If you process payment cards, PCI DSS applies to you.
The Payment Card Industry Data Security Standard requires any organization that stores, processes, or transmits cardholder data to validate compliance annually. Non-compliance exposes you to card brand fines and unlimited liability in a breach.
PCI DSS is not optional — it is a contractual obligation.
PCI DSS v4.0 is a set of security standards established by the Payment Card Industry Security Standards Council (PCI SSC) and enforced by Visa, Mastercard, and other card brands through your acquiring bank. If you accept card payments, you are contractually required to comply.
For most small businesses, compliance is validated annually through a Self-Assessment Questionnaire (SAQ). The SAQ type depends on how you process cards — card-present, card-not-present, or e-commerce. Non-compliance is not reported to a regulator — it is reported to your payment processor, who can suspend your ability to accept cards.
PCI DSS v4.0 was released in 2022 with full compliance required by March 2025. Key changes include mandatory multi-factor authentication for all access to the cardholder data environment and expanded e-commerce security requirements.
Who must comply
Any merchant or service provider that stores, processes, or transmits cardholder data — including card numbers, expiration dates, CVVs, and PINs. Applies regardless of size or transaction volume.
Enforcement mechanism
Card brands (Visa, Mastercard, etc.) through acquiring banks. Non-compliance results in fines to your bank, which are passed to you. Repeat non-compliance can result in loss of card acceptance privileges.
Fine range
$5,000 to $100,000 per month for non-compliance. In the event of a breach without validated compliance, card brands can assess unlimited fines and charge back all fraudulent transactions.
Version in effect
PCI DSS v4.0. All v3.2.1 requirements retired as of March 31, 2024. New v4.0 requirements include mandatory MFA for all CDE access and updated e-commerce security controls.
PCI DSS v4.0 — 12 requirement domains.
PCI DSS organizes its controls into 12 requirements across six control objectives. Every requirement applies to systems in your cardholder data environment.
Network Security Controls
Install and maintain network security controls. Apply secure configurations to all system components. Firewalls, network segmentation, and configuration standards.
Protect Account Data
Protect stored account data. Protect cardholder data with strong cryptography during transmission over open networks. Encryption at rest and in transit.
Vulnerability Management
Protect all systems against malware. Develop and maintain secure systems and software. Anti-malware, patching, and secure development practices.
Access Control
Restrict access to system components and cardholder data by business need to know. Identify users and authenticate access to system components. MFA required for all CDE access under v4.0.
Physical & Monitoring
Restrict physical access to cardholder data. Log and monitor all access to system components and cardholder data. Audit logs retained for 12 months minimum.
Testing & Policy
Test security of systems and networks regularly. Support information security with organizational policies and programs. Annual penetration testing, quarterly vulnerability scans, written security policy.
The consequences of PCI non-compliance hit your bank account directly.
Card brands can assess $5,000 to $100,000 per month for sustained non-compliance. These fines are passed from the card brand to your acquiring bank and then directly to you.
Persistent non-compliance or a breach can result in termination of your merchant account — the ability to accept Visa and Mastercard at all. For most businesses this is existential.
A breach without validated PCI compliance removes all liability protections. Card brands can charge back every fraudulent transaction and assess forensic investigation costs — often exceeding $100,000 for small merchants.
BoTech validates and maintains your PCI DSS compliance program.
PCI DSS compliance requires more than completing an SAQ once a year. It requires controls that operate and are documented throughout the year — quarterly vulnerability scans, patch compliance reports, access reviews, and training records.
BoTech maps your environment to the correct SAQ type, implements the required controls, runs your quarterly scans, and prepares your annual evidence package for submission to your acquiring bank.
Audit-ready in 90 to 120 days.
A structured four-phase process that builds your PCI DSS compliance program from the ground up — no prior compliance work required.
Assess
Every current control assessed against PCI DSS requirements. Every gap documented with citations to the specific PCI DSS requirement before a single policy is written.
Build
All required policies written and customized. Risk assessment completed. Evidence tracking configured. PCI DSS-specific documentation in place.
Activate
Documentation signed and dated. Workforce training initiated. Access controls reviewed. Evidence tracking live. Your program is operating.
Audit-Ready
First evidence cycle complete. All agreements executed. You can now respond to a regulator, auditor, or insurer with confidence.
Timeline assumes client completion of information requests within 5 business days of receipt. Delays in client response, vendor agreement execution, or workforce training completion will extend the timeline proportionally.
Find out if your cardholder data environment is PCI compliant.
The free Security Scorecard reviews your current PCI DSS posture — scope, controls, SAQ readiness, and evidence gaps — in 30 minutes. Written report within 24 hours. No obligation.
No cost · No obligation · Written report within 24 hours

