Payment Security

What is PCI-DSS?

The security standard that every business accepting credit or debit cards must follow — whether you process ten transactions a month or ten thousand.

The Short Version

PCI-DSS stands for Payment Card Industry Data Security Standard. It was created by Visa, Mastercard, American Express, Discover, and JCB to protect cardholder data. The only active version in 2026 is PCI DSS v4.0.1 (all future-dated v4 requirements became mandatory on 31 March 2025). If your business accepts card payments — any card payments — you are required to comply.

Non-compliance doesn't just result in fines. Your payment processor can terminate your ability to accept cards entirely. For most businesses, that is a company-ending event.

Who Needs to Comply?

Any business that:

  • Accepts credit or debit card payments in person
  • Accepts card payments online or by phone
  • Stores, processes, or transmits cardholder data in any way
  • Uses a third-party payment processor (you still have responsibilities)

How you prove compliance depends on your merchant level (annual card-transaction volume) and how you handle card data:

  • Level 1 — over 6M transactions/yr: annual on-site assessment by a Qualified Security Assessor (QSA).
  • Level 2 — 1M to 6M: annual Self-Assessment Questionnaire (SAQ), often QSA-supported.
  • Level 3 — 20,000 to 1M e-commerce: annual SAQ plus quarterly vulnerability scans.
  • Level 4 — under 20,000 e-commerce (or up to 1M total): annual SAQ plus quarterly scans. Most small businesses sit here.

Which SAQ type you complete depends on how you take cards: SAQ A (e-commerce fully outsourced to a compliant processor), SAQ A-EP (e-commerce site that can affect the transaction), SAQ B-IP (IP-connected standalone terminals), and SAQ D (the catch-all for everyone else). Picking the right SAQ is half the battle — the wrong one means you attest to the wrong controls.

What Does PCI-DSS Require From Your IT?

PCI-DSS has 12 core requirements covering:

  • Network security: Firewalls configured to protect cardholder data
  • No default passwords: Every device must have its default password changed
  • Data protection: Stored card data must be encrypted
  • Encrypted transmission: Card data sent over networks must be encrypted
  • Antivirus: All systems must have up-to-date malware protection
  • Secure systems: Regular patching and updates required
  • Access control: Only authorized personnel can access card data
  • Physical security: Physical access to systems with card data must be restricted
  • Monitoring: All access to card data must be logged and monitored
  • Security testing: Regular vulnerability scans and penetration tests
  • Security policy: A documented information security policy

What Happens When You Don't Comply?

  • Fines from card brands: set by your acquiring bank — commonly cited at roughly $5,000–$100,000 per month until compliant
  • Increased transaction fees: Non-compliant merchants pay higher processing fees
  • Loss of card acceptance: Your processor can shut off your ability to accept cards
  • Breach liability: If a breach occurs while non-compliant, you absorb the full cost of fraud
  • Forensic investigation costs: Mandatory PCI forensic investigation after a breach — typically $20,000–$50,000

How Digital Armor Helps

We handle the technical side of PCI compliance including:

  • Network segmentation — isolating payment systems from the rest of your network
  • Firewall configuration and management
  • Patch management and vulnerability scanning
  • Access controls and user management
  • Security logging and monitoring
  • Annual SAQ (Self-Assessment Questionnaire) support
  • Staff training on card security practices

Is Your Business PCI Compliant?

If you're not sure, the answer is probably no. Most small businesses that accept cards are technically non-compliant — not because they're reckless, but because no one explained what was required. We can tell you exactly where you stand in 30 minutes.

Book Your IT Assessment