PCI Compliance FAQs

What is PCI compliance?

Payment Card Industry (PCI) compliance refers to a security standard designed to protect customer data in credit and debit card transactions. The PCI DSS (Payment Card Industry Data Security Standard) was established to strengthen payment systems against potential data breaches. Being “PCI compliant” means a merchant has completed a self-assessment questionnaire (SAQ) that shows that steps have been taken to protect credit and debit card information.

What is the SAQ?

The self-assessment questionnaire (SAQ) is a series of questions that assess a merchant’s PCI compliance based on the equipment and procedures used to accept credit and debit card payments. In the SAQ, you answer simple yes-or-no questions about how your business handles cardholder data.

Why is PCI compliance important?

Merchants that are PCI compliant increase their data security and help protect their customers’ sensitive information, which also contributes to a positive and trustworthy business reputation. By being PCI compliant, you will also help protect your business from breaches that can lead to significant fines or penalties, liability issues and severe damage to business reputation.

Does my business need to be PCI compliant?

According to the PCI Security Standards Council, all merchants or service providers that store, process or transmit payment cardholder data must be PCI compliant.

How often do I need to renew my PCI compliance?

Merchants are required to submit a self-assessment questionnaire (SAQ) annually and are audited quarterly to ensure PCI compliance.

What does non-compliance look like?

There are many ways you can end up non-compliant. Here are a few:

  • Not filling out your annual SAQ (Self-Assessment Questionnaire)
  • Filling out your annual SAQ incompletely and/or inaccurately
  • Failing to complete quarterly network audits
  • Not taking recommended steps provided by PCI compliance experts
  • Sharing login information or usernames among employees
  • Using default passwords for any of your networks or equipment
  • Using public Wi-Fi for transactions when you have a network issue or are working off-site

What are the consequences of non-compliance?

While it is possible to operate a business without being PCI compliant, there are several potential consequences. If you either refuse to meet current PCI standards or neglect to maintain compliance, you run the risk of being hacked, losing customers, incurring fines and losing the privilege of accepting credit cards. If your business fails to remain PCI compliant, your merchant services provider may charge you a monthly “non-receipt of PCI validation” fee. This monthly fee will continue until your business becomes PCI compliant.

What are the requirements that my business needs to meet to be PCI compliant?

To establish and maintain PCI compliance under version 3.2.1, there are 12 basic requirements that every business needs to meet.

Goal 1: Build and maintain a secure network and systems.

  • REQUIREMENT 1: Install and maintain a firewall configuration to protect cardholder data.
  • REQUIREMENT 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal 2: Protect cardholder data.

  • REQUIREMENT 3: Protect stored cardholder data.
  • REQUIREMENT 4: Encrypt transmission of cardholder data across open, public networks.

Goal 3: Maintain a vulnerability management program.

  • REQUIREMENT 5: Protect all systems against malware and regularly update anti-virus software or programs.
  • REQUIREMENT 6: Develop and maintain secure systems and applications.

Goal 4: Implement strong access control measures.

  • REQUIREMENT 7: Restrict access to cardholder data by business need to know.
  • REQUIREMENT 8: Identify and authenticate access to system components.
  • REQUIREMENT 9: Restrict physical access to cardholder data.

Goal 5: Regularly monitor and test networks.

  • REQUIREMENT 10: Track and monitor all access to network resources and cardholder data.
  • REQUIREMENT 11: Regularly test security systems and processes.

Goal 6: Maintain an information security policy.

  • REQUIREMENT 12: Maintain a policy that addresses information security for all personnel.

What is my PCI compliance level?

There are 4 levels of PCI compliance, which are based on the number of transactions a merchant processes each year:

  • Level 1: required if a merchant processes more than 6 million transactions annually
  • Level 2: required if a merchant processes between 1 million and 6 million transactions annually
  • Level 3: required if a merchant processes between 20,000 and 1 million transactions annually
  • Level 4: required if a merchant processes fewer than 20,000 transactions annually

Most small- and medium-sized businesses fall under Level 4. Your Merchant Level, along with other information about how your payments system is configured, will determine which Self-Assessment Questionnaire (SAQ) you will need to complete.

How long does it take to become PCI compliant?

How long it takes to become PCI compliant depends on which SAQ you need to complete. While there are eight different SAQs, Clover will send you a link to the one for your specific business type. Once you have completed the SAQ that applies to your business, you will immediately be compliant.

Do you still have questions or need more assistance? Please reach out to Clover Security for more information:

Call: 866.957.1807 (Assistance available in English and Spanish)
Hours: Monday to Friday, 7 AM to 7 PM CT
Email: support@compliance.clover.com