If you run a retail store, restaurant, or any business in Western New York that processes credit card payments, PCI DSS compliance isn’t optional — it’s a contractual obligation embedded in your merchant agreement. Most small business owners we work with have never had anyone explain what it actually requires in plain terms. This checklist is our attempt to fix that.
Hello! We are Acme Business in Olean, NY. We help businesses across Western NY and Northern PA get PCI compliant and maintain that compliance over time. Here’s what the standard requires, translated out of technical language.
Why PCI Compliance Matters — and What’s at Stake
The Payment Card Industry Data Security Standard (PCI DSS) was established by the major card brands — Visa, Mastercard, American Express — to protect cardholder data. Non-compliance has real consequences: fines from your payment processor ($86,000 to $4 million), increased transaction fees, and in the event of a breach, direct liability for fraudulent charges. Some processors will revoke your ability to accept cards entirely if a compliance failure contributes to a breach.
The good news: most small businesses only need to complete a Self-Assessment Questionnaire rather than a formal third-party audit. And if your IT environment is properly configured, you may already be meeting many of these requirements. The gaps are usually smaller than business owners expect.
Read more from the official PCI Security Standards Council
The 12 PCI DSS Requirements in Plain English
- Install and maintain a firewall. Any network where cardholder data flows must have a properly configured firewall. For most of our clients, this means a SonicWall firewall with appropriate security zones. A basic ISP-provided router (for example, the router Spectrum supplies) does not meet this requirement.
- Change all vendor-supplied default passwords. Every piece of equipment — firewalls, switches, access points, payment terminals — ships with default credentials. These must be changed before the device goes into service.
- Protect stored cardholder data. If you store card numbers (most small businesses shouldn’t), they must be encrypted. For most businesses, the right answer is to not store cardholder data at all — use a payment processor that handles tokenization.
- Encrypt cardholder data in transit. Any payment data transmitted across open networks must be encrypted using current protocols: HTTPS (TLS) for web-based payment processing, and encrypted connections between the point-of-sale system and the processor.
- Protect all systems against malware. Every system that handles or could connect to cardholder data must have active, up-to-date endpoint protection. This is where SentinelOne comes in for our clients — traditional antivirus typically does not satisfy the spirit of this requirement.
- Develop and maintain secure systems and applications. Operating systems and software must be patched consistently. Unpatched vulnerabilities are among the most common entry points for attackers.
- Restrict access to cardholder data by business need. Access controls should limit exposure to only those who genuinely require it, and those controls must be documented.
- Identify and authenticate all access to system components. Everyone accessing systems that touch cardholder data needs a unique user ID. Shared accounts are not acceptable. MFA is required for remote access.
- Restrict physical access to cardholder data. Who can walk up to your point-of-sale terminal? Who has access to the server room? These boundaries must be defined and enforced.
- Log and monitor all access to network resources. Systems should generate logs, and those logs need to be retained and reviewed. The network monitoring we deploy for all managed clients handles the technical requirements of this control.
- Regularly test security systems. Quarterly vulnerability scans are required for most merchant categories. Higher-volume environments also require annual penetration testing.
- Maintain an information security policy. Keep written policies that cover how cardholder data is handled, who is responsible for security, and what your incident response plan looks like.
Where Most Small Businesses Have Gaps
In assessments of small businesses across our region, the most common PCI compliance gaps fall into four categories: inadequate network segmentation (the payment network is flat, not isolated from the general business network), missing documentation (controls exist but aren’t written down), inconsistent patching (devices are behind on firmware and security updates), and weak access controls (shared passwords, no MFA on remote access). Each of these is fixable, and most can be addressed within the first 30 to 60 days of a managed IT engagement.
How Acme Helps Businesses Achieve and Maintain Compliance
The technical controls required for PCI compliance — SonicWall firewall with network segmentation, SentinelOne endpoint protection, consistent patch management, access control enforcement, and continuous logging and monitoring — are standard components of our managed IT agreements. We guide clients through the documentation layer (written policies, access control records, and SAQ completion) as part of onboarding.
If you’re facing a compliance deadline or want to confirm your environment would hold up under scrutiny, reach out at Contact Us.
Try our PCI self-assessment now to gauge your PCI compliance.