems and networks from malicious software and to regularly update anti-virus programs. Regular vulnerability scans and penetration testing validate that these defenses remain effective. Neglecting any single layer, whether firewall rules, patching schedules, or malware protection, can expose the entire cardholder data environment.
Protect Cardholder Data
Protecting cardholder data involves encrypting stored account data, securing transmissions, and controlling who can access sensitive information. Requirement 3 of PCI DSS v4.0 requires organizations to protect stored account data using strong cryptography and to ensure Primary Account Numbers (PAN) are unreadable wherever stored.

Key data protection controls include:
- Transmission encryption: Cardholder data must be protected with strong cryptography during transmission across open, public networks.
- Need-to-know access: Access to system components and cardholder data must be restricted by business need to know.
- Multi-factor authentication: PCI DSS v4.0 mandates MFA for all access into the Cardholder Data Environment (CDE).
- Audit logging: Organizations must track and monitor all access to network resources and cardholder data.
Maintain a Vulnerability Management Program
A vulnerability management program ensures organizations proactively identify and remediate security weaknesses before attackers exploit them. This includes deploying anti-malware solutions across all systems, keeping software current with security patches, and conducting regular vulnerability assessments. Effective vulnerability management treats security as a continuous cycle rather than a one-time checklist item.

Implement Strong Access Control Measures

Strong access control measures restrict both logical and physical access to cardholder data. According to Entrust, Requirement 9 of PCI DSS v4.0 enforces strong physical security controls to restrict physical access to cardholder data, protecting against theft, tampering, and insider threats. Logical controls complement physical ones by limiting system access based on role and business necessity. Without both layers working together, sensitive payment data remains vulnerable.

Regularly Monitor and Test Networks

Regularly monitoring and testing networks means tracking all activity within the cardholder data environment and validating security controls through scheduled assessments. Continuous log monitoring detects suspicious access patterns in real time, while periodic vulnerability scans and penetration tests confirm that defenses hold under simulated attack conditions. Organizations that skip regular testing often discover gaps only after a breach has occurred.

Maintain an Information Security Policy

Maintaining an information security policy provides the organizational framework that supports every other PCI DSS requirement. Requirement 12 of PCI DSS v4.0 requires organizations to support information security with organizational policies and programs, including performing targeted risk analyses for customized controls. Policies must define employee responsibilities, incident response procedures, and security awareness training schedules. A well-documented policy turns compliance from an abstract goal into daily operational practice.

With all 12 requirements mapped, understanding which compliance level applies to your business determines the specific validation steps you need to follow.
What Are the PCI DSS Compliance Levels for Merchants?
The PCI DSS compliance levels for merchants are four tiers based on annual transaction volume. Each level carries specific validation requirements. The sections below break down Level 1 through Level 4 merchants.
Level 1 Merchants
Level 1 merchants are businesses that process over 6 million card transactions annually across any card brand. These merchants face the most rigorous validation requirements, including an annual on-site assessment by a Qualified Security Assessor (QSA), a formal Report on Compliance (ROC), and quarterly network vulnerability scans by an Approved Scanning Vendor. Any merchant that has suffered a data breach may also be escalated to Level 1 regardless of transaction volume. For organizations at this scale, the cost and complexity of compliance are significant, but so is the risk exposure that justifies it.

Level 2 Merchants

Level 2 merchants process between 1 million and 6 million card transactions per year. Validation typically requires an annual Self-Assessment Questionnaire (SAQ) and quarterly network scans by an Approved Scanning Vendor. Some acquiring banks may still request an on-site assessment depending on the merchant’s risk profile. While the validation burden is lighter than Level 1, Level 2 merchants still handle substantial transaction volumes that demand strong cardholder data protections.

Level 3 Merchants

Level 3 merchants process between 20,000 and 1 million e-commerce transactions annually. These businesses complete an annual SAQ appropriate to their payment environment and undergo quarterly vulnerability scans. Because this tier captures many growing online businesses, correctly identifying the right SAQ type is critical. Misclassifying your payment model at this stage is one of the most common compliance mistakes.

Level 4 Merchants

Level 4 merchants are businesses processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. According to the PCI DSS Guide, Visa defines Level 4 merchants as those processing fewer than 20,000 Visa e-commerce transactions annually or up to 1 million total Visa transactions. Validation requirements include an annual SAQ and quarterly network scans, though enforcement often depends on the acquiring bank. Despite the lighter requirements, Level 4 merchants remain frequent targets for attackers precisely because smaller businesses tend to underinvest in security controls.

Understanding your merchant level determines every subsequent compliance decision, from SAQ selection to budget planning.
How Do You Become PCI DSS Compliant Step by Step?
You become PCI DSS compliant step by step by determining your merchant level, completing the correct self-assessment questionnaire, running vulnerability scans, and submitting your attestation of compliance.

How Do You Determine Your PCI Compliance Level?

You determine your PCI compliance level by identifying how many card transactions your business processes annually across each card brand. Each major card network sets its own volume thresholds, so the same merchant may fall into different levels depending on the brand.

According to the PCI DSS Guide, Visa defines Level 4 merchants as those processing fewer than 20,000 Visa e-commerce transactions annually or up to 1 million total Visa transactions. Merchants at higher levels face stricter validation requirements, including on-site assessments by a Qualified Security Assessor. Knowing your exact level before starting the compliance process prevents wasted effort on the wrong validation method.
How Do You Complete a Self-Assessment Questionnaire?
You complete a Self-Assessment Questionnaire (SAQ) by selecting the SAQ type that matches your payment environment, then answering each control question honestly. The PCI SSC offers multiple SAQ versions, and choosing the wrong one is a frequent compliance mistake.

To complete the SAQ accurately:
- Identify which SAQ type applies to your card acceptance method (in-person, e-commerce, or outsourced).
- Review every question against your actual security controls, not assumptions.
- Document compensating controls for any requirement you cannot meet directly.
- Retain all supporting evidence, including network diagrams, access logs, and encryption records.
How Do You Conduct a Vulnerability Scan?
You conduct a vulnerability scan by hiring an Approved Scanning Vendor (ASV) to perform quarterly external scans on all internet-facing systems within your cardholder data environment. ASVs are organizations certified by the PCI SSC to identify security weaknesses in your external network perimeter.

The scanning process typically follows these steps:
- Inventory all external-facing IP addresses and domains that interact with cardholder data.
- Engage a PCI SSC-approved ASV to run automated scans against those targets.
- Review the scan report for vulnerabilities ranked by severity.
- Remediate any issues flagged as failing, then request a rescan.
How Do You Submit Your Attestation of Compliance?
You submit your Attestation of Compliance (AOC) by completing the formal document that accompanies your SAQ or Report on Compliance, then delivering it to your acquiring bank or payment brand. The AOC serves as your signed declaration that all applicable PCI DSS requirements have been met.

After finalizing your SAQ and passing your ASV scans, compile the AOC along with all supporting scan results and remediation records. Submit the complete package to your acquiring bank within the deadline your processor specifies. Most acquirers accept electronic submissions through a compliance portal.
Maintaining organized records throughout the year simplifies renewal, since PCI DSS compliance is validated annually rather than achieved once. With your attestation filed, understanding the different SAQ types helps ensure you select the right one each cycle.
What Are the Different PCI DSS SAQ Types?
The different PCI DSS SAQ types are standardized self-assessment questionnaires that match specific payment environments. Each SAQ applies to a distinct method of handling cardholder data, from fully outsourced processing to complex in-house systems.

SAQ A

SAQ A applies to merchants that fully outsource all cardholder data functions to PCI DSS compliant third-party providers. These merchants never process, store, or transmit card data on their own systems. Card-not-present merchants, such as e-commerce businesses using hosted payment pages or payment redirects, typically qualify. Because no cardholder data touches the merchant’s environment, SAQ A contains the fewest requirements of any SAQ type. For businesses that can maintain full outsourcing, this is the simplest path to PCI validation.

SAQ A-EP

SAQ A-EP applies to e-commerce merchants whose websites can affect the security of payment transactions without directly handling card data. According to SecurityMetrics, SAQ A-EP is designed for e-commerce merchants who outsource transaction processing to PCI DSS compliant third-party service providers while maintaining a website that does not itself handle card data. The distinction from SAQ A is subtle but critical: if a merchant’s web server hosts the payment page elements (even partially), the site introduces risk that SAQ A does not address. SAQ A-EP carries more requirements, including quarterly vulnerability scans.

SAQ B

SAQ B applies to merchants that process cardholder data only through imprint machines or standalone, dial-out payment terminals. These devices must not connect to the internet. Brick-and-mortar businesses using basic point-of-sale terminals with phone-line connections often qualify. Because the terminal operates in isolation from networked systems, the attack surface remains minimal. SAQ B excludes any merchant that stores electronic cardholder data.

SAQ C

SAQ C applies to merchants that process cardholder data through payment application systems connected to the internet but do not store electronic cardholder data. Retail businesses using internet-connected point-of-sale terminals are common candidates. SAQ C includes requirements for network segmentation, secure configurations, and regular vulnerability management. This questionnaire covers a broader threat surface than SAQ B since internet connectivity introduces additional risk vectors.

SAQ D

SAQ D applies to all merchants and service providers that do not qualify for any other SAQ type. It covers the full set of PCI DSS requirements and is the most comprehensive self-assessment questionnaire available. Merchants that store cardholder data electronically, process payments through custom-built systems, or operate complex multi-channel environments typically fall under SAQ D. Selecting the wrong SAQ type is a frequent compliance mistake, so merchants with any doubt about their payment environment should default to SAQ D or consult a Qualified Security Assessor. With the right SAQ identified, understanding the consequences of non-compliance reinforces why accurate self-assessment matters.

What Happens If You Are Not PCI DSS Compliant?

If you are not PCI DSS compliant, your business faces financial penalties, increased breach liability, and potential loss of card processing privileges. The consequences escalate based on violation severity and duration.

- Monthly fines: Non-compliance can result in steep monthly penalties ranging from $5,000 to $100,000, depending on the severity and duration of the violation, according to Freed Maxick.
- Data breach liability: Without PCI safeguards, businesses absorb the full cost of forensic investigations, customer notification, and legal defense. The average cost of a data breach reached $4.88 million in 2024.
- Card brand restrictions: Payment card brands, such as Visa, Mastercard, and American Express, may revoke a merchant’s ability to accept card payments entirely.
- Reputational damage: Customer trust erodes quickly after a breach, often driving long-term revenue loss that exceeds the initial fines.
Understanding these risks makes it easier to budget for the actual cost of compliance.
How Much Does PCI DSS Compliance Cost?
PCI DSS compliance cost varies significantly by merchant size and complexity. Small merchants may spend as little as $300 annually, while enterprises can exceed $60,000. The sections below break down costs for small, mid-size, and enterprise merchants.
How Much Does PCI Compliance Cost for Small Merchants?
PCI compliance cost for small merchants typically ranges between $300 and $2,500 per year. According to Ampcus Cyber, annual PCI compliance costs for small merchants fall within this range, covering self-assessment questionnaires, quarterly vulnerability scans, and basic security tools.

Several factors influence where a small business lands within that range:
- Merchants using hosted payment pages (SAQ A) pay less because their compliance scope is narrower.
- Businesses that store or process card data directly require additional scanning and documentation.
- Payment processor fees for PCI compliance programs vary between providers.
How Much Does PCI Compliance Cost for Mid-Size Merchants?
PCI compliance cost for mid-size merchants ranges from $25,000 to $90,000 annually. According to Akurateco, this budgeting range covers assessor support and penetration testing for merchants managing multiple payment environments.

The jump from small-merchant costs reflects greater complexity:
- Multiple store locations or payment channels expand the cardholder data environment scope.
- Qualified Security Assessor (QSA) consultations become necessary for validation.
- Annual penetration testing and quarterly ASV scans add recurring expenses.
- Staff training and policy documentation require dedicated resources.
How Much Does PCI Compliance Cost for Enterprise Merchants?
PCI compliance cost for enterprise merchants exceeds $60,000 annually and can reach several hundred thousand dollars depending on infrastructure complexity. Large enterprises face the highest expenses because they process millions of transactions and maintain expansive cardholder data environments.

Key cost drivers at the enterprise level include:
- Full Report on Compliance (ROC) assessments conducted by QSAs.
- Dedicated internal compliance teams and security operations centers.
- Advanced intrusion detection systems, encryption infrastructure, and continuous monitoring tools.
- Remediation costs when gaps are identified during assessments.
What Are Common PCI DSS Compliance Mistakes to Avoid?
Common PCI DSS compliance mistakes to avoid include misjudging compliance scope, submitting incomplete documentation, and selecting the wrong SAQ type. These errors delay validation and can expose cardholder data to unnecessary risk.

According to GRSEE Consulting, common PCI DSS SAQ mistakes include misjudging the compliance scope, incomplete documentation, and selecting the incorrect SAQ type for the payment environment. Each of these errors compounds the others; a misjudged scope leads to choosing the wrong SAQ, which then produces documentation gaps assessors will flag.
The most frequent mistakes fall into three categories:
- Misjudging compliance scope. Failing to identify every system, network segment, and third-party connection that touches cardholder data leads to unprotected assets outside the assessed environment.
- Incomplete documentation. Missing policies, unsigned attestations, or undocumented compensating controls create audit failures, even when technical safeguards are in place.
- Selecting the incorrect SAQ type. Choosing an SAQ that does not match the actual payment environment, such as filing SAQ A when the website partially handles card data, invalidates the entire self-assessment.
Understanding these pitfalls makes the connection between compliance and day-to-day payment processing much clearer.
How Does PCI DSS Compliance Apply to Payment Processing?
PCI DSS compliance applies to payment processing by governing how every entity that handles cardholder data secures transactions. The sections below cover how 2Accept supports high-risk merchants and the key takeaways from PCI DSS compliance basics.

Can High-Risk Payment Processing From 2Accept Help With PCI Compliance?

Yes, high-risk payment processing from 2Accept can help with PCI compliance. 2Accept specializes in serving high-risk industries, such as telemedicine, hemp and CBD, and firearms retail, that mainstream processors often reject. Each client receives a dedicated payment expert who provides tailored guidance on secure payment setup and ongoing compliance support.

Staying compliant matters financially. According to Freed Maxick, PCI DSS non-compliance can result in monthly fines ranging from $5,000 to $100,000 depending on the severity and duration of the violation. 2Accept addresses this risk through fraud and chargeback management tools, compliance services including website marketing screening, and white-glove support designed to keep merchants operating within PCI DSS standards. For businesses in high-risk sectors, partnering with a processor that understands both the regulatory landscape and industry-specific challenges is one of the most practical steps toward maintaining compliance.
What Are the Key Takeaways About PCI DSS Compliance Basics?
The key takeaways about PCI DSS compliance basics are the core principles every merchant should carry forward:

- PCI DSS applies to all businesses that store, process, or transmit cardholder data, regardless of size or transaction volume.
- The 12 PCI DSS requirements span network security, data encryption, access control, vulnerability management, and information security policies.
- Merchant compliance levels, from Level 1 through Level 4, determine validation requirements based on annual transaction volume.
- Selecting the correct SAQ type prevents scope misjudgment and incomplete documentation.
- Non-compliance carries significant financial and reputational consequences that far exceed the cost of maintaining compliance.

