PCI compliance — A 2026 guide

If you’re running a small business and accept card payments, you’ll want to be aware of something called PCI compliance.

PCI compliance is about keeping all card transactions safe, no matter the size of your business.

Read on to learn about what is PCI compliance for your small business and how GoDaddy can help.

What is PCI DSS compliance?

PCI compliance refers to the technical and operational standards businesses must follow to ensure that credit card data provided by customers is protected. Formally referred to as Payment Card Industry Data Security Standard (PCI DSS), this security regulation is implemented globally to hinder credit card fraud and various other data security vulnerabilities. 

The PCI DSS is developed and maintained by the PCI Security Standards Council (PCI SSC). Along with PCI DSS, the Council also maintains these payment security standards:

  • Point-to-Point Encryption (P2PE) for encrypting data from capture to decryption
  • Secure software standards for payment application development
  • PIN security for ATM and POS terminal transactions
  • Token Service Provider (TSP) standards for payment tokenization
  • Mobile payment standards for smartphone and tablet acceptance

For most businesses, PCI DSS is the primary standard that requires compliance. If your business requires specialized payment technologies, however, some of the above standards may also apply to your business.

So what does it mean to be PCI compliant? Being PCI compliant means your business is doing its part to keep your customers’ credit card information secure. It signifies you’re following a set of guidelines — PCI DSS — which helps prevent credit card fraud and data security issues.

How PCI compliance works (core components)

PCI compliance involves three interconnected components that work together to protect cardholder data:

1. Secure data collection and transmission

This component ensures that sensitive card information is collected and transmitted securely by using encryption and secure communication protocols. 

2. Secure data storage

PCI compliance requires secure storage to protect any stored cardholder data. This includes security features like encryption, access controls, ongoing monitoring, and regular security testing. 

3. Annual validation

Businesses must validate their security controls annually to maintain PCI compliance. The validation process depends on the business size, but typically involves a self-assessment questionnaire, external vulnerability scans, or third-party audits. 

Imagine you run a popular local bakery. Your delicious pastries have a loyal following, and many of your customers pay using their credit cards. Being PCI compliant guarantees your hungry patrons’ credit card information is secure each and every time they purchase your baked goods. If there is a data breach and credit card data is stolen from your business, it can lead to loss of trust and serious fines, which can harm your business. 

PCI compliance is essential for every small business handling credit card transactions — ensuring customers’ peace of mind while also protecting the business.

Is PCI compliance required by law?

While PCI compliance isn’t required by federal law, it is strongly enforced by the card brands themselves (Visa, Mastercard, American Express, JCB and Discover). Failure to comply with PCI standards can result in hefty fines from these card companies, and in some cases, the ability to process card payments may be revoked.

In addition to this, some states have laws mandating certain aspects of the PCI standards, so you’ll need to verify your own state laws as well.

Disclaimer: This content is for informational purposes only and should not be construed as legal or financial advice. Always consult an attorney or financial advisor regarding your specific legal or financial situation.

Who is required to be PCI compliant?

PCI compliance is required for all businesses, regardless of business size, that accept, transmit or store any cardholder data. This includes any credit, debit or payment cards that are branded with one of the card logos from the five major card brands — Visa, MasterCard, American Express, Discover and JCB. 

To sum it up, if your business handles card transactions in any way, you’re required to be PCI compliant.

How to know if you are PCI compliant?

Determining if you’re PCI compliant often involves a Self-Assessment Questionnaire (SAQ A), or an audit by a Qualified Security Assessor (QSA), depending on your business’s size and card transaction volume.

The self-assessment questionnaire consists of a series of yes-or-no questions about your security practices. If a QSA is required, they’ll conduct a comprehensive review of your business’s card data practices to ensure they meet PCI standards. 

In both cases, you’ll receive a report detailing your compliance status. If there are areas where you’re not compliant, the report will offer guidance on what needs to be improved.

What are the benefits of PCI compliance?

Illustration of servers and charts with two hands in a handshake.

There’s more to PCI compliance than just following a set of guidelines. Ensuring that your business adheres to these standards carries several invaluable benefits that touch various aspects of your business. Here are some standout benefits of PCI compliance every business owner should consider:

  • Building customer trust: PCI compliance boosts customer confidence as it demonstrates that their credit card data is safeguarded.
  • Protecting cardholder data: By reducing the risk of data breaches, PCI compliance adds an extra layer of protection to sensitive information. 
  • Steering clear of penalties: Compliance acts as a buffer against formidable fines and legal consequences that come with non-adherence.
  • Polishing brand image: Adhering to PCI standards can greatly enhance a business’s reputation as a trustworthy entity.
  • Navigating standards together: PCI compliance often aligns with other industry regulations, helping businesses maintain overall compliance more seamlessly.
  • Embracing peace of mind: Knowing that they are doing everything possible to guard against fraud allows merchants to operate with fewer worries about security breaches.

What are the 12 PCI compliance requirements?

Without a doubt, PCI compliance can seem complex, especially for the uninitiated. However, the true heart of what is PCI compliance really boils down to a set of 12 core requirements, designed to secure and protect cardholder data.

  1. Install and maintain network security controls: This step involves setting up network security controls, such as firewalls, to serve as a barrier between your network and potential external threats. Under the latest rules, this requirement now covers network security controls broadly, not just firewalls.
  2. Apply secure configurations to all system components: Default settings can be easily targeted by cybercriminals, so applying secure configurations across all system components helps secure your data.
  3. Protect stored account data: Any stored account data, which now broadly includes both cardholder data and Sensitive Authentication Data (SAD), should be securely protected and encrypted.
  4. Protect cardholder data with strong cryptography: As data can be vulnerable while being transmitted, strong cryptography ensures it remains secure as it moves across open or public networks.
  5. Protect all systems and networks from malicious software: This involves actively defending systems and networks against all forms of malicious software, which is broader than just keeping anti-virus software updated.
  6. Develop and maintain secure systems and software: This requirement focuses on keeping all systems and software related to cardholder data processing secure and up to date.
  7. Restrict access to system components and cardholder data: Access to system components and cardholder data should only be granted to those who absolutely need it for their role.
  8. Identify users and authenticate access to system components: Every individual with access to the system should be uniquely identified and authenticated to ensure actions can be traced back to specific users.
  9. Restrict physical access to cardholder data: Measures should be taken to limit physical access to systems that store cardholder data.
  10. Log and monitor all access to system components and cardholder data: This involves setting up logging mechanisms to track user activities, which aids in the prevention, detection, or minimization of data compromise.
  11. Test security of systems and networks regularly: Regular security testing helps to maintain robust defenses that keep up with current threats.
  12. Support information security with organizational policies and programs: This requirement emphasizes organizational policies and programs so that everyone within the business understands their role in maintaining information security.

How to become PCI compliant

Achieving PCI compliance for your small business may seem intricate, but it can be simplified into three manageable steps: Assess, Remediate and Report.

1. Assess

The first step towards PCI compliance is understanding where your small business fits within the four levels of PCI Requirements.

The four levels are determined by the volume of transactions your business processes annually.

The exact thresholds will vary based on the specific card provider (Visa, American Express, JCB, Mastercard and Discover), but here are the general levels for businesses seeking PCI compliance:

Compliance level Who this applies to Requirements
Level 1 – Businesses that process over 6 million credit card transactions per year.
– Businesses that have experienced a data breach.
1. Report on Compliance (ROC) to be performed by a Qualified Security Assessor (QSA), required annually.
2. Network scans by an Approved Scanning Vendor (ASV), required quarterly.
3. Attestation of Compliance (AOC), required annually.
Level 2 – Businesses processing between 1 million and up to 6 million transactions per year. 1. Completion of Self-Assessment Questionnaire (SAQ), required annually.
2. Network scans by an Approved Scanning Vendor (ASV), required quarterly.
3. Attestation of Compliance (AOC), required annually.
Level 3 – Businesses processing 20,000 and up to 1 million transactions per year. Same as level 2.
Level 4 – Businesses processing less than 20,000 transactions per year. Same as level 2.

2. Remediate

After understanding where your business stands, the next step is remediation, which means fixing any vulnerabilities that were discovered during the assessment phase. Remediation is crucial as it helps plug security gaps and ensures more secure processes. This can involve several steps, including:

  • Updating and patching hardware and software applications to fix security vulnerabilities.
  • Restricting access to sensitive data to only necessary personnel.
  • Encrypting cardholder data both when it’s stored and transmitted.
  • Regularly testing security systems and processes to ensure they are robust and updated.

3. Report

The final step in achieving PCI compliance is to report. During this phase, you need to document your compliance with a Report on Compliance (ROC) or complete the relevant SAQ, depending on your business’s level. These documents provide evidence that you have assessed and remedied your business’s vulnerabilities and are compliant with PCI requirements. It’s important to then submit these reports to your acquiring bank and card brands as required.

How much does it cost to be PCI compliant?

The answer here isn’t straightforward, as the costs can vary widely depending on the size and type of your business, the state of your current security infrastructure, and the previous level of PCI compliance. Here are some costs to consider before even applying for PCI compliance:

  • Self-assessment: For smaller businesses that qualify, self-assessment could be a low-cost way to achieve PCI compliance. This could involve purchasing a self-assessment kit for anywhere from $100 to $500.
  • Security infrastructure updates: Depending on your existing systems, you may need to invest in new hardware, software, or other security measures to meet PCI standards. The cost here could range from a few hundred to several thousand dollars.
  • Maintenance and training: Ongoing costs for maintaining secure systems and training staff in PCI security practices need to be factored in. This can range from a few hundred to several thousand dollars annually.

Once you’ve completed any necessary prework, here are the estimated costs for each business level:

  • Level 1: Level 1 businesses are required to complete a Report on Compliance (ROC), which is a detailed report on the business’s security standards, server environment, and how they protect customer data. This report is compiled via onsite audit and review performed by a Qualified Security Assessor (QSA). In addition to a ROC, level 1 businesses also must complete quarterly network scans by an Approved Scanning Vendor (ASV), as well as an Attestation of Compliance. The cost for these combined requirements can range from $30k-200k per year.
  • Level 2: For a level 2 business, the requirements include quarterly ASV scans, a self-assessment questionnaire and an Attestation of Compliance. The cost for these requirements generally starts at $10k per year.
  • Level 3: Level 3 businesses require regular ASV scans, as well as the self-assessment questionnaire and an Attestation of Compliance. Because the ASV scan pricing is based on the number of IP addresses associated with your business operations, smaller businesses tend to have fewer IP addresses for the ASV to scan and thus tend to be less costly. As such, the cost for level 3 businesses generally starts around $1500 per year and goes up from there.
  • Level 4: For small businesses, an ASV, self-assessment questionnaire and an Attestation of Compliance are required. The cost for a level 4 business tends to be under $1000 per year, but can increase depending on your specific business configuration. 

Remember, while these costs may seem significant, the cost of non-compliance, including potential fines, remediation costs and brand damage, can be much higher.

What are the risks and consequences of non-compliance?

Illustration of a seated woman surrounded by ecommerce icons.

Now that we’ve covered what is PCI compliance and the steps associated with it, it’s important that we also highlight the repercussions of non-compliance with PCI standards. Non-compliance can be serious and span multiple aspects of your business. Here are some of the key risks and consequences:

  • Financial implications: Non-compliant businesses face the risk of hefty fines from credit card companies. Moreover, businesses would also be liable to cover any costs related to fraud losses incurred by payment card issuers, investigational procedures after a breach and remediation efforts to fix the security gaps.
  • Operational consequences: In more severe cases, non-compliant businesses may also lose their ability to process card payments altogether. This could bring operations to a halt, especially for those businesses that primarily rely on card transactions.
  • Reputational damage: Perhaps the most lasting damage is the loss of customer trust and reputation, which is difficult to quantify. Customers want to feel confident that their card data is safe with a business, and a breach can result in irreversible damage to a business’s brand image.
  • Legal consequences: Depending on local laws and regulations, businesses could also face potential lawsuits from affected customers, state attorneys general or card companies.

Stay current with evolving standards

As technology changes, so too do the standards for PCI compliance. These standards are updated regularly to keep pace with evolving technology, and businesses need to stay informed of these updates as well.

An example of updating requirements, the Payment Application Data Security Standard (PA-DSS) was retired in October 2022 and was replaced by the Secure Software Standard and the Secure Software Lifecycle Standard. These changes mean that the old compliance applications were retired, and businesses will need to file through the new, updated system instead. 

Key actions to stay current:

  • Regularly check the PCI Security Standards Council website for standard updates
  • Verify that any payment software or applications you use comply with current standards
  • Work with vendors and service providers who maintain active compliance with the latest PCI requirements
  • Review your compliance status whenever standards are updated, typically every few years

Using outdated payment applications that only comply with retired standards could leave your business vulnerable and potentially non-compliant, even if you were compliant in the past.

As an example, fashion retailer Forever 21 disclosed a 2023 data breach that exposed personal and payment-related data of over 500,000 individuals. Following an earlier 2017 POS malware incident, the repeat breach pointed to ongoing PCI compliance gaps, particularly around encryption of stored account data and monitoring access to cardholder data.

PCI compliance standards exist to keep both customers and businesses safe, so it’s important to stay up-to-date to protect yourself, your customers, and your business reputation.

How GoDaddy helps businesses with PCI compliance

We offer PCI-compliant solutions with certified products like GoDaddy Payments and Online Store. If your business is primarily conducted in person, then you’ll want to consider which of the available POS systems are a good fit for your business, such as our retail POS system designed for secure and seamless transactions. Security is baked in as payments via GoDaddy Payments transactions are end-to-end encrypted with strict PCI compliance.*

Or, if you need a more flexible approach for accepting payments, GoDaddy can lend a hand. Take payments in more ways and grow your business. Securely accept all major payment types on all devices, online, over the phone, or in person.

Utilizing our PCI-certified solutions means that business owners can benefit from our systems and processes structured to secure customer credit card information. 

For example, transactions via our Online Store and Online Appointments are seamlessly coordinated with third-party systems that process credit card information within their tightly secured frameworks. These platforms utilize minimal code on your site, affording your customers the ability to input their credit card details and allowing you to remain in compliance. 

However, be aware that remaining PCI compliant is a joint effort. We recommend the following steps to ensure that your ecommerce solution remains in compliance:

  • Always assign users a unique ID and use strong passwords.
  • Don’t use shared or generic IDs or passwords.
  • Remove users when they should no longer have access.
  • If you collect credit card information on paper, make sure to control access to the information and destroy it when it’s no longer needed.
  • If you use services to manage paper records or manage your account, make sure the service provider has acknowledged their responsibility for safely handling credit card data and you’re confident they’re fulfilling their obligations.
  • Make sure you have a list of who you need to reach out to and how you will handle customer communication in case of a data breach.
  • Submit PCI Self-Assessment Questionnaire A with your processor if you decide not to use GoDaddy Payments.

Why PCI compliance matters for your business

Ensuring the security and privacy of your customers’ sensitive payment information should be a top priority for all businesses accepting card payments. Ignoring or missing components of this crucial security protocol can lead to breaches, loss of customer trust and heavy penalties.Understanding what is PCI compliance and implementing it comprehensively in your organization is a powerful tool to protect both your business and your valued customers. 

Remember, PCI compliance isn’t a one-time process. It’s an ongoing commitment to securing transactions and building trust.

*Card reader/Smart Terminal is PCI certified.

Similar Posts

Leave a Reply