Robust security measures should be top of mind for any business handling payment card information, both for the safety of your clients and for your business's reputation.
You may have heard of PCI compliance, or the Payment Card Industry Data Security Standard (PCI DSS). This set of security standards is designed to protect cardholder data, and compliance is mandatory for organizations that accept, process, store, or transmit credit card information.
Understanding who needs PCI compliance and the requirements for different types of businesses can be complex. However, we are going to peel back the layers of this framework and help you get the tools you need. Let’s take a look.
Who Needs PCI Compliance?
If your business handles any form of payment card data from major credit card brands, you are required to comply with PCI DSS. This applies to businesses of all sizes, from multinational corporations to small local shops. Non-compliance can result in fines, increased transaction fees, and the potential loss of the ability to process credit card payments.
Examples of Businesses That Need PCI Compliance:
- Retailers (in-store and online): Clothing stores, electronics shops, supermarkets, etc., that accept credit card payments are required to protect customer data at all touchpoints.
- E-commerce Companies: Online retailers, regardless of size, must adhere to PCI standards as they process card payments over the Internet.
- Hospitality: Hotels, motels, and resorts collect customer data for reservations and often keep card information on file for future transactions.
- Healthcare Providers: Medical practices and hospitals that accept credit card payments for services or copays must comply with PCI DSS, given the sensitive nature of the data involved.
- Restaurants: These businesses handle numerous card transactions daily, making them prime targets for cyberattacks and necessitating PCI compliance.
Levels of PCI Compliance
The requirements for PCI compliance vary based on the volume of transactions a business processes annually and the way it interacts with cardholder data. PCI DSS categorizes merchants into four levels, with different compliance requirements for each.
Level 1: Over 6 million transactions per year
- Requirement: Annual on-site audit and quarterly network scans by an Approved Scanning Vendor (ASV).
- Typical Businesses: Large online retailers like Amazon, high-traffic physical stores like Walmart, and large hotel chains that process millions of transactions.
Level 2: 1 million to 6 million transactions per year
- Requirement: Self-Assessment Questionnaire (SAQ) or an annual on-site audit, along with quarterly network scans.
- Typical Businesses: Mid-sized retailers and hospitality businesses, such as a regional retail chain or restaurant group.
Level 3: 20,000 to 1 million e-commerce transactions per year
- Requirement: Annual SAQ and quarterly network scans.
- Typical Businesses: Small to mid-sized online businesses, local boutiques with e-commerce capabilities, and smaller hotel chains.
Level 4: Fewer than 20,000 e-commerce transactions or up to 1 million other transactions annually
- Requirement: Annual SAQ and quarterly network scans, although requirements can be less stringent.
- Typical Businesses: Small brick-and-mortar shops, small e-commerce stores, and local restaurants.
Self-Assessment Questionnaire (SAQ)
The Self-Assessment Questionnaire (SAQ) is a tool for organizations that do not require a full on-site audit. According to the PCI Security Standards Council, it is, quite literally, a series of yes-or-no questions for each applicable PCI Data Security Standard requirement. It comes in several versions depending on how a business handles cardholder data, allowing businesses to attest to their compliance with the specific controls relevant to their setup.
You can find a full list of the SAQs, and determine which one applies to you, on the PCI Security Standards Council website. The process is straightforward: first review how you accept payment cards to determine which questionnaire applies, then fill out that SAQ.
https://listings.pcisecuritystandards.org/pci_security/completing_self_assessment
Penalties for Non-Compliance
Non-compliance can lead to significant financial consequences. The major credit card brands may impose fines ranging from $5,000 to $100,000 per month, depending on the severity and duration of non-compliance. Additionally, breaches resulting from non-compliance often incur steep recovery and remediation costs, damage to customer trust, and lost business opportunities. The importance of those last two cannot be overstated.
New Requirement for 2025: Security Awareness Training
Starting in 2025, PCI DSS places a renewed emphasis on security awareness training as a mandatory requirement for compliance. This addition addresses a critical security gap: human error. Many data breaches occur because of simple mistakes, such as falling for phishing scams, weak password practices, or mishandling cardholder data. Security awareness training aims to teach employees to recognize and prevent security threats, protecting both the organization and its customers.
Security Awareness Training: What This Means for You
Regardless of size or industry, businesses must implement regular, documented security awareness training programs for all employees involved in handling payment card information. These programs should cover:
- Phishing and Social Engineering Awareness: Teaching employees to identify and avoid phishing attempts and other social engineering tactics commonly used by attackers.
- Password Management: Emphasizing the importance of strong, unique passwords, and educating employees on secure password practices.
- Data Handling and Storage Practices: Training on the secure handling and storage of cardholder data, including the importance of avoiding unauthorized storage or sharing of sensitive information.
- Incident Reporting: Establishing clear protocols for reporting potential security incidents, so employees can respond quickly to suspicious activity.
- Ongoing Updates: Regular training sessions to keep employees informed of new threats and compliance requirements.
Examples of Businesses Needing Security Awareness Training:
- Retail Chains: Large and small retailers alike must educate cashiers and customer service staff to protect point-of-sale systems from unauthorized access.
- E-commerce Platforms: Training employees on secure online transaction processing is essential to prevent data breaches in customer databases.
- Restaurants and Cafes: Front-line employees should be aware of security practices, especially in businesses that rely on point-of-sale terminals.
- Healthcare and Hospitality: For industries storing sensitive data, awareness of data handling and security protocols is critical to prevent unauthorized data exposure.
Failure to comply with the security awareness training requirement can result in non-compliance penalties and increase the likelihood of breaches due to human error. Businesses that prioritize security training reduce their risk of data breaches, improve employee engagement in security protocols, and build stronger customer trust.
With the addition of security awareness training in 2025, PCI compliance is now a more comprehensive mandate, requiring businesses to prioritize both technical and human security measures to protect cardholder data, ensure compliance, and safeguard against cyber threats. That makes it essential for any business handling payment card information: PCI DSS not only protects sensitive customer data but also shields companies from hefty fines, reputational damage, and financial loss.