PCI Compliance: What Every Business Owner Needs to Know

June 2, 2026

If your business wants to accept credit or debit cards, you must remain compliant with the Payment Card Industry Data Security Standard (PCI DSS). This is mandated across the industry and is not limited to larger companies processing in the space. Any business that plans on processing, storing or transmitting cardholder data must meet these standards. As of 2026, the current standard is PCI DSS version 4.0.1, which introduced significant and important changes to how compliance is maintained and validated.

What Is PCI DSS?

PCI DSS is a set of security standards created by the PCI Security Standards Council, which was founded by Visa, Mastercard, American Express, Discover, and JCB. The PCI DSS standards establish requirements for how businesses must protect cardholder data throughout the transaction process. The goal is to prevent data breaches and credit card fraud by ensuring that every organization that handles card data maintains a baseline level of security. There are over 500 individual security controls grouped into 12 core requirement areas, including network security, data encryption, access control, system monitoring and security policy documentation.


PCI DSS is built around 12 requirement areas. Merchants of all sizes are required to install and maintain firewalls and network security controls to protect the cardholder data environment. That means changing vendor-supplied default passwords, updating manager passwords, and changing the default security settings at the terminal and POS level. Merchants must also protect any stored cardholder data with encryption, or, as is more common for smaller merchants, not store any cardholder data at all. When transaction data needs to be sent out for batching or for review, it must be encrypted while traveling over public networks (TLS 1.2 or higher). Additionally, when there are multiple employees, each employee should have their own access ID with restricted access, so owners and operators know exactly who is operating in what capacity.


Compliance Levels

Your compliance obligations depend on how many card transactions your business processes annually.

  • Level 1 applies to merchants processing over 6 million transactions per year and requires an annual on-site assessment by a Qualified Security Assessor (QSA).
  • Level 2 covers 1 to 6 million transactions and requires a Self-Assessment Questionnaire (SAQ) plus quarterly network scans.
  • Level 3 covers 20,000 to 1 million e-commerce transactions.
  • Level 4 applies to merchants processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. Most small businesses fall into Level 4, but compliance is still mandatory. The requirements are the same; the validation process is simpler.


What Changed with PCI DSS 4.0.1

Version 4.0.1, released on 6/11/24, represents the most significant update to the PCI DSS standard since it was originally released in 2004. The previous version, 3.2.1, was officially retired in March 2024, and the future-dated requirements of 4.0.1 took effect on 3/31/25. The most important change was a structural and procedural shift from point-in-time compliance to ongoing, continuous compliance. That means businesses are now more responsible than ever for maintaining security standards for cardholder data. Merchants can no longer just complete annual checklists; they now have to maintain and demonstrate ongoing security practices all year round. Some of the other key changes include: mandatory multi-factor authentication (MFA) for all access to the cardholder data environment, updated password requirements (12+ characters), and automated log review and monitoring. In addition, e-commerce merchants are required to manage and monitor scripts on payment pages and complete updated Self-Assessment Questionnaires that reflect the new controls.
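The payment-page script requirement above comes down to an inventory-and-integrity check: every script that loads on the checkout page must be authorized, and an unexpected or changed script should raise an alert. The following is an added example (not Fides Bankcard's code or any PCI SSC tool) that compares the scripts found on a page against a constructed authorized inventory; the gateway URL, the page and the inventory values are all hypothetical.

```python
import hashlib
from html.parser import HTMLParser

def script_id(body: bytes) -> str:
    """Identifier for an inline script: SHA-256 of its trimmed body."""
    return "sha256:" + hashlib.sha256(body.strip()).hexdigest()

# Constructed inventory for a hypothetical checkout page: external scripts by URL, inline ones by script_id().
AUTHORIZED_SCRIPTS = {
    "https://js.example-gateway.test/v1/tokenize.js",
    script_id(b"initCheckout();"),
}

class ScriptCollector(HTMLParser):
    """Record every <script> on a page as its URL or its script_id()."""
    def __init__(self):
        super().__init__()
        self.found, self._inline = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.found.append(src)
            else:
                self._inline = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.found.append(script_id("".join(self._inline).encode()))
            self._inline = None

def unauthorized_scripts(html: str, inventory=AUTHORIZED_SCRIPTS) -> list:
    """Scripts on the page that are missing from the authorized inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    return [s for s in collector.found if s not in inventory]

# Constructed checkout page: the two authorized scripts plus an inline one never added to the inventory.
PAGE = """<html><body>
<script src="https://js.example-gateway.test/v1/tokenize.js"></script>
<script>initCheckout();</script>
<script>trackVisitor();</script>
</body></html>"""
```

Running `unauthorized_scripts(PAGE)` returns only the `trackVisitor();` entry, which is the kind of finding the merchant would route through change control before it goes live.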


Consequences of Non-Compliance

Merchants can face severe financial consequences for non-compliance, with fines ranging from $5,000 to $100,000 depending on merchant size, transaction volume, and the length and severity of the violation. Even worse, if a data breach occurs while you are in a non-compliant state, your business could face even steeper consequences: card brand fines, liability for fraudulent charges, investigation costs, and potentially losing the ability to accept card payments altogether. Beyond the financial exposure, non-compliance with PCI DSS standards can damage customer trust and create severe legal liability.


What Does This Mean for Merchants?

PCI compliance doesn’t have to be expensive or overwhelming. Your merchant processor should be there with you every step of the way to help you navigate the issues. Your processor should provide both the tools and the guidance you need to complete the SAQ, offer PCI-compliant terminals and gateways that reduce your PCI scope, and help you avoid incurring excessive PCI non-compliance fees. As a merchant owner, you need to understand your payments scope: the conversation changes if you have a modern POS or payment gateway that handles the card data on your behalf. Your compliance burden is significantly reduced because your own payment systems never handle any cardholder data. Beyond that, the practical steps are:

  • Use tokenization and point-to-point encryption (P2PE) wherever possible to minimize the amount of cardholder data in your environment.
  • Enable MFA on all systems that access payment data.
  • Use strong, unique passwords (12 characters minimum).
  • Keep all software and systems updated.
  • Complete your Self-Assessment Questionnaire annually using the updated PCI DSS 4.0.1 forms.
  • Run quarterly network vulnerability scans through an Approved Scanning Vendor (ASV).
  • Train your staff on security practices and document your policies.


Fides Bankcard works with merchants to simplify PCI compliance and provides the support, technology, and guidance needed to protect your business and your customers. Contact us if you have questions about your compliance status or need help getting started.
