Risk & Compliance Terms

What Is PCI DSS? A Merchant's Guide

Payment Card Industry Data Security Standard — the mandatory security requirements all merchants must follow to protect cardholder data.

The Complete Definition

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards established by the Payment Card Industry Security Standards Council (PCI SSC) — a body founded by Visa, Mastercard, American Express, Discover, and JCB. Any business that processes, stores, or transmits cardholder data must comply with PCI DSS.

PCI DSS has 12 core requirements organized into six control objectives:

1. **Build and maintain a secure network**: Install firewalls, change default passwords 2. **Protect cardholder data**: Protect stored data, encrypt data in transit 3. **Maintain a vulnerability management program**: Antivirus, secure systems 4. **Implement strong access control**: Restrict access to cardholder data 5. **Monitor and test networks**: Track access, test security regularly 6. **Maintain an information security policy**: Address information security for employees and contractors

There are four levels of PCI compliance based on annual transaction volume: - **Level 1**: Over 6 million transactions/year → annual on-site audit (QSA) - **Level 2**: 1–6 million transactions/year → annual Self-Assessment Questionnaire (SAQ) - **Level 3**: 20,000–1 million e-commerce transactions/year → SAQ - **Level 4**: Under 20,000 e-commerce or under 1 million other transactions → SAQ

Most small merchants qualify for Level 4 and complete an SAQ annually. PCI compliance is the merchant's responsibility, though processors and ISOs typically provide guidance and tools.

How PCI DSS Affects Your Processing Costs

PCI non-compliance carries significant financial risk. Penalties for non-compliance range from $5,000–$100,000 per month. A data breach while non-compliant can result in card network fines, forensic investigation costs, and liability for fraudulent charges.

Beyond fines, the reputational damage from a breach can devastate a small business. Customers who have their card data stolen are unlikely to return.

The good news: for most small merchants using modern payment terminals and not storing card data, PCI compliance is achievable through an annual SAQ and basic security practices.

PCI DSS Example

A small restaurant's PCI compliance path:
1. Confirm they don't store card data (they don't — terminal handles everything)
2. Determine their PCI level: Level 4 (under 1 million transactions/year)
3. Complete the appropriate SAQ form (SAQ B-IP for integrated terminals)
4. Ensure their terminal uses encryption and is listed on PCI's approved device list
5. Submit the SAQ and attestation to their acquirer annually
6. Pay the annual PCI compliance fee to their processor ($50-$150/year)

Common Questions About PCI DSS

What happens if I'm not PCI compliant?

Non-compliant merchants pay monthly non-compliance fees ($10–$50+/month) from their processor, are liable for card data breaches, may face card network fines, and risk losing their merchant account. Compliance is mandatory, not optional.

Does using a payment processor mean I'm automatically PCI compliant?

No. Your processor is compliant, but you must be separately compliant. If you use a terminal that doesn't store card data and complete your annual SAQ, you're likely compliant. But compliance is the merchant's responsibility.

How long does PCI compliance take?

For most small merchants, completing the annual Self-Assessment Questionnaire takes 30-60 minutes. Larger merchants with complex IT environments may spend weeks on compliance activities.

What is PCI SAQ?

SAQ stands for Self-Assessment Questionnaire. It's the compliance validation tool for merchants who don't need an on-site audit. There are multiple SAQ types (A, B, B-IP, C, C-VT, D) depending on how you accept cards and whether you store card data.

Related Terms

PCI ComplianceEncryptionTokenizationMerchant AccountHigh-Risk Merchant

How Liberty Bancard Handles PCI DSS

Liberty Bancard provides PCI compliance guidance and tools to all merchants. Our annual PCI compliance fee covers your SAQ support, compliance monitoring, and breach assistance. We make PCI compliance straightforward for merchants without in-house IT.

PCI Compliance SupportGet a Free Consultation

Continue learning: Browse all 60 payment processing terms in our Payment Processing Glossary, or upload your statement for a free analysis of your current processing costs.