How to become PCI compliant

Blogs 14 Jun 2024

Stay secure and protect your customers' data during card payments with our step-by-step guide to becoming PCI compliant as a small business.

A version of this article was first published on our website in February 2022. 


When a customer is completing a transaction, you're processing sensitive payment information that needs to be protected. All merchants and service providers must comply with the data security standards.

What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) guidelines are designed to improve the security of your card processing environment and reduce the chance of card fraud. They ensure that your business is handling and storing data for card payments according to certain regulations. This is to maintain the security of card transactions in your business and prevent data breaches. If you accept card payments, regardless of the level or value of the transactions, you must be PCI compliant.

What could happen if you’re not PCI compliant?

Whilst it’s not a legal requirement, fines for data breaches can be given to the banks by the providers who make up the Security Standards Council (SSC): American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

If your business isn’t compliant and there’s a data breach, your bank provider could choose to pass these fines onto you under the terms of their contract with you, or terminate your business bank account entirely, as you are seen as posing a significant risk of leaking customer data.

Furthermore, the ICO has warned online retailers that if they do not adopt the PCI DSS, or provide equivalent protection when processing customers' payment card details, they risk being in breach of the Data Protection Act 1998 and subject to enforcement action from the ICO.

What are the benefits of PCI compliance?

It may seem like a daunting and difficult process, but your business shouldn’t risk not being compliant, as customers may choose to spend their money with other, more secure, businesses.

  • Avoid the risk of financial penalties
  • Give financial institutions confidence in your business that you protect public data
  • Maintain your credibility and trust by preventing a security breach

How to become PCI compliant as a small business

In the journey to becoming PCI compliant, there are 12 steps you must complete, which the SSC separates into the following six goals.

1. Building and maintaining a secure network

The first step is to ensure that access to your systems is protected in several ways.

  • A regularly tested firewall policy should be in place to protect any data you hold
  • The SSC advises that vendor-supplied passwords for any hardware or software are changed immediately to unique and secure passwords
  • Update passwords every 90 days
2. Protecting cardholder data

If your business actively stores cardholder data, for example in a database or physically in a locked filing cabinet, then this data could become a risk. It’s not recommended that you store any card data.

  • Never keep data such as PIN numbers or card validation codes
  • Combine virtual and physical safety measures, such as authentication procedures, locked cabinets and limited access to the server
  • Encrypt the transmission of all data to ensure that anyone who does not have the correct cipher will not be able to read the data
3. Maintaining a Vulnerability Management Program

As part of your Vulnerability Management Program, you should have a robust anti-virus system in place for secure card payments.

  • Scan your software for any malicious viruses
  • Update your anti-virus software to ensure that it can stop newer viruses
  • Check your card provider updates their systems to stop any security exploits

By keeping yourself prepared, instead of having to react to breaches, you can make sure that every step of the payment process is always secure.

4. Implementing strong access control measures

Only those who have a definite need to access cardholder data should be able to access it. The fewer people there are who can access the data, the lower the chance of any breach.

  • Provide staff with unique IDs for computer access
  • Follow best practices such as authorisation and frequent password resets

Holding data offsite?

Your provider is the one who should limit access to any data instead of your business – just because it is held offsite does not mean they are able to provide a lower level of security. The third-party provider still must ensure sufficient security every step of the way.

5. Regularly monitoring and testing networks

While you should make sure that only the necessary people have access to cardholder data, you still should track who accesses the data and when. If a security breach does happen, having accurate logging systems in place may help your provider find the root cause and fix it as soon as possible.  Regular testing also helps to constantly keep customers and businesses safe in the knowledge that the network, and the cardholder data held in it, are fully secure.

6. Maintaining an information security policy

Your information security policy should be a comprehensive overview of every aspect of your data security procedures in your business.

  • What are your data security procedures and who executes them?
  • Who will be guiding the business on compliance?
  • How will compliance be achieved?

Legal compliance is just a click away

With FSB Legal and Business Hub, you’ll have legal documents at your fingertips. Search over 1,500 documents, templates, policies and more, on everything from tax to cyber security. Checked by real lawyers, fully compliant and easy to use.

find out more