PCI compliance

What is PCI DSS compliance?

PCI Compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS), a global set of security standards designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. The standard is maintained by the PCI Security Standards Council, which was formed by Visa, Mastercard, American Express, Discover, and JCB. The current version of the standard is PCI DSS v4.0.

It applies to merchants of all sizes that accept card payments, plus any service provider that handles cardholder data on a merchant’s behalf, including any system that stores payment information such as card numbers, expiration dates, or CVVs.

Why is PCI compliance important?

PCI compliance helps prevent data breaches, reduces the risk of financial fraud, and builds trust with customers. By following PCI DSS, businesses protect sensitive cardholder data and avoid the consequences of non-compliance, which can include monthly fines from card brands and acquiring banks, mandatory forensic investigation after a breach, and in serious cases, the suspension or termination of the merchant account used to accept card payments. For most ecommerce stores, the reputational damage that follows a card-data breach is harder to recover from than the fines themselves.

What are the requirements for PCI compliance?

PCI DSS organizes its 12 core requirements into six high-level control objectives:

• Build and maintain a secure network: install and maintain firewalls; do not use vendor-supplied default passwords or default system configurations.
• Protect cardholder data: protect stored cardholder data; encrypt cardholder data when it is transmitted across open or public networks.
• Maintain a vulnerability management program: protect all systems against malware; develop and maintain secure systems and applications.
• Implement strong access control measures: restrict access to cardholder data on a need-to-know basis; assign a unique ID to every person with system access; restrict physical access to cardholder data.
• Regularly monitor and test networks: track and monitor all access to network resources and cardholder data; regularly test security systems and processes.
• Maintain an information security policy: maintain a documented policy that addresses information security for all personnel.

All 12 requirements apply equally to every business that handles cardholder data. What changes between PCI levels is not the requirements themselves but how compliance is validated.

What are the 4 levels of PCI compliance?

PCI DSS outlines four merchant compliance levels based on the number of card transactions a business processes annually:

• Level 1: Over 6 million transactions per year, across all channels
• Level 2: 1 million to 6 million transactions per year
• Level 3: 20,000 to 1 million ecommerce transactions per year
• Level 4: Fewer than 20,000 ecommerce transactions per year

Validation steps scale with level. Level 1 merchants typically complete an annual on-site audit by a Qualified Security Assessor (QSA), an annual Report on Compliance (ROC), and quarterly network scans by an Approved Scanning Vendor (ASV). Levels 2 to 4 generally self-assess using a Self-Assessment Questionnaire (SAQ) along with regular ASV scans.

Example of PCI compliance

A Shopify store processing 50,000 ecommerce transactions a year falls under Level 3 PCI compliance, which typically means completing the relevant Self-Assessment Questionnaire and running quarterly vulnerability scans. Because the store routes card data through Shopify Payments, most of the technical PCI scope is offloaded to Shopify; the store still owns its own SAQ and its broader security policy obligations.

Driftcharge Tip

Even small merchants are not exempt from PCI compliance. The simplest way to reduce your scope is to route all card data through a PCI-DSS-validated payment gateway so the raw card numbers never touch your servers. That alone can shrink your validation effort from a long SAQ to a much shorter one.

Ganesh Pawar

• 

Ganesh Pawar is the founder of Driftcharge, a subscription management app designed to help Shopify merchants streamline and scale their subscription businesses. With a deep focus on solving real-world pain points—like legacy account page support, flexible subscription options, and advanced analytics—Ganesh is passionate about building tools that drive growth and retention.