PCI Compliance Guide

PCI compliance made easy.





What is PCI Compliance?




The major credit card companies - Visa, Mastercard and American Express - established the Payment Card Industry Data Security Standards (PCI-DSS) guidelines in 2006 in an effort to protect credit card data from fraud and theft.

Each year billions of dollars' worth of fraudulent credit card transactions take place in the United States. PCI-DSS aims to halt the increasing trend of credit card fraud. Protecting customer data and payment information must be a priority for businesses; otherwise they face devastating reputational loss.

Understanding your PCI compliance responsibilities can help your business remain in compliance and protect its staff and customers.




What happens if I don't comply with PCI Compliance?


If you can't prove your PCI compliance, your business could face a number of negative consequences, such as:

  • PCI non-compliance charges.
  • Damaging loss of reputation to your business.
  • Loss of customer trust.
  • Loss of customer identity and payment information.
  • Higher banking charges.





12 Requirements for PCI Compliance

Goals and requirements

Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel


ALSO READ: Credit card protection: Understanding the 12 PCI security requirements



How much does it cost to become PCI Compliant?

The answer to this question depends on a number of factors. There is a cost involved in becoming compliant; however, these charges can be dwarfed by the potential fine that could be levied by your payment provider.






How do I validate my PCI compliance?

You can validate your business's PCI compliance by filling out a Self-Assessment Questionnaire (SAQ). It's a way for your business to prove it is taking the security measures needed to keep your customers' credit card data safe. PCI SAQs vary in length but contain the protocols and procedures your business should be following to keep payment card data safe.



Can Paytia help with PCI Compliance?

Paytia is a PCI Level 1 Service Provider. Choosing Paytia saves you from answering 93% of the questions when preparing the Self-Assessment Questionnaire and prepares you for full PCI Compliance.

Paytia specialises in providing a PCI compliant payment-by-phone solution with our Secure Virtual Terminal, suitable for a single user or for call centres with our scalable payment environment. Your customers enter their details via their phone keypad, and your agent sees the live input on their computer screen, but with the card number displayed as 'XXXX'. Paytia removes the need for your staff to ask customers to read out their sensitive credit card details aloud and keeps you in scope for PCI compliance.
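The masked keypad-entry flow described above, as an added example in Python. This is not Paytia's code and says nothing about how their Secure Virtual Terminal is built; it shows the defensive pattern the passage describes: keypad digits are accumulated inside a capture object the agent never reads directly, the agent screen receives only a masked rendering, and the full card number is handed to the payment processor exactly once. The keypad conventions ('#' submits, '*' clears), the accepted length range, the hypothetical `release_to_processor` name and the test card number are all assumptions of this example. PCI DSS permits at most the first six and last four digits of a PAN to be displayed; the policy here shows only the last four, which is within that allowance.

```python
"""Masked capture of a card number entered on a phone keypad.

Added example (not Paytia's code). The agent only ever receives a masked
string; the full PAN stays inside the capture object until released to the
processor. Keypad conventions ('#' submits, '*' clears) are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Agent-display policy (assumption): show only the last four digits.
# PCI DSS allows at most first six + last four; showing fewer is within that.
VISIBLE_TAIL = 4
MIN_LEN, MAX_LEN = 13, 19  # PAN length range accepted here (assumption)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation: catches mistyped digits, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible_tail: int = VISIBLE_TAIL) -> str:
    """Render a PAN for the agent screen: 'X' per hidden digit, grouped in fours."""
    hidden = "X" * max(0, len(pan) - visible_tail)
    shown = hidden + pan[len(pan) - visible_tail:] if visible_tail else hidden
    return " ".join(shown[i:i + 4] for i in range(0, len(shown), 4))


@dataclass
class KeypadPanCapture:
    """Holds digits pressed on the customer's keypad; never exposes them to the agent."""
    _digits: List[str] = field(default_factory=list, repr=False)  # kept out of repr/logs
    complete: bool = False
    error: Optional[str] = None

    def press(self, key: str) -> str:
        """Handle one keypad key and return what the agent screen should show."""
        if self.complete:
            return self.agent_view()          # ignore keys after submission
        if key == "*":
            self._digits.clear()
            self.error = None
        elif key == "#":
            self._finish()
        elif key in "0123456789" and len(self._digits) < MAX_LEN:
            self._digits.append(key)
            self.error = None
        return self.agent_view()

    def _finish(self) -> None:
        pan = "".join(self._digits)
        if not MIN_LEN <= len(pan) <= MAX_LEN:
            self.error = "length"
        elif not luhn_valid(pan):
            self.error = "check digit"
        else:
            self.complete = True

    def agent_view(self) -> str:
        """Masked live view: all X while typing, last four revealed once submitted."""
        pan = "".join(self._digits)
        if self.complete:
            return mask_pan(pan)
        view = mask_pan(pan, visible_tail=0)
        return f"{view} [{self.error}]" if self.error else view

    def release_to_processor(self) -> str:
        """Hand the full PAN to the payment processor exactly once, then wipe it."""
        if not self.complete:
            raise RuntimeError("PAN not captured")
        pan = "".join(self._digits)
        self._digits.clear()
        self.complete = False
        return pan


def simulate(keys: str) -> KeypadPanCapture:
    """Replay a constructed key sequence as if it arrived from the customer's phone."""
    cap = KeypadPanCapture()
    for k in keys:
        cap.press(k)
    return cap


if __name__ == "__main__":
    # Constructed input: the widely published Visa test number, not a real card.
    cap = simulate("4111111111111111#")
    print(cap.agent_view())          # XXXX XXXX XXXX 1111
    print(cap)                       # repr omits the digits
```

The agent's feedback loop (a digit count while typing, a "length" or "check digit" error on submit, the last four once accepted) is enough to help the customer without the agent ever seeing the number; the Luhn check only reports that the entry is well-formed, which is what the agent needs to know before the processor is called.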





Do I have to complete a Compliance Self-Assessment Questionnaire (SAQ)?

Yes, your business will have to complete a compliance self-assessment questionnaire in order to be recognised as PCI compliant. However, if you choose Paytia as your payment provider, we can take responsibility for 93% of the questions in the compliance self-assessment questionnaire.


The table below can help you choose the correct self-assessment questionnaire.

Questionnaire: How do you accept payment cards?

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.

SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.

SAQ B: Merchants using only:
  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.

SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ D for Merchants: All merchants not included in the descriptions for the above types.

SAQ D for Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.




Enabling a BMW main dealership to meet its PCI-DSS obligations




Paytia delivered a solution that let staff accept payments over the phone without impacting the dealership's GDPR or PCI compliance obligations. The solution had to enable staff identification, invoice identification and tracking, and real-time emailing of transaction receipts to departments, without affecting any existing systems. It also had to be easy to use and not slow down the process of taking payments by phone.


READ MORE: BMW Main Dealership Case Study



Total Tiles Case Study





Total Tiles had two key objectives, 1. Security and 2. Speed, plus a number of key feature requirements.

The most urgent requirement was for customer-facing staff, who were now working from home during the pandemic, to be able to accept and process credit and debit card payments over the telephone. It was critical that this be available within days to ensure minimal interruption to their business operations, allowing them to continue within a safe and secure processing environment.

Paytia was the only company that could meet their requirements. The customer would not have to read out their credit card details to the agent working from home. Another huge benefit to the business was that, from the order being placed to transactions being processed, it took only three days! This was a fantastic achievement: a unique solution, implemented extremely quickly.


READ MORE: Total Tiles Case Study




Lean On The Experts

Paytia is a PCI DSS Level 1 (the highest level) Service Provider.