PCI-DSS compliance is a mandatory set of security standards that any business accepting, storing, processing, or transmitting credit card data must meet.
At CMIT Solutions, we work with small and medium businesses every day that are either unaware of their PCI-DSS obligations or uncertain whether their current IT environment actually meets them. Failing to comply puts your customers, your revenue, and your reputation at risk.
This guide breaks down what PCI DSS means, who it applies to, what the 12 requirements involve, and what non-compliance can cost your business.
For a broader look at how PCI-DSS fits within your overall compliance obligations, explore our business data compliance solutions.
What is PCI-DSS compliance?
PCI DSS compliance means your business meets the security standards required to safely store, process, or transmit payment card data. The standard is managed by the PCI Security Standards Council, which was formed in 2006 by American Express, Discover, JCB, Mastercard, and Visa to establish a consistent global baseline for payment security.
The current version is PCI DSS v4.0.1, published in June 2024, with some requirements becoming mandatory by March 31, 2025. Any organization that stores, processes, or transmits cardholder data, or can impact the security of that environment, is required to meet these standards.
This includes merchants, service providers, payment processors, and any business that accepts card payments.
Who does PCI-DSS apply to?
PCI DSS applies to any organization that stores, processes, or transmits cardholder data, regardless of size or industry. For many small business owners, compliance feels like another layer of IT complexity on top of an already stretched workload, and the instinct is often to assume it only applies to larger organizations. That assumption is one of the most common and costly mistakes in payment security.
The standard applies to merchants, payment processors, service providers, software developers who build payment applications, and any third party with access to card data environments. If your business uses a third-party payment platform, you may still carry compliance responsibilities depending on how that platform is integrated.
A business running a cloud-based POS system, for example, is still expected to meet certain PCI requirements for how that system is configured and accessed.
As trusted technology advisors to businesses across industries, CMIT Solutions helps clients work out exactly where their obligations begin and end, so nothing is missed, and nothing is over-engineered.
The four PCI-DSS compliance levels explained
Your compliance level is determined by the number of card transactions your business processes each year. Each level carries different assessment and reporting requirements.
| Compliance Level | Who It Applies To | Key Requirements |
| --- | --- | --- |
| Level 1 | More than 6 million Visa/Mastercard transactions annually, or any business that has experienced a data breach | Annual on-site audit by a Qualified Security Assessor (QSA); quarterly network scans by an Approved Scanning Vendor (ASV) |
| Level 2 | 1 to 6 million transactions annually | Annual Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC); quarterly ASV scans |
| Level 3 | 20,000 to 1 million e-commerce transactions annually | Annual SAQ; quarterly ASV scans |
| Level 4 | Fewer than 20,000 e-commerce transactions annually, or up to 1 million total | Annual SAQ recommended; quarterly ASV scans |
Most small and medium businesses fall into Level 3 or Level 4. This does not mean compliance obligations are light. The same 12 core requirements apply at every level. What changes is how you demonstrate and document compliance.
Our team can determine which level applies to your business and what that means for your assessment process.
The 12 PCI-DSS requirements: what your business needs to meet
PCI DSS v4.0.1 is organized around 12 principal requirements, grouped into six security goals. Together, they cover every layer of how cardholder data is protected across your environment. For businesses managing multiple vendors, systems, or locations, meeting all 12 consistently is where accountability gaps tend to appear.
1. Install and maintain network security controls
Firewalls and other network security controls must be in place to prevent unauthorized access to your cardholder data environment. This means configuring rules that restrict inbound and outbound traffic and reviewing those rules regularly to confirm they remain appropriate.
2. Apply secure configurations to all system components
Default passwords and security settings provided by vendors are well-known to attackers and must be changed before any system goes into use. Every device and software component that touches payment data needs a documented, hardened configuration, and those configurations must be maintained over time.
3. Protect stored account data
Cardholder data that must be stored should be kept to a minimum and protected using strong encryption. Primary account numbers (PANs) must be rendered unreadable through methods such as tokenization or one-way hashing. Sensitive authentication data, such as full card numbers and CVV codes, must never be stored after a transaction is authorized.
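As an added illustration of requirement 3 (not code from the original article or from CMIT Solutions), the following Python shows the three controls the paragraph names: a display mask that keeps only the first six and last four digits, a keyed one-way hash (HMAC-SHA256, with a constructed demo key; a real deployment would keep the key in an HSM or KMS), and a scanner that finds unmasked PANs that have leaked into logs or exports. The Luhn check, the sample PAN and the log line are constructed test values.

```python
import hashlib
import hmac
import re

# Constructed demo key. Assumption: in production the HMAC key is held in a KMS/HSM,
# never alongside the hashed values, so a hash cannot be reversed by brute force.
DEMO_HMAC_KEY = b"demo-key-not-for-production"

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _digits_only(value: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' compare equal."""
    return re.sub(r"\D", "", value)


def luhn_valid(pan: str) -> bool:
    """Return True when the digit string is 13-19 digits and passes the Luhn checksum."""
    digits = [int(c) for c in _digits_only(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first 6 and last 4 digits visible, everything else replaced by '*'."""
    pan = _digits_only(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed one-way hash of the PAN, usable as a stable lookup token.

    Using HMAC rather than a bare SHA-256 means an attacker who obtains the
    hashes cannot simply hash every possible PAN to reverse them.
    """
    return hmac.new(key, _digits_only(pan).encode(), hashlib.sha256).hexdigest()


def find_unmasked_pans(text: str) -> list:
    """Scan free text (a log line, a CSV export, a ticket) for Luhn-valid PANs.

    Masked values such as '411111******1111' are not matched, so a clean result
    means the text carries no readable account numbers.
    """
    hits = []
    for match in PAN_PATTERN.finditer(text):
        candidate = _digits_only(match.group())
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    # Constructed sample PAN (a well-known test number, not a real account).
    sample = "4111 1111 1111 1111"
    print(mask_pan(sample))
    print(pan_token(sample))
    # Constructed log line showing the kind of leak the scanner is meant to catch.
    print(find_unmasked_pans("2025-03-03T09:12:04 order=1023 card=4111 1111 1111 1111 amount=19.99"))
```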
4. Protect cardholder data with strong cryptography during transmission
Any cardholder data transmitted across open or public networks must be encrypted. This applies to online transactions, email, and any other channel where data could be intercepted. Sending unencrypted account numbers to unverified destinations is a direct violation.
5. Protect all systems and networks from malicious software
Antivirus and anti-malware tools must be installed and kept current on all systems that interact with cardholder data. PCI DSS v4.0.1 expanded the scope of malware scanning to include portable media devices, reflecting how attackers increasingly use physical devices to introduce threats into otherwise secured environments.
6. Develop and maintain secure systems and software
All software must be kept patched and up to date. For businesses running public-facing web applications, PCI DSS v4.0.1 introduced a requirement for automated, continuously active solutions to detect and block web-based attacks in real time, such as a web application firewall or equivalent control.
7. Restrict access to system components and cardholder data by business need to know
Access to cardholder data must be limited strictly to those who need it to perform their job. Access control systems must be configured to deny access by default, granting permissions only where there is a documented business reason.
8. Identify users and authenticate access to system components
Every person and system that accesses cardholder data must have a unique identifier. Shared logins are not permitted. Multi-factor authentication (MFA) is now required for all access to the cardholder data environment under PCI DSS v4.0.1, a significant expansion from the previous version’s narrower remote-access requirement.
9. Restrict physical access to cardholder data
Physical security is just as important as digital security. Cardholder data stored on physical media, and the devices used to process it, must be kept in locked, access-controlled areas. Any physical access must be logged, and POS terminals should be inspected regularly for signs of tampering or skimming devices.
10. Log and monitor all access to system components and cardholder data
Every instance of access to cardholder data must be recorded in audit logs. Those logs must be reviewed regularly, retained for a minimum of 12 months, and protected against modification. PCI DSS v4.0.1 requires that audit log reviews be automated where feasible.
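To show what an automated log review under requirement 10 can look like, here is an added Python example (not code from the original article or from CMIT Solutions) that runs three checks over constructed audit log lines: access to an in-scope host by a user outside the need-to-know list, successful access outside business hours, and a burst of failed logins; it also checks whether retained history reaches the 12-month minimum. The log format, host names, user lists and thresholds are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit log (not from any real system).
# Format assumed for the example: "<ISO timestamp> <host> <user> <action> <result>"
SAMPLE_LOG = """\
2025-03-03T09:12:04 pos-db-01 alice db.query success
2025-03-03T09:15:31 pos-db-01 bob db.query success
2025-03-03T02:41:10 pos-db-01 alice db.query success
2025-03-03T10:02:00 pos-db-01 svc-backup db.export success
2025-03-03T10:05:12 pos-db-01 carol login failure
2025-03-03T10:05:20 pos-db-01 carol login failure
2025-03-03T10:05:27 pos-db-01 carol login failure
2025-03-03T10:05:35 pos-db-01 carol login failure
2025-03-03T10:05:41 pos-db-01 carol login failure
2025-03-03T11:00:00 office-pc-07 dave file.open success
"""

# Assumed scope definitions; in practice these come from the CDE inventory
# and the documented need-to-know list (requirement 7).
CDE_HOSTS = {"pos-db-01", "pos-term-01"}
AUTHORIZED_CDE_USERS = {"alice", "bob"}
BUSINESS_HOURS = range(8, 19)        # 08:00-18:59 local time
FAILED_LOGIN_THRESHOLD = 5
RETENTION_DAYS = 365                 # 12 months of audit history


def parse_line(line: str) -> dict:
    """Split one log line into its fields."""
    ts, host, user, action, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "result": result}


def review_audit_log(log_text: str) -> list:
    """Return (finding_type, user, line) tuples for entries that need analyst attention."""
    findings = []
    failed_logins = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["host"] not in CDE_HOSTS:
            continue                      # out of scope for this review
        if e["result"] == "success" and e["user"] not in AUTHORIZED_CDE_USERS:
            findings.append(("unauthorized-user", e["user"], line))
        if e["result"] == "success" and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours-access", e["user"], line))
        if e["action"] == "login" and e["result"] == "failure":
            failed_logins[e["user"]] += 1
            if failed_logins[e["user"]] == FAILED_LOGIN_THRESHOLD:
                findings.append(("failed-login-burst", e["user"], line))
    return findings


def retention_covers_12_months(oldest_entry: datetime, now: datetime) -> bool:
    """True when the oldest retained entry is at least RETENTION_DAYS old."""
    return (now - oldest_entry).days >= RETENTION_DAYS


if __name__ == "__main__":
    for kind, user, line in review_audit_log(SAMPLE_LOG):
        print(f"{kind:20} {user:12} {line}")
```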
11. Test security of systems and networks regularly
Regular vulnerability scanning and penetration testing are required to confirm that security controls are working as intended. Quarterly scans by an Approved Scanning Vendor are mandatory, alongside internal and external penetration tests conducted at least annually and after any significant change to the environment.
12. Support information security with organizational policies and programs
A formal information security policy must be documented, approved by leadership, and communicated to all relevant staff. PCI DSS v4.0.1 placed increased emphasis on clearly defined roles and responsibilities, ensuring that every person involved in cardholder data environments knows exactly what they are accountable for.
With more than 30 years of experience securing IT environments for small and medium businesses, CMIT Solutions helps clients translate these requirements into practical, layered protections across systems, devices, and users that fit their specific environment, rather than leaving teams to work through 500-plus pages of technical documentation on their own.
If you need help identifying gaps or building a clear path to PCI DSS compliance, contact our team to take the next step.
PCI-DSS v4.0.1: what changed and why it matters for your business
The current version introduced 64 new requirements compared to the previous version, with 51 of those becoming mandatory as of March 31, 2025. Businesses that had not addressed those requirements by that date are now out of compliance. For teams already stretched thin on IT resources, tracking a standard that evolves this quickly is a genuine challenge.
The most significant changes reflect how the threat landscape has shifted. Key updates include expanded MFA requirements covering all access to the cardholder data environment, stronger controls around phishing protection using email authentication protocols, mandatory automated solutions for protecting public-facing web applications, and clearer documentation requirements around how roles and responsibilities are assigned across teams.
Security threats do not stand still, and neither do the standards designed to address them. A business that was fully compliant under the previous version may not automatically meet the updated requirements without reviewing and updating its controls.
CMIT Solutions works alongside businesses to identify exactly where those gaps exist and build a clear path to full compliance under the current standard, with cybersecurity-informed recommendations that go beyond the minimum the standard requires.
What PCI-DSS compliance looks like day to day
Compliance is not a one-time project. It is an ongoing discipline that touches how your systems are configured, how your staff behave, and how your vendors are managed. When technology is treated purely as a maintenance task rather than something actively managed for security and growth, the ongoing nature of compliance is precisely where things fall through the cracks.
Day-to-day compliance typically includes keeping all software and security tools current with patches and updates, reviewing access logs for unusual activity, ensuring that only authorized personnel can access payment systems, conducting periodic checks of physical POS terminals for signs of tampering, and maintaining documentation of security policies and who is responsible for each area.
Managing this consistently alongside everything else a small business demands is where most compliance gaps appear.
CMIT Solutions provides the continuous monitoring and threat response, maintenance, and expert oversight that keep these controls in place without adding to your team’s workload, so your business can stay focused on growth rather than security administration.
The cost of PCI-DSS non-compliance
Non-compliance with PCI DSS carries financial, operational, and reputational consequences that can far exceed the cost of achieving compliance in the first place. The risk is not just financial.
A breach or extended period of non-compliance can cause operational disruption severe enough to affect whether a business can continue accepting payments at all. Card brands and acquiring banks can issue monthly fines to non-compliant organizations that can range from $5,000 to $100,000, depending on the severity and duration of the violation.
Beyond fines, a data breach resulting from non-compliance can trigger mandatory forensic investigations, legal action, and potential termination of the ability to process card payments.
For a small business, losing the ability to accept credit cards is often an existential threat. Rebuilding customer trust after a payment data breach takes time and resources that most small businesses cannot easily absorb.
Use our IT downtime calculator to see what a compliance failure or security incident could cost your business.
| Consequence | Potential Impact |
| --- | --- |
| Monthly non-compliance fines | Can range from $5,000 to $100,000 per month |
| Mandatory forensic investigation | Significant cost depending on merchant level and incident scope |
| Loss of card processing rights | Loss of all card-based revenue until reassessment is complete |
| Legal fees and fraud liability | Varies by incident severity and number of affected cardholders |
| Reputational damage and customer attrition | Long-term revenue impact that can outlast the incident itself |
How to validate PCI-DSS compliance
Validation is how you formally demonstrate that your business meets PCI DSS requirements. The process depends on your compliance level and how payment data flows through your environment.
Most small businesses at Level 3 or Level 4 validate compliance by completing a Self-Assessment Questionnaire (SAQ). There are multiple SAQ types, and the correct one depends on how your business collects and handles card data. A business using a fully hosted payment page provided by a third party has a very different SAQ profile than one that processes card data through its own servers.
Level 1 merchants are required to complete a Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA). This is a formal on-site audit by an independent assessor certified by the PCI SSC.
The PCI SSC’s directory of certified QSAs covers organizations operating across all US regions. All businesses, regardless of level, must also complete quarterly vulnerability scans conducted by a PCI SSC-certified Approved Scanning Vendor (ASV).
CMIT Solutions can advise on which SAQ type applies to your environment, help prepare the documentation your assessment requires, and draw on a nationwide network of technology experts to connect you with the right assessors when a formal audit is needed.
PCI-DSS and your IT environment: what SMBs often overlook
Small and medium businesses frequently underestimate how much of their IT infrastructure falls within the scope of PCI compliance. As businesses grow, so does the complexity of their IT environments, and what started as a simple payment setup can quickly expand into a web of connected systems, cloud services, and third-party tools that all carry compliance implications.
The cardholder data environment (CDE) is not limited to the payment terminal or checkout page. It includes every system that stores, processes, or transmits card data, as well as any system with network connectivity to those systems.
A business with a shared network where payment terminals sit alongside general office computers may find that a much larger portion of its IT environment falls under PCI scope than expected. Network segmentation, which separates the CDE from the rest of the business network, is one of the most effective ways to reduce scope and simplify compliance, but it requires deliberate design and ongoing maintenance.
Cloud environments add another layer of complexity. If card data passes through or is stored in a cloud platform, that platform and your configuration of it both carry compliance implications. Cloud providers operate under a shared responsibility model, meaning they secure the underlying infrastructure while your business remains responsible for how access, encryption, and monitoring are configured within that environment.
PCI DSS v4.0.1 also strengthened requirements around security awareness training, making it mandatory for all personnel with access to cardholder data environments to receive regular, role-specific training.
Our team helps businesses map their actual CDE scope, design the segmentation and layered protections that reduce risk and compliance burden, and build the access controls and training programs that keep your environment secure as it evolves. Where in-person assessment or on-site support is needed, our locally delivered IT expertise means help is never far away.
PCI-DSS compliance and cyber insurance: a growing connection
Many businesses assume their cyber insurance will cover them after an attack, but insurers increasingly require specific security controls before issuing or renewing coverage. Businesses that cannot demonstrate those controls at renewal may find themselves facing exclusions, higher premiums, or outright denial of coverage.
Common insurer requirements that overlap directly with PCI DSS include multi-factor authentication, endpoint protection, access logging, incident response capabilities, and regular security awareness training.
A business that has built security in by design, rather than bolting it on after the fact, will typically already have these controls in place, which can directly influence insurer decisions on coverage terms and premiums.
Use our insurance readiness assessment to see whether your current security environment aligns with what modern insurers expect.
PCI-DSS compliance by industry
The 12 PCI DSS requirements apply universally. What differs across industries is how those requirements manifest in practice, which systems are in scope, what types of transactions are processed, and what additional regulatory obligations may run alongside PCI compliance.
- Healthcare: Must meet PCI DSS alongside HIPAA, often within shared environments where payment systems and electronic health records coexist. Strong network segmentation, access controls, and continuous monitoring are critical to prevent crossover risk between financial and patient data.
- Hospitality: Operates across multiple POS systems, locations, and booking platforms, creating a mix of card-present and card-not-present transactions. High staff turnover increases risk, making standardized controls, terminal inspection processes, and ongoing staff training essential.
- Professional services: Typically process fewer transactions but store highly sensitive client data, including financial and legal information. A breach can expose both payment data and privileged information, so controls must balance strong security with minimal disruption to day-to-day operations.
- Government contractors: PCI DSS requirements may overlap with federal frameworks such as CMMC, particularly where payment systems exist within broader regulated environments. Compliance requires aligning payment security controls with wider cybersecurity obligations and audit expectations.
For defense contractors, this includes CMMC obligations that run alongside PCI DSS. Our CMMC compliance services guide contractors from gap assessment through to full certification.
Practical PCI-DSS compliance checklist for small businesses
The following checklist reflects the core controls that small and medium businesses should have in place. It is designed as a starting point for a compliance review, not a substitute for a formal assessment.
- Network security controls: Firewall or equivalent installed and configured with documented, reviewed rules
- Default credentials: All vendor-supplied default passwords changed on every device and system before use
- Data minimization: Cardholder data inventory completed; data minimized and encrypted where stored
- Transmission encryption: Encryption in place for all cardholder data transmitted over open networks
- Malware protection: Antivirus and anti-malware software installed, active, and regularly updated on all relevant systems
- Patch management: All software, operating systems, and firmware kept current with security patches
- Access controls: Access to cardholder data restricted to those with a documented business need
- Unique IDs: Unique user IDs assigned to all individuals with system access; no shared logins permitted
- Multi-factor authentication: MFA enabled for all access to the cardholder data environment
- Physical security: Physical access to payment systems and data storage restricted and logged
- Audit logging: Logs enabled, reviewed regularly, and retained for a minimum of 12 months
- Vulnerability scanning: Quarterly scans completed by a PCI SSC-certified ASV
- Penetration testing: Annual penetration test completed, and after any significant environmental change
- Policy documentation: Security policies documented and communicated to all relevant staff
- Staff training: All personnel with access to cardholder environments trained on their security responsibilities
- Vendor management: Third-party vendors with access to card data reviewed for their own PCI DSS compliance status
Let CMIT Solutions take PCI-DSS compliance off your plate
PCI-DSS compliance touches every layer of your IT environment, and maintaining it requires more than a one-time review.
CMIT Solutions takes a security-first approach to managed IT, building proactive threat protection, continuous monitoring and threat response, and layered security controls directly into how we manage your environment, so your business is protected by design rather than by reaction.
With more than 30 years of experience and a nationwide network of 900+ technology experts, we bring enterprise-level cybersecurity capabilities to small and medium businesses across healthcare, hospitality, professional services, and government contracting.
Every client benefits from the responsive, locally delivered IT support of a trusted advisor who knows their business, backed by the shared tools, standards, and expertise of a national network.
We close compliance gaps, build lasting protections, and keep your environment audit-ready as your business grows. The result is stronger security, greater operational resilience, and the confidence to grow without compliance holding you back. Whatever stage you are at, CMIT Solutions is here to guide you through every step.
Optyx, a multi-location eye care business, partnered with CMIT Solutions to overhaul its IT infrastructure and security posture across all its locations. The engagement delivered improved compliance audit outcomes, faster security incident response times, and greater operational efficiency, demonstrating how the right IT partnership supports both security and business growth. Read the full Optyx case study to see what that looks like in practice.
To speak with an IT expert about your PCI compliance posture, contact CMIT Solutions or call (800) 399-2648.
Frequently asked questions
We use Stripe or Square to take payments; do we still need to worry about PCI-DSS?
Yes. Using a third-party payment processor reduces your PCI scope but does not remove your obligations entirely. Your business remains responsible for how that processor is integrated, how staff access the system, and how cardholder data is handled outside the platform. You still need to complete the correct SAQ and pass quarterly vulnerability scans.
How long does it take a small business to get PCI-DSS compliant for the first time?
For most small businesses, first-time PCI compliance takes one to three months. The timeline depends on how much of your environment needs to be reconfigured, documented, or retrained. Businesses with multiple locations, legacy systems, or complex networks typically take longer. CMIT Solutions starts every engagement with a gap assessment so you know exactly what is involved before work begins.
Can we be fined for PCI non-compliance even if we have never had a breach?
Yes. Fines for PCI non-compliance can be issued monthly based solely on failing to meet the standard’s requirements, regardless of whether a breach has ever occurred. Card brands and acquiring banks can impose penalties ranging from $5,000 to $100,000 per month. A breach makes those consequences more severe, but the financial risk exists before any incident takes place.
What is the difference between an SAQ and a Report on Compliance, and which one does my business need?
An SAQ (Self-Assessment Questionnaire) is a self-completed document used by Level 2, 3, and 4 merchants to confirm compliance. A Report on Compliance (ROC) is a formal on-site audit by a certified Qualified Security Assessor, required for Level 1 merchants. Which one applies to your business depends on your annual transaction volume and how payment data flows through your environment.
Do we need to redo our PCI compliance if we switch payment platforms or open a new location?
Yes. Any significant change to how your business collects, processes, or stores card data requires a compliance review. Switching payment platforms, adding a new sales channel, opening an additional location, or moving payment systems to the cloud can all change your PCI scope and affect which SAQ type applies. CMIT Solutions recommends completing that review before the new environment goes live.