Does My Online Business Need to Be PCI Compliant?

If you’re running an online business that takes card payments, you need to get to grips with the Payment Card Industry Data Security Standard (PCI DSS). No matter how small your business, keeping customer data safe should be a top priority. Numerous companies have hit the headlines in recent years for failing to adequately protect credit card data and suffering serious data breaches as a result. 

Fraudulent activity could cost your company thousands of pounds in lost business and fines — not to mention the damage to your brand’s reputation. Consumers are increasingly wary of handing over their personal data as a result of the publicity surrounding major data breaches. Businesses that want to succeed must build that trust by showing a commitment to implementing secure payment processes. In this guide, we’ll take a closer look at what PCI DSS compliance is and who it applies to.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was introduced in 2004 by five major credit card companies — MasterCard, American Express, Visa, JCB International and Discover Financial Services — that collaborated to amalgamate their information security policies.

The standard was designed to protect card issuers from fraudulent activity by requiring merchants who handle branded credit cards to adhere to minimum levels of security when storing, processing and transmitting cardholder data. In 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed to administer the new standard.

There are 12 requirements across six categories that must be met to achieve PCI DSS compliance. For details of the 12 requirements, refer to the PCI SSC website. The categories are: 

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

Who Needs to Be PCI DSS Compliant?

Any business that accepts credit card payments needs to become PCI DSS compliant. Although compliance is not a legal requirement, the potential consequences of penalties and lost business are so significant that businesses would be well-advised to treat it as such.

There are four levels of compliance, depending on the number of transactions you process annually. 

  • Level 1 – businesses that process more than six million card transactions per annum
  • Level 2 – businesses that process one to six million card transactions per annum
  • Level 3 – businesses that process 20,000 to one million card transactions per annum
  • Level 4 – businesses that process fewer than 20,000 card transactions per annum

The requirements for compliance become more comprehensive and strict as the levels progress, with Level 1 being the highest standard to meet. If you run a small online business, it’s likely you’ll only need to work towards compliance at Level 3 or Level 4.

How Do I Make My Business PCI DSS Compliant?

According to the PCI SSC, gaining PCI compliance is a three-step process:

  1. Assess
  2. Remediate
  3. Report

The first step towards PCI DSS compliance is to complete a self-assessment questionnaire (SAQ). This will allow you to determine your current level of compliance and to identify any areas where security must be improved to meet the required standard. There are eight different questionnaires to choose from. The PCI SSC has published a useful guide to self-assessment, which includes a table to help business owners select the most appropriate questionnaire. Merchants must comply with all requirements in their chosen questionnaire to achieve compliance.

The second step is to address any vulnerabilities in your business systems and processes that were flagged during the assessment. This might include switching to PCI DSS compliant software and implementing new procedures that enable you to take payments securely. The PCI SSC also recommends eliminating storage of cardholder data “unless absolutely necessary”.

The final step towards compliance is to report your PCI DSS compliance status to the relevant acquiring financial institution or payment card brands.

There is a fee for maintaining PCI compliance. The cost will depend on the size of your business, your current level of security and the technology you use. 

What Are the Consequences of Non-Compliance?

Gaining the appropriate level of PCI compliance for your business will take time and money, but this investment pales in comparison to the potential cost of non-compliance. The cost of a data breach can run into millions of pounds. If a non-PCI compliant business suffers a data breach or other fraudulent activity that compromises the security of cardholder data, it will be liable for significant penalties.

Average fines in the UK for small businesses are £15,000, and they can be significantly higher for big brands. In 2017, Equifax, one of the largest consumer credit reporting agencies, incurred fees exceeding $575 million after it lost the personal and financial information of almost 150 million customers. On top of penalties, there are likely to be additional costs in terms of lost business, legal fees and damage to the company’s reputation. Small businesses may well never recover from such an experience.

Gaining PCI DSS compliance may seem like a complex and arduous process, especially for small businesses with few human and financial resources to spare. But compliance is a must-have, not a nice-to-have, for any business that processes card transactions. Start the process today by completing the appropriate self-assessment questionnaire. You might be pleasantly surprised to find that, with only a few tweaks to existing processes, you can gain compliance at the most appropriate level for your business.