The payments sector is constantly evolving, and while companies must adjust to the latest developments to stay competitive, it is imperative that any company accepting credit cards and debit cards protect sensitive cardholder data.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies process and store credit card information in a secure environment. PCI non-compliance can lead to fines ranging from $5,000 to $10,000 per month — or more if you are also penalized with increased transaction fees.
Why such hefty penalties and fees? Adhering to the PCI DSS is critical to both businesses and consumers as the number of fraud reports continues to grow. In 2021, consumers lost $321 million due to credit and debit card fraud. Establishing PCI compliance is not only good for your customers’ data but can also protect businesses from losing millions of dollars in income from security breaches. With the global average cost of a data breach reaching $4.24 million in 2021, it is paramount that organizations are compliant.
In this guide, we’ll walk you through, and demystify, the process of PCI compliance.
Key Takeaways
- PCI DSS v4.0 is now in effect, introducing new compliance requirements focused on continuous security monitoring, risk-based authentication, and broader flexibility for implementation.
- All businesses that handle cardholder data must comply with PCI standards, regardless of size or industry, to avoid costly fines and mitigate breach risk.
- Bluefin’s guide to the 12 PCI DSS requirements walks organizations through every key requirement, from securing systems and encrypting data to conducting regular vulnerability scans.
- New v4.0 updates include stricter MFA requirements, expanded scoping, and a shift toward outcome-based reporting, all of which require organizations to take a more proactive and transparent security approach.
- Failure to comply with PCI DSS can lead to steep penalties, legal liabilities, and reputational damage, making compliance a critical part of your data protection strategy.
What Is PCI Compliance?
In the early stages of credit card usage, each major card brand (Visa, Mastercard, Discover and American Express) developed its own system for protection against fraud. These card brands later united to create a single, industry-wide standard for fraud protection, which we now know as PCI DSS — managed by the PCI Security Standards Council (PCI SSC).
There are four levels of PCI compliance
Determined by the number of transactions processed annually, a business will be assigned to one of the following levels:
- Level 1: Upwards of 6 million annual transactions, or a business that has experienced a data breach.
- Level 2: Between 1 and 6 million annual transactions.
- Level 3: Between 20,000 and 1 million annual internet transactions.
- Level 4: Less than 20,000 annual internet transactions, or less than 1 million annual physical card transactions.
If your business falls in the Level 1 category, you’ll be required to have an annual internal audit and quarterly PCI scan conducted by an approved third-party vendor. Businesses categorized as levels 2 through 4 must do a yearly self-assessment using a designated questionnaire. They may also be required to do a quarterly PCI scan.
How to Achieve PCI Compliance (Version 3.2.1)
Your business, regardless of size, can establish PCI compliance by meeting and maintaining 12 basic requirements – here’s how.
Step 1: Build, Maintain, and Monitor a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Avoid using vendor-supplied defaults for system passwords and other security parameters.
Step 2: Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across public networks.
Step 3: Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Step 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
Step 5: Regularly Monitor and Test Network
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Step 6: Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
Who Needs PCI Compliance?
Any organization that accepts, processes, transmits, or stores credit or debit card information is required to comply with PCI DSS, regardless of size or industry. This includes:
- Retailers, both online and brick-and-mortar
- E-commerce platforms and marketplaces
- Healthcare providers processing patient payments
- Educational institutions accepting tuition or donations
- Hospitality businesses, including hotels and restaurants
- SaaS platforms that handle payments on behalf of clients
- Government and nonprofit agencies accepting card payments
Even if your business doesn’t store cardholder data, PCI DSS still applies if you process or transmit payment information. Using secure, validated technologies—like tokenization and PCI-validated point-to-point encryption (P2PE)—can reduce your compliance scope but not eliminate it altogether.
What’s New in PCI DSS v4.0
The PCI Security Standards Council (PCI SSC) released version 4.0 of the PCI DSS in response to the evolving payments ecosystem and advanced threats. While the core 12 requirement areas remain, several meaningful updates reshape how organizations must approach compliance:
- Stronger emphasis on security as a continuous process – Rather than a once‑a‑year audit mindset, v4.0 introduces ongoing validation and monitoring requirements.
- Flexible implementation approach – The standard now allows entities to use alternative controls or customized methods if they meet the defined security objectives, enabling innovation while maintaining rigor.
- Expanded authentication and access control criteria – Multi‑factor authentication (MFA) is required for more types of access, and new controls address script‑based attacks, compromised credentials, and client‑side risks.
- Enhanced scoping and risk identification requirements – Organizations must perform targeted risk analyses and document scope more precisely, particularly around third‑party access and non‑traditional payment flows.
- Deadline for transition and full requirement enforcement – v3.2.1 remained valid until March 31, 2024, and many of the future-dated “best practice” requirements introduced in v4.0 became mandatory as of March 31, 2025.
Why it matters for your business: If your organization is still operating solely under v3.2.1 controls, you’re likely exposed to gaps in your compliance program. The newer standard isn’t just procedural; it shifts the mindset toward real‑time security, broader scope, and strategic flexibility.
Immediate next steps:
- Conduct a gap assessment comparing your current controls to the new v4.0 requirements.
- Prioritize high‑impact areas such as MFA rollout, script‑integrity monitoring, and tokenization/P2PE solutions to reduce your PCI scope and complexity.
- Establish continuous monitoring and third‑party vendor oversight – it’s no longer optional or “just best practice.”
By aligning early with v4.0, you transform compliance from a checkbox exercise into a competitive advantage, and you better protect your customers, reputation, and bottom line.
Not All Encryption Solutions are Created Equal
As PCI DSS requirements state, companies must encrypt all cardholder data transmissions across public networks. There are many payment encryption products on the market but only those solutions validated by the PCI SSC have met rigorous standards for encryption, decryption, key management and chain of custody.
While these requirements may seem overwhelming, merchants can implement a PCI-validated Point-to-Point Encryption (P2PE) solution, making the entire process of certifying PCI compliance much more manageable.
Bluefin became the first PCI-validated provider of a P2PE solution in 2014. Bluefin’s PCI-validated P2PE solutions immediately encrypt data upon tap, dip, swipe, or key entry in a P2PE-certified device, with encryption handled by Bluefin outside of the merchant environment. Bluefin also offers the only 100% online portal for chain of custody management, the P2PE Manager®. Learn more about PCI-validated P2PE in our FAQ section.
Specializing in PCI Compliance and Payment Security
Bluefin’s payment processing products are backed by the highest level of encryption with PCI-validated P2PE and by tokenization with our ShieldConex® data security platform. Every merchant that signs with Bluefin also has access to our full PCI compliance program through our partner, SecureTrust™, for annual scans, attestations and more.
Maintaining PCI compliance is important for your company and your clients. Contact us today to learn how we can help your organization.
PCI Compliance FAQs
What does PCI compliant mean?
Being PCI compliant means that a business meets the data security requirements outlined by the Payment Card Industry Data Security Standard (PCI DSS). These standards are designed to ensure that merchants securely collect, store, process, and transmit cardholder data to reduce the risk of payment data breaches.
Is PCI compliance legally required?
PCI compliance is not a federal law, but it is contractually required by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through agreements with payment processors. Noncompliance can result in fines, increased fees, or loss of the ability to process credit card transactions.
What are the 4 PCI standards?
This question likely refers to the four levels of PCI compliance, which are based on transaction volume:
- Level 1 – Over 6 million transactions annually
- Level 2 – 1 to 6 million transactions annually
- Level 3 – 20,000 to 1 million e-commerce transactions annually
- Level 4 – Fewer than 20,000 e-commerce or up to 1 million total transactions annually
Each level has its own reporting and validation requirements. The PCI DSS itself is one unified standard with 12 core requirements.
What are the 12 requirements of PCI DSS?
The PCI DSS framework includes 12 security requirements such as installing firewalls, encrypting cardholder data, restricting access to card data, and regularly monitoring networks. These are grouped under six core goals, including building secure systems, protecting data, and maintaining strong access control.
What happens if my business is not PCI compliant?
Failure to comply with PCI DSS can lead to hefty fines, increased scrutiny from acquiring banks, damage to your brand, and even a suspension of payment processing privileges. In the event of a data breach, noncompliance can also result in legal liability and increased penalties.
Does PCI DSS apply to businesses that don’t store card data?
Yes. PCI DSS applies to any business that processes, transmits, or has access to cardholder data, even if they don’t store it. Using secure, compliant solutions like PCI-validated point-to-point encryption (P2PE) can help reduce PCI scope, but not eliminate compliance requirements altogether.