
Key takeaways

  • PCI DSS provides a well-tested framework to protect your customers’ payment data and prevent fraud.
  • The governing/overseeing body for PCI DSS is the PCI Security Standards Council (SSC).
  • Meeting PCI requirements strengthens your overall security posture and helps build lasting customer relationships anchored with trust.
  • Stay secure through systematic assessment, remediation and reporting of your PCI compliance measures.

Debit and credit cards account for more than 60% of consumer payments [1], making the protection of sensitive payment data essential to your business. The Payment Card Industry Data Security Standard (PCI DSS) provides the framework you need to safeguard cardholder data and maintain secure transactions.

What is PCI compliance?

PCI compliance requires implementing and maintaining specific security measures to protect cardholder data. Compliance requirements are enforced by the major credit card brands, such as Visa, Mastercard and American Express. The governing/overseeing body for PCI DSS is the PCI Security Standards Council (SSC). As a merchant, payment processor or service provider, you must meet these standards if your business handles credit or debit card information in any way—whether storing, processing or transmitting it.

These requirements establish a complete security framework for your business, from basic protections like firewalls and passwords to more comprehensive systems for data encryption and access management.

How is PCI compliance ranked?

As a merchant, your PCI compliance requirements scale with your transaction volume, divided into four levels. Typical volume-based compliance levels are:

  • Level 4: Fewer than 20,000 transactions annually
  • Level 3: 20,000 to 1 million transactions annually
  • Level 2: 1 to 6 million transactions annually
  • Level 1: Over 6 million transactions annually

Not all card brands use all four compliance levels, and the transaction volumes that define each level may vary by brand. For example, Discover and American Express have no PCI Level 4 designation, and JCB has only two merchant levels. Additionally, if a merchant suffers a data breach that compromises cardholder information, the brand may move it to a higher PCI compliance level.

Your compliance level determines your validation requirements. Larger merchants (Levels 1-2) typically need on-site assessments by Qualified Security Assessors (QSAs) who are certified by SSC, while smaller merchants may only need to complete self-assessment questionnaires (SAQs).

While merchants have four levels of PCI requirements, service providers (such as payment gateways and other businesses involved in processing, storing or transmitting cardholder data) have only two.

Why is PCI compliance important?

PCI compliance protects your business and customers on multiple levels. Beyond protecting sensitive data—from credit card numbers to security codes—it provides a structure for preventing data breaches, fraud and identity theft. 

Following PCI DSS standards strengthens your overall security posture and helps you stay ahead of evolving threats. Most importantly, it demonstrates to your customers that you take their data security seriously, helping you build the trust essential for long-term business relationships.


What are the key requirements for PCI compliance?

PCI DSS protects cardholder data through 12 core security requirements:

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

These 12 requirements work together in a continuous cycle of security management:

  • Assess: Evaluate where cardholder data exists in your systems, and map out both the IT assets and business processes that interact with it.
  • Remediate: Address vulnerabilities, optimize data storage and strengthen protective measures based on your assessment findings.
  • Report: Document your compliance efforts and submit required validation to maintain your PCI DSS certification.

We’re here to help

J.P. Morgan offers the expertise and solutions you need to implement and maintain strong security measures. Our security solutions help you protect cardholder data while meeting all PCI DSS requirements—letting you focus on growing your business.


JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/commercial-banking/legal-disclaimer for disclosures and disclaimers related to this content.

References

1. Federal Reserve Financial Services’ FedCash® Services, 2024 Diary of Consumer Payment Choice
