
PCI Compliance Guide: What Every Merchant Needs to Know

Complete guide to PCI DSS compliance for merchants of all sizes. Understand the 12 requirements, SAQ types, and how to stay compliant.

What Is PCI DSS?

PCI DSS — the Payment Card Industry Data Security Standard — is a set of security requirements that every business accepting credit or debit card payments must follow. It was created by the PCI Security Standards Council, which is governed by Visa, Mastercard, American Express, Discover, and JCB.

The goal is straightforward: protect cardholder data from theft and fraud. If you accept cards, PCI compliance is not optional. Non-compliance can result in fines ranging from $5,000 to $100,000 per month, increased processing fees, and in severe cases, loss of your ability to accept card payments entirely.

The 12 PCI DSS Requirements

PCI DSS is organized into six control objectives containing 12 requirements:

Build and Maintain a Secure Network

Requirement 1: Install and maintain network security controls

Use firewalls (or equivalent) to protect cardholder data environments. Default passwords on routers and network devices must be changed immediately.

Requirement 2: Apply secure configurations to all system components

Never use vendor-supplied defaults for system passwords or security parameters. Harden every system that touches cardholder data.

Protect Account Data

Requirement 3: Protect stored account data

Don't store cardholder data unless absolutely necessary. If you must store it, encrypt it. Never store CVV/CVC codes, full magnetic stripe data, or PINs after authorization.

Requirement 4: Protect cardholder data with strong cryptography during transmission

Use TLS 1.2 or higher when transmitting cardholder data across public networks. Never send unencrypted card numbers via email, chat, or SMS.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems and networks from malicious software

Install and regularly update anti-virus/anti-malware software on all systems commonly affected by malware.

Requirement 6: Develop and maintain secure systems and software

Keep all systems patched and up to date. If you develop payment applications, follow secure coding practices and test for vulnerabilities before deployment.

Implement Strong Access Control Measures

Requirement 7: Restrict access to system components and cardholder data by business need-to-know

Only employees who need cardholder data to do their jobs should have access. Everyone else is locked out.

Requirement 8: Identify users and authenticate access to system components

Every person with computer access must have a unique ID. Use multi-factor authentication for remote access and administrative functions.

Requirement 9: Restrict physical access to cardholder data

Lock up servers, paper records, and backup media. Use access controls, cameras, and visitor logs in areas where cardholder data is accessible.

Regularly Monitor and Test Networks

Requirement 10: Log and monitor all access to system components and cardholder data

Implement logging mechanisms and review logs regularly. Automated alerts for suspicious activity are essential.
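What "review logs regularly" and "automated alerts" look like in practice, as an added example that is not part of this guide or Unison's tooling: a small reviewer that runs a few rules over a constructed sample log. The log format (one key=value event per line), the event names, the user lists and the thresholds are all assumptions made for the illustration. Besides the Requirement 10 review itself, the rules also check the need-to-know list from Requirement 7 and the MFA expectation for administrative logins from Requirement 8.

```python
"""Log review with automated alerts (added example; constructed log format,
field names, user lists and thresholds are hypothetical)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one key=value event per line. Not real system output.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z host=pos-01 event=login user=alice result=success mfa=yes
2024-03-01T09:05:12Z host=db-01 event=pan_access user=alice result=success
2024-03-01T09:06:00Z host=pos-02 event=login user=admin result=failure mfa=no
2024-03-01T09:06:10Z host=pos-02 event=login user=admin result=failure mfa=no
2024-03-01T09:06:20Z host=pos-02 event=login user=admin result=failure mfa=no
2024-03-01T09:06:30Z host=pos-02 event=login user=admin result=failure mfa=no
2024-03-01T09:06:40Z host=pos-02 event=login user=admin result=failure mfa=no
2024-03-01T09:06:50Z host=pos-02 event=login user=admin result=success mfa=no
2024-03-01T09:10:00Z host=db-01 event=pan_access user=bob result=success
2024-03-01T09:30:00Z host=db-01 event=audit_log_cleared user=bob result=success
"""

# Hypothetical policy inputs a merchant would maintain alongside the logs.
AUTHORIZED_PAN_USERS = {"alice"}   # need-to-know list (Requirement 7)
ADMIN_USERS = {"admin"}            # accounts that must use MFA (Requirement 8)
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def review_log(text):
    """Return a list of alerts, each {"rule", "user", "ts"}, in log order."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures

    def alert(rule, ev):
        alerts.append({"rule": rule, "user": ev["user"], "ts": ev["ts"]})

    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, event, result = ev["user"], ev["event"], ev.get("result")

        if event == "login" and result == "failure":
            window = recent_failures[user]
            window.append(ev["ts"])
            # keep only failures inside the sliding window
            window[:] = [t for t in window if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alert("failed_login_burst", ev)
                window.clear()  # one alert per burst, not one per extra failure

        elif event == "login" and result == "success":
            if user in ADMIN_USERS and ev.get("mfa") != "yes":
                alert("admin_login_without_mfa", ev)

        elif event == "pan_access":
            if user not in AUTHORIZED_PAN_USERS:
                alert("unauthorized_pan_access", ev)

        elif event == "audit_log_cleared":
            # Audit trails must be protected; clearing them is always reportable.
            alert("audit_log_cleared", ev)

    return alerts


if __name__ == "__main__":
    for a in review_log(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['rule']:<26} user={a['user']}")
```

On the sample above the reviewer raises four alerts: a burst of failed logins against the admin account, the admin login that then succeeds without MFA, a PAN access by a user who is not on the need-to-know list, and the clearing of an audit log. The point of a rule set like this is that every alert maps back to a specific requirement, so the person reviewing it knows which control was exercised.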

Requirement 11: Test security of systems and networks regularly

Run vulnerability scans quarterly (through an Approved Scanning Vendor for external scans) and penetration tests annually.

Maintain an Information Security Policy

Requirement 12: Support information security with organizational policies and programs

Create and maintain a formal security policy. Train employees annually. Have an incident response plan ready.

SAQ Types: Which One Do You Need?

The Self-Assessment Questionnaire (SAQ) is how most small and mid-sized merchants validate PCI compliance. Your SAQ type depends on how you accept payments:

SAQ A (Fewest Requirements)

For: eCommerce merchants who fully outsource all cardholder data processing to PCI-compliant third parties. Your website redirects customers to a hosted payment page (like a payment gateway hosted checkout) — card data never touches your systems.

Requirements: 22 questions. Easiest path to compliance.

SAQ A-EP

For: eCommerce merchants whose website controls the checkout experience but submits card data directly to a PCI-compliant payment processor via JavaScript or API. Card data passes through your web pages but is never stored on your servers.

Requirements: 191 questions. Significantly more work than SAQ A because your website's security directly impacts cardholder data.

SAQ B

For: Brick-and-mortar merchants using imprint machines or standalone dial-up terminals that connect directly to the processor. No electronic cardholder data storage. Think standalone PAX terminals with direct connections.

Requirements: 41 questions.

SAQ C

For: Merchants with payment applications connected to the internet (IP-connected terminals, POS systems) but no electronic cardholder data storage. This covers most retailers using terminals like Clover or PAX devices connected via internet.

Requirements: 160 questions. Covers network security since your terminal uses your network to process transactions.

SAQ D (Most Comprehensive)

For: Merchants who don't fit into any other SAQ category, or who store cardholder data electronically. Also required for all Level 1 merchants.

Requirements: 329 questions. Full PCI DSS assessment. Most businesses should aim to avoid this category by outsourcing cardholder data handling.

Merchant Levels: Where Do You Fall?

Card networks classify merchants into four levels based on annual transaction volume:

Level 1

Volume: Over 6 million Visa/Mastercard transactions per year
Validation: Annual on-site assessment by a Qualified Security Assessor (QSA), quarterly network scans by an Approved Scanning Vendor (ASV)

Level 2

Volume: 1 million to 6 million transactions per year
Validation: Annual SAQ, quarterly ASV scans

Level 3

Volume: 20,000 to 1 million eCommerce transactions per year
Validation: Annual SAQ, quarterly ASV scans

Level 4

Volume: Fewer than 20,000 eCommerce transactions or up to 1 million total transactions per year
Validation: Annual SAQ, quarterly ASV scans (recommended but not always enforced by acquirers)

Most small businesses fall into Level 4. Even at Level 4, compliance is required — enforcement just tends to be less rigorous.

Common PCI Compliance Mistakes

Storing cardholder data you don't need

Many merchants unknowingly store full card numbers in spreadsheets, CRM notes, email threads, or paper files. If you don't need it, don't keep it. Tokenization replaces card numbers with non-sensitive tokens — eliminating storage risk entirely.
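The remediation for this mistake, and the "never store CVV" rule of Requirement 3, can be automated. The following is an added example, not code from this guide or from Unison: it scans free text (a constructed CRM note) for full card numbers using a digit-run pattern plus the Luhn check, masks them for display, removes any CVV written next to them, and swaps each card number for a token from a toy vault. The note text, the vault and the `tok_` token format are assumptions for the illustration; a real tokenization vault lives with the processor, not on the merchant's systems.

```python
"""Find, mask and tokenize card numbers in free text (added example; the
notes, the toy vault and the token format are constructed for illustration)."""
import re
import secrets

# Constructed CRM notes, the kind of place stray card data turns up.
NOTES = """\
Customer called re order 1234567890123456, wants refund.
Card on file: 4111 1111 1111 1111 exp 12/26 cvv 123
Backup card 5555-5555-5555-4444
Callback number 555-123-4567
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, and not part
# of a longer run of digits.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV/CVC value written out next to the card number.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc)\s*:?\s*\d{3,4}\b")


def luhn_valid(digits):
    """Luhn checksum; weeds out order IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers in text, digits only, in order."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """Display form: first six and last four visible, everything else masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Toy tokenization: a random token stands in for each PAN. In practice
    the vault is operated by the processor, never by the merchant."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, digits):
        token = self._by_pan.get(digits)
        if token is None:
            # 12 hex chars: too short to ever look like a card number itself
            token = "tok_" + secrets.token_hex(6)
            self._by_pan[digits] = token
            self._by_token[token] = digits
        return token

    def detokenize(self, token):
        return self._by_token[token]


def remediate(text, vault):
    """Replace every card number in text with its token and drop any CVV.
    Returns (cleaned_text, list_of_card_numbers_found)."""
    findings = []

    def swap(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number; leave it alone
        findings.append(digits)
        return vault.tokenize(digits)

    cleaned = PAN_CANDIDATE_RE.sub(swap, text)
    cleaned = CVV_RE.sub(r"\1 [removed]", cleaned)
    return cleaned, findings


if __name__ == "__main__":
    vault = TokenVault()
    cleaned, found = remediate(NOTES, vault)
    for pan in found:
        print(f"found {mask_pan(pan)} -> {vault.tokenize(pan)}")
    print(cleaned)
```

Run against the constructed notes, the scanner reports the two real card numbers (shown masked), leaves the 16-digit order ID alone because it fails the Luhn check, and returns a cleaned note in which the card numbers are tokens and the CVV is gone. The same scanner can be pointed at exported spreadsheets or mailbox archives to find out where card data has accumulated before deciding what to delete.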

Assuming your processor handles everything

Your processor handles their portion of compliance, but you are responsible for your own environment. If your staff can see card numbers, if you have unpatched systems, or if you lack access controls — that's on you.

Using default passwords

Routers, POS terminals, and software systems often ship with default credentials. Attackers know every default password for every major device. Change them immediately.

Skipping employee training

An employee who writes down a card number on a sticky note or clicks a phishing email undermines your entire security posture. Annual PCI training is a requirement for a reason.

Not documenting your compliance

Completing the SAQ once and forgetting about it is not compliance. PCI DSS requires ongoing monitoring, quarterly scans, annual reassessment, and documented policies that are actively followed.

Tips for Maintaining PCI Compliance

1. Minimize your cardholder data environment — The less data you touch, the fewer requirements apply. Use tokenization and hosted payment pages wherever possible.

2. Use P2PE-validated terminals — Point-to-point encryption terminals encrypt card data at the point of interaction, before it reaches your POS system. This dramatically reduces your PCI scope. Both Clover and PAX terminals support encryption that reduces your compliance burden.

3. Segment your network — Keep your payment processing systems on a separate network from your general business systems. This limits the scope of your PCI assessment.

4. Automate vulnerability scanning — Schedule quarterly ASV scans and don't wait until the deadline. Fix identified vulnerabilities promptly.

5. Maintain an incident response plan — Know exactly what to do if you suspect a data breach. Who do you contact? How do you contain it? Document this and test it annually.

6. Review access quarterly — Remove access for terminated employees immediately. Review who has access to what every quarter and revoke unnecessary privileges.

How Unison Helps with PCI Compliance

Unison Payment Solutions reduces your PCI compliance burden through:

  • P2PE terminals — Clover and PAX devices with point-to-point encryption ensure card data is encrypted from the moment the card is read, reducing your PCI scope to the simplest SAQ categories.
  • Tokenization — Card numbers are replaced with non-sensitive tokens after the first transaction, so you never store actual cardholder data.
  • PCI compliance support included — No separate PCI non-compliance fee. We help you complete your SAQ and maintain compliant status.
  • Secure [payment gateway](/payment-gateway) — For online merchants, our gateway handles cardholder data on PCI-certified infrastructure, keeping card data off your servers.
  • [Chargeback protection](/services/chargeback-protection) — Fraud-related chargebacks are a PCI red flag. Our chargeback management tools reduce disputes that could trigger additional compliance scrutiny.

For high-risk merchants, maintaining PCI compliance is especially critical — elevated scrutiny from acquirers means any compliance gap can trigger account review or termination.

What Happens If You're Not Compliant?

Non-compliance consequences escalate:

1. Monthly non-compliance fees — $19 to $99 per month from your processor

2. Increased transaction fees — Processors add basis points to non-compliant merchants

3. Fines from card networks — $5,000 to $100,000 per month for sustained non-compliance

4. Liability for breaches — If a breach occurs while you're non-compliant, you bear full liability for fraudulent transactions, forensic investigation costs, card replacement costs, and regulatory fines

5. Account termination — Your processor closes your account and you're added to the MATCH list

Frequently Asked Questions

What is PCI compliance and who needs it?

PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS) — a set of security requirements for protecting cardholder data. Every business that accepts, processes, stores, or transmits credit card information must be PCI compliant, regardless of size or transaction volume.

How do I become PCI compliant?

Determine your merchant level (1-4) based on annual transaction volume, identify which SAQ type applies to your payment acceptance method, complete the SAQ, implement any required security controls, schedule quarterly vulnerability scans if required, and submit your compliance documentation to your acquiring bank or processor.

What is the easiest way to reduce PCI scope?

Use P2PE (point-to-point encryption) terminals and tokenization. P2PE encrypts card data at the terminal before it reaches your network, and tokenization replaces stored card numbers with non-sensitive tokens. Together, they can reduce your SAQ to the shortest form (SAQ B or SAQ P2PE) with the fewest requirements.

What happens if I fail PCI compliance?

Non-compliance can result in monthly fines from $19 to $99 from your processor, card network fines up to $100,000 per month, increased processing fees, full liability for any data breach costs (forensic investigation, card reissuance, fraud losses), and account termination with MATCH listing that prevents you from opening new merchant accounts.
