Payment Security

What is PCI-DSS?

The security standard that every business accepting credit or debit cards must follow — whether you process ten transactions a month or ten thousand.

The Short Version

PCI-DSS stands for Payment Card Industry Data Security Standard. It was created by Visa, Mastercard, American Express, Discover, and JCB to protect cardholder data. If your business accepts card payments — any card payments — you are required to comply.

Non-compliance doesn't just result in fines. Your payment processor can terminate your ability to accept cards entirely. For most businesses, that is a company-ending event.

Who Needs to Comply?

Any business that:

  • Accepts credit or debit card payments in person
  • Accepts card payments online or by phone
  • Stores, processes, or transmits cardholder data in any way
  • Uses a third-party payment processor (you still have responsibilities)

PCI compliance is divided into four merchant levels based on annual transaction volume. Most small businesses are Level 4 (the fewest requirements), but the requirements still exist and still apply.

What Does PCI-DSS Require From Your IT?

PCI-DSS has 12 core requirements covering:

  • Network security: Firewalls configured to protect cardholder data
  • No default passwords: Every device must have its default password changed
  • Data protection: Stored card data must be encrypted
  • Encrypted transmission: Card data sent over networks must be encrypted
  • Antivirus: All systems must have up-to-date malware protection
  • Secure systems: Regular patching and updates required
  • Access control: Only authorized personnel can access card data, on a need-to-know basis
  • Identification and authentication: Every person with system access must have a unique ID and be authenticated before gaining access
  • Physical security: Physical access to systems with card data must be restricted
  • Monitoring: All access to card data must be logged and monitored
  • Security testing: Regular vulnerability scans and penetration tests
  • Security policy: A documented information security policy

What Happens When You Don't Comply?

  • Fines from card brands: $5,000–$100,000 per month until compliant
  • Increased transaction fees: Non-compliant merchants pay higher processing fees
  • Loss of card acceptance: Your processor can shut off your ability to accept cards
  • Breach liability: If a breach occurs while non-compliant, you absorb the full cost of fraud
  • Forensic investigation costs: Mandatory PCI forensic investigation after a breach — typically $20,000–$50,000

How Digital Armor Helps

We handle the technical side of PCI compliance including:

  • Network segmentation — isolating payment systems from the rest of your network
  • Firewall configuration and management
  • Patch management and vulnerability scanning
  • Access controls and user management
  • Security logging and monitoring
  • Annual SAQ (Self-Assessment Questionnaire) support
  • Staff training on card security practices

Is Your Business PCI Compliant?

If you're not sure, the answer is probably no. Most small businesses that accept cards are technically non-compliant — not because they're reckless, but because no one explained what was required. We can tell you exactly where you stand in 30 minutes.

Book Your Assessment