The 12 PCI DSS Compliance Requirements Explained

Meeting PCI compliance requirements is a must for an ecommerce company that collects cardholder data to complete transactions. Learn more.

by Shopify
On this page
  • What is PCI compliance? 
  • 12 requirements of PCI DSS Compliance
  • Consequences of non-compliance 
  • How to become PCI compliant 
  • PCI compliance requirements FAQ

Ecommerce data breaches have steadily climbed, with three-quarters of businesses reporting a net increase in attacks since 2020. 

Securing cardholder data is a top priority for any online business that processes payments. The baseline for doing so is PCI DSS compliance, which sets the minimum technical and operational controls for every organization that stores, processes, or transmits payment card data.

What is PCI compliance? 

PCI compliance is adherence to the security standards set out in the Payment Card Industry Data Security Standard (PCI DSS). The standard requires companies that store, process, or transmit payment card information to take defined steps to protect cardholder data and to prevent breaches, fraud, and unauthorized access. Cardholder data, as PCI DSS defines it, is the primary account number (PAN) together with the cardholder name, expiration date, and service code. A separate category, sensitive authentication data (full magnetic-stripe or chip data, the card verification code, and PINs), is held to a stricter rule: it must never be stored after authorization, even in encrypted form. The definition applies to debit, credit, and prepaid cards alike.

How you must validate compliance depends on how many card transactions you process per year. That volume places a merchant in one of four compliance levels, which determine the validation procedure (a self-assessment or an on-site assessment). The levels are defined by the individual card brands rather than by the PCI SSC itself; the thresholds below follow Visa's and Mastercard's scheme, and other brands vary slightly.

There are four levels:

PCI Compliance Level 1

The highest level of compliance, required for merchants that process more than six million transactions per year and for payment facilitators and other service providers that process more than 300,000 transactions per year. 

PCI Compliance Level 2

Required for companies that process between one million and six million transactions per year and payment facilitators who process fewer than 300,000 transactions per year. 

PCI Compliance Level 3

Required for companies that process 20,000 to one million transactions per year. 

PCI Compliance Level 4

Required for companies that process up to 20,000 transactions per year. 

While PCI compliance is not enforced at the federal level, non-compliance has legal implications. In some states—like Nevada—PCI compliance is mandated by law. Credit card companies and numerous banks incorporate PCI compliance requirements in their terms of service. Non-compliance can result in severe penalties, fines, and legal consequences.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. These are the requirements you must meet to remain PCI compliant. PCI DSS was created by the Payment Card Industry Security Standards Council (PCI SSC), which was founded as an independent organization in 2006 by Visa, Mastercard, American Express, Discover, and JCB. 

PCI SSC created the PCI DSS to improve and standardize existing security checks and balances in the industry. It aims to ensure ecommerce businesses meet the technical, operational, and security requirements needed to keep cardholder data safe.

Shopify is certified as a PCI DSS Level 1 service provider, so the platform's handling of card data, including Shopify Payments, is validated regardless of how many transactions a store processes. That removes the platform from a merchant's assessment scope, but it does not remove the merchant's own obligations: you remain responsible for the parts of the environment you control, such as staff accounts and how they authenticate, any third-party scripts you add to checkout pages, and any card data you handle outside the platform. 

12 requirements of PCI DSS Compliance

  1. Install and maintain a secure network

  2. Apply secure configurations to all system components

  3. Protect stored account data

  4. Protect cardholder data during transmission over public networks

  5. Protect systems and networks from malicious software

  6. Develop and maintain secure systems and software

  7. Restrict access to system components and cardholder data on a need to know basis

  8. Identify users and authenticate their access

  9. Restrict physical access to cardholder data

  10. Monitor and log access to systems and cardholder data

  11. Regularly test networks and security systems

  12. Maintain and support information security with policies and programs

PCI DSS requirements are operational, technical, and procedural controls that protect cardholder data from malicious actors. The 12 requirements are grouped under six goals: build and maintain a secure network and systems, protect account data, maintain a vulnerability management program, implement strong access controls, regularly monitor and test networks, and maintain an information security policy. Here is what each requirement asks for: 

1. Install and maintain a secure network

Implement network security controls (firewalls, security groups, and equivalent cloud or host-based controls) between the cardholder data environment (CDE) and every other network, including the internet and your own corporate network. Allow only the traffic each system needs, deny everything else by default, keep a current network diagram and data-flow diagram, and review the rule set at least every six months. Anti-malware and periodic testing belong to Requirements 5 and 11; this requirement is about segmenting and filtering the network.

2. Apply secure configurations to all system components

Attackers routinely try vendor-default credentials, SNMP community strings, and sample accounts, all of which are published in product manuals. Change every vendor-supplied default before a system enters the cardholder data environment, and remove or disable accounts that are not needed.

Beyond passwords, secure configuration means hardening each system against a documented baseline: disable unnecessary services, protocols, and daemons, run one primary function per server or container so that services with different security needs do not share a host, encrypt all non-console administrative access, and record the approved configuration so drift can be detected. Strong authentication for the people who use these systems, including two-factor authentication (2FA), is covered under Requirement 8.

3. Protect stored account data

Store cardholder and account data only where there is a documented business need, keep it no longer than that need requires, and render it unreadable wherever it is stored. Sensitive authentication data (full track data, card verification codes, PINs) must never be stored after authorization, even encrypted. Techniques PCI DSS recognizes for rendering a stored PAN unreadable include:

  • Truncation: permanently removing part of the PAN so that at most the BIN and the last four digits remain (for example, 424242******4242). Unlike masking, truncation changes what is stored, not just what is displayed.

  • Masking: showing only part of the PAN on screens and receipts, typically the last four digits, while the full value stays protected in storage. Masking is a display control (Requirement 3.4); it does not by itself make stored data safe.

  • Hashing: replacing the PAN with a fixed-length, one-way digest. Because a PAN has very little entropy once the BIN and check digit are known, PCI DSS v4.0 requires the hash to be a keyed cryptographic hash of the entire PAN (Requirement 3.5.1.1), and hashed and truncated versions of the same PAN may not coexist unless controls ensure they cannot be correlated.

  • Strong encryption with proper key management: encrypting the stored PAN with keys that are kept separate from the data, protected in a key-management system or HSM, and rotated at the end of their cryptoperiod.

  • Point-to-point encryption (P2PE): a validated solution that encrypts card data inside the payment terminal and keeps it encrypted until it reaches the solution provider. P2PE is primarily a transmission control, but because the merchant never sees clear-text card data, it takes most of the merchant's systems out of PCI DSS scope.
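The difference between masking, truncation, and keyed versus unkeyed hashing is easiest to see in code. The following Python is an added example written for this article, not Shopify's code or a PCI SSC reference implementation; the sample PAN is a Luhn-valid test number, and the HMAC key is generated on the spot (in production it would live in a KMS or HSM). It also shows why the standard insists on keyed hashes: given a truncated copy of the same PAN, a plain SHA-256 of the full number is recovered by exhaustion in about a second.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample PAN: a Luhn-valid test number, not a real card.
SAMPLE_PAN = "4242424242424242"


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the BIN (first six) and last four; the rest is discarded."""
    if not 13 <= len(pan) <= 19 or not pan.isdigit():
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_pan(pan: str) -> str:
    """Masking for display (receipts, support screens): last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def unkeyed_hash(pan: str) -> bytes:
    """Plain SHA-256 of the PAN. Looks irreversible; see recover_pan_from_unkeyed_hash."""
    return hashlib.sha256(pan.encode()).digest()


def keyed_hash(pan: str, key: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256) as PCI DSS v4.0 Req 3.5.1.1 requires. The key must be
    managed like an encryption key and kept away from the hashed data."""
    return hmac.new(key, pan.encode(), hashlib.sha256).digest()


def recover_pan_from_unkeyed_hash(digest: bytes, bin6: str, last4: str,
                                  length: int = 16) -> Optional[str]:
    """Brute-force the middle digits of a PAN given its unkeyed SHA-256 digest plus the
    BIN and last four (exactly what a truncated copy of the same PAN leaks).
    A 16-digit PAN leaves only 10**6 candidates, which CPython checks in about a second.
    Returns None when nothing matches, which is what happens for a keyed hash."""
    middle = length - len(bin6) - len(last4)
    for n in range(10 ** middle):
        candidate = f"{bin6}{n:0{middle}d}{last4}"
        if hashlib.sha256(candidate.encode()).digest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in production: generated and held in a KMS or HSM
    bin6, last4 = SAMPLE_PAN[:6], SAMPLE_PAN[-4:]
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("unkeyed hash recovered:",
          recover_pan_from_unkeyed_hash(unkeyed_hash(SAMPLE_PAN), bin6, last4))
    print("keyed hash recovered:  ",
          recover_pan_from_unkeyed_hash(keyed_hash(SAMPLE_PAN, key), bin6, last4))
```

Running it prints the truncated and masked forms, then recovers the full PAN from its plain SHA-256 and fails to recover it from the HMAC. The brute force needs only the BIN and last four, which is exactly what a truncated PAN or a printed receipt exposes, so storing an unkeyed hash beside a truncated PAN is equivalent to storing the PAN itself. The masked form is also what a support agent should see under Requirement 8 in place of the full number.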

4. Protect cardholder data during transmission over public networks

Ensure cardholder and account data is protected with strong cryptography whenever it crosses open, public networks: TLS 1.2 or later with certificates from a trusted source and only secure cipher suites (SSL and early TLS are not acceptable), and never send a PAN over end-user messaging such as email, chat, or SMS unless it has been rendered unreadable first.

5. Protect systems and networks from malicious software

Deploy anti-malware on every system commonly affected by malware, keep its definitions current, run periodic and real-time scans, and retain the scan logs. For systems you judge not commonly affected, document that judgment and revisit it periodically as threats change. PCI DSS v4.0 also places anti-phishing controls for personnel under this requirement, since phishing is the most common way malware enters a cardholder data environment. Identifying and remediating software vulnerabilities is handled under Requirement 6.

6. Develop and maintain secure systems and software

Apply vendor security patches promptly (critical and high-severity patches within one month of release), keep an inventory of the software you run so you know what needs patching, and build security into the software development life cycle (SDLC): secure-coding training for developers, code review before release, protection against common web vulnerabilities such as injection, broken authentication, and cross-site scripting, and separation of development, test, and production environments. Public-facing web applications must also be protected by an automated technical solution, such as a web application firewall, that is kept running and actively blocking or alerting.

You can help sustain this by assigning a team to audit your store's network and data-management practices on a regular schedule, identify weaknesses, and drive the fixes to completion.

7. Restrict access to system components and cardholder data on a need to know basis

Ensure cardholder data, and the systems that handle it, are accessible only to the people and processes whose job requires it. Define access by role, default to deny, and review assigned privileges at least every six months so that access does not accumulate as people change roles.

8. Identify users and authenticate their access

Assign every user a unique ID; shared, group, or generic accounts are not permitted except under documented, limited exceptions. Authenticate access with strong passwords or passphrases (12 characters or more under v4.0) or another strong factor, require multi-factor authentication for all access into the cardholder data environment and for all remote access, lock accounts after repeated failed attempts, and make sure the ID is recorded with every action so you can tell who did what with stored cardholder data.

For example, a company may grant access to full, unmasked card data only to a core group of employees on the data security team. All other employees are either not granted access at all or are shown only truncated or masked versions of the data to help with customer inquiries and order fulfillment.

9. Restrict physical access to cardholder data

Use security systems to lock away devices that store sensitive data and restrict physical access to areas of the store where these devices are kept. Set up surveillance cameras to monitor spaces that might be vulnerable to a physical breach.

10. Monitor and log access to systems and cardholder data

Record who accessed what, when, from where, and whether the attempt succeeded, for every system in the cardholder data environment. Log all individual access to cardholder data, all administrative actions, every use of or change to authentication mechanisms, and every start, stop, or clearing of the logs themselves. Synchronize system clocks so events from different systems can be ordered, protect logs from alteration, review them daily (with automated tooling where possible), and retain at least 12 months of history with the most recent three months immediately available.

This is what makes incident response possible. After a breach, responders reconstruct the intruder's path through the environment; complete and trustworthy logs are the evidence they use to establish how the attacker got in, what they touched, and whether card data was actually taken.
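What a daily log review actually looks for is best shown on sample data. The following Python is an added example, not Shopify's tooling or any vendor's product; the audit records are constructed for the example, and the user names, thresholds, and allowlist of people permitted to view a full PAN are assumptions chosen to illustrate Requirements 7, 8, and 10 together. It parses JSON Lines audit records and raises two kinds of alert: an account whose failed logins hit the lockout threshold PCI DSS v4.0 sets (no more than 10 attempts), and any successful read of an unmasked PAN by someone outside the allowlist.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy for this example (not Shopify's or any vendor's configuration).
FAILED_LOGIN_LIMIT = 10           # PCI DSS v4.0 Req 8.3.4: lock out after no more than 10 invalid attempts
WINDOW = timedelta(minutes=30)    # sliding window in which the failures are counted
FULL_PAN_ALLOWLIST = {"sec-bob"}  # the only user IDs permitted to read an unmasked PAN (Req 7)


def _rec(ts, user, event, result, src, target, **extra):
    """Build one JSON Lines audit record with the fields Req 10.2.2 expects."""
    return json.dumps({"ts": ts, "user": user, "event": event, "result": result,
                       "src": src, "target": target, **extra})


# Constructed sample log: one stale failure, normal service activity, a burst of ten
# failed logins against one account, then two full-PAN reads, only one of them authorized.
SAMPLE_LOG = "\n".join(
    [_rec("2024-05-01T08:00:00Z", "jdoe", "login", "failure", "203.0.113.7", "cde-app"),
     _rec("2024-05-01T09:00:00Z", "svc-checkout", "login", "success", "10.0.1.20", "cde-app"),
     _rec("2024-05-01T09:00:05Z", "svc-checkout", "pan_read", "success", "10.0.1.20",
          "order:1001", field="pan_masked")]
    + [_rec(f"2024-05-01T09:{m:02d}:00Z", "jdoe", "login", "failure", "203.0.113.7", "cde-app")
       for m in range(1, 11)]
    + [_rec("2024-05-01T09:12:00Z", "support-amy", "pan_read", "success", "10.0.2.15",
            "order:1002", field="pan_full"),
       _rec("2024-05-01T09:13:00Z", "sec-bob", "pan_read", "success", "10.0.3.8",
            "order:1003", field="pan_full")]
)


def parse_log(text: str) -> list:
    """Parse JSON Lines into records sorted by timestamp. Events from several hosts only
    line up if their clocks are synchronized, which Req 10.6 demands."""
    records = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
            records.append(r)
    return sorted(records, key=lambda r: r["ts"])


def detect_failed_login_bursts(records: list) -> list:
    """Alert once per user whose failed logins reach FAILED_LOGIN_LIMIT inside WINDOW."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for r in records:
        if r["event"] != "login" or r["result"] != "failure":
            continue
        q = recent[r["user"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > WINDOW:      # drop failures older than the window
            q.popleft()
        if len(q) >= FAILED_LOGIN_LIMIT and r["user"] not in flagged:
            flagged.add(r["user"])
            alerts.append({"rule": "failed_login_threshold", "user": r["user"],
                           "src": r["src"], "count": len(q), "at": r["ts"].isoformat()})
    return alerts


def detect_unauthorized_pan_reads(records: list) -> list:
    """Alert on every successful read of a full PAN by a user outside the allowlist."""
    return [{"rule": "unauthorized_full_pan_read", "user": r["user"], "target": r["target"],
             "src": r["src"], "at": r["ts"].isoformat()}
            for r in records
            if r["event"] == "pan_read" and r["result"] == "success"
            and r.get("field") == "pan_full" and r["user"] not in FULL_PAN_ALLOWLIST]


def run_detections(text: str) -> list:
    """Run both detections over a JSON Lines log and return the combined alert list."""
    records = parse_log(text)
    return detect_failed_login_bursts(records) + detect_unauthorized_pan_reads(records)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(json.dumps(alert))
```

The stale failure at 08:00 falls outside the 30-minute window and is not counted, so the alert fires on the tenth failure at 09:10 with a count of exactly 10; the masked read by the checkout service and the full read by the allowlisted security user produce nothing, while the support agent's full-PAN read is flagged. Each record carries the six fields Requirement 10.2.2 calls for, which is what lets the second rule tie a user, an action, and a specific order together.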

11. Regularly test networks and security systems

Test your defenses rather than assume they work. PCI DSS requires internal and external vulnerability scans at least quarterly and after significant changes (external scans by an Approved Scanning Vendor), penetration testing of the network and applications at least annually and after significant changes, including tests that confirm your segmentation actually isolates the cardholder data environment, intrusion detection or prevention at the perimeter of the CDE and at critical points inside it, and change detection on critical files and on the scripts loaded by payment pages. Load or stress testing is good operational practice, but it is not what this requirement measures.

12. Maintain and support information security with policies and programs

Establish a dedicated information security policy for all employees outlining:

  • Technological requirements for network security, including firewalls, anti-virus software, and password protections

  • Best practices for network usage, data usage, and data storage

  • Key roles and responsibilities across the organization, including data security leaders

  • Requirements for all staff members, including data classification guidelines, using strong passwords, following data handling procedures, and undergoing regular security training

  • Processes for identifying and reporting potential vulnerabilities in data security, including phishing scams and improper data transfers

This provides a baseline of technical and operational requirements designed to protect cardholder data and ensure consistent data security measures globally.

Consequences of non-compliance 

PCI compliance is obligatory for businesses that accept cards from the major brands (Visa, Mastercard, American Express, Discover, and JCB) or that transact through banks that enforce it. Each brand and acquiring bank writes PCI compliance into its service agreement, spelling out what merchants must do to remain compliant and what happens if they do not.

Failure to comply with the PCI data security standard while transacting through these companies can open you up to fines. These range from hundreds of dollars per month for small businesses to hundreds of thousands of dollars per month for larger enterprises. 

Fines for non-compliance flow down the payment chain. After a breach at an online store, the card brand investigates and, if it finds the merchant was not compliant, fines the merchant's acquiring bank. The acquirer passes the fine to the merchant under its service agreement and may also raise the merchant's transaction fees or terminate the agreement. The card brands do not fine merchants directly; penalties reach you through your acquirer.

Monetary penalties aren’t the only risk of non-compliance with PCI DSS. Companies that fail to protect stored cardholder data put themselves—and their customers—at risk of potential data breaches and hacks. A data breach can have far-reaching consequences, including identity theft, damage to the company’s reputation, loss of customers, and potential lawsuits, insurance claims, and government fines.

According to IBM’s Cost of Data Breach Report 2023, the average cost of a data breach across all industries reached $4.45 million in 2023. These costs factor in: 

  • Time committed to identifying, patching, and remediating the effects of the data breach

  • Financial losses to the company due to system outages and customer turnover

  • Long-term loss of reputation and trust amongst customers

How to become PCI compliant 

  1. Determine your PCI compliance level

  2. Map the flow of cardholder data

  3. Fill out the Self-Assessment Questionnaire (SAQ)

  4. Fill out the Attestation of Compliance (AOC)

  5. Scan your network used to process payments

  6. Submit all documents to key stakeholders

  7. Undergo regular assessments and validations

You have two choices for becoming PCI compliant: Using an ecommerce platform that manages compliance for you (like Shopify), or managing the process yourself. 

For companies that want to manage PCI compliance themselves, there are seven requirements: 

1. Determine your PCI compliance level

Find out how many credit card transactions you process annually to determine which PCI compliance level you need to meet. Shopify’s compliance covers all four PCI compliance levels and applies to every store using the platform.

2. Map the flow of cardholder data

Take stock of all applications, systems, and people who work with stored credit card data to form a complete picture of where information is collected, how it’s used, and where potential vulnerabilities lie.

3. Fill out the Self-Assessment Questionnaire (SAQ)

The Self-Assessment Questionnaire (SAQ) is the validation tool for merchants that are not required to undergo an on-site assessment (typically Levels 2 to 4). There are several SAQ types, chosen by how you accept cards rather than by your level: a merchant whose checkout is fully outsourced to a validated third party and whose systems never touch card data may qualify for SAQ A, which has the fewest questions, while a merchant that stores or processes card data itself must complete SAQ D, which covers all 12 requirements. Answering the SAQ honestly shows where you fall short; closing those gaps may require security investment, upgrades, or maintenance before you can attest.

4. Fill out the Attestation of Compliance (AOC)

The Attestation of Compliance (AOC) is the signed declaration that your business meets the requirements of its SAQ (or, for Level 1, of its Report on Compliance). It is submitted to your acquiring bank or to the card brands as they require, not to the PCI SSC, which publishes the standard but does not collect compliance documents or certify merchants.

5. Scan your network used to process payments

Vulnerability scanning is required to validate security and compliance. Internal scans, run from inside the network at least quarterly and after significant changes, look for missing patches and misconfigurations on systems in the cardholder data environment. External scans probe the internet-facing systems in scope and must be performed at least quarterly by a PCI SSC Approved Scanning Vendor (ASV); findings must be remediated and rescanned until a passing result is obtained. 

Whether ASV scans apply depends on your SAQ type rather than your level: a merchant on SAQ A with no in-scope public-facing systems is not required to have them, while merchants on SAQ A-EP, B-IP, C, and D are. ASV scanning services typically cost a few hundred dollars per year.

6. Submit all documents to key stakeholders

Beyond your acquiring bank, you may need to submit documents to the card brands, payment processors, and any other vendor with contractual PCI requirements. Each has its own requirements based on its terms of service. Consult your service agreement for what information is required and when.

7. Undergo regular assessments and validations

PCI compliance requires annual assessments and validations, either internally or through third-party auditors. The specific requirements and who is in charge of performing the network audits depend on your PCI compliance level. 

Level 1 merchants that process more than six million transactions per year are required to have an annual on-site assessment by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) trained by the PCI SSC where the acquirer permits it, resulting in a Report on Compliance (ROC). The assessment alone can cost between $10,000 and $50,000 per year, not including the cost of required security upgrades or maintenance.


PCI compliance requirements FAQ

How often do I need to be PCI compliant?

PCI compliance must be validated every year. It’s an ongoing requirement for all merchants who accept payment card data to process payments. 

How long does it take to become PCI compliant?

The time required to achieve PCI compliance varies with system complexity, company size, compliance level, and how much card data your own systems touch. Merchants whose card handling is fully outsourced to a compliant platform can often complete a self-assessment within a day; merchants that store, process, or transmit card data themselves should expect weeks or longer.

How much does it cost to become PCI compliant?

The cost of PCI compliance depends on various factors, including: 

  • Internal resources required to manage PCI compliance

  • Your compliance level, which dictates if you need to use external vendors

  • Your organization’s size, existing security culture, and network security 

  • Fees associated with using PCI-compliant platforms or payment facilitators

Most platforms, like Shopify, include PCI compliance in the cost of the platform.

Is PCI compliance enough to ensure the security of my business?

PCI compliance is crucial to securing cardholder data in online transactions, but it shouldn’t be viewed as the sole solution. Consider it a single layer of security within a comprehensive security program that addresses all areas where data is collected and exchanged.

What is a PCI compliance audit?

A PCI compliance audit is an evaluation conducted by a qualified security assessor (QSA) or an internal security assessor (ISA) to verify a company is adhering to the Payment Card Industry Data Security Standard (PCI DSS). This audit is required for larger businesses, known as Level 1 merchants, that process more than six million credit card transactions annually. Smaller businesses may also choose to undergo an audit to ensure they are following best practices for securing cardholder data. The QSA or ISA will provide a Report on Compliance (ROC) detailing whether the company is compliant with each requirement of the PCI DSS.

A compliance audit includes:

  • Reviewing the company’s policies and procedures

  • Examining the company’s IT environment

  • Conducting interviews with staff

  • Performing vulnerability scans and penetration testing

by Shopify
Updated on 20 Aug 2023
