What Merchants Need to Know About PCI Compliance
If your business accepts credit or debit card payments, PCI compliance isn’t optional—it’s a requirement. But don’t worry, it’s not as overwhelming as it might sound. Let’s break down what PCI compliance is, why it matters, and what you need to do to stay on the right track.
What Is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of rules created by major card brands like Visa, Mastercard, Discover, and American Express to help businesses protect cardholder data.
If your business accepts, processes, transmits, or stores credit or debit card information, then you are required to follow PCI DSS.
Why Does PCI Compliance Matter?
Being PCI compliant helps protect your customers from fraud and data breaches. But just as importantly, non-compliance can lead to serious consequences:
In short, not complying could cost you your ability to do business with cards—which is a dealbreaker for most merchants.
What Do You Need to Do to Be Compliant?
There are two main things every merchant must do:
Follow the security standards outlined in the PCI DSS.
Validate that you're following them.
For most small- to medium-sized businesses, validation means:
Filling out a Self-Assessment Questionnaire (SAQ) once a year.
Completing a quarterly scan of your systems (if required), performed by a PCI-approved scanning vendor (ASV).
Larger businesses or those with higher risk may also need an onsite audit by a PCI-certified professional (a Qualified Security Assessor, or QSA).
What Is the SAQ?
The SAQ (Self-Assessment Questionnaire) is a yearly checklist that helps you confirm whether your business meets PCI requirements. There are different types of SAQs depending on how your business accepts cards (in person, online, etc.).
The questionnaire may be short and simple—or more technical—depending on your setup. But the good news is there are tools and services available to walk you through it and help you fix any issues.
What Happens If You’re Not Compliant?
If you're not compliant, your payment processor or bank might:
While PCI DSS isn’t a government law, it's a mandatory part of your agreement with the card networks and your bank. Ignoring it can lead to major disruptions in your business operations.
What Is a Fix-It Plan?
If your SAQ reveals issues, you'll receive a Fix-It Plan—a step-by-step guide to help you resolve them. Once you've completed the plan and passed a follow-up assessment, you'll be considered PCI compliant.
How Do I Get PCI Compliant?
Most payment processors will help guide you through the process. It typically involves:
Completing a questionnaire (usually once a year)
Running security scans (if required, based on how you process payments)
Following basic security best practices
To become PCI Compliant, please go to the PCI application at: www.pciapply.com/pcicompliance
The username is the complete Merchant ID, and the first-time password is the last 5 digits of the Merchant ID followed by the capitalized two-letter state abbreviation.
Example: the Merchant ID is 4900000012345 and the business is located in Illinois:
- Username: 4900000012345 (the complete Merchant ID)
- First-time password: 12345IL
If you’re unsure, please reach out to merchantsupport@fractalpay.com to learn more about becoming PCI compliant.
Quick Overview of Merchant Levels
PCI requirements vary based on your volume of card transactions:
Level 1: Over 6 million transactions/year
Level 2: 1 to 6 million transactions/year
Level 3: 20,000 to 1 million e-commerce transactions/year
Level 4: Fewer than 20,000 e-commerce transactions/year, or up to 1 million total transactions/year
Most small businesses fall into Level 4, which means your main responsibility is completing the SAQ and possibly running quarterly scans.
Final Thoughts
PCI compliance might seem technical, but at its core, it’s about keeping your business and your customers safe. The requirements scale to your business size, and plenty of tools exist to help you succeed. Stay informed, take the SAQ seriously, and resolve any issues promptly to protect your business and avoid costly disruptions.
If you’re ever unsure about how to get started, reach out to your payment processor—they’re there to help.