Webinar: Join us, Tues 5/24. Nightfall & Hanzo experts will discuss how machine learning can enhance data governance, data security, and the efficiency of legal investigations. Register now ⟶

Woman in a white shirt using smartphone reading pci compliance
Blog 4 min read

The Basics of PCI Compliance: Merchant Levels and Requirements

by Emily Heaslip Published Jun 29, 2021

PCI compliance isn’t just good for customers; it’s also good for business. Merchants that fall short of PCI compliance standards not only put their customer data at risk, they also may face hefty fines. The PCI Compliance Guide reports that fines and penalties can range from $5,000 to $100,000 per month for the merchant. And, if you don’t achieve PCI compliance, not only will these fees start to add up quickly, but you’re at risk of being dropped by your credit card merchant. 

[Read more: Cloud DLP and Regulatory Compliance: 3 Things You Must Know]

PCI compliance can seem complicated. There are four different levels and 12 different requirements, which all vary to some degree depending on what level you fall under. However, the goal of PCI compliance is simply to protect customer data from falling into the wrong hands. By implementing common-sense security measures, you can achieve PCI compliance with relative ease. 

What is PCI compliance?

PCI DSS stands for Payment Card Industry Data Security Standard. The Payment Card Industry includes major credit card brands like Mastercard, Discover, American Express, and Visa. These credit card providers set security rules for any business that accepts their cards to protect customer credit and debit card data. If your business accepts any non-cash payments, it’s likely you will have to meet PCI DSS standards

There are four PCI compliance levels. All merchants fall into one of these four levels based on the volume of Visa transactions that the business processes over a 12-month period (including credit, debit, and prepaid sales). The four PCI compliance levels are: 

  • Level 1: Merchants who process more than 6 million Visa transactions per year. 
  • Level 2: Merchants who process 1 – 6 million Visa transactions per year. 
  • Level 3: Merchants who process 20,000 – 1 million Visa transactions per year. 
  • Level 4: Merchants who process fewer than 20,000 Visa transactions per year. 

To make things more complicated, there are also 12 PCI requirements that you must meet — from having a firewall to regularly testing network security — to ensure you are PCI compliant. These 12 requirements apply whether you are a Level 4 business or a Level 1 business, though the specifics for compliance may vary based on the level. 

PCI compliance checklist: what are the requirements?

There are 12 requirements that businesses need to meet to be considered PCI compliant. Here are the requirements as laid out in the official PCI DSS Quick Reference Guide.

  1. Install and maintain a firewall to protect cardholder data.
  2. Use unique passwords and other security parameters, never vendor-supplied default passwords or other security parameters.
  3. Use SSL-level encryption if cardholder data is transmitted across networks.
  4. Store cardholder data securely.
  5. Update antivirus and malware protection regularly.
  6. Maintain secure systems and applications.
  7. Restrict access to cardholder data to only users who need it.
  8. Restrict physical access to cardholder data, such as device access.
  9. Require users to log in or authenticate to access system components.
  10. Track and monitor access to network resources and cardholder data.
  11. Test security systems regularly.
  12. Create an information security policy and update it regularly.

These are relatively broad requirements, but they mean that your business must take concrete steps to implement security measures. Here are some PCI compliance best practices to implement at your business. 

PCI compliance best practices 

Let’s go beyond PCI compliance basics to understand some of the core best practices to protecting your business from a data breach. First, make sure you have strong passwords in place, as well as 2FA or MFA to control who can access your data. Strong passwords can be automatically generated by password managers to contain random strings of numbers and letters for maximum security. 

[Read more: 5 Identity and Access Management Best Practices]  

In addition, make sure that your network and all devices on the network should have firewall protection. Not only should your in-store wireless router be password-protected, but any computers or servers used to run your e-commerce site should also be password-protected. 

PCI experts also recommend using a modern point of sale (POS) system to maintain security through tokenization and encryption. Tools like Clover, Square, and Shopify are designed to protect data whenever a sale is processed, taking the onus away from the merchant to ensure that aspect of security. 

Merchants should not store cardholder information on a local hard drive or on their website server. Similarly, never store physical copies of customers’ credit card data. Avoid asking customers to email or text their credit card information, as these messages are not as secure as payment processing systems — and small businesses are often the target of phishing and malware scams.

Improve your PCI compliance

PCI DSS requires effective management & protection of customer data to keep consumers safe. In addition to basic security measures like encryption, firewalls, user access management, and using a modern POS, consider implementing a cloud data loss prevention tool. 

Nightfall can help you first discover and classify sensitive customer data like PII, PHI, and PCI that must be protected. Our platform uses machine learning detectors individually trained to identify a specific type of PII or customer data that is protected by PCI compliance regulations. Next, the platform provides a way to quickly remediate any security issues by notifying admins and quarantining or deleting data. This reduces the risk of losing or exposing sensitive customer data and reinforces your commitment to protecting this information. 

Build trust with your clients and customers, and avoid steep penalties, by implementing tools to achieve PCI DSS compliance. Learn more about PCI DSS compliance in our 2021 security guide. And, to get started with Nightfall, schedule a demo at the link below. 

Subscribe to our newsletter

Receive our latest content and updates

Nightfall logo icon

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack, Google Drive, GitHub, Confluence, Jira, and many more via our Developer Platform. You can schedule a demo with us below to see the Nightfall platform in action.


Schedule a Demo

Select a time that works for you below for 30 minutes. Once confirmed, you’ll receive a calendar invite with a Zoom link. If you don’t see a suitable time, please reach out to us via email at sales@nightfall.ai.

call to action

See Nightfall in action.

Schedule a demo