What is PCI Compliance?
PCI compliance (Payment Card Industry Data Security Standard) is mandatory for any business accepting credit card payments. Learn the 12 requirements, compliance levels, and what happens if you're not compliant.
What Is PCI Compliance?
PCI Compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS)—a comprehensive set of security requirements established by the major payment card networks (Visa, Mastercard, American Express, Discover, and JCB) to protect cardholder data and reduce credit card fraud. PCI DSS is not a law—it's a contractual obligation enforced by the card networks. But the consequences of non-compliance are severe enough that every business accepting cards takes it seriously. The standard was created in 2004 when the major card brands united to create a unified security framework. Today, PCI DSS version 4.0 (released in 2022, with enforcement of many new requirements phased in through 2024-2025) is the current version.
Who Needs to Be PCI Compliant?
Any business that accepts credit or debit cards must be PCI compliant. This includes:

- E-commerce businesses (card-not-present transactions)
- Retail stores (card-present transactions)
- Freelancers and independent contractors accepting card payments online
- Any business using a payment terminal or card reader
- Businesses that take payments over the phone (card-not-present)

The volume of transactions determines your Merchant Level, which determines the specific compliance requirements:

| Merchant Level | Annual Transaction Volume | Requirements |
|---|---|---|
| Level 1 | 6 million+ | Annual SAQ or ROC, quarterly scans, on-site audit |
| Level 2 | 1-6 million | Annual SAQ, quarterly scans |
| Level 3 | 20,000 - 1 million e-commerce | Annual SAQ, quarterly scans |
| Level 4 | <20,000 e-commerce or <1 million total | Annual SAQ, quarterly scans (if applicable) |

Most freelancers and small businesses are Level 4 merchants.
The 12 PCI DSS Requirements
PCI DSS has 12 core requirements organized around 6 goals:

Goal 1: Build and Maintain a Secure Network
- Requirement 1: Install and maintain network security controls (firewalls, routers) to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal 2: Protect Cardholder Data
- Requirement 3: Protect stored cardholder data. Use strong cryptography; limit storage to what's necessary; mask PANs when displayed.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks (use TLS 1.2+ for web transactions).

Goal 3: Maintain a Vulnerability Management Program
- Requirement 5: Protect all systems and networks from malicious software; maintain anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications; patch promptly.

Goal 4: Implement Strong Access Controls
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Identify and authenticate access to system components.
- Requirement 9: Restrict physical access to cardholder data.

Goal 5: Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.

Goal 6: Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel.
PCI Compliance for Small Businesses — The Practical Reality
For most small businesses and freelancers, PCI compliance is less about on-site audits and more about the following.

The Smartest Path: Use a Compliant Payment Processor

The easiest way for freelancers and small businesses to achieve PCI compliance is to delegate card data handling to a PCI-compliant payment processor. When you use Stripe, Square, PayPal, or similar processors:

- They handle all card data transmission and storage
- They're already PCI compliant (Level 1 certified)
- You're partially relieved of the compliance burden (but still responsible for your environment)

However: even with a compliant processor, you're responsible for security in your own environment—your website, your email system, your CRM.
SAQ Types — Which One Do You Need?
The Self-Assessment Questionnaire (SAQ) has multiple versions depending on how you accept payments:

| SAQ Type | Description | Who It's For |
|---|---|---|
| SAQ A | Card-not-present merchants, fully outsourced | E-commerce using Stripe/PayPal exclusively |
| SAQ A-EP | E-commerce only, some channels not outsourced | E-commerce with direct payment pages |
| SAQ B | Imprint machines or dial-terminal only | In-person only, no e-commerce |
| SAQ B-IP | POS terminal IP-connected | In-person with IP-connected terminal |
| SAQ C-VT | Virtual terminal on isolated computer | Manual keying via web-based terminal |
| SAQ C | Payment application connected to internet | POS with internet connection |
| SAQ D | All other scenarios | Most complex environments |

Most freelancers using payment processors for e-commerce qualify for SAQ A—the simplest self-assessment.
What Happens If You're Not PCI Compliant?
If You Suffer a Data Breach While Non-Compliant:

Card Network Fines:
- $5,000 to $100,000 per month in PCI non-compliance penalties
- Fined by the card networks (Visa, Mastercard), passed down through your acquiring bank

Direct Breach Costs:
- Card replacement costs: $3-$10 per card
- Forensic investigation: $20,000-$100,000+
- Credit monitoring for affected cardholders: $10-$30 per cardholder
- Regulatory fines (if financial or healthcare data also exposed)

Legal Consequences:
- Individual and class-action lawsuits from affected customers
- Banks may revoke your ability to accept card payments entirely

Reputational Damage:
- Public breach disclosure in most states
- Customer trust destruction
PCI Compliance Best Practices for Freelancers
1. Never store card numbers — Not in spreadsheets, not in email, not in CRM, nowhere
2. Use PCI-compliant payment processors — Stripe, Square, PayPal, etc.
3. Keep software updated — Your OS, browser, and any tools that touch payment data
4. Use strong passwords and 2FA — On all accounts related to payment processing
5. Don't send card numbers over email — Even "for our records"
6. Complete your SAQ annually — Takes 20-60 minutes for most small businesses
7. Use HTTPS/TLS on your website — Non-negotiable for e-commerce
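Requirement 3 above (mask PANs when displayed) and best practice 1 (never store card numbers) both assume you can tell whether a card number has crept into a place it should not be, such as a log file, a CSV export or a support ticket. The following is an added example, not code from the page or from any payment processor: a small Python scanner that finds Luhn-valid 13 to 19 digit sequences in free text and replaces them with a masked form that keeps only the last four digits. The log lines are constructed for the example; 4111111111111111 is a widely published Visa test number that passes the Luhn check, not a real account. Such a scan is a cheap way to check the systems that a compliant processor does not cover (your website, email and CRM, as the page notes) before completing an SAQ.

```python
"""Scan free text (log lines, CSV exports, support tickets) for primary account
numbers (PANs) and redact them, keeping only the last four digits.
Added example for this page; not part of any processor's SDK."""
import re
from typing import List, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded inside a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits (separators are stripped first)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def _is_pan(candidate: str) -> Tuple[bool, str]:
    """Normalise a regex match to bare digits and decide whether it is a PAN."""
    digits = re.sub(r"\D", "", candidate)
    return (13 <= len(digits) <= 19 and luhn_valid(digits)), digits


def find_pans(text: str) -> List[str]:
    """Return the digit strings of every Luhn-valid PAN candidate in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        ok, digits = _is_pan(m.group(0))
        if ok:
            found.append(digits)
    return found


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its masked form.

    Returns the redacted text and the number of PANs replaced. Digit runs that
    fail the Luhn check (order ids, timestamps, phone numbers) are left alone.
    """
    count = 0

    def _sub(m: "re.Match") -> str:
        nonlocal count
        ok, digits = _is_pan(m.group(0))
        if ok:
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return _CANDIDATE.sub(_sub, text), count


# Constructed sample lines (not real cardholder data). Line 2 is the kind of
# debug logging that silently turns an application log into stored card data.
SAMPLE_LINES = [
    "2024-05-01 12:00:01 INFO checkout ok order=1234567890123456 amount=49.00",
    "2024-05-01 12:00:02 DEBUG gateway request card=4111 1111 1111 1111 exp=12/26",
    "2024-05-01 12:00:03 INFO callback phone=5551234567 status=approved",
]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line that contained a PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        redacted, count = redact_pans(line)
        if count:
            hits.append((n, redacted))
    return hits


if __name__ == "__main__":
    for n, line in scan_lines(SAMPLE_LINES):
        print(f"line {n}: PAN found -> {line}")
```

The Luhn check is what keeps the false-positive rate usable: the 16-digit order id on line 1 matches the digit pattern but fails the checksum and is left untouched, while the spaced card number on line 2 is detected and masked. Run the same function over exported spreadsheets or ticket text to find the places where card numbers were kept "for our records".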
The Bottom Line
PCI compliance is mandatory for any business accepting cards. For freelancers and small businesses, the practical path is straightforward: use a reputable PCI-compliant payment processor (Stripe, Square, PayPal), complete your annual SAQ, and don't store card data yourself. This takes you from complex PCI requirements to a manageable checklist. Non-compliance isn't a theoretical risk—data breaches at small businesses are common, and the financial consequences can be devastating. Take it seriously.

Key Takeaways:

1. PCI DSS is the mandatory security standard for any business accepting cards
2. All merchants (including freelancers) must comply and complete an annual SAQ
3. Using a compliant payment processor (Stripe, Square) dramatically simplifies compliance
4. Never store card numbers, CVVs, or expiration dates on your own systems
5. Breach while non-compliant: $5K-$100K/month fines + legal costs + loss of card processing