PCI-DSS Compliance for Small Businesses

Published 2024-02-15 by TechNet Team

The Payment Card Industry Data Security Standard (PCI-DSS) applies to any organization that stores, processes, or transmits cardholder data. Non-compliance can result in fines, increased transaction fees, or loss of payment processing ability.

Merchant Levels

• Level 4: Less than 20,000 e-commerce transactions OR up to 1 million total transactions annually (most small businesses)
• Level 3: 20,000 to 1 million e-commerce transactions annually
• Level 2: 1 to 6 million transactions annually
• Level 1: Over 6 million transactions annually

The 12 PCI-DSS Requirements

1. Install and maintain a firewall configuration
2. Don't use vendor-supplied default passwords
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Reducing Your PCI Scope

The simplest way to reduce compliance burden is to minimize what cardholder data you handle:

• Use point-to-point encryption (P2PE) terminals
• Use tokenization for stored card data
• Use hosted payment pages for e-commerce
• Never store CVV/CVC codes
• Segment payment systems from general network

Validation Requirements

Level 4 merchants typically complete:

• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network vulnerability scans by an ASV
• Attestation of Compliance