Becoming PCI compliant can seem difficult, and it is common to have questions about the compliance standards and processes.

We have created a list of common PCI questions to help you get compliant and stay compliant. Let us guide you through the PCI compliance requirements by selecting a topic below.

For a full collection of published PCI FAQs, you may refer to our Index of PCI Frequently Asked Questions.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created to ensure that every organization that stores, processes, or transmits cardholder data does so in a secure environment.

The Payment Card Industry Security Standards Council (PCI SSC) was established to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI SSC is an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB), and it publishes and maintains PCI DSS.

It is important to note that the payment brands and acquiring banks are responsible for enforcing compliance, not the PCI SSC. The council writes the standard; your acquirer and the card brands decide what you must validate and what happens if you do not.

Do I Need To Be PCI Compliant?

The simple answer is yes. PCI compliance applies to any organization that stores, processes, or transmits cardholder data, regardless of the size of the company or the number of transactions it handles.

What If I Am Not PCI Compliant?

Organizations that fail to meet PCI compliance standards are subject to fines. If you experience a data breach in which cardholder data is compromised, you are subject to additional fines and sanctions, typically assessed by the card brands through your acquiring bank. Failure to validate your compliance could also lead to the termination of your card acceptance agreement with your acquirer. We help ensure that you are compliant and avoid paying hefty non-compliance fines.

Do Organizations Using Third-Party Credit Card Processors Have To Be PCI Compliant?

Yes. Using a third party does not exempt your organization from PCI compliance obligations. If you accept credit cards as a form of payment or collect credit card data, even through a third-party solution, you are still required to comply with PCI DSS. Outsourcing payment processing to a validated third party can reduce the scope of your own assessment (for example, by qualifying you for a shorter Self-Assessment Questionnaire), but it does not remove the obligation, and you remain responsible for confirming that your service providers are themselves PCI DSS compliant.

Why Should My Company Work With Control Gap?

We can propose compliance options that other organizations cannot. Our compliance options are geared toward the needs of your organization and are designed to save you time and money. They help reduce security risk, and we make compliance understandable. We regularly use multiple approaches, technologies and assessment tools to ensure that our clients benefit from the best of the best. And where there is a simpler, more cost-effective way to do something, our clients are the first to know.

How Do I Become PCI Compliant?

Achieving PCI compliance is only the first step; maintaining it is the ongoing work. Control Gap provides customized long-term solutions that integrate PCI requirements into your organization's corporate compliance strategy. Through strategic and operational guidance, we work to transition your compliance efforts from an annual project to an operational routine.

What is the Fine for Not Being PCI Compliant?

Businesses that are not found to be compliant are subject to PCI compliance fines. In cases where cardholder data has been stolen, the breach must be reported to your acquiring bank, and larger fines may apply. Please see the section on PCI Compliance Penalties for more information.

PCI Compliance Penalties

Payment brands can fine an acquiring bank anywhere from $5,000 to $10,000 per month for PCI compliance violations, and the acquirer will generally pass those fines on to the merchant. These penalties can be catastrophic for a small business, resulting in higher transaction fees or, in more severe cases, the end of your relationship with the bank. It is important to be familiar with your merchant account agreement, which should outline your exposure.

What PCI Compliance Level Do I Need?

PCI compliance standards can be confusing. The first thing you need to do is understand which merchant level you fall under. Each payment brand sets its own criteria, but all merchants fall into one of the PCI compliance levels 1 through 4 based on transaction volume over a 12-month period. Volume is based on the total number of transactions across an operating business or businesses under a single registered legal name. Your level determines how you validate: Level 1 merchants generally require an annual on-site assessment by a Qualified Security Assessor, while merchants at lower levels typically validate with a Self-Assessment Questionnaire (SAQ) and, where applicable, quarterly network scans. Once you know your level, you can determine what information you need to provide to your acquiring bank to validate compliance.

Control Gap can help you with every step of the process to ensure you meet all PCI compliance standards. The PCI Merchant Levels chart linked below is a quick tool for finding out what your PCI compliance requirements entail.

Find My Merchant Compliance Level
Become PCI Compliant Today! Control Gap will help you get compliant and stay compliant. Contact us today with your PCI compliance questions or to set up a consultation with a member of the Control Gap team.






PCI Pilot™ is coming soon!

Our highly anticipated online tool will be launching soon to make your PCI SAQ process quick and seamless.
