If your business accepts credit or debit cards, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance can result in fines of $5,000 to $100,000 per month, increased transaction fees, and potentially losing the ability to accept card payments — a death sentence for most businesses.
The good news: most small and medium businesses can achieve PCI DSS compliance without a massive security infrastructure investment.
The 12 PCI DSS Requirements
PCI DSS v4.0 (current as of 2024) has 12 core requirements organized into six goals:
- Build and Maintain a Secure Network and Systems
- Protect Account Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Your Merchant Level Determines Your Obligations
PCI DSS applies differently based on your transaction volume:
Level 1: More than 6 million transactions/year
- Annual on-site audit by a Qualified Security Assessor (QSA)
- Quarterly network scans by an Approved Scanning Vendor (ASV)
- Attestation of Compliance (AoC)
Level 2: 1 million to 6 million transactions/year
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scans by ASV
Level 3: 20,000 to 1 million e-commerce transactions/year
- Annual SAQ
- Quarterly network scans by ASV
Level 4: Fewer than 20,000 e-commerce transactions/year, or up to 1 million transactions/year across all channels
- Annual SAQ (requirements vary by acquiring bank)
- Quarterly network scans may be required
The thresholds above are the Visa and Mastercard tiers; other card brands define the levels slightly differently.
Choosing the Right SAQ
There are multiple SAQ types depending on how you accept cards:
- SAQ A — Simplest. Card data functions entirely outsourced to PCI-compliant third parties (e.g., Stripe, Square). No card data on your systems. ~22 requirements.
- SAQ A-EP — E-commerce merchants using third-party payment pages but with website code that could affect payment security. ~191 requirements.
- SAQ B — Card-present merchants using imprint machines or standalone dial-out terminals. No electronic storage of cardholder data.
- SAQ B-IP — Card-present merchants using PTS-approved IP-connected terminals.
- SAQ C — Payment application systems connected to the internet, but no electronic storage of cardholder data.
- SAQ D — Merchants that don't fit other SAQ types. All 12 requirements. Most burdensome.
The biggest simplification strategy: use a third-party payment processor (Stripe, Braintree, Square) with hosted payment pages or iframes. This typically qualifies you for SAQ A, reducing your compliance burden dramatically.
The Most Impactful Technical Controls
Whether you're SAQ A or SAQ D, these controls deliver the highest security value:
Firewall and Network Segmentation
- Isolate your cardholder data environment (CDE) from the rest of your network
- Document all firewall rules and review them every six months
- Block all inbound traffic except what's explicitly required
Access Control and Authentication
- Unique user IDs for every person with system access — no shared accounts
- Multi-factor authentication on all remote access and admin accounts (now required by PCI DSS v4.0 for all accounts)
- Strong passwords: minimum 12 characters with complexity requirements
- Lock accounts after 6 failed login attempts
Protecting Cardholder Data
- All cardholder data transmitted over public networks must be encrypted (TLS 1.2+)
- Store only what you need — truncate PANs (show only the last 4 digits)
- Never store the Card Verification Code (CVC/CVV)
- Never store the full magnetic stripe, PIN, or PIN block
Vulnerability Management and Patching
- Apply critical security patches within one month of release
- Maintain an inventory of all system components and software
- Track vulnerabilities and patch status
Logging and Monitoring
- Log all access to cardholder data and system components
- Synchronize system clocks using NTP
- Review logs daily (automated tools make this feasible)
- Retain logs for at least 12 months (3 months immediately available)
Security Testing
- Quarterly external vulnerability scans by an ASV (required for all merchant levels)
- Annual internal vulnerability scans
- Rescan after any significant infrastructure change
- Annual penetration test (required for Level 1; recommended for others)
- Quarterly network segmentation testing if you use segmentation to reduce PCI DSS scope
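As an added example (not code from the original article or from OuterSec), the following Python log scrubber applies the PAN-truncation and "never store CVV/PIN/track data" rules above to application log lines: it masks Luhn-valid PANs down to the last four digits and flags sensitive authentication data fields so they can be removed before logs enter the 12-month retention store. The sample log lines, field names and regular expressions are constructed assumptions for the demonstration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes (assumed format).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed field names for sensitive authentication data that must never be stored.
SAD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|pin(?:_block)?|track[12]?_data)\s*[=:]", re.I)

# Constructed sample log lines; 4111 1111 1111 1111 is a well-known Visa test PAN.
SAMPLE_LINES = [
    "2024-05-01T10:01:02Z payment ok card=4111 1111 1111 1111 cvv=123 amount=19.99",
    "2024-05-01T10:01:03Z shipment order=1234567890123456 status=packed",
]

def luhn_ok(digits: str) -> bool:
    """Luhn check: filters ordinary numeric IDs (order numbers etc.) out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(raw: str) -> str:
    """Replace every digit except the last four with '*', keeping separators intact."""
    n_digits = sum(c.isdigit() for c in raw)
    seen, out = 0, []
    for c in raw:
        if c.isdigit():
            out.append(c if seen >= n_digits - 4 else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)

def scrub_line(line: str) -> tuple[str, list[str]]:
    """Return the scrubbed line and a list of findings: 'pan' (masked) and/or 'sad' (flagged)."""
    findings = []

    def replace(m):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            findings.append("pan")
            return mask_pan(m.group(0))
        return m.group(0)       # not Luhn-valid: leave the number alone

    scrubbed = PAN_RE.sub(replace, line)
    if SAD_RE.search(scrubbed):
        findings.append("sad")  # CVV/PIN/track data in a log is a storage violation
    return scrubbed, findings
```

Run the scrubber as a filter in front of the log shipper; a non-empty "sad" finding should be treated as an incident to fix at the source, not merely redacted.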
Practical Steps to Get Compliant
Step 1: Scope Reduction. Before anything else, minimize your PCI DSS scope. Use a hosted payment page or tokenization service. The less your systems touch card data, the less you have to comply with.
Step 2: Determine Your SAQ. Based on how you accept cards, identify the correct SAQ. Your acquiring bank can help.
Step 3: Complete a Self-Assessment. Go through the SAQ honestly. Mark each requirement as "Yes," "No," or "N/A." For every "No," create a remediation task.
Step 4: Implement Missing Controls. Prioritize by risk. Encryption and authentication gaps are highest risk. Logging gaps are often easier to close.
Step 5: Run External Vulnerability Scans. Engage an ASV for your quarterly scans. Popular options include Qualys, Trustwave, and SecurityMetrics.
Step 6: Complete and Submit. Submit your completed SAQ and ASV scan results to your acquiring bank.
Continuous PCI DSS Monitoring
PCI DSS compliance is not annual — it's continuous. OuterSec monitors PCI DSS-specific controls continuously, including:
- Firewall configuration checks
- TLS version verification
- Authentication policy compliance
- Logging and audit trail verification
- Vulnerability scanning integration
The Cost of Non-Compliance
Don't treat PCI DSS as optional. Fines for non-compliance after a breach:
- $5,000–$100,000 per month from card brands
- Increased transaction fees (typically 0.05% per transaction for 12+ months)
- Cost of forensic investigation ($20,000–$100,000+)
- Card replacement costs ($3–$10 per card)
- Reputational damage and customer loss