SITE STATUS: LIVEINDEPENDENT REFERENCE · NOT NMI
Blog

What Is PCI Compliance?

The Payment Card Industry Data Security Standard, the four merchant levels, the SAQ types, and how to shrink scope.

HomeBlogWhat Is PCI Compliance

PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS) — a set of 12 requirements maintained by the PCI Security Standards Council covering how cardholder data must be handled. Every business that accepts card payments is expected to comply, but the proof obligation scales with annual transaction volume across four merchant levels. The biggest practical lever for most merchants is scope reduction — pushing card data out of your environment so you qualify for a lighter Self-Assessment Questionnaire (SAQ).

The 12 PCI DSS requirements, briefly

PCI DSS organizes its rules into six control objectives covering twelve high-level requirements:

  1. Build and maintain a secure network — firewalls in front of cardholder-data environments; no vendor-default passwords.
  2. Protect cardholder data — protect stored data; encrypt transmission across open networks.
  3. Maintain a vulnerability-management program — anti-malware; develop and maintain secure systems and applications.
  4. Implement strong access control — restrict access by need-to-know; unique IDs; restrict physical access.
  5. Monitor and test networks — log and monitor access; regularly test security systems.
  6. Maintain an information-security policy — written policy that addresses everything above.

Each high-level requirement breaks down into many sub-requirements (hundreds in total). What matters for most merchants is not memorizing the standard but understanding which SAQ they qualify for — that determines how many of those sub-requirements they actually have to attest to.

The four PCI merchant levels

Level 1

Over 6M transactions/year. External QSA audit (RoC). Quarterly ASV scans. Costliest tier.

Level 2

1-6M transactions/year. Self-assessment (SAQ) signed by an internal officer; quarterly scans.

Level 3

20K-1M e-commerce transactions. SAQ + quarterly scans.

Level 4

Under 20K e-commerce or under 1M total. SAQ (and scans if applicable). The level most small businesses are in.

SAQ types — the practical question

For Levels 2-4 the merchant fills out a Self-Assessment Questionnaire annually. Which SAQ depends on how cards are accepted:

The big scope-reduction lever

The difference between SAQ A (20 questions) and SAQ D (330 questions) is whether cardholder data ever touches your environment. Tokenization and hosted checkout/iframe integrations push the answer toward "no" — which is why every payment gateway pushes them. With a Collect.js-style iframe (NMI), card data goes straight to the gateway and you typically qualify for SAQ A-EP instead of SAQ D.

People also ask about PCI compliance

How does tokenization reduce PCI scope?

Tokenization replaces the card number with a random token stored in the gateway's PCI-compliant vault, so the merchant never holds the real card number. With no cardholder data in the merchant environment, PCI scope shrinks to the systems that transmit data — usually SAQ A or A-EP territory instead of SAQ D. See tokenization vs. encryption for the distinction.

Is PCI compliance legally required?

It's a contractual obligation imposed by the card networks via your acquirer, not a federal statute. But non-compliance carries real consequences: monthly fines from the acquirer ($5,000-$100,000+ for sustained non-compliance), liability for breach costs, and potentially loss of card acceptance. Several US state laws reference PCI in data-breach statutes, giving it indirect legal weight.

What does PCI compliance cost?

For a small merchant on SAQ A, the direct cost is essentially zero — you complete the form annually, often guided by your processor's compliance portal. Level 1 merchants spend $30,000-$200,000+ on QSA audits. Quarterly ASV scans (for SAQs that require them) run $100-$500 per scan. The bigger cost is the engineering work to qualify for the lighter SAQ in the first place.

Practical compliance roadmap

  1. Establish your level based on transaction volume.
  2. Pick a payment architecture that minimizes scope — hosted checkout or iframe over server-to-server keyed entry.
  3. Complete the right SAQ annually, usually through your acquirer's portal.
  4. Run quarterly ASV scans if your SAQ requires them.
  5. Keep written policies covering incident response, access control, and key management.
  6. Use tokenization for stored cards — the Customer Vault or equivalent — so you never store the real PAN.

FAQ

What is PCI compliance?

Meeting the Payment Card Industry Data Security Standard — 12 requirements on how cardholder data is handled. Required by your acquirer for every business that accepts cards.

The 4 levels?

L1 (>6M txn/yr, QSA audit), L2 (1-6M, SAQ), L3 (20K-1M ecom, SAQ), L4 (small, SAQ). Most small businesses are L4.

SAQ A vs SAQ D?

~20 questions vs ~330. SAQ A applies to merchants who outsource all card handling; SAQ D to those who store/process card data themselves.

How to shrink scope?

Tokenize stored cards, use hosted checkout or iframe integration, P2PE for card-present. Goal: cardholder data never touches your environment.

NMI & PCI?

NMI's Customer Vault tokenizes stored cards; Collect.js iframe keeps card data off your servers. Both shrink PCI scope significantly.

Related