Every business that takes credit cards is required to comply with PCI standards, no matter how few credit card transactions it processes.
What is PCI?
PCI stands for "Payment Card Industry," and it's the first part of a two-part acronym that refers to the security requirements for businesses that accept credit cards. The full acronym is PCI DSS, which stands for "Payment Card Industry Data Security Standard." PCI DSS gives businesses that accept credit cards an actionable framework to protect cardholder data. It is governed by the PCI Security Standards Council, and it was originally built from the card brands' own security programs, including those of Visa and Mastercard. PCI DSS groups its requirements into six categories. You must:
- Have a secure card processing network
- Protect all cardholder information and data
- Protect your systems against malware
- Put strong access control measures in place
- Monitor and test your networks
- Create and maintain an Information Security Policy
Secure Card Processing Network
Having a secure card processing network means using technology and processes that keep untrusted networks away from the systems that handle cardholder data. You'll need to:
- Install and maintain firewalls to protect sensitive data, like credit card numbers, from untrusted networks.
- Change vendor-supplied default passwords and any other default security settings. When you receive hardware, software, system updates or security products from vendors, change the default credentials and settings immediately, before the system goes into production.
Protect All Cardholder Information
Protecting cardholder data covers both how it is stored and how it moves through your systems.
- If you store card data, put proper security and access controls around any cardholder data you store. Never store card data in plain text or unencrypted, and never store sensitive authentication data (the full magnetic stripe or chip track data, the CVV2, or the PIN) after a transaction is authorized, even in encrypted form.
- Encrypt cardholder data whenever it is transmitted over open, public networks such as the internet.
Protect Your Systems Against Malware
Another aspect is guarding against malware. You should always:
- Make sure you have proper, regularly updated antivirus and other security software in place.
- Maintain secure systems and applications, including patching any vulnerabilities.
Put Access Control Measures in Place
Access control measures are one of the 'easier' aspects of PCI compliance, but just as important to implement.
- Limit employee access to cardholder data. Ensure only authorized employees have access, and only those employees who need it as part of their job duties.
- Track who has access to cardholder data by using unique IDs for each user.
- Require strong passwords and multi-factor authentication (MFA) to ensure only approved users are accessing your systems.
- Restrict physical access. Ensure only authorized employees can access physical cardholder data.
Monitor and Test Your Networks
You'll also need to monitor and test your networks, either to confirm they are secure or to identify and fix vulnerabilities.
- Monitor and track anyone who has access to cardholder data and the network, and what they are doing with that data.
- Test your security systems and procedures for flaws or vulnerabilities.
Create and Maintain an “Information Security” Policy
Lastly, documentation. Implementing these controls is not enough; they have to be written down so that everyone knows what is expected of them.
- Create, maintain, and share an information security policy that clearly sets out how your organization deals with PCI and the responsibilities of employees and contractors.
Is PCI Compliance required?
Yes, PCI compliance is required for all businesses that accept credit or debit card payments, even for businesses with very little volume. In 2016, Visa issued new rules requiring validation for all businesses starting in January of 2017. You can read more about it, including details on Qualified Security Assessors, in this article. Additionally, updated requirements went into effect in March of 2025. You can read about what changed in our article PCI 4.0.
Merchant Levels & Compliance
The card brands' PCI compliance programs separate businesses into four merchant levels depending on the number of transactions processed annually and the method used to transmit cardholder information. Most businesses are classified as level four, the least scrutinized level, which covers businesses that process fewer than 20,000 e-commerce transactions and fewer than one million transactions in total annually. For these merchants, it had traditionally been up to individual processors and merchant service providers to determine validation requirements, or whether to validate PCI compliance at all. However, in January of 2017, Visa began requiring validation for all businesses, including level four merchants.
Processor Approaches to PCI Validation
Not surprisingly, processors and merchant service providers have taken several different approaches to validating PCI compliance, some better than others.
Compliance Support & Required Validation
Some large processors, such as First Data (now Fiserv), require all businesses to validate PCI compliance, and provide PCI support programs to help businesses become compliant. These support programs typically carry some sort of annual or monthly fee. Businesses that have not validated compliance are typically charged a PCI non-compliance fee that's meant to serve as a reminder to become compliant. Processors that have taken it upon themselves to require compliance from businesses also allow merchant service providers that use their processing services to maintain their own in-house compliance validation programs. The fees and requirements for such programs are left to the discretion of each provider so long as businesses validate compliance.
Merchant Service Provider Discretion
Currently, the most popular approach that large processors take to PCI is to leave compliance validation up to merchant service providers. This approach passes the PCI buck one more level, and opens the door for the provider to let businesses handle PCI validation on their own terms. Merchant service providers that don't check validation aren't necessarily being irresponsible or devaluing the importance of PCI compliance. In fact, this approach is beneficial for businesses in a number of ways.
Freedom to Choose Vendors
PCI has created a cottage industry of scanning vendors, consultants, and qualified security assessors, each with their own rates and fees. By allowing businesses to validate PCI on their own terms, merchant service providers make it possible for businesses to shop for vendors that closely match their needs.
Lower PCI Expense
Merchant service providers that provide a mandatory PCI validation service charge all businesses the same fee for the program. However, the cost of PCI compliance and validation is much less for retail businesses than it is for e-commerce businesses. This leaves retail businesses paying more than their fair share for PCI validation, and e-commerce businesses paying less. Merchant service providers that allow businesses to handle PCI validation themselves ensure that the price a business pays for validation is relative to how it processes credit cards. The point of PCI is to ensure businesses are taking the necessary steps to safeguard credit card information. It's important, especially for e-commerce businesses that transmit cardholder information electronically. Merchant service providers that don't check validation are assuming a business will validate on its own. Of course, this doesn't happen 100% of the time, and PCI non-compliant businesses will slip through the cracks.
Visa Technology Innovation Program (TIP) for Validation Exemption
There is a way around yearly PCI validation. You must still maintain PCI compliance, but if you meet the qualifications for Visa's Technology Innovation Program (TIP), you may be exempt from validating compliance. To qualify for TIP, you must:
1. Not store sensitive authentication data (such as the CVV2, full magnetic-stripe or chip track data, or the PIN) after the transaction is authorized
- AND -
2. Use qualifying equipment or solutions for at least 75% of your transactions. For TIP, this means that you must use one of the following options:
- A terminal that supports both EMV chip cards and contactless (NFC) mobile payments.
-OR-
- A validated point-to-point encryption (P2PE) solution.
