PCI Compliance: What, How and Why?


The Payment Card Industry Data Security Standard (PCI DSS) exists to keep cardholder data safe from theft, compromise and other security threats. Since every merchant that processes, transmits or stores cardholder data must comply with it, it is surprising how many misconceptions and myths surround the standard. Here we look at the most common ones, set the record straight, and provide a handy guide to becoming, and staying, compliant.

I’m not an e-commerce business, so it’s not relevant to me.

Wrong! PCI DSS applies to every channel through which cardholder data is stored, processed or transmitted. If you take card payments through in-store point-of-sale (POS) systems, standalone terminals or virtual terminals, you need to be compliant just as an online retailer does.

My business is too small to worry about PCI compliance.

Compliance does not depend on the size of a merchant's business. This is a common and potentially costly mistake that many small business owners make. Whether you take one card payment a year or thousands, you are contractually bound through your acquiring bank to meet PCI DSS; transaction volume only changes which validation requirements apply (for example, whether you self-assess or need an external assessment), not whether the standard applies.

We follow most of the criteria, that’s enough, right?

This is another common misconception. To be compliant, merchants must meet all PCI DSS requirements, including the ones that don't seem relevant. Failing to meet even one requirement puts cardholder data at risk. According to research by SecurityMetrics, merchants who experienced data compromises were not compliant with 47% or more of PCI DSS requirements.

Does PCI mean I have to store cardholder data?

No. PCI DSS discourages merchants and processors from storing cardholder data at all: if you don't store it, there is nothing to steal and far less to protect. If you have a legitimate business reason to store the primary account number (PAN), PCI DSS requires that it be rendered unreadable wherever it is stored, for example by strong encryption, truncation, tokenisation or one-way hashing, and that stored data be protected by access controls and a retention policy. Sensitive authentication data (the full magnetic stripe or chip data, the CVV2/CVC2 security code and the PIN) must never be stored after authorisation, even encrypted.

My card processing is outsourced, so I must already be compliant.

Outsourcing payment processing is not a guarantee of compliance. Using a compliant processor reduces the scope of your own assessment, but merchants still need to follow procedures for handling transactions and data, and to ensure that payment terminals and applications comply with PCI DSS. You remain responsible for the parts of the process you control. If in doubt, ask your payment processing provider for its current Attestation of Compliance (AOC) and confirm which requirements it covers on your behalf.

The whole thing is too complicated.

We can’t entirely bust this particular myth; following the 12 PCI DSS requirements can be daunting, particularly for smaller enterprises which often lack time and resources. The best way to simplify PCI compliance is to partner with a trustworthy provider of products and services that help meet the requirements of compliance. Partnering with Evolve means benefitting from Evolve’s platinum partnership with Mako, which has the world’s only PCI level 1 compliant SD-WAN device.

So, we’re not compliant – what’s the worst that can happen?

Once security has been compromised, it is incredibly difficult to regain customer trust, especially when it comes to sensitive payment information. The Forbes Insight report found 46% of surveyed companies had suffered reputational damage following a data breach.

If that doesn't deter you, then you might take notice of the financial implications: non-compliant merchants can be fined by their acquiring bank, prevented from taking card payments and even lose their merchant status. On top of these penalties, merchants that suffer a data breach can be forced to compensate affected customers. In fact, the average cost of a data breach reached $4.35 million globally in 2022, an all-time high and up 2.6% from the previous year.

Hopefully we’ve convinced you just how important PCI compliance is, but how do you actually go about it?

Step 1: Determine your merchant level. Count the number of card transactions you process annually and compare it with the level thresholds published by each card brand you accept; the level sets how you must validate compliance (self-assessment for most merchants, an on-site assessment by a Qualified Security Assessor for the largest).

Step 2: Map the flow of cardholder data, including the applications, systems, networks and people that touch card data. Include every payment platform and storage system that holds card data, and check for places where it may have leaked unintentionally, such as application logs, backups and spreadsheets. Everything that stores, processes or transmits cardholder data, or can affect its security, is in scope.

Step 3: Fill out the Self-Assessment Questionnaire (SAQ), the tool used to validate PCI compliance. Several SAQ versions exist, and the one you complete depends on how you accept cards (for example, fully outsourced e-commerce versus on-premises POS); each checks whether your business meets the requirements that apply to that channel. Remember, the experts at Evolve are on hand to help.

Step 4: Fill out the Attestation of Compliance (AOC), the signed statement of your results. The AOC form you use matches the SAQ you completed, or the Report on Compliance if your merchant level requires a full assessment.

Step 5: Conduct vulnerability scans. Where your SAQ requires it, external-facing systems must be scanned at least quarterly by a PCI-Approved Scanning Vendor (ASV), with a passing scan before you attest, and internal scans are carried out on your own systems.

Step 6: Submit the relevant documents, such as the AOC, SAQ and ASV scan report, to your acquiring bank or card brands as they request.
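Step 2 is where most surprises turn up: the unencrypted account numbers that the storage question above warns against are typically found in logs, exports and backups rather than in the payment system itself. The script below is an added example, not code from the original article or from Evolve, of the discovery check a practitioner would run over such files. It pulls out digit runs that look like card numbers, discards anything that fails the Luhn checksum or does not start with a known issuer prefix, and reports each hit truncated to the first six and last four digits so the finding itself does not become a new copy of cardholder data. The log lines and the issuer prefix ranges are constructed for illustration; the card numbers are the public test numbers, and the prefix table is representative rather than exhaustive.

```python
"""Cardholder-data discovery: find Luhn-valid PANs in text and report them truncated.

Added example, not from the original article. The sample log lines below are
constructed, and the issuer (IIN) prefix ranges are representative, not exhaustive.
"""
import re
from typing import List, Optional, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits (so a longer numeric ID is not sliced up).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Map a PAN to a brand by leading digits and length (assumption: illustrative ranges only)."""
    n = len(digits)
    two, three, four = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "Mastercard"
    if two in (34, 37) and n == 15:
        return "Amex"
    if (four == 6011 or two == 65 or 644 <= three <= 649) and n in (16, 19):
        return "Discover"
    return None


def truncate_pan(digits: str) -> str:
    """Render a PAN as first six + last four, a truncation format PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str, str]]:
    """Scan text line by line; return (line_no, brand, truncated_pan) for each Luhn-valid PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            brand = card_brand(digits)
            if brand and luhn_valid(digits):
                findings.append((line_no, brand, truncate_pan(digits)))
    return findings


# Constructed sample: an application log that should never contain PANs in the clear.
# The card numbers are the well-known public test numbers, not real accounts.
# Line 1 has a 16-digit order ID (wrong prefix), line 4 a phone number (too short)
# and line 6 a mistyped number that fails Luhn; none of these should be reported.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z INFO  order_id=1234567890123456 status=created
2024-03-01T10:15:03Z DEBUG charge request pan=4111111111111111 exp=12/26
2024-03-01T10:15:03Z DEBUG fallback pan=5555 5555 5555 4444
2024-03-01T10:15:04Z INFO  customer_phone=0333 207 0364
2024-03-01T10:15:05Z DEBUG amex pan=378282246310005 ok
2024-03-01T10:15:06Z WARN  typo pan=4111111111111112 declined
"""

if __name__ == "__main__":
    for line_no, brand, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: {brand} {masked}")
```

Run against real material (log directories, database exports, file shares), the script gives you the list of locations to add to the data-flow map or, better, to clean up so they drop out of scope. The Luhn and prefix filters keep the noise down, but a hit list is only a starting point: confirm each location by hand, and treat a file that holds track data or security codes as an incident rather than a finding.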

Crucially, compliance is not a once-a-year event. Validation is annual, but the controls behind it (patching, log review, access reviews, quarterly scans, change control) run all year, and a merchant that drifts out of compliance between assessments is exposed in exactly the way the standard is meant to prevent. Becoming and remaining PCI compliant means monitoring those controls continually so that cardholder data is always protected.

For merchants to survive and thrive in what are very challenging times, it’s vital they remain PCI compliant. We provide customised solutions with PCI Level 1 certification for payment security as Mako Network’s only platinum partner – the only network management company in the world to qualify as a PCI-certified Level 1 service provider.

If you’d like to know more, or would like to talk about how Evolve can help you with compliance, get in touch with the team today on 0333 207 0364 or visit Evolve’s website 



About Evolve Business Group and Evolve

Evolve Business Group is an independently owned company that specialises in providing end-to-end IT and managed network solutions to a range of businesses. Evolve is helping businesses to reduce costs and simplify the management of services and give business owners and their teams more time to do what they do best.

Founded in 2005, it has worked with a variety of clients across different industries around the world, building a team of highly experienced specialists to help create effective and efficient packages using any combination of different offerings. It keeps a range of cross-sector networks protected and connected.

