What Is PCI Compliance? A Guide for Small-Business Owners

Kurt Woock started writing for NerdWallet in 2021. Prior to joining NerdWallet, Kurt was a writer and educator for Colorado PERA, a retirement system for public employees. Before that he was a legislative editor for the Colorado General Assembly. Kurt has a B.A. in music from Valparaiso University and an M.A. in journalism from the University of Missouri-Columbia. He lives in Detroit.

Christine Aebischer, Assistant Assigning Editor | Small-business finance, personal finance

Christine Aebischer is a former assistant assigning editor on the small-business team at NerdWallet who has covered business and personal finance for nearly a decade. Previously, she was an editor at Fundera, where she developed service-driven content on topics such as business lending, software and insurance. She has also held editing roles at LearnVest, a personal finance startup, and its parent company, Northwestern Mutual. She is based in Santa Monica, California.

Fact checked. Co-written by Lisa Anthony, Lead Writer | Small-business lending, payroll, marketing

Lisa A. Anthony is a former lead writer on NerdWallet’s small-business team, primarily covering small-business lending. She has over 20 years of diverse experience in finance, lending and taxes. Prior to joining NerdWallet, Lisa worked as a writer for Intuit TurboTax, a loan officer for Bank of America and a business analyst for Wells Fargo Home Mortgage. Over the years, she has had the opportunity to interact directly with consumers on lending products and tax preparation software. Her work has appeared in The Associated Press, Washington Post and Entrepreneur, among other publications.


The Payment Card Industry Security Standards Council’s latest version of the PCI Data Security Standard (PCI DSS) will go into effect March 31, 2024, following a two-year transition period. In response to industry feedback, the updated standard includes new requirements around passwords and phishing, as well as additional guidance on security maintenance. It also gives businesses room to validate PCI compliance in new ways. For more details, see the PCI DSS Summary of Changes in the PCI Security Standards Council’s document library.

PCI compliance, or payment card industry compliance, refers to a set of 12 security standards that businesses must use when accepting credit card payments and transmitting, processing and storing the related data. It involves requirements such as encryption of cardholder data, managing firewalls, updating antivirus software and assigning unique IDs to each person with computer access.

The PCI Security Standards Council, an independent body created by the card networks in 2006, manages the PCI security standards, while enforcement of those standards falls to the card networks and payment processing companies. Every business, regardless of the number of card transactions it processes, must be PCI compliant. The card networks (Visa, Mastercard, American Express, etc.) can be contacted directly for information about their specific PCI compliance programs. [0]

PCI Security Standards Council. How do I contact the payment card brands? Accessed Mar 8, 2024.


Is PCI compliance required by law?

No, merchant compliance is not determined or enforced by the government. And, while the PCI Security Standards Council manages security standards and looks for ways to improve security, it doesn’t enforce compliance either. Instead, the steps a business must take to be PCI compliant are in the terms of the contract or agreement with its merchant services provider or payment service provider and the card networks.

While the broad intent of these requirements is the same from one provider to the next, details about implementation can vary. Not following the proper procedures can lead to serious problems, including tens of thousands of dollars in fines issued by card networks.

Basics of PCI compliance

PCI compliance can be especially frustrating for business owners who have little expertise or interest in cybersecurity. However, current payment networks are built on chains of trust.

"The result is that someone needs to take responsibility," says Gary Glover, vice president of assessments at SecurityMetrics, a cybersecurity company specializing in PCI compliance matters. "Ultimately, it falls on the person who takes the card. Over the years, it will be easier. In five to 10 years, hopefully, merchants will be out of scope because the system is more secure."

But until then, merchants need to understand the following:

PCI compliance isn’t a one-time exercise; it’s a task that must be completed each year. Compliance requirements vary by business size and by the number of card transactions each year.

Compliance rules divide businesses into four groups that vary slightly by card network. For example, Visa classifies Level 4 merchants as those that process fewer than 20,000 online card transactions or up to 1 million total transactions per year. Larger businesses generally have more burdensome requirements.

The type of payment service a business uses can also affect the amount of work required to be compliant each year.

Merchant account providers offer businesses the special type of bank account needed to accept card payments, called a merchant account. If you have this type of account, PCI compliance requirements are usually written into the terms and conditions of your agreement.

Payment service providers (PSPs), such as Square or Stripe, replace the need for a business to have its own merchant account and often take on some compliance responsibilities. Businesses that accept payments through a PSP must still be PCI compliant, but it’s generally easier than it is for businesses with merchant accounts.


The 12 PCI compliance requirements

Here are the 12 PCI compliance requirements from the PCI Security Standards Council. [0]

PCI Security Standards Council. The Prioritized Approach to Pursue PCI DSS Compliance. Accessed Mar 8, 2024.

1. Install and maintain a firewall. That includes testing network connections, restricting connections to untrusted networks and other efforts.

2. Change vendor-supplied default passwords and security settings. This includes enabling only necessary services, removing functionality where warranted, encrypting access and other efforts.

3. Protect stored cardholder data. That includes having policies for disposing of data, limiting what is stored, avoiding storing certain types of data and other efforts.

4. Encrypt cardholder data when transmitting it across open, public networks. Among other things, don’t send unprotected account numbers via email, instant messaging, text, chat or other end-user messaging technology.

5. Use and regularly update antivirus software. That means performing and documenting periodic scans, ensuring the software is running and other activities.

6. Develop and maintain secure systems and processes. This means creating processes to find and act on vulnerabilities, as well as other efforts.

7. Restrict access to cardholder data to a need-to-know basis. That requires defining the access certain roles need, as well as creating user privileges and control systems, among other things.

8. Assign unique user IDs to everybody with computer access. Businesses should also ensure there’s a way to authenticate users, document their policies in this area and take other actions.

9. Restrict physical access to cardholder data. This means using cameras or other tools to monitor who is in sensitive areas of the business or handling certain equipment, for example.

10. Track and monitor who accesses networks and cardholder data. That means having an audit trail, using time-stamped tracking tools, reviewing logs for suspicious activity and other activities.

11. Regularly test systems and processes. Test and inventory wireless access points, do quarterly vulnerability scans and monitor traffic, among other things.

12. Have a policy on information security. That means writing, publishing and disseminating a policy at least once a year that lays out usage rules for certain technologies and explains everyone’s responsibilities, among other things.
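As an added example that is not part of the article: the requirements to protect stored cardholder data and not to send account numbers in the clear mean a merchant’s own point-of-sale and web logs must not contain full card numbers or card verification codes, so a small Python scanner like the one below can be run over those logs to find and mask them. The log lines are constructed, and the field names (card=, pan=, cvv=) are assumptions about what a POS might write.

```python
import re

# Constructed sample log lines (not from the article). Lines 1 and 4 carry full
# card numbers, line 2 is already masked, and line 3 is a 16-digit order id that
# looks like a card number but fails the Luhn check.
SAMPLE_LOG = """\
2024-03-08T10:12:01Z pos-1 sale approved card=4111111111111111 amount=19.95
2024-03-08T10:12:05Z pos-1 sale approved card=411111******1111 amount=5.00
2024-03-08T10:13:40Z web order_id=1234567890123456 status=shipped
2024-03-08T10:14:02Z web sale declined pan=5500 0000 0000 0004 cvv=123
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not part of a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data: PCI DSS forbids storing these after authorization.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)=\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; separates real PANs from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI display format."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str):
    """Return (redacted_line, findings) for one log line."""
    findings = []

    def replace_pan(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # not a card number, leave it untouched
        masked = mask_pan(digits)
        findings.append(("PAN", masked))
        return masked

    def replace_sad(m):
        findings.append(("SAD", m.group(1).lower()))  # report the key, never the value
        return m.group(1) + "=[REDACTED]"

    line = PAN_CANDIDATE_RE.sub(replace_pan, line)
    line = SAD_RE.sub(replace_sad, line)
    return line, findings


def scan_log(text: str):
    """Scan a whole log; returns (redacted_text, [(lineno, kind, detail), ...])."""
    redacted, findings = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        new_line, hits = redact_line(line)
        redacted.append(new_line)
        findings.extend((lineno, kind, detail) for kind, detail in hits)
    return "\n".join(redacted), findings
```

Calling `scan_log(SAMPLE_LOG)` reports the two full card numbers and the stored CVV, leaves the already-masked line and the order id alone, and returns a copy of the log that is safe to keep as the audit trail the monitoring requirement calls for.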

How to become PCI compliant

To become PCI compliant, small businesses typically must fill out a self-assessment form in addition to meeting the requirements listed above. Larger businesses usually need to hire third-party auditors to assess them. These businesses may also have to submit additional paperwork and hire an outside firm to scan their networks.

Although the PCI compliance requirement is universal, validation requirements and assessments may be slightly different, depending on the card network. The type of annual assessment required depends on a few factors, including the volume of card transactions.

A business falls into one of four category levels. For example, the following are the compliance levels for Visa:

Level 1 merchants are those that process more than 6 million Visa transactions per year across all channels, or are global merchants identified as Level 1.

Level 2 merchants are those that process between 1 million and 6 million Visa transactions per year across all channels.

Level 3 merchants are those that process 20,000 to 1 million e-commerce Visa transactions per year.

Level 4 merchants are those that process fewer than 20,000 e-commerce Visa transactions, or those processing up to 1 million total annual Visa transactions.

Merchants that have suffered a hack or cyberattack that led to data loss may be moved to a higher validation level by Visa.

Groups involved in PCI compliance

There are four layers of groups involved in PCI compliance, beginning with the card networks that created it down to the individual businesses that accept customer payments.

Card networks

Each card network, like Visa and Mastercard, creates its own set of specific requirements, guided by the security standards set by the PCI Security Standards Council.

The PCI Security Standards Council

American Express, Discover, JCB International, Mastercard and Visa founded this organization in 2006. It creates broad security standards, certifies vendors, and tests and certifies payment technology.

Merchant account providers or payment service providers

Businesses use merchant account providers or payment service providers to gain the ability to accept card payments. In addition to following the rules set by each card provider, they also function as de facto administrators of PCI compliance for businesses by including specific PCI compliance-related requirements in the terms of their contracts or agreements.

Business owners

Every business must meet the requirements set forth by its merchant account or payment service provider. Meeting the requirements means your business is in compliance. If you aren’t in compliance, you could face hefty fees or even lose your merchant account.

The cost of PCI compliance

Some payment processors charge PCI compliance fees. In return, you might receive compliance-related services, like access to consultants who help you complete requirements.

National Processing, for example, charges a $79.95 annual fee for PCI compliance.

Dharma Merchant Services doesn’t have a PCI compliance charge, but there is a $39.95 monthly fee for noncompliance.

Adyen, Payline, Square and Stripe don’t have specific charges for PCI compliance.

Some companies don’t have any information listed on their website, or they may have vague “service fees” that may or may not include PCI-related items.

Weighing the cost of this fee, if any, against the services you receive can play a role in choosing a credit card processing company. Even if your payment partner doesn’t charge you a fee, becoming PCI compliant usually costs something. Level 4 merchants can expect to pay hundreds of dollars annually to hire an approved scanning vendor to test their network, complete the questionnaire and help address any issues.

Tips for becoming PCI compliant

Given the technical nature of data security, completing the assessment questionnaire can be challenging for small-business owners who must address all the issues before submitting it. The following steps can make the process easier.

Practice good data hygiene

Much of the advice on securing data mirrors best practices you might already be familiar with when securing your own personal devices, including:

Use strong passwords.

Keep software updated. Older point-of-sale terminals can be particularly vulnerable. Newer cloud-based systems are built with strong encryption, and typically receive updates automatically.

Store only what you need. You probably don’t need to store physical copies of receipts.

Don’t click on suspicious links.

Only use card readers and payment software that are validated by the PCI Security Standards Council.

Educate employees about the importance of protecting cardholder data.

Take the paperwork seriously

Self-assessment questionnaires are technical in nature and can frustrate business owners, Glover says. Some people are tempted to simply check yes to all the questions on the questionnaire without giving the questions much thought.

“People just get frustrated,” Glover says. “We see this a lot. This is a business risk you’re taking.” He says that if a business owner does this and is later compromised, penalties are often stiffer. If you’re unsure of how to handle these questionnaires, consider asking your payment processor for clarification or seeking help from an outside agency.

Use systems that make compliance easier

The point-of-sale, or POS, system that you use can make PCI compliance easier. Using an up-to-date cloud-based POS system with built-in payment processing services and in-house hardware can minimize security risks. These end-to-end systems are usually secure, low-maintenance and often include PCI compliance support.

Some business owners piece together an array of products and services from different companies, but these systems can be less secure and often depend on the owner keeping everything up-to-date.

Compliance resources checklist

Understand your business

Find out which level your business falls under. Find out which assessment you must use.

Talk to your payment processor about:

The specific compliance requirements in your contract.

Whether it has consultant recommendations should you need help.

Whether you are paying a PCI compliance fee.

Compliance services it provides or recommends.

Get help from experts

Use resources on the PCI Security Standards Council website to learn more about securing customer data.

For help finding an approved scanning vendor or someone to help with your assessment, talk to your financial partners or use the vendor lists the PCI Security Standards Council keeps. [0]

PCI Security Standards Council. PCI Qualified Professionals Listings Overview. Accessed Mar 8, 2024.
