What Is PCI Compliance? Do You Need It?

If you accept credit or debit cards, PCI compliance isn't optional — it's a contractual obligation with the card networks. Here's what it requires and what it protects you from.

What Is PCI Compliance?

PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS) — 12 security requirements that every business accepting card payments must meet to protect cardholder data from theft and fraud.

The standard is maintained by the PCI Security Standards Council, established by Visa, Mastercard, Amex, Discover, and JCB. It applies to any organization that stores, processes, or transmits card data — from a solo freelancer to a Fortune 500 retailer.

Do You Need to Be PCI Compliant?

If you accept card payments legally in the United States and store any customer data — names, email addresses, card numbers — yes, you are required to comply. Most businesses working with a reputable merchant services provider are already largely compliant, because the provider handles much of the technical infrastructure. The annual self-assessment questionnaire (SAQ) is the piece many merchants skip; if you do, an avoidable non-compliance fee shows up each month on your merchant statement.

The 12 PCI DSS Security Standards

  1. Firewall: Install and maintain a firewall configuration that restricts access to cardholder data.
  2. No Default Passwords: Change all vendor-supplied default passwords and remove default accounts.
  3. Protect Cardholder Data: Encrypt stored data. Never store CVV codes. Limit retention of card data to only what's operationally necessary.
  4. Encrypt Transmissions: Use TLS (not legacy SSL, which PCI DSS no longer accepts as strong cryptography) to encrypt cardholder data transmitted across open networks.
  5. Anti-Malware: Deploy anti-virus software on all systems that could be affected by malware.
  6. Secure Applications: Develop and maintain secure systems and applications, including all network-facing applications.
  7. Restrict Access by Role: Limit access to cardholder data to only those employees who need it to perform their job.
  8. Access Logs: Maintain audit logs tracking who accessed what data and when.
  9. Physical Access Controls: Restrict physical access to systems containing cardholder data.
  10. Network Monitoring: Continuously monitor and test networks to detect unauthorized access.
  11. Security Testing: Regularly test security systems and processes — including penetration testing and firewall reviews.
  12. Security Policy: Maintain and enforce a written information security policy for all staff, covering passwords, access procedures, and acceptable use.

Which SAQ Type Applies to You?

The PCI DSS self-assessment questionnaire comes in several versions. Using the wrong one — or skipping it — is the most common cause of non-compliance fees.

SAQ Type | Who It's For | Complexity
--- | --- | ---
SAQ A | E-commerce merchants who fully outsource card data handling (Stripe, PayPal hosted pages) — never touch card data directly | ~22 requirements — simplest
SAQ B | Merchants using only standalone dial-up terminals with no electronic card data storage | ~41 requirements
SAQ B-IP | Merchants with standalone IP-connected terminals (most modern card readers) | ~86 requirements
SAQ D | All other merchants — including those storing card data or using integrated POS systems | ~329 requirements

Not sure which SAQ applies to you? GoPayhawk guides every merchant through the correct questionnaire as part of standard onboarding — at no extra cost.

Consequences of Non-Compliance

  • Monthly fines: Up to $100,000 per month from the card networks
  • Higher processing rates: Non-compliant merchants are often charged a monthly PCI non-compliance fee ($20–$50) in addition to fines
  • Loss of card acceptance: Visa and Mastercard can revoke your ability to accept their cards
  • Breach liability: If non-compliant merchants suffer a breach, they bear full liability for all resulting fraud losses and notification costs

GoPayhawk and PCI Compliance

Non-compliance fees are just one of six avoidable processing costs most merchants pay without realizing it. For unfamiliar terms in this article, see our payment processing glossary.

Here's exactly who is responsible for what — the fastest way to make compliance feel manageable:

What GoPayhawk Handles | What You Handle
--- | ---
PCI-compliant terminals and payment gateways | Annual SAQ completion (GoPayhawk guides you)
End-to-end encryption and tokenization | Staff password and access control policies
Secure data transmission infrastructure | Physical security of any card data at your location
Processing network compliance certifications | Not storing prohibited data (CVV, full PAN after auth)
Fraud monitoring and breach detection | Reporting suspected breaches promptly
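To make the "not storing prohibited data (CVV, full PAN after auth)" item above, and requirement 3 in the list earlier, concrete, here is a small Python example written for this article (it is not GoPayhawk's code and assumes nothing about any particular gateway). It strips sensitive authentication data from an authorized transaction before it is saved, masks the PAN to the first six and last four digits, and scans free text such as application logs for unmasked card numbers, which is the usual place full PANs leak after the checkout itself has been locked down. The card numbers and log lines are constructed sample data; 4111 1111 1111 1111 and 5555 5555 5555 4444 are the public Visa/Mastercard test numbers, not real cards.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be persisted after authorization (constructed field names).
FORBIDDEN_AFTER_AUTH = {"cvv", "cvc", "cvv2", "track_data", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a card number from an order id that happens to be 16 digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return first six / last four with the middle masked; reject anything that is not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(authorized_txn: dict) -> dict:
    """Return the subset of an authorized transaction that may be persisted.

    Forbidden fields (CVV and friends) are dropped outright, the PAN is replaced
    by its masked form, and every other field passes through unchanged.
    """
    record = {}
    for key, value in authorized_txn.items():
        name = key.lower()
        if name in FORBIDDEN_AFTER_AUTH:
            continue
        if name == "pan":
            record["pan_masked"] = mask_pan(str(value))
        else:
            record[key] = value
    return record


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in free text such as a log file (digits only)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# Constructed log excerpt: an order id that looks like a PAN but fails Luhn, a debug line that
# leaked the real PAN and CVV, and a correctly masked record.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO order=1234567890123456 customer=alice amount=42.00
2024-05-01T10:00:02Z DEBUG auth request pan=4111 1111 1111 1111 cvv=123 exp=12/26
2024-05-01T10:00:03Z INFO stored pan_masked=411111******1111 auth_code=A1B2C3
"""

if __name__ == "__main__":
    txn = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/26", "auth_code": "A1B2C3"}
    print("stored record:", sanitize_for_storage(txn))
    print("unmasked PANs in log:", find_unmasked_pans(SAMPLE_LOG))
```

Running the block stores only the masked PAN, expiry and auth code, and flags the one debug line that logged a full card number while ignoring the Luhn-invalid order id. The same scanner can be pointed at log archives or database dumps as a cheap check that requirement 3 holds in practice, not just in the SAQ answers.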

Currently paying a PCI non-compliance fee? That's $240–$600/year you can eliminate today. Submit your statement and we'll identify it — and show you how to get compliant at no extra cost.
