Nowadays, businesses that accept credit card payments must follow a comprehensive set of strict rules to ensure that sensitive customer data is protected. The name for this ruleset is Payment Card Industry Data Security Standard, or in short, PCI DSS.
PCI compliance, specifically, means adhering to this standard in order to safeguard payment card data and cardholder data and to prevent fraud and data breach incidents.
PCI DSS is a generally accepted standard that applies to all organizations handling any kind of operation involving debit or credit card transactions, cardholder data, or other payment information.
In this guide, we’ll break down what PCI compliance means, why it matters for business, and share some of our own experience with it.
PCI compliance meaning
As we have already established, PCI stands for Payment Card Industry, and PCI DSS refers to the Payment Card Industry Data Security Standard.
The standard was created in 2006 by the PCI Security Standards Council (PCI SSC), founded by the five largest credit card companies in the world: Visa, Mastercard, American Express, Discover, and JCB.
These global, consistent data security measures exist to protect sensitive cardholder data and sensitive authentication data. Any company in any industry that handles this type of data is required to be PCI compliant.
Some examples of who PCI DSS applies to:
Any business that accepts debit or credit card payments, which nowadays means essentially every offline and e-commerce business.
Payment processors, gateways, and fintech providers, because transactions pass through them.
Hosting companies, because their servers are in contact with financial data and could potentially gain access to cardholder data.
Software developers, because their work potentially influences security settings and the safety of personal data.
In the past, PCI standards were established to ensure that everyone could perform financial operations safely, and for the most part, they were successful. However, new challenges have arisen.
Why PCI compliance matters
Complying with PCI DSS requirements isn’t just about avoiding penalties. It’s about building a secure business foundation that can withstand threats. After all, your company is an essential part of the environment you create for clients, for your employees, and for yourself – you simply cannot neglect its safety.
And here comes one of the worst risks – the data breach. Each year, we re-evaluate the latest trends in data breach incidents related to our business, and each year, the situation has worsened. Breached accounts increased nearly eight times in 2024, with numbers surging from approximately 730 million accounts in 2023 to over 5.5 billion in 2024, meaning nearly 180 accounts were compromised every second.
As you can see, free antivirus software won’t be enough.
This is why the data security standard PCI DSS really matters:
Protects customer data, reducing the risk of data breaches and of exposure of credit card data, passwords, and network resources to outside access.
Builds trust. Customers are more likely to pay with confidence when you’re PCI compliant and haven’t been part of a data breach story.
Prevents PCI compliance fees and penalties. Non-compliance can lead to fees from banks and credit card companies.
Reduces fraud and chargebacks. By securing your Payment Card Industry (PCI) data and your clients’ data, you protect revenue and minimize disputes.
PCI compliance levels
The PCI SSC defines four compliance levels based on the number of transactions a business handles annually, regardless of whether those payments are taken online, in-store, or otherwise offline.
Level 1: Over 6 million transactions per year. Requires an annual on-site audit by a Qualified Security Assessor (QSA).
Level 2: Between 1 and 6 million transactions per year. Requires a Self-Assessment Questionnaire (SAQ) and quarterly scans.
Level 3: Between 20,000 and 1 million transactions annually. Requires SAQ and scans.
Level 4: Fewer than 20,000 transactions annually. Still requires an SAQ, but with fewer obligations.
Even small businesses must comply – there are no exceptions.
A self-assessment questionnaire, for instance, is a standard corporate tool for evaluating and training employees.
A Qualified Security Assessor (QSA) audit, on the other hand, is a comprehensive, thorough audit conducted by an independent third party certified by the PCI Security Standards Council to assess an organization’s adherence to the security standards.
By the way, the assessment can be performed not only by a third-party QSA but also with the help of an Internal Security Assessor (ISA), a qualified employee within the organization who is trained and certified by the PCI SSC to perform this job.
PCI compliance requirements
The PCI DSS standard is organized into 12 key requirements grouped under six major goals. In other words, if you build and maintain a server that touches card data, specific rules apply. Achieving PCI compliance is not as simple as it may seem: the standard is designed to protect cardholder data, not to provide convenience.
| Goal | PCI DSS requirements |
| --- | --- |
| Build and maintain secure networks | 1. Install and maintain firewalls. 2. Avoid vendor-supplied defaults for system passwords and security settings. |
| Protect cardholder data | 3. Protect stored cardholder data. 4. Encrypt transmitted cardholder data across public networks. |
| Maintain a vulnerability management program | 5. Use and regularly update antivirus software. 6. Develop and maintain secure systems and apps. |
| Implement strong access control measures | 7. Restrict access to cardholder data. 8. Assign unique IDs for each person with computer access. 9. Restrict physical access to system components and data. |
| Monitor and test networks | 10. Track and monitor all access to network resources and customer data. 11. Regularly test security systems and processes. |
| Maintain an information security policy | 12. Create and enforce a comprehensive security policy. |
These requirements form the backbone of PCI compliance standards.
How to become PCI compliant
The PCI compliance process follows these steps:
Step 1. Scope your environment. Identify the business processes and physical locations that handle card data with PCI DSS compliance in mind. This is probably the most important step.
Determine your merchant level: your bank or payment processor can tell you your merchant level. Over 6 million transactions annually require an annual audit by a Qualified Security Assessor. Below 6 million transactions, a Self-Assessment Questionnaire would be sufficient.
Map your cardholder data flow: every system, server, and application that stores, processes, or transmits payment card data or cardholder data. This is the so-called Cardholder Data Environment (CDE).
Reduce your scope if possible. For example, if you outsource payment processing to another provider, fewer PCI requirements apply to you, making compliance simpler.
Step 2. Test against PCI standards
Assess your environment against each requirement you are targeting. This gap analysis will reveal the “gaps” you need to address.
After that, you’re ready to complete the Self-Assessment Questionnaire appropriate to your merchant level, if one is required.
Step 3. Implementation
First, address the security gaps by developing and executing a remediation plan based on your gap analysis to resolve any compliance deficiencies.
Implement security controls:
Build a secure network, which means implementing firewalls and network segmentation. The goal is to isolate your CDE from less-secure networks, such as the public internet.
Secure all physical access points to areas where cardholder data is stored and maintained.
Limit access to cardholder data to only those employees who require it for their job.
Minimize the amount of cardholder data stored and apply strong encryption to any data that must be retained.
Never store sensitive authentication data, such as the card’s CVV.
Multi-factor authentication for clients should be mandatory.
Create documentation: Write and maintain an information security policy for all personnel and document all implemented procedures and changes to other security parameters.
Step 4. Validate and report compliance
Perform quarterly network scans: Use an Approved Scanning Vendor to conduct quarterly external vulnerability scans of your environment.
Engage a QSA (if applicable): If you are a Level 1 merchant, hire a Qualified Security Assessor to perform an annual on-site audit.
Complete the Attestation of Compliance (AOC): this is the formal document declaring that you meet the PCI DSS requirements.
Submit documents: Send your completed SAQ, AOC, and ASV scan reports to your acquiring bank.
That’s basically it. After that, you maintain continuous compliance by educating employees, monitoring and testing your systems throughout the year so that new vulnerabilities don’t go unnoticed, and repeating the mandatory validation process annually.
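To make the data-handling rules from Step 3 concrete (minimize stored cardholder data, never retain sensitive authentication data such as the CVV), here is an added example, not code from the original article or from Genome, of a function that sanitizes an authorization record before it is written to a database. The field names, the 13–19 digit PAN format, and the demo HMAC key are assumptions for this example.

```python
import hashlib
import hmac
import re

# Fields PCI DSS classes as Sensitive Authentication Data (SAD): never retained
# after authorization, not even encrypted. Field names are assumed for this example.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test that every card PAN satisfies; catches mangled input early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most that may be shown or kept in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash so a returning card can be recognised without storing the PAN.
    The key must live outside the database (e.g. a KMS or HSM): an unkeyed hash of a
    16-digit number is cheap to reverse by simple enumeration."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(auth_record: dict, key: bytes) -> dict:
    """Return only what may enter the post-authorization store: SAD dropped, full PAN
    replaced by its masked form plus a keyed reference; other fields pass through."""
    pan = auth_record.get("pan", "").replace(" ", "")
    if not PAN_RE.match(pan) or not luhn_valid(pan):
        raise ValueError("record has no valid PAN")
    stored = {k: v for k, v in auth_record.items()
              if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_ref"] = pan_reference(pan, key)
    return stored


if __name__ == "__main__":
    # Constructed sample record; 4111... is a well-known test PAN, not a real card.
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/29",
              "name": "A. Cardholder", "amount": "19.99", "auth_code": "X1Y2Z3"}
    print(prepare_for_storage(sample, b"demo-key-kept-in-kms"))
```

Run on the constructed sample, the stored record keeps the expiry, name, amount, and auth code, but carries no CVV and no full PAN, only `411111******1111` and the keyed reference.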
PCI compliance vs. PCI certification
There is a small difference, by the way: PCI compliance is the ongoing process of following the PCI standards and keeping your security systems up to date.
PCI validation, often loosely called PCI certification, is the official acknowledgment of your compliance status, usually through a Self-Assessment Questionnaire (SAQ) or, for larger merchants, an on-site audit by a Qualified Security Assessor (QSA).
Smaller businesses only need to demonstrate that they maintain compliance, not go through a full QSA audit, in order to be PCI compliant.
Common PCI compliance mistakes
Many businesses fail to stay compliant due to avoidable errors; here are the most important ones:
Storing credit card data or cardholder data unnecessarily is a huge mistake and should be avoided at all costs.
Using weak or default passwords.
Not applying timely updates and patches to security systems.
Failing to restrict physical access to servers and storage.
Ignoring employee training on security standards.
Any of these can cause you to fail against the PCI security standards.
We should also mention the risk of vendor-supplied defaults – this refers to pre-configured hardware with default usernames and passwords, as well as potentially insecure software. Any hardware should be securely reconfigured before use, not trusted straight out of the box.
Maintaining PCI compliance
Compliance isn’t a one-time project – it’s an ongoing responsibility. It is way easier than a full-scale audit for PCI security standards, but still important.
Businesses should:
Perform annual reassessments and update their PCI compliance checklist.
Continuously monitor security systems and test for vulnerabilities.
Provide staff with regular security training and testing to ensure ongoing security awareness.
Keep documentation updated for a possible audit.
By doing so, businesses can maintain PCI compliance and avoid gaps that could lead to a data breach.
It is also crucial to use the services of financial providers that are PCI DSS compliant, like Genome.
We are an electronic money institution licensed and supervised by the Bank of Lithuania. In addition to PCI DSS compliance, we also abide by PSD2, GDPR, and DORA, and have achieved the ISO 27001 and ISO 27701 certifications.
We provide a full scope of financial services for business, including: multi-currency accounts with dedicated IBANs, SEPA Instant/Credit Transfers and SWIFT payments, currency exchange, batch transfers, instant payouts, virtual and physical Visa cards, and more! Merchant accounts are coming soon as well!
FAQ
Is PCI compliance required by law?
It’s not a law, but all major credit card companies require it, making PCI security standards de facto mandatory for any business that processes card payments.
Does Genome use PCI compliance?
Yes, Genome is fully PCI DSS compliant, ensuring safe processing of payment card data.
How long does PCI compliance last?
Compliance must be validated annually, with quarterly scans for many businesses.
What happens if my business is not PCI compliant?
You risk fines, higher fees, and liability in the event of a data breach, but more importantly, it can also damage a customer’s trust and erode their confidence.