Illustration of two overlapping credit cards

PCI compliance — A 2024 guide

SkillsCategory
14 min read
Stacey Hartman

If you're running a small business and accept card payments, you’ll want to be aware of something called PCI compliance. It's not just for the big corporations — PCI compliance is about keeping all card transactions safe, no matter the size of your business. Read on to learn about what is PCI compliance for your small business and how GoDaddy can help.

Go from idea to online in minutes with GoDaddy Airo™

Get started now.

What is PCI DSS compliance?

PCI compliance refers to the technical and operational standards businesses must follow to ensure that credit card data provided by customers is protected. Formally referred to as Payment Card Industry Data Security Standard (PCI DSS), this security regulation is implemented globally to hinder credit card fraud and various other data security vulnerabilities. 

So what does it mean to be PCI compliant? Being PCI compliant means your business is doing its part to keep your customers' credit card information secure. It signifies you're following a set of guidelines, PCI DSS, which helps prevent credit card fraud and data security issues. 

Imagine you run a popular local bakery. Your delicious pastries have a loyal following and many of your customers pay using their credit cards. Being PCI compliant guarantees your hungry patrons’ credit card information is secure each and every time they purchase your baked goods. If there is a data breach and credit card data is stolen from your business, it can lead to loss of trust and serious fines, which can harm your business. 

PCI compliance isn't just important, it’s essential for every small business handling credit card transactions, ensuring their customers' peace of mind while also protecting themselves.

Is PCI compliance required by law?

While PCI compliance isn't required by federal law, it is strongly enforced by the card brands themselves (Visa, Mastercard, American Express, JCB and Discover). Failure to comply with PCI standards can result in hefty fines from these card companies, and in some cases, the ability to process card payments may be revoked. In addition to this, some states have laws mandating certain aspects of the PCI standards, so you’ll need to verify your own state laws as well.

Disclaimer: This content should not be construed as legal advice. Always consult an attorney regarding your specific legal situation.

Who is required to be PCI compliant?

PCI compliance is required for all businesses, regardless of business size, that accept, transmit or store any cardholder data. This includes any credit, debit or payment cards that are branded with one of the card logos from the five major card brands — Visa, MasterCard, American Express, Discover and JCB. 

To sum it up, if your business handles card transactions in any way, you're required to be PCI compliant.

How to know if you are PCI compliant?

Determining if you're PCI compliant often involves a Self-Assessment Questionnaire (SQA) or an audit by a Qualified Security Assessor (QSA), depending on your business's size and card transaction volume. 

The self-assessment questionnaire consists of a series of yes-or-no questions about your security practices. If a QSA is required, they'll conduct a comprehensive review of your business's card data practices to ensure they meet PCI standards. 

In both cases, you'll receive a report detailing your compliance status. If there are areas where you're not compliant, the report will offer guidance on what needs to be improved.

What are the benefits of PCI compliance?

Illustration of servers and charts with two hands in a handshake.

There's more to PCI compliance than just following a set of guidelines. Ensuring that your business adheres to these standards carries several invaluable benefits that touch various aspects of your business. Here are some standout benefits of PCI compliance every business owner should consider:

  • Building customer trust: PCI compliance boosts customer confidence as it demonstrates that their credit card data is safeguarded.
  • Protecting cardholder data: By reducing the risk of data breaches, PCI compliance adds an extra layer of protection to sensitive information. 
  • Steering clear of penalties: Compliance acts as a buffer against formidable fines and legal consequences that come with non-adherence.
  • Polishing brand image: Adhering to PCI standards can greatly enhance a business’s reputation as a trustworthy entity.
  • Navigating standards together: PCI compliance often aligns with other industry regulations, helping businesses maintain overall compliance more seamlessly.
  • Embracing peace of mind: Knowing that they are doing everything possible to guard against fraud allows merchants to operate with fewer worries about security breaches.

What are the 12 PCI compliance requirements?

Without a doubt, PCI compliance can seem complex, especially for the uninitiated. However, the true heart of what is PCI compliance really boils down to a set of 12 core requirements, designed to secure and protect cardholder data. As we delve into each of these requirements, keep in mind that these are not just rules to follow, but practical, effective steps towards safeguarding your business and your customers' trust.

  1. Install and maintain a firewall configuration to protect cardholder data: This step involves setting up a firewall to serve as a barrier between your network and potential external threats.
  2. Don't use vendor-supplied defaults for system passwords and other security parameters: Default settings can be easily targeted by cybercriminals, so altering these settings helps secure your data.
  3. Protect stored cardholder data: Any cardholder data that needs to be stored should be securely protected and encrypted.
  4. Encrypt transmission of cardholder data across open, public networks: As data can be vulnerable while being transmitted, encryption ensures it remains secure.
  5. Protect all systems against malware and regularly update anti-virus software or programs: This involves actively keeping your anti-virus software updated to combat potential malware attacks.
  6. Develop and maintain secure systems and applications: This requirement focuses on keeping all systems and applications related to cardholder data processing secure and up to date.
  7. Restrict access to cardholder data by business need-to-know: Access to cardholder data should only be granted to those who absolutely need it for their role.
  8. Identify and authenticate access to system components: Every individual with access to the system should have a unique ID to ensure actions can be traced back to specific users.
  9. Restrict physical access to cardholder data: Measures should be taken to limit physical access to systems that store cardholder data.
  10. Track and monitor all access to network resources and cardholder data: This involves setting up logging mechanisms to track user activities, which aids in the prevention, detection, or minimization of data compromise.
  11. Regularly test security systems and processes: Regular security testing helps to maintain robust defenses that keep up with current threats.
  12. Maintain a policy that addresses information security for all personnel: This requirement encourages a well-defined security policy so that everyone within the business understands their role in maintaining information security.

How to become PCI compliant

Achieving PCI compliance for your small business may seem intricate, but it can be simplified into three manageable steps: Assess, Remediate and Report. By understanding and executing these phases, you'll be well on your way to ensuring your business processes card payments securely. Let's explore these steps to help decode the pathway towards PCI compliance for small businesses.

1. Assess: The first step towards PCI compliance is understanding where your small business fits within the four levels of PCI Requirements. The four levels are determined by the volume of transactions your business processes annually. The exact thresholds will vary based on the specific card provider (Visa, American Express, JCB, Mastercard and Discover), but here are the general levels for businesses seeking PCI compliance:

Compliance levelWho this applies toRequirements
Level 1- Businesses that process over 6 million credit card transactions per year.
- Businesses that have experienced a data breach.
1. Report on Compliance (ROC) to be performed by a Qualified Security Assessor (QSA), required annually.
2. Network scans by an Approved Scanning Vendor (ASV), required quarterly.
3. Attestation of Compliance (AOC), required annually.
Level 2- Businesses processing between 1 million and up to 6 million transactions per year.1. Completion of Self-Assessment Questionnaire (SAQ), required annually.
2. Network scans by an Approved Scanning Vendor (ASV), required quarterly.
3. Attestation of Compliance (AOC), required annually.
Level 3- Businesses processing 20,000 and up to 1 million transactions per year.Same as level 2.
Level 4- Businesses processing less than 20,000 transactions per year.Same as level 2.

2. Remediate: After understanding where your business stands, the next step is remediation, which means fixing any vulnerabilities that were discovered during the assessment phase. Remediation is crucial as it helps plug security gaps and ensures more secure processes. This can involve several steps, including:

  • Updating and patching hardware and software applications to fix security vulnerabilities.
  • Restricting access to sensitive data to only necessary personnel.
  • Encrypting cardholder data both when it's stored and transmitted.
  • Regularly testing security systems and processes to ensure they are robust and updated.

3. Report: The final step in achieving PCI compliance is to report. During this phase, you need to document your compliance with a Report on Compliance (ROC) or complete the relevant SAQ, depending on your business's level. These documents provide evidence that you have assessed and remedied your business's vulnerabilities and are compliant with PCI requirements. It's important to then submit these reports to your acquiring bank and card brands as required.

How much does it cost to be PCI compliant?

The answer here isn't straightforward, as the costs can vary widely depending on the size and type of your business, the state of your current security infrastructure, and the previous level of PCI compliance. Here are some costs to consider before even applying for PCI compliance:

  • Self-assessment: For smaller businesses that qualify, self-assessment could be a low-cost way to achieve PCI compliance. This could involve purchasing a self-assessment kit for anywhere from $100 to $500.
  • Security infrastructure updates: Depending on your existing systems, you may need to invest in new hardware, software, or other security measures to meet PCI standards. The cost here could range from a few hundred to several thousand dollars.
  • Maintenance and training: Ongoing costs for maintaining secure systems and training staff in PCI security practices need to be factored in. This can range from a few hundred to several thousand dollars annually.

Once you’ve completed any necessary prework, here are the estimated costs for each business level:

  • Level 1: Level 1 businesses are required to complete a Report on Compliance (ROC), which is a detailed report on the business’ security standards, server environment and how they protect customer data. This report is compiled via onsite audit and review performed by a Qualified Security Assessor (QSA). In addition to a ROC, level 1 businesses also must complete quarterly network scans by an Approved Scanning Vendor (ASV), as well as an Attestation of Compliance. The cost for these combined requirements can range from $30k-200k per year.
  • Level 2: For a level 2 business, the requirements include quarterly ASV scans, a self-assessment questionnaire and an Attestation of Compliance. The cost for these requirements generally starts at $10k per year.
  • Level 3: Level 3 businesses require regular ASV scans, as well as the self-assessment questionnaire and an Attestation of Compliance. Because the ASV scan pricing is based on the number of IP addresses associated with your business operations, smaller businesses tend to have fewer IP addresses for the ASV to scan and thus tends to be less costly. As such, the cost for level 3 businesses generally starts around $1500 per year and goes up from there. 
  • Level 4: For small businesses, an ASV, self-assessment questionnaire and an Attestation of Compliance are required. The cost for a level 4 business tends to be under $1000 per year, but can increase depending on your specific business configuration. 

Remember, while these costs may seem significant, the cost of non-compliance, including potential fines, remediation costs and brand damage, can be much higher.

What are the risks and consequences of non-compliance?

Illustration of a seated woman surrounded by ecommerce icons.

Now that we’ve covered what is PCI compliance and the steps associated with it, it’s important that we also highlight the repercussions of non-compliance with PCI standards. Non-compliance can be serious and span multiple aspects of your business. Here are some of the key risks and consequences:

  • Financial implications: Non-compliant businesses face the risk of hefty fines from credit card companies. Moreover, businesses would also be liable to cover any costs related to fraud losses incurred by payment card issuers, investigational procedures after a breach and remediation efforts to fix the security gaps.
  • Operational consequences: In more severe cases, non-compliant businesses may also lose their ability to process card payments altogether. This could bring operations to a halt, especially for those businesses that primarily rely on card transactions.
  • Reputational damage: Perhaps the most lasting damage is the loss of customer trust and reputation, which is difficult to quantify. Customers want to feel confident that their card data is safe with a business, and a breach can result in irreversible damage to a business's brand image.
  • Legal consequences: Depending on local laws and regulations, businesses could also face potential lawsuits from affected customers, state attorneys general or card companies. 

As an example, the convenience store Wawa experienced a data breach in 2019 that resulted in the compromise of 34 million payment cards. They were fined $8 million as a result of PCI compliance issues. 

These consequences underscore the importance of making every effort to adhere to PCI compliance standards. It's not just about abiding by rules — it's about protecting your business, your customers, and your reputation.

How GoDaddy helps businesses with PCI compliance

PCI compliance is a vital span in the bridge of trust between businesses and their customers. It ensures the safe handling of sensitive data, substantially minimizing the risk of data breaches and theft. 

GoDaddy can help your business stay in compliance. 

We offer PCI-compliant solutions with certified products like GoDaddy Payments, Online Store and Online Appointments. If your business is primarily conducted in person, then you’ll want to consider which of the available POS systems are a good fit for your business. Security is baked in as payments via GoDaddy Payments transactions are end-to-end encrypted with strict PCI compliance.*

Or, if you need a more flexible approach for accepting payments, GoDaddy can lend a hand. Take payments in more ways and grow your business. Securely accept all major payment types on all devices, online, over the phone, or in person.

Utilizing our PCI-certified solutions means that business owners can benefit from our systems and processes structured to secure customer credit card information. 

For example, transactions via our Online Store and Online Appointments are seamlessly coordinated with third-party systems that process credit card information within their tightly secured frameworks. These platforms utilize minimal code on your site, affording your customers the ability to input their credit card details and allowing you to remain in compliance. 

However, be aware that remaining PCI compliant is a joint effort. We recommend the following steps to ensure that your ecommerce solution remains in compliance:

  • Always assign users a unique ID and use strong passwords.
  • Don't use shared or generic IDs or passwords.
  • Remove users when they should no longer have access.
  • If you collect credit card information on paper, make sure to control access to the information and destroy it when it's no longer needed.
  • If you use services to manage paper records or manage your account, make sure the service provider has acknowledged their responsibility for safely handling credit card data and you're confident they're fulfilling their obligations.
  • Make sure you have a list of who you need to reach out to and how you will handle customer communication in case of a data breach.
  • Submit PCI Self-Assessment Questionnaire A (PCI SAQ-A) with your processor if you decide not to use GoDaddy Payments (e.g. Stripe, Square or PayPal).

In conclusion, ensuring the security and privacy of your customers' sensitive payment information should be a top priority for all businesses accepting card payments. Ignoring or missing components of this crucial security protocol can lead to breaches, loss of customer trust and heavy penalties. Therefore, truly understanding what is PCI compliance and implementing it comprehensively in your organization isn't just another box to tick on your task list, but a powerful tool to protect both your business and your valued customers. 

Remember, PCI compliance isn't a one-time process; it is an ongoing commitment to securing transactions and building trust. 

*Card reader/Smart Terminal is PCI certified.