Next named exclusive Trail Blazer in NEW 2024 Radicati DLP Market Quadrant Report Read the Report
Updated: Jun 6, 2024   |   Fergal Glynn

What is PCI DSS compliance, and why is it important?

Go back

PCI DSS compliance requires companies that process, store, or transmit payment card data to implement various security measures to prevent fraud and limit the vulnerability of cardholder data. The current version of the Payment Card Industry Data Security Standard (PCI DSS), PCI DSS v3.2.1, is scheduled to be replaced by PCI DSS 4.0 in early 2024.

This article provides an overview of PCI DSS compliance and why it’s important for merchants and other companies that handle cardholder data. 

In this article: 

What is PCI DSS? 

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect sensitive credit card holder information. PCI DSS was established in 2004 by five payment card companies, including Visa, MasterCard, Discover Financial Services, JCB International, and American Express. 

In 2006, those same payment card companies established the PCI Security Standards Council (PCI SSC), a governing body that develops and administers the PCI DSS and oversees PCI compliance. 

What are the requirements for PCI DSS compliance?

Person making an ecommerce purchase on their smartphone with a payment card

The following 12 requirements are defined in PCI DSS to protect the privacy and security of cardholder data. Companies processing credit card data need to adhere to these requirements to comply with PCI DSS.

  1. Firewalls: Firewalls are required to be installed, configured, and maintained.
  2. Default passwords: Vendor-supplied default passwords must be changed for all devices or systems associated with processing cardholder data.
  3. Stored data protection: Cardholder data must be protected in storage.
  4. Encryption: Encryption must be implemented to safeguard cardholder data transmitted across public networks.
  5. Antivirus software: Antivirus software must be installed and updated regularly.
  6. Secure systems: Secure systems must be developed and maintained to protect cardholder information.
  7. Access controls: Access to cardholder data needs to be restricted on a business need-to-know basis.
  8. Unique IDs: A unique ID needs to be assigned to everyone with computer access to systems containing cardholder data.
  9. Restricting physical access: Physical access to systems with cardholder data must be restricted.
  10.  Access monitoring: All access to network resources and cardholder data has to be tracked, monitored, and logged.
  11. Security testing: Regular testing must be performed to ensure the effectiveness of security processes.
  12. Information security policies: Organizations have to develop and maintain an information security policy.

There are various PCI DSS compliance solutions that can help organizations comply with different aspects of the requirements. 

Annual PCI DSS assessments need to be conducted with compliance evidence provided to third-party auditors. Many organizations also perform internal assessments to identify and proactively address security vulnerabilities.

Why PCI DSS compliance matters to your business

Person making a payment on a POS device with a payment card

PCI DSS applies to all organizations that process, store, and transmit credit card data. In the age of ecommerce, virtually every company accepts credit card payments and needs to comply with PCI DSS. 

Companies that do not follow the 12 requirements are considered in violation of PCI DSS which can result in fines, penalties, and negative public relations in the wake of a data breach.

Costs of PCI DSS implementation

Implementing the necessary safeguards to comply with PCI DSS and providing ongoing PCI compliance training to ensure employees follow best practices can be expensive. PCI DSS violations are often accidental or result from oversights by inexperienced personnel employed by a vendor. In some cases, companies may intentionally violate PCI DSS in an attempt to save money or streamline operations.

Costs of PCI DSS violations 

PCI DSS violations can be costly. Fines can range from $5,000 to $100,000 per month. The monetary value of the fine is based on the company’s size and takes into consideration the scope and duration of the violation. 

In addition to fines, companies that experience a data breach resulting from PCI DSS non-compliance may incur costs associated with:

  • Legal representation for class-action lawsuits and other litigation
  • Free credit card monitoring, identity theft insurance, and service fee reimbursement provided to impacted individuals
  • Damages paid to companies such as payment card issuers that have incurred costs (such as reissuing payment cards or reimbursing fraud victims) due to a PCI DSS violation resulting in a data breach
  • Lost revenue due to business disruption 

Negative public relations can be even more damaging to a violator than financial penalties.

How are PCI DSS fines determined?

Person pointing to compliance with a graphic overlay and tool icons

Individual credit card companies are responsible for levying fines and enforcing compliance with PCI DSS. The penalties for noncompliance are determined by considering multiple factors. 

Contracts between merchants and payment processors

Merchants sign contracts with payment processors in which they agree to pay fines if they violate PCI DSS. Financial penalties are determined based on the size of the violating entity and the volume of cardholder transactions it processes.

Merchant levels 

Most payment card companies define four merchant levels, except Discover, which defines three. The specific definitions for each level may vary among payment card companies. PCI DSS requirements are more stringent for merchants that process higher volumes of transactions. 

How Visa classifies merchants 

As an example, Visa has defined four PCI levels primarily based on the number of transactions an entity processes over 12 months. The levels also consider the method used to perform the transaction. 

PCI merchant levels also influence the type of security assessments required to demonstrate compliance.

  • Level 1 merchants process over six million Visa transactions per year using any credit card acceptance method.
  • Level 2 applies to companies that process between one and six million Visa transactions per year using any credit card acceptance method.
  • Level 3 is for merchants processing between 20,000 and one million Visa ecommerce transactions per year.
  • Level 4 applies to entities that process less than 20,000 ecommerce Visa transactions and merchants processing up to one million Visa transactions of any kind.
Common PCI DSS Violations

Failure to uphold any of the 12 PCI DSS requirements results in a violation and potential penalties. The most common PCI DSS violations include:

  • Not performing annual audits and assessments
  • Not changing default passwords on systems and devices
  • Using weak or non-expiring passwords
  • Failure to install security patches
  • Poor encryption key management

Enforcing PCI compliance with a DLP solution

PCI DSS defines how cardholder data can be used and accessed by an organization’s employees. The Reveal Platform by Next is a cloud-native data loss prevention (DLP) solution that can be instrumental in enforcing PCI compliance throughout the workforce. 

Incorporating PCI DSS requirements into a company’s data handling policy allows Reveal to automatically enforce compliance. Reveal provides next-gen endpoint agents powered by machine learning to identify and categorize data at the point of risk. The platform prevents the unauthorized use of cardholder data while providing education and training to employees so they won’t repeat the same mistakes. 

PCI DSS compliance is everyone’s responsibility. Reveal increases your employees’ security IQ and helps them understand how they can use protected cardholder data, creating a security-positive culture while minimizing insider risk and maintaining compliance.  

Talk to the DLP experts at Next to learn how Reveal can help you comply with PCI DSS, and book a demo to see this valuable DLP tool in action.

Frequently asked questions

What is PCI DSS in simple terms?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to improve the security of transactions involving credit, debit, or cash cards. PCI DSS is designed to protect sensitive cardholder data, protecting cardholders from the breach or theft of their payment card data and misuse of their personal information.

Who must be PCI compliant?

Any business that handles cardholder data in any way must be PCI compliant, including businesses that: 

  • Accept payment cards
  • Process payment card transactions
  • Store cardholder data
  • Transmit cardholder data

What are the 12 requirements for PCI DSS?

The 12 requirements for PCI DSS include: 

  1. Firewalls: Install, configure, and maintain firewalls.
  2. Default passwords: Change default passwords supplied by vendors on any device or system involved in processing cardholder data.
  3. Stored data protection: Implement measures to protect stored cardholder data.
  4. Encryption: Implement encryption to protect cardholder data in transit across public networks.
  5. Antivirus software: Install antivirus software and keep it up-to-date.
  6. Secure systems: Develop and maintain secure systems to protect cardholder data.
  7. Access controls: Restrict access to cardholder data based on the principle of least privilege.
  8. Unique IDs: Assign a unique ID to any employee, vendor, or contractor with access to systems containing cardholder data.
  9. Restricting physical access: Restrict physical access to systems with cardholder data for on-site employees and contractors.
  10.  Access monitoring: Track and log access to network resources and cardholder data.
  11. Security testing: Conduct regular testing to evaluate and validate security processes and ensure that they’re effective.
  12. Information security policies: Develop and maintain an information security policy.

What are the 4 PCI DSS compliance levels?

Each credit card processor defines merchant levels that determine what controls the merchant must implement. While the specific classification may vary among payment card processors, most define four merchant levels, with the exception of Discover, which classifies merchants into three levels. 

As an example, Visa’s merchant level classification is: 

  • Level 1: Merchants that process 6 million or more Visa transactions annually.
  • Level 2: Merchants that process between 1 million and 6 million Visa transactions per year.
  • Level 3: Merchants processing between 20,000 and 1 million ecommerce Visa transactions per year.
  • Level 4: Merchants processing less than 20,000 ecommerce transactions and up to 1 million transactions annually using any acceptance method.



See how Next protects your employees and prevents data loss