Ecommerce sales are growing faster today than ever before. In 2023, global ecommerce sales were over $6.5 trillion, and are expected to surpass $8.1 trillion in 2026.
As more customers purchase online, people share more personal and financial data with trusted brands.
Unfortunately, as consumers share sensitive authentication data online, hackers come out of the woodwork to try to steal that data. And if your company processes payments online, you’re on their hit list.
According to the HUMAN Enterprise Bot Fraud 2023 report, on average, 48% of total login attempts in 2022 were malicious. This is a 108% Year-over-Year (YoY) increase in account takeover attacks from 2021. Even some of the biggest companies are hit: Yum! Brands, the parent company of KFC, Taco Bell, and Pizza Hut, announced a cyber attack in April 2023 that may have exposed employee data.
While consumers continue to shop online, brands and retailers need to understand that people will only shop with a company if they trust its site’s security. Baymard found the average documented online shopping cart abandonment rate is 70.19%.
This begs the question: What can you do to prevent cybersecurity breaches and earn the trust of your customers? Become PCI Data Security Standard (DSS) compliant.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It’s an information security standard defined by the Payment Card Industry Security Standards Council, created to improve the processes, checks, and balances that protect cardholder data.
It applies to any organization that stores, processes, or transmits credit card data for card brands like Visa, Mastercard, Discover, American Express, and JCB.
In December 2004, the main credit card brands formed the Payment Card Industry Security Standards Council (PCI SSC), the organization behind PCI DSS. Since then, PCI SSC has released several updated versions of the PCI DSS standards. The most recent update—PCI DSS v4.0.1—was released in June 2024.
According to a document created by the council, PCI DSS v4.x incorporates several changes, including:
- Working to continually meet the ongoing security needs of the payments industry by expanding multi-factor authentication requirements and updating password requirements.
- Promoting security as a continuous process to stay ahead of cybercrime. One example includes adding guidance to help people implement and maintain security.
- Increasing flexibility for organizations using different methods to support payment application innovation. This includes the allowance of group, shared, and generic accounts.
- Enhancing validation methods and procedures to support transparency. This includes better reporting.
PCI compliance standards were developed to protect card issuers and cardholders by making sure merchants meet global technical, operational, and security requirements to keep all payment data safe.
Examples of data breaches
The largest data breach in history is attributed to Yahoo!, when, in 2013, Russian spies hacked into the company’s database by sending fake emails to Yahoo! employees and compromised three billion accounts.
Here are some examples of the most recent ecommerce data breaches.
Honda E-commerce Platform Attack (2023)
In 2023, Honda's e-commerce platform for power equipment, lawn, garden, and marine products was compromised due to a significant API vulnerability. This flaw allowed unauthorized password resets for any account, potentially granting full admin-level access without needing the current password or a security token. The breach exposed sensitive data including 21,393 customer orders, 1,570 dealer websites, 3,588 dealer accounts, 1,090 dealer emails, and 11,034 customer emails from August 2016 to March 2023. The vulnerabilities were addressed by Honda in April 2023 after responsible disclosure in March.
Luxottica Data Exposure (2023)
Luxottica, the world's largest eyewear company, experienced a data breach in 2023 that exposed the personal information of over 70 million customers. The breach occurred due to a cyber attack on a Luxottica partner in 2021, with the database containing approximately 300 million customer records from the United States and Canada being leaked on hacking forums in April and May 2023. The leaked data included email addresses, full names, residential addresses, and dates of birth, but did not contain financial information, social security numbers, or login credentials.
JD Sports Data Breach (2023)
JD Sports, a leading retailer of sports, fashion, and outdoor brands, reported a cyber-attack in 2023 that potentially accessed the personal and financial information of 10 million customers. The breach targeted online orders made between November 2018 and October 2020 across several of JD Sports' brands. The information potentially accessed included names, billing and delivery addresses, phone numbers, order details, and the final four digits of payment cards. JD Sports notified the Information Commissioner’s Office and began contacting affected customers in January 2023.
Does my business need to be PCI compliant?
You may be wondering whether or not you are required to become PCI compliant. Well, yes and no.
Technically, US federal law doesn’t require PCI compliance. However, all major credit card companies require it when your organization stores, processes, or transmits cardholder data.
If you don’t comply, credit card companies may:
- Impose fines (anywhere from $5,000 to $500,000 per month)
- Suspend your credit card usage privileges
- Increase your transaction fees
- Issue a Common Point of Purchase (CPP) notice
- Hold you liable for fraud charges
“Any retail business that conducts transactions with the major credit card companies is required by those schemes to adhere to the PCI DSS requirements,” says Mitangi Parekh, senior marketing manager at eSentire.
“Retailers have access to credit card data and this data is not just being stored by the retailer in some sort of a locked box. It's transmitted and processed, often with third-party vendors that the retailer may do business with. So, being compliant with the PCI DSS requirements helps retailers determine the necessary controls, policies, or practices they need to have in place to help reduce retail-specific cyber risks,” says Parekh.
Adhering to PCI compliance standards isn’t about avoiding fines. It’s about protecting your customers and their personal data. When you do everything in your power to reduce the potential for data breaches, it increases your business’s credibility and the trust of your customers.
2024 ecommerce PCI compliance checklist
The good news is, if you build your ecommerce store on a SaaS solution like Shopify, your store will be PCI compliant out of the box. You won’t have to worry about following rigid steps every year to ensure PCI compliance.
“The best advice for a new ecommerce entrepreneur is to choose a platform that is already PCI compliant, so you’re covered by default. PCI compliance is very pricey, which bigger, more established retailers can invest in, but it’s not practical for small businesses,” says Parekh.
If you choose to invest in a commercial PCI solution or an open-source PCI compliance platform, then your IT team will need to follow these 12 steps. This is a very high-level overview, but it’s wise to consult the PCI DSS requirements.
1. Install and maintain network security controls
Installing and maintaining network security controls (NSCs) means utilizing solutions such as network policies and firewalls to protect cardholder data. This includes only allowing trusted traffic to enter your cardholder data environment (CDE), configuring and maintaining NSCs properly, and creating a highly secure zone for all card data storage.
2. Apply secure configurations to all system components
Hackers often try to breach systems by using default settings to access sensitive information. Since default configurations such as default passwords are easily determined through public information, make sure you apply secure configurations to system components. Also, change default passwords and make them more secure.
3. Protect stored account data
If you’re storing credit card information or other sensitive data, ensure you have protection methods like point-to-point encryption, truncation, masking, and hashing. Do everything to minimize risks. This includes not storing unnecessary info, truncating cardholder data, and not sending sensitive info through email or instant messaging.
4. Protect cardholder data with strong cryptography
Use strong cryptography to protect data, in particular during transmission over networks that are highly vulnerable to attack—especially public networks.
5. Protect all systems and networks from malicious software
Malware includes things like Trojans, spyware, viruses, worms, ransomware, rootkits, and malicious links. Hackers use these to infiltrate a computer system. Protect your cardholders with anti-malware and anti-virus software solutions.
6. Develop and maintain secure systems and software
Avoid hacks with the help of vendor-provided security patches, monitoring your software lifecycle (SLC), and implementing secure coding techniques. Ensure the system components have software patches that protect against compromise and malware.
7. Restrict access to cardholder data by business need to know
Make sure critical data is only accessible by authorized systems on a need-to-know basis. Create rules that give specific access and privileges to IT personnel to complete only the necessary tasks.
8. Identify users and authenticate access to system components
Authenticate users by establishing their identity and putting a verification process into place. Consider requiring users to provide proof of identification to verify who they are. Additionally, implement multi-factor authentication (MFA) to secure access into the high-value systems and prevent misuse.
9. Restrict physical access to cardholder data
Protect against the exfiltration of cardholder data by restricting physical access. This means removing hard copies and any other physical document or device that holds sensitive information. This requirement usually applies to merchants who fully manage their payment infrastructure.
10. Log and monitor all access to system components and cardholder data
Another critical step in protecting cardholder data is to put logging mechanisms in place and track user and system activity. Logs on system components help with tracking, alerting, and analysis in the event of a breach.
11. Test security of systems and networks regularly
Hackers don’t rest, so don’t sleep on checking the security of your systems. Implement tools and processes, and test your networks, to stress-test your security often.
12. Support information security with organizational policies and programs
Take the time to put your security and compliance information in writing, and build a program to maintain compliance year-round. Then, educate all of your employees on what your compliance policies are and how they can play a critical role in protecting your customers’ data.
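Requirements 3 and 10 above are where ecommerce code most often slips: a full PAN written to a database column or a checkout log. The following helpers, added here as an illustration and not taken from the article or from any platform, show Luhn validation, display masking and storage truncation of a PAN, a keyed hash (HMAC-SHA256) for a stored reference, and a log scrubber that masks PAN-looking sequences before they are written. The 16-digit test PANs, the log format, the 6-digit BIN length and the HMAC key are constructed assumptions.

```python
"""PAN handling helpers for PCI DSS requirements 3 and 10 (added example).

Assumptions (not from the article): 16-digit PANs, a 6-digit BIN, showing at
most BIN + last four digits on display, HMAC-SHA256 for stored references.
"""
import hashlib
import hmac
import re

# Constructed sample data: syntactically valid test PANs, not real cards.
SAMPLE_PAN = "4111 1111 1111 1111"
# Constructed log lines such as a careless checkout service might emit.
SAMPLE_LOG_LINES = [
    "2024-03-31T10:00:01Z INFO order=10042 pan=4111111111111111 amount=49.99",
    "2024-03-31T10:00:02Z INFO order=10043 pan=5500-0000-0000-0004 amount=12.00",
    "2024-03-31T10:00:03Z INFO order=10044 status=ok",
]


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes so the PAN is digits only."""
    return re.sub(r"[\s-]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn check: reject typos (and non-PAN digit runs) before storage or logging."""
    digits = [int(c) for c in pan]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return len(digits) >= 13 and checksum % 10 == 0


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Display masking: at most the BIN and the last four digits stay readable."""
    pan = normalize_pan(pan)
    head = pan[:6] if show_bin else ""
    return head + "*" * (len(pan) - len(head) - 4) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: keep only first six and last four, discard the middle."""
    pan = normalize_pan(pan)
    return pan[:6] + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash for a stored reference; without the key the hash cannot be
    brute-forced from the BIN and last four digits alone."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_IN_LOG = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def scrub_log_line(line: str) -> str:
    """Mask every Luhn-valid PAN-looking run in a log line; leave other digit runs alone."""
    def repl(m: re.Match) -> str:
        candidate = normalize_pan(m.group(0))
        return mask_pan(candidate) if luhn_valid(candidate) else m.group(0)
    return PAN_IN_LOG.sub(repl, line)


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN, show_bin=True))
    print(truncate_pan(SAMPLE_PAN))
    for raw in SAMPLE_LOG_LINES:
        print(scrub_log_line(raw))
```

Run the scrubber at the logging layer (a formatter or filter), not ad hoc at each call site, so a new log statement cannot reintroduce a full PAN.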
Ecommerce PCI compliance requirements and levels
Compliance levels vary depending on whether you are a merchant or a service provider. For ecommerce merchants, there are four different compliance levels, and each may vary slightly depending on the credit card scheme.
You can determine your PCI compliance level by evaluating how many transactions you process annually through your respective credit card provider. Here’s a closer look at Visa, Discover, and Mastercard’s compliance levels to help you determine your own.
PCI Compliance Level | Transactions per Year | Validation Requirements
---|---|---
Level 1 | More than 6 million | Annual on-site assessment by a QSA (ROC), quarterly ASV scans, yearly AOC and ROC submission
Level 2 | 1 million to 6 million | Yearly SAQ, quarterly ASV scans, yearly SAQ-based AOC submission
Level 3 | 20,000 to 1 million | Yearly SAQ, quarterly ASV scans, yearly SAQ-based AOC submission
Level 4 | Fewer than 20,000 | Yearly SAQ, quarterly ASV scans, yearly SAQ-based AOC submission
PCI Compliance Level 1
Level 1 is the highest compliance level. It’s for merchants who process more than six million transactions annually. This level also includes all third-party processors (TPPs) that process over 300,000 transactions each year.
PCI compliance Level 1 validation requirements include:
- Annual on-site assessment by a Qualified Security Assessor (QSA) to complete an annual Report on Compliance (ROC)
- Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV) to produce an Attestation of Scan Compliance
- Yearly submission of the Attestation of Compliance (AOC) and ROC to demonstrate compliance against all of the 300+ PCI DSS requirements and sub-requirements
PCI Compliance Level 2
Level 2 is for merchants who process between one million and six million transactions annually. It also includes third-party processors (TPPs) that process fewer than 300,000 transactions every year.
PCI compliance Level 2 validation requirements include:
- Yearly self-assessment using the appropriate self-assessment questionnaire (SAQ) according to the PCI SSC SAQ Instructions and Guidelines
- Quarterly network scans by an approved scanning vendor (ASV)
- Yearly submission of an SAQ-based AOC to demonstrate compliance against all of the applicable PCI DSS requirements
PCI Compliance Level 3
Level 3 is for smaller ecommerce merchants who process 20,000 to one million transactions each year.
PCI compliance Level 3 validation requirements include:
- Yearly self-assessment using the appropriate self-assessment questionnaire (SAQ) according to the PCI SSC SAQ Instructions and Guidelines
- Quarterly network scans by an approved scanning vendor (ASV)
- Yearly submission of an SAQ-based AOC to demonstrate compliance against all of the applicable PCI DSS requirements
PCI Compliance Level 4
Level 4 is for companies that process smaller amounts of transactions annually. Merchants who process fewer than 20,000 transactions a year are considered Level 4.
PCI compliance Level 4 validation requirements include:
- Yearly self-assessment using the appropriate self-assessment questionnaire (SAQ) according to the PCI SSC SAQ Instructions and Guidelines
- Quarterly network scans by an approved scanning vendor (ASV)
- Yearly submission of an SAQ-based AOC to demonstrate compliance against all of the applicable PCI DSS requirements
Changes rolled out as of March 2024
There are 63 new requirements ecommerce businesses must comply with to meet PCI standards. But only 12 of them have to be met by March 31, 2024. The first batch of 12 requirements focuses more on compliance methodologies and defining roles rather than the nitty-gritty technical details.
This strategic approach eases organizations into the more rigorous demands and clearer role delineations that'll be achieved with the complete rollout March 31, 2025.
Here's a breakdown of what's expected by March 2024:
- Clarifying roles and responsibilities: A significant chunk of the new requirements (specifically, 2.1.2, 3.1.2, and so on through 11.1.2) zeroes in on the 'who does what' within your IT and security teams. This means explicitly assigning individuals to oversee various aspects of PCI compliance and incident response. This fosters a culture of best security practices within your organization and streamlines responding to incidents and audits.
- Defining third-party roles: Requirement 12.9.2 calls for third-party service providers to clearly outline their roles in managing your cardholder data environment (CDE). Whether it's a payment processor or a managed service provider, they must also be ready to share their PCI DSS compliance status upon request. This transparency ensures all parties involved agree, and that compliance is a collective effort.
- Outlining the CDE and scope: As part of the groundwork for full PCI DSS 4.0 compliance, organizations must define their CDE and the scope of compliance a year in advance. This preparatory step is crucial for a seamless transition to the comprehensive requirements set to take effect in March 2025.
- Embracing customized approaches: PCI DSS 4.0 introduces a 'customized approach' for meeting certain requirements. This benefits organizations that must adhere to other regulatory standards like HIPAA or GDPR. It allows for a tailored compliance strategy that fits unique operational environments without compromising security. However, these customized controls require approval and annual risk analysis documentation to ensure they meet the stringent standards set by PCI DSS.
As we navigate these changes, it's clear that preparation and understanding are key to a smooth transition. By focusing on these initial steps, businesses can ensure they're compliant and foster a secure and trustworthy environment for their customers.
Ecommerce PCI compliance platform types
The question is not whether you need to achieve PCI compliance. You do. The question is: What kind of platform should you use to become PCI compliant?
Just like there are different options for creating, managing, and hosting websites online (e.g., self-hosted, dedicated, or shared), there are also different software options that will help your ecommerce store become PCI compliant.
What you choose will depend on your store size, expertise, budget, IT staff, and goals.
Here are the three main ecommerce PCI compliance platform types and a closer look at how you can be compliant on all three:
- Commercial software
- Open-source software
- Hosted software as a service (SaaS)
Certified commercial PCI software
Buying a certified commercial PCI software is like opting for dedicated hosting for a website.
Instead of paying a hosting company to help you with all the ins and outs of becoming PCI compliant, you buy and maintain your own hardware and commercial software license. With this option, you’re solely responsible for licensing and certifying your store, but commercial PCI software will make it easier.
These certified commercial PCI solution providers are typically reserved for huge and widely recognized ecommerce stores with:
- Level 1 ecommerce compliance
- Well over six million transactions annually
- Robust IT support
- Big budgets to install, customize, and maintain the ecommerce store and PCI compliance requirements
The bottom line: If you’re growing your new ecommerce store, don’t have millions of transactions to manage, or are looking into PCI compliance for the first time, this option is overkill and not for you.
Open-source software
Open-source software for PCI compliance is like WooCommerce: you have access to the source code and can make your own customizations to enhance security.
With this option, you will pay for your hardware, but you don’t have to worry about paying a software license fee.
Open-source software is a good solution for large ecommerce stores with dedicated development and compliance teams who write their own code and can take full advantage of the customization and flexibility offered by open-source solutions. In other words, open-source software lets your tech-savvy, PCI-expert staff move forward with coding and take full responsibility for continuously building and maintaining the necessary compliance controls.
The bottom line: If you are creating a highly customized ecommerce store with complex and unique requirements, but have ample budget, resources, and in-house expertise to meet all of the 300+ PCI DSS requirements, then open-source may be for you.
Hosted software as a service (SaaS)
Using a hosted PCI compliance SaaS solution is like building a site on a shared hosting platform.
Most of the big ecommerce platforms (like Shopify) provide hosted SaaS as part of their service. In other words, you can create a Shopify store and don’t have to worry about the security of your site—because PCI compliance is built into Shopify.
“Most ecommerce stores typically don’t need to do anything specific to become PCI compliant simply because if the store is hosted on a platform like Shopify, they will automatically be PCI compliant,” says Parekh.
It is critical to remember, however, that no matter which option you choose (even hosted), you’ll still have to fill out a self-assessment questionnaire if you’re a Level 2–4 merchant. If you’re a Level 1 merchant, you’ll have to fill out the questionnaire and a ROC. Therefore, there are shared compliance responsibilities, but a PCI-compliant platform like Shopify takes care of the most challenging, resource-intensive, and expensive ones on behalf of the merchant.
The bottom line: If you’re building an ecommerce store on a commerce platform like Shopify, this option is for you. You don’t have to worry about spending money on hardware, licenses, or dedicated engineering and compliance teams, and you’ll remain PCI compliant with little effort.
Why being PCI compliant is important for your business
Hackers are everywhere in today’s high-tech world, and they are becoming savvier every day. In 2022, the Internet Crime Complaint Center (IC3) received nearly 801,000 cybercrime reports, with financial damages soaring past $10.3 billion. Despite a slight decrease in the number of complaints, down by 5% from the previous year, the financial impact of these crimes surged by an astonishing 49%.
As the internet grows and hackers get better at what they do, it’s critical for ecommerce companies to take action on heightening security.
The way to secure sensitive data and continue to earn the trust of consumers and payment networks is by following PCI compliance standards.
“Adhering to PCI SSC standards ensures you’ve implemented the best practices to protect against cyber threats and reduce cyber risks impacting retail organizations,” says Parekh. “Furthermore, if you can’t prove that your ecommerce store is PCI compliant, many credit card payment schemes won’t allow you to transmit, store, or even process credit card transactions.”
Above all, growing an ecommerce business requires you to earn the trust of your customers—and you can’t do this if their data isn’t safe with you.
Keep your site secure with Shopify
When push comes to shove, the onus is on you to protect your customers’ credit card information and any other sensitive data.
Unless you are a highly skilled compliance-savvy developer with experience in securing ecommerce sites and making sure they are 100% PCI compliant, the best way to protect customer data is with a little help.
In other words, it’s best to rely on help from a hosted SaaS tool (ahem, Shopify) to keep your customers’ credit card data safe. When you set up your ecommerce store with Shopify, you can rest assured it will be PCI compliant.
PCI Compliance FAQ
What does PCI DSS compliance mean?
PCI DSS Compliant means your company is following the Payment Card Industry (PCI) Data Security Standard (DSS) and has fulfilled all of the requirements to keep customer data safe.
PCI DSS is a set of requirements designed to ensure the security of credit card information stored on and processed by computer systems. These standards were created by the payment industry to help prevent fraud and improve data security.
Does my ecommerce site need to be PCI compliant?
PCI DSS compliance is a requirement for ecommerce stores that keep credit card information, handle any financial transactions, or accept payments using credit cards, debit cards, prepaid cards, and other forms of payment. If you don’t comply, you risk being fined or having your account shut down. Worse, you risk losing your customers’ trust and ruining your company reputation.
PCI compliance affects every aspect of your business, so it’s critical to be PCI compliant.
Am I required by law to become PCI compliant?
You are not required by federal law to have a PCI-compliant website. However, some states do require ecommerce stores to be PCI compliant. It’s worth researching your state or regional government’s requirements to find out what the laws are and how they apply to your business. Additionally, merchants who fail to meet PCI DSS requirements risk being denied payment processor services from their acquirer or acquiring banks due to non-compliance.
What are the costs of becoming PCI compliant?
The costs of PCI compliance depend on several factors:
- Small Businesses: Starting at $300 annually, including a Self-Assessment Questionnaire (SAQ) and vulnerability scans.
- Larger Enterprises: Over $70,000 for full PCI DSS assessments, with onsite audits costing about $40,000, plus additional costs for scans, testing, and training.
- Audit Costs: A Qualified Security Assessor (QSA) audit averages $15,000, varying with business complexity.
- Non-Compliance Costs: Fines and increased fees for non-compliance can far outweigh compliance costs.
- Annual Maintenance: Ongoing compliance costs range from $5,000 to $200,000, based on size and complexity.
Where can I find more information on becoming PCI compliant?
This article is a high-level review of how to become PCI compliant. However, if you are going the DIY route to become PCI compliant, the best thing to do is review the official PCI DSS requirements.
What are the 4 PCI Standards?
The 4 PCI Standards are:
- PCI DSS (Payment Card Industry Data Security Standard)
- PCI PTS (Payment Card Industry PIN Transaction Security)
- PCI P2PE (Payment Card Industry Point-to-Point Encryption)
- PCI SSF (Payment Card Industry Software Security Framework)
What are the PCI compliance guidelines?
The Payment Card Industry Data Security Standards (PCI DSS) are a set of guidelines established by major credit card companies to ensure the security of credit card transactions. These guidelines include:
- Maintain a secure network: Install and maintain a firewall to protect cardholder data.
- Protect cardholder data: Encrypt sensitive data to prevent unauthorized access.
- Maintain a vulnerability management program: Regularly scan systems and networks for vulnerabilities and take necessary actions.
- Implement strong access control measures: Restrict access to cardholder data on a need-to-know basis.
- Regularly monitor and test networks: Monitor and test security systems and processes, including tracking and monitoring all access to network resources and cardholder data.
- Maintain an information security policy: Maintain a company-wide information security policy, including training for employees and contractors.
Illustration by Melanie Peters