How to Become PCI Compliant – A Step by Step Guide

August 9, 2021 / Posted in Payment Processing

If you’re trying to start a business but keep seeing the information that you have to be PCI certified, don’t ignore it. Being compliant with security and data protection rules has many benefits for your company, and here you can learn how to become PCI compliant and what exactly it represents.

How Do You Get PCI Compliant?

Suppose this is the first time you’re hearing about the concept of becoming compliant with specific standards. In that case, we have to explain what it is and how to get PCI compliant according to particular rules and regulations. Any type of small business idea can come to life, but if you plan on accepting transactions and payments via credit cards, you’ll have to do it according to the rules known as the PCI DSS.

These rules were created by large companies such as Visa and MasterCard, which formed an independent regulatory body called the SSC. You can read a complete PCI compliance guide and find everything necessary to register the company you’re running as a compliant business.

And how much does it cost to be PCI compliant? This will depend mainly on the level of your enterprise, as well as its functionality. There are four possible levels for each enterprise to work on, and they rely on the size of your purchasing clients base during 12 months.

What Does the Term PCI DSS Mean?

Starting from the basics, let’s answer the question – what does PCI mean? It stands for Payment Card Industry, and it’s for businesses that plan on accepting payments via credit cards. Whether it’s an online or a brick-and-mortar shop, digital payments from customers need to be protected and secure. Being compliant means sticking to the industry standards so your business could successfully process payment info online, in addition to avoiding credit card fraud this way.

The other abbreviation, DSS, stands for Data Security Standard. The security standard in question is the basic requirement for all businesses that accept digital payments and are registered as compliant. The easiest answer to how to become PCI certified is to do a Self-Assessment Questionnaire (SAQ) that helps companies determine their merchant levels.

It’s Great for Businesses That Handle Credit Card and Owner Data

While it’s not required or mandatory to become compliant with the standards, there’s a price to pay that’s very well-known to many merchants. Say, for example, that your account receives around 20,000 online transactions during one year. In that case, if you’re not in compliance with the DSS, the companies that run the SSC can fine you with a large sum of money for every data breach and other security issues.

It’s now more apparent that it’s much easier to pay a yearly PCI compliance fee when you’re done applying for a merchant account for your company. In addition to the annual fee, you have to partner up with an acquiring bank to take care of all electronic payments and communication between the customers’ bank and merchants.

The SSC Determines if a Company Is Working by the PCI DSS Requirement Code

SSC stands for Security Standards Council, and they’re the ones who make the rules and determine whether a company is following the DSS code. They ask companies to adhere to regulations, such as doing checkups yearly or once every six months, to determine whether the company is still compliant and on the same merchant level. Something to note about the SSC is that they can’t force a company to become PCI compliant; they simply make rules for those that already are or plan to register.

If you’re wondering, “Can I do my own PCI compliance” the short answer is – yes, but there’s a lot more to it. You can process all payments directly, but you’d need someone in the company to be an expert on this matter. It’s much easier to get help from a merchant processing company with its own payment gateway that processes payments online after a customer clicks the “Order Now” button on your website. Most of the gateways at every credit card processing company are fully adherent to the DSS code.

Several POS machines on a counter

How to Become PCI Compliant and What’s the PCI Certification Process

So you want to learn how to be PCI compliant with your company. The first step is to look up the basic requirements before attempting to do the Self Assessment Questionnaire. The SSC sets twelve high-standard demands, and each of them has sub-requirements of its own. If your company can adhere to these twelve requirements, then you can check your merchant levels.

What are the twelve requirements, anyway? Well, surprisingly or not, they’re software-related. Since DSS was created to protect consumers’ data and transaction information, you must ensure that the software you’re using for credit card processing has a good enough firewall and response. In addition, some of the rules are:

  • Do not use vendor-supplied default passwords for your software and security,
  • All information about your cardholders must be stored, encrypted, and protected,
  • Develop and maintain the safety of your security systems,
  • Give each person with access to company software a unique ID,
  • Create and maintain a policy for information security.

You can read about all of the requirements and check if your enterprise follows them closely. Something else that could help is researching POS fees, the potential uses of a free POS system for keeping track of transactions, and possibly a cash discount program once you’ve established your shop.

And how long does it take to get PCI compliance? This process can last anywhere from one to fourteen days, depending on the duration of your SAQ and scan of merchant services.

How to Get a PCI Compliance Certificate According to Merchant Levels

There are four different levels for different types of businesses, and the SAQ usually determines them. Level one is for companies with the highest traffic of customers, while the fourth is for those with the lowest. Each of these levels has different yearly requirements that companies have to meet if they want to comply with the industry standards.

Level 1 Merchants Need Security on a Global Scale

A merchant on the highest part of the scale annually sees over six million transactions from both credit and debit cards. These transactions can be in-store, over the phone, or online, and they are counted globally. Annually, they have to meet the following criteria:

  • Completing a Report on Compliance (ROC) through a Qualified Security Assessor (QSA,)
  • Doing a quarterly network scan by the Approved Scanning Vendor (ASV,)
  • Completing the Attestation of Compliance form (AOC.)

Companies that receive over six million transactions per year are typically those that work on a global scale. They can benefit a lot from checking out merchant service rates and getting the best for their needs. Additionally, they go through the strictest, on-site checkups every year.

Level 2 Merchants Have Quarterly Network Scans

Companies on this scale see between one and six million transactions annually through credit and debit cards and each payment type (in-store, phone, or online). The only times they’re put through an on-site assessment is if a data breach occurs or the acquiring bank requests it. They may be better off without getting a high-risk merchant account.

To be compliant, companies on this scale have to do the following:

  • Complete the annual Self Assessment Questionnaire (SAQ,)
  • Perform a quarterly network scan by the ASV,
  • Complete the AOC form.

Level 3 Merchants Require eCommerce Support

Every merchant on this scale functions as one of the e-commerce business models. They receive between 20,000 and one million transactions annually, exclusively through e-commerce. They’re not subject to audits by the SSC, but they can opt for one as a way of ensuring a safe environment for customers’ data.

These companies go through the following steps to be compliant with the industry standard:

  • Completing the appropriate annual SAQ,
  • Performing a quarterly network scan by the ASV,
  • Completing the AOC form.

Cards provider JCB doesn’t have a definition for this kind of merchant in their policy. For them, any company that sees less than one million transactions per year is a scale two service provider.

Level 4 Merchants Can Have Lots of Customers Online and In-Store

Companies on this scale see fewer than 20,000 e-commerce transactions per year or fewer than one million transactions through all forms of payment (no contact and contact transactions alike) per year. They can register for different e-commerce payment options and request a quarterly SSC audit.

The criteria for these types of companies are:

  • Completing the appropriate annual SAQ,
  • Performing a quarterly external network safety scan by the ASV,
  • Completing the AOC form.

Some providers, like Discover, JCB, and American Express don’t have designations for companies on this scale.

How to Do the Self-Assessment Questionnaire

The fastest way on how to get PCI compliance is by completing the SAQ. This questionnaire contains several cybersecurity, POS vendor systems, and cardholder data questions that a company must answer truthfully. The SSC will know if your answers are correct based on the info you provide about the transactions made over the past fifty-two weeks.

This is also how levels are determined for each merchant, and they can change over time. Those on the highest scale typically take some time to reach those heights. In some cases, each merchant may have to contact their acquiring bank and follow additional validation procedures. This is why it’s essential to look for the best credit card processing companies for small businesses.

Protecting the Clients If Your Business Accepts Payments Over the Phone

Another type of service to look out for is phone commerce. When you call customers and ask them to provide their cardholder info for a payment, you must ensure that the line is secure and tight. This applies to call centers, typically, but any company that takes payments over the phone has to comply with the standards, just like any other trader. All of them have specific acquirer processor fees as well as average processing fees to pay.

Credit card processing services have to be working for you at all times in this type of commerce because it feels riskier to make transactions this way, both for the trader and the customer. To make it complicated, several regulatory bodies have requested some companies to record phone conversations in various situations. However, the standard for compliant companies states that the three-digit or four-digit verification codes on the backs of cards cannot be kept after a transaction, and full primary account numbers (PANs) cannot be kept without further protection measures.

What’s the Essential Cardholder Data?

We’ve mentioned the full primary account number, or PAN, as the essential info of every customer that authorizes a transaction, whether with contact payments or otherwise. To provide a professional service, you can give them Paypal alternatives, such as the recently added Apple Pay.

The PAN contains essential info on cardholders, which is:

  • Cardholder’s name,
  • The card’s date of expiration,
  • Service code,
  • Sensitive authentication information, such as the CID and PIN.

The idea of becoming compliant with the SSC’s standard means never allowing any of this info to leak or fall into the wrong hands. The minute that happens, your customer’s account is in danger, and you’re not providing the safest service possible.

A woman talking on the phone

Is it Worth It to Become PCI Compliant?

Merchant services credit card processing can be difficult to choose. Still, more and more understand the importance of being compliant with the rules and regulations while also protecting your clients. Additionally, they ensure that the cards convenience fees save you some money in the long run. We’d recommend doing the SAQ and registering to become compliant because there’s nothing more trustworthy than a well-secured enterprise. Not only that, but you could see reduced expenses over time and find yourself growing and thriving, just as planned.


It never hurts to know how much you can save.

Get a Quote

Step 1 of 2