Key takeaways
PCI compliance is required for any business that accepts card payments, regardless of size or industry.
PCI DSS is enforced by major card brands, not the government.
Professional services firms face unique risks due to large retainers, recurring billing, and high-value transactions.
Partnering with a provider that supports PCI-compliant payment processing can significantly reduce your compliance burden.
If your firm accepts credit or debit cards, you may be wondering: What is PCI compliance? PCI compliance means meeting the security requirements of the Payment Card Industry Data Security Standard (PCI DSS), a global framework designed to protect cardholder data. In short, it’s the set of security rules your business must follow to safely accept, process, transmit, or store card payments.
For professional services firms across law, accounting, design, architecture, engineering, and construction, PCI compliance plays a critical role in protecting sensitive client payment information. These firms often handle large retainers, milestone payments, or recurring billing, making secure payment processing essential to maintaining client trust.
With digital payments now the norm, data security expectations are higher than ever. Understanding PCI compliance is a practical first step toward strengthening your firm’s payment security and reducing risk.
What is PCI DSS compliance?
PCI DSS compliance means adhering to the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements established to protect credit, debit, and prepaid card data. Any business that accepts, processes, stores, or transmits cardholder information must meet these standards.
The standard is developed and maintained by the PCI Security Standards Council (PCI SSC), but it is not a government law. Compliance is enforced contractually by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through your merchant agreement, so if you accept card payments, you are required to comply.
PCI DSS compliance requires businesses to:
Secure networks and systems
Protect stored and transmitted cardholder data
Restrict access to sensitive information
Regularly test and monitor security controls
Noncompliance can result in significant monthly fines, higher processing fees, reputational harm, and even the loss of your ability to accept card payments.
Which business types does PCI compliance apply to?
PCI compliance applies to any business that accepts, processes, stores, or transmits credit or debit card payments—regardless of size or industry.
This includes professional services firms such as:
Architecture firms
Engineering firms
Design firms
Law firms
Accounting firms
If your firm takes client payments by card—whether online, over the phone, or in person—PCI compliance applies to you.
Professional services firms are often especially impacted because they routinely:
Accept large upfront retainers
Process high-value project or matter-based payments
Manage recurring billing arrangements
Collect payments remotely through invoicing links or virtual terminals
Even if your firm never stores full card numbers, you are still responsible for ensuring that your PCI-compliant system protects cardholder data throughout the payment process.
Most small and mid-sized professional firms fall into the lowest PCI compliance level based on transaction volume. In many cases, compliance involves completing an annual Self-Assessment Questionnaire (SAQ) and confirming that appropriate security controls are in place, even if card data is fully outsourced to a secure, third-party payment processor.
The four PCI compliance levels
PCI compliance standards are tiered based on the number of card transactions a business processes each year. Your level determines how you validate compliance and whether additional audits or testing are required.
Businesses are categorized into four PCI compliance levels (via Exabeam):
Level 1: Over 6 million card transactions annually
This level applies to large enterprises and national organizations. Validation typically requires an annual on-site assessment by a Qualified Security Assessor (QSA) and regular network scans.
Level 2: 1 million to 6 million transactions annually
These businesses usually complete an annual SAQ and may be required to undergo quarterly network scans by an Approved Scanning Vendor (ASV).
Level 3: 20,000 to 1 million e-commerce transactions annually
This level generally applies to mid-sized online merchants. Annual SAQ completion and quarterly scans are commonly required.
Level 4: Fewer than 20,000 e-commerce transactions annually or up to 1 million total transactions
Most small and mid-sized businesses—including many law firms, AEC firms, and accounting practices—fall into this category. Validation typically involves completing the appropriate SAQ and, in some cases, quarterly vulnerability scans.
Although Level 4 carries fewer validation requirements than higher tiers, compliance is still mandatory. Even smaller firms must confirm each year that they meet PCI data security requirements and maintain proper safeguards for cardholder information.
The six goals of PCI DSS compliance
PCI DSS is built around six core security goals. Together, they form the foundation of a strong PCI compliance program and help businesses protect cardholder data at every stage of the payment process.
1. Build and maintain a secure network
Your network is the first line of defense. This goal focuses on installing and maintaining firewalls, securing routers, and avoiding vendor-supplied default passwords or settings.
In practice, that means:
Regularly updating firewalls and network configurations
Replacing default passwords with strong, unique credentials
Using password managers where appropriate
Ensuring Wi-Fi networks are encrypted and secured
A properly configured network reduces the risk of unauthorized access from the start.
2. Protect cardholder data
Protecting cardholder data is at the heart of PCI compliance. Sensitive payment information must be encrypted when transmitted and safeguarded if stored.
Key protections include:
Using secure “https” connections for online payments
Encrypting stored data (such as full-disk encryption, if applicable)
Avoiding storage of full card numbers unless absolutely necessary
Partnering with secure payment providers that tokenize or host card data
For many professional services firms, working with a PCI-compliant payment processor significantly reduces the need to store sensitive data internally.
3. Maintain a vulnerability management program
Cyber threats constantly evolve, requiring businesses to proactively identify and address weaknesses in their systems.
That includes:
Installing and updating antivirus and anti-malware software
Enabling real-time threat detection where possible
Keeping operating systems, billing software, and applications current
Promptly applying security patches and updates
Routine updates may seem simple, but they play a critical role in preventing exploitation of known vulnerabilities.
4. Implement strong access-control measures
Not everyone in your firm needs access to payment data. PCI DSS requires businesses to restrict access based on a need-to-know basis.
Best practices include:
Assigning unique login credentials to each employee
Limiting payment data access to accounting or finance personnel
Using multi-factor authentication where available
Securing any physical card data in locked cabinets or restricted areas
Clear access controls reduce both internal risk and the potential impact of compromised credentials.
5. Regularly monitor and test networks
Security controls must be tested to ensure they are working as intended.
Businesses should:
Monitor logs of system and network access
Conduct periodic vulnerability scans (if required)
Test user permissions and access controls
Confirm that surveillance systems and physical safeguards are operational
Ongoing monitoring helps detect suspicious activity early, before it becomes a larger issue.
6. Maintain an information security policy
Finally, PCI DSS requires a formal information security policy that outlines how your firm handles sensitive data.
This policy should:
Define how payment information is processed and protected
Set expectations for employee security practices
Be reviewed annually and updated as needed
Be shared with staff and relevant third parties
A written policy reinforces that data security is a firmwide responsibility.
The 12 PCI DSS requirements explained
At the center of PCI compliance standards are 12 core security requirements. These requirements constitute the operational framework businesses must follow to meet PCI data security standards and protect cardholder information.
If you’re looking for a practical PCI compliance checklist, these 12 controls are the foundation:
1. Install and maintain network security controls: Use firewalls and other safeguards to protect cardholder data from unauthorized access.
2. Apply secure configurations to all system components: Change default passwords and ensure servers, routers, and devices are securely configured.
3. Protect stored account data: Limit storage of cardholder data and use encryption or tokenization where storage is necessary.
4. Protect cardholder data with strong cryptography during transmission: Encrypt sensitive data whenever it is transmitted across open or public networks.
5. Protect systems and networks from malicious software: Deploy and maintain anti-malware solutions to guard against viruses and cyber threats.
6. Develop and maintain secure systems and software: Keep operating systems, payment platforms, and applications updated with the latest security patches.
7. Restrict access to system components and cardholder data by business need-to-know: Ensure only authorized personnel can access sensitive information.
8. Identify users and authenticate access to system components: Assign unique user IDs and use strong authentication methods, such as multi-factor authentication.
9. Restrict physical access to cardholder data: Secure physical files, payment terminals, and servers in controlled locations.
10. Log and monitor all access to system components and cardholder data: Track user activity and maintain audit logs to detect suspicious behavior.
11. Test the security of systems and networks regularly: Perform vulnerability scans and penetration testing as required.
12. Support information security with organizational policies and programs: Establish written policies and training programs that reinforce firmwide security best practices.
Together, these requirements form a comprehensive PCI compliance checklist that helps businesses systematically reduce risk, strengthen security controls, and protect client payment information.
How can your business become PCI compliant?
Maintaining a PCI-compliant system begins with a clear understanding of how cardholder data flows through your firm and what safeguards protect it along the way. While the exact requirements depend on your transaction volume and payment setup, most businesses follow a structured process to meet PCI DSS requirements and protect sensitive payment information.
Assess your payment process
Start by mapping your payment environment in detail. Identify:
Where card data enters your business (online payments, phone payments, in-office terminals)
How it moves through your systems (invoicing platforms, practice management software, virtual terminals)
Whether any card data is being stored, intentionally or unintentionally
For many professional services firms, payment flows include emailed invoices, embedded payment links, recurring billing arrangements, and occasional manual key-entry for phone payments. Each of these touchpoints represents a potential exposure to cardholder data.
Your goal is to clearly define where data enters, how it is processed, and where it exits your systems. The less exposure you have to raw card data, the simpler your compliance requirements will be.
Use a PCI-compliant payment processor
One of the most effective ways to reduce your compliance burden is to work with a provider that offers PCI-compliant payment processing.
A PCI-compliant processor can:
Tokenize card data so your firm never stores full card numbers
Host secure, encrypted payment pages
Limit your direct handling of sensitive information
Provide a PCI-compliant system tailored to your industry’s workflows
For professional services firms, this approach shifts much of the technical complexity—such as encryption, secure hosting, and infrastructure management—to a trusted provider. As a result, your internal compliance scope is reduced, and your risk exposure is minimized.
Complete your SAQ and maintain compliance
Most small and mid-sized firms validate compliance by completing the appropriate Self-Assessment Questionnaire (SAQ) each year. Depending on your setup, you may also need to:
Conduct quarterly vulnerability scans through an Approved Scanning Vendor (ASV)
Review and update internal security policies
Confirm that required safeguards remain in place
PCI compliance is not a one-time certification. It requires ongoing attention, annual validation, and consistent security practices. By reviewing your systems regularly and keeping documentation current, your firm can maintain compliance and continue protecting client payment data with confidence.
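As an added example (not code from this article or from 8am's products), the Python below supports the first two steps above: it scans free-text records a firm might keep (invoice notes, support tickets, exported email) for digit runs that pass the Luhn check, reports them masked to the last four digits, and shows the storage rule a tokenizing processor enforces (token plus last four, never the full number). The candidate regex, the Luhn routine, the token format and the sample records are all assumptions constructed for illustration.

```python
"""Added example, not code from the article: a card-data discovery check for
the assessment step, plus the storage rule a tokenizing processor enforces.
Regex, Luhn routine, token format and sample records are all constructed."""
from __future__ import annotations
import re
import secrets

# A run of 13-19 digits, optionally separated by spaces or dashes, that is
# not part of a longer digit string (assumed candidate PAN shape).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show only the last four digits, as a findings report should."""
    return "*" * (len(pan) - 4) + pan[-4:]

def find_pans(text: str) -> list[str]:
    """Return masked Luhn-valid candidates found in one free-text record."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Map record index to masked hits; an empty dict means nothing found."""
    return {i: h for i, r in enumerate(records) if (h := find_pans(r))}

def store_card_reference(pan: str) -> dict[str, str]:
    """Record a firm may keep after tokenization: an opaque, processor-issued
    token (assumed format) and the last four digits, never the full PAN."""
    return {"token": "tok_" + secrets.token_hex(8), "last4": pan[-4:]}

SAMPLE_RECORDS = [  # constructed examples of notes a firm might keep
    "Retainer paid by phone, card 4111 1111 1111 1111 exp 12/27 per client",
    "Invoice #1042 milestone 2 paid via payment link, ref tok_9c1d2e3f",
    "Client phone 555-0100 1234, matter 2024-0031",
]
```

A non-empty result from scan_records means card data is being kept outside the processor and that record type belongs in your PCI scope until it is cleaned up.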
Ensure PCI compliance at your firm with 8am™ payment solutions
PCI compliance ultimately comes down to protecting your clients’ payment information and maintaining the trust they place in your firm. For professional services businesses that handle retainers, milestone payments, and recurring billing, choosing the right payment partner can significantly improve compliance.
8am provides industry-specific payment solutions designed to support secure, PCI-compliant payment processing while aligning with the way professional firms actually work.
LawPay: Built specifically for law firms, with trust accounting safeguards and PCI-compliant payment processing designed to meet the unique requirements of legal practices.
CPACharge: Designed for accounting professionals managing client retainers, advisory billing, and recurring payments, with a PCI-compliant system tailored to financial workflows.
ClientPay: Secure payment processing for architecture, engineering, design, and other professional services firms that need reliable, compliant online payment tools.
If you’d like help evaluating your current payment setup and PCI compliance posture, contact the 8am team.