What does PCI compliance mean?

Payment Card Industry (PCI) compliance is based on a set of industry guidelines to protect the security of credit card transactions among companies in the payment industry.

These specific guidelines are referred to as Payment Card Industry Data Security Standards (PCI DSS). These global security standards apply to all companies that accept, process, store, or transmit credit card information. The standards were implemented in order to maintain a consistent and secure requirement for all companies handling sensitive cardholder and authentication data.

The PCI DSS was created by the Payment Card Industry Security Standards Council (PCI SSC), launched in 2006 to manage the continual progression and changes in the payment card industry. The PCI SSC was formed by American Express, Discover, JCB, Mastercard, and VISA, who continue to monitor, update, and manage the PCI DSS to improve payment security and accountability in the industry. Ultimately, the PCI SSC works to protect not only credit card processing companies, but consumers and banks as well.

Why is PCI DSS important?

PCI DSS’s ultimate goal is to safeguard private financial account information that PCI companies are transacting or storing. The PCI DSS upholds the standards to prevent data breaches, potential hacking, or fraudulent activity. If a company’s credit card information is breached, the consequences are significant, including loss of customers and reputation, regulatory notification requirements, financial liabilities, or litigation. The PCI SSC sets specific requirements, outlined within the PCI DSS, to prevent these ramifications.

What are the PCI DSS compliance levels?

The first step to understanding what standards your company needs to follow is to determine which PCI compliance level your company falls under. There are four PCI compliance levels based on your company’s transaction volume during a 12-month period. Below we break down the requirements for each level.

Level 1

  1. Merchant that processes over 6 million total transactions annually; or
  2. Previously experienced a data breach; or
  3. Considered level 1 merchants by the card association

Level 2

  1. Merchant that processes between 1 and 6 million total transactions annually

Level 3

  1. Merchant that processes between 20,000 and 1 million online transactions annually; or
  2. Merchant that processes less than 1 million total transactions annually

Level 4

  1. Merchant that processes less than 20,000 online transactions annually
  2. Merchant that processes up to 1 million total transactions annually

In addition, the PCI DSS Self-Assessment Questionnaires (SAQs) are used by companies to help determine their compliance with the PCI DSS. The different SAQ types apply to PCI compliance levels 2, 3, and 4. Below are the requirements for each SAQ type according to PCI’s SAQ instructions and guidelines manual.


Card-not-present merchants (e-commerce or mail/telephone-order), that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Not applicable to face-to-face channels.


E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on merchant’s systems or premises.

Applicable only to e-commerce channels.


Merchants using only:
Imprint machines with no electronic cardholder data storage, and/or
Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.


Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage.

Not applicable to e-commerce channels.


Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data

Not applicable to e-commerce channels.


Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

Not applicable to e-commerce channels.


Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.

Not applicable to e-commerce merchants.


SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.

SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ.

Do you know what PCI compliance level your company falls under?

To learn what steps your company needs to take in order to comply with your PCI DSS requirements, get in touch with Evolve Payments by visiting our website or giving us a call at (651) 628-4000.