Security Standards for Businesses That Accept Credit and Debit Cards

According to Total System Services, Inc., 80 percent of the consumers questioned in a 2018 survey responded that they preferred making payments using credit or debit cards.

If you accept credit or debit card payments, you may not know that you are subject to a set of standards created by the Payment Card Industry (PCI) Security Standards Council. This council, made up of the five payment card brands Visa, MasterCard, American Express, JCB International, and Discover, was created in response to increases in data breaches and fraud in the credit card industry. The PCI Data Security Standards address the technical and operational systems that keep cardholder data safe. The goal of these standards is to protect businesses, customers, banks, and all others engaged in the credit industry.


Many business owners find that collecting payment via credit or debit cards benefits both them and the customer. However, they often do not know about these established data security standards, and thus, fail to comply with them. Below are the twelve PCI Data Security Standards that business owners who accept credit and debit card payments must comply with:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open public networks.
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data on a business need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.

Each of these standards has a number of components to achieve the following goals: protect cardholder data, maintain an effective management system for dealing with such data, establish access control procedures, test networks, and regularly refine such modes of data security. For example, when hackers and cybercriminals attack, their first attempts to break into a system often involve using the default passwords provided by vendors. The second standard was established to prevent this. Businesses are expected to change all default passwords to new strong passwords—passwords with at least twelve characters that are a mix of numbers, letters, and symbols, and are not connected to personal information. By implementing this standard, businesses make it more difficult for security breaches to occur.
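As an added illustration of the second standard, not code from the original article: a small policy check that applies the rules stated above (at least twelve characters; a mix of letters, numbers, and symbols; nothing tied to personal information) and also rejects a password that matches a vendor-supplied default. The default list and the personal-information tokens are constructed sample values.

```python
import re

# Constructed sample of vendor-supplied defaults to reject; a real audit
# would load the documented defaults for each product actually deployed.
SAMPLE_VENDOR_DEFAULTS = {"admin", "password", "123456", "changeme"}

MIN_LENGTH = 12  # the article's stated minimum


def password_violations(password, personal_info=(), vendor_defaults=SAMPLE_VENDOR_DEFAULTS):
    """Return the list of policy rules the password fails (empty list means it passes).

    personal_info is a sequence of strings (names, birth dates, etc.) that must
    not appear inside the password; it is a hypothetical input for this example.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    # Compare case-insensitively so "Admin" is still caught as a default.
    if password.lower() in {d.lower() for d in vendor_defaults}:
        problems.append("matches a vendor-supplied default")
    lowered = password.lower()
    for item in personal_info:
        token = item.lower().strip()
        # Ignore very short tokens, which would match almost anything.
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal information ({token!r})")
    return problems


if __name__ == "__main__":
    for candidate in ("admin", "Smith!Corp2024xx", "Fr0st-Glider#2024"):
        result = password_violations(candidate, personal_info=["Smith", "1975-03-02"])
        print(candidate, "->", result or "OK")
```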


In order to comply with these standards, business owners must thoroughly understand how cardholder data is collected and how it flows through the business. The channels that carry such data should be encrypted to protect consumer information within the company's network of systems. Likewise, business owners must verify that there is no direct public access between the internet and any system component that stores cardholder data. Business owners can protect themselves and cardholders by installing firewall protection on company- and employee-owned devices that connect to the internet outside of the company network.


Give Us a Call

If you want to satisfy today’s consumers and make it easier for people to do business with you by accepting credit and debit card payments, you must comply with the PCI Data Security Standards. We can help you map out the right strategies to protect cardholders’ information and develop employee handbooks that explain your processes. Contact us today to schedule a meeting.


This article is a service of Sky Unlimited Legal Advisory PC, Personal Family Lawyer®. We're not your traditional law firm; we stand apart from the rest by helping you make informed and empowered decisions on how to deal with your business throughout life and in the event of an emergency. We offer a complete spectrum of legal services, including a New Business Planning Session or an Existing Business Review Session, which includes a review of all the legal, insurance, financial, and tax systems you need for your business. You can begin by calling our office at (650) 761-0992 today or book online to schedule a Business Planning Session and mention this article to find out how to get this $950 session at no charge.
