PCI Compliance for Online Stores: What You Need to Know and Do

PCI DSS (Payment Card Industry Data Security Standard) compliance is mandatory for every business that accepts card payments, including online stores of every size. Most small ecommerce stores using hosted payment solutions such as Stripe Checkout or Elements, PayPal, or Shopify Payments qualify for the simplest validation path, SAQ A: a short self-assessment questionnaire (22 questions under v3.2.1, roughly 30 under v4.x) whose controls are mostly account hygiene, patching, and vendor management. The key to easy PCI compliance is ensuring that card data never touches your server or your page's own form fields, by using a processor-hosted payment page, a redirect, or card fields served in the processor's iframe.

Before You Start

PCI DSS is not a government regulation. It is a contractual requirement created by the major card networks (Visa, Mastercard, American Express, Discover, and JCB) and enforced through your acquiring bank and payment processor. When you signed your merchant agreement, you agreed to maintain PCI compliance. Non-compliance can result in fines commonly cited at $5,000 to $100,000 per month passed down by your acquirer or processor, increased per-transaction fees, mandatory remediation costs, and in severe cases, termination of your ability to accept cards. These penalties escalate sharply if you suffer a data breach while non-compliant, because the card brands can also charge back fraud losses and reissuance costs.

PCI DSS version 4.0 replaced version 3.2.1 when the older version was retired on March 31, 2024; the new requirements introduced in v4.0 were initially "best practice" and became mandatory on March 31, 2025. The current revision is v4.0.1 (June 2024), which clarifies wording without adding requirements. Version 4.x includes significant changes, including multi-factor authentication for all access into the cardholder data environment, automated mechanisms for reviewing audit logs, and stricter web application security requirements, notably protection against client-side attacks such as card-skimming JavaScript. If your last compliance assessment was under version 3.2.1, you need to reassess under version 4.x.

Step-by-Step Compliance Process

Step 1: Determine your PCI compliance level.
Merchant levels are defined by the card brands (the Visa thresholds are quoted here; the other brands use similar ones) based on annual transaction volume. Level 4 processes fewer than 20,000 ecommerce transactions per year (and up to 1 million transactions across all channels) and is where the vast majority of small online stores fall. Level 3 processes 20,000 to 1 million ecommerce transactions. Level 2 processes 1 to 6 million transactions. Level 1 processes over 6 million, and the brands can also move any merchant that has suffered a breach to Level 1. Your level determines your validation requirements: Level 4 merchants complete a Self-Assessment Questionnaire (SAQ) and, depending on their SAQ type, quarterly external vulnerability scans. Level 1 merchants require an annual onsite assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance, which typically costs $50,000 to $200,000+. Confirm your level with your acquirer or payment processor, because some impose stricter requirements than the brand baseline. For most stores reading this guide, you are Level 4, and the path to compliance is straightforward and inexpensive.
Step 2: Use a hosted payment solution to minimize your PCI scope.
Your PCI compliance burden depends almost entirely on how your store handles card data. If card numbers pass through your server, even momentarily, you face the full PCI DSS scope (SAQ D, several hundred questions). If card numbers are entered on a payment page hosted by your processor, or into card fields served in an iframe from your processor's domain, and never touch your server, your scope drops to the few dozen controls in SAQ A. The difference in effort, cost, and risk is enormous. Shopify, BigCommerce, and Squarespace handle payment processing through their own PCI-validated infrastructure, so their merchants normally qualify for SAQ A. For WooCommerce stores, Stripe Checkout or Stripe Elements (where the card input fields are iframes served from Stripe's servers) or PayPal's hosted buttons qualify you for SAQ A; the processor's own documentation states which SAQ each integration method is eligible for. If you currently use a gateway that accepts card numbers in your own HTML form and sends them through your server-side code, switch to a hosted solution. There is no reason for a small ecommerce store to handle raw card data; the security risk, compliance cost, and liability exposure are all dramatically higher than the hosted alternative. One caveat: even with a processor iframe, the page that embeds it is still yours. If an attacker can inject JavaScript into that page they can overlay or replace the iframe, which is why v4.x still expects SAQ A merchants to protect the payment page against script attacks (see the 4.0 changes below).
Step 3: Complete your Self-Assessment Questionnaire.
Download the correct SAQ from the PCI Security Standards Council website (pcisecuritystandards.org). For stores whose checkout is fully outsourced, either a redirect to a processor-hosted page or card fields served in a processor iframe, with no card data touching your server or your own form fields, complete SAQ A. For stores whose own page generates the card fields and posts them directly to the processor from the browser (a JavaScript "direct post" integration), complete SAQ A-EP (roughly 150 questions), because your page's code can now read the card data. The questions cover your security practices, including: do you use strong cryptography for all transmissions of cardholder data, do you restrict access to system components to authorized personnel, do you use unique IDs for each person with computer access, do you keep software patched, and do you regularly test security systems and processes. Answer honestly. These are not trick questions; they are genuine security practices that protect your business. Where you answer "no" to a required control, implement the control before submitting your SAQ. Your payment processor typically provides a portal or form where you submit your completed SAQ and Attestation of Compliance, and most processors require annual submission.
Step 4: Run quarterly vulnerability scans if required.
Under v3.2.1, SAQ A merchants were not required to perform quarterly external vulnerability scans. The v4.x SAQ A adds Requirement 11.3.2, quarterly external scans by an Approved Scanning Vendor (ASV), so most SAQ A merchants should now plan on them as well; confirm with your acquirer what it expects for your setup. SAQ A-EP and SAQ D merchants have always needed them. ASV scans cost roughly $100 to $300 per quarter and test your store's public-facing systems for known vulnerabilities, misconfigurations, and outdated software. Approved vendors include SecurityMetrics, Qualys, Trustwave, and Comodo; the full list is on the PCI SSC website. A passing scan has no vulnerabilities with a CVSS base score of 4.0 or higher (medium severity and above) and none of the automatic-failure findings in the ASV program guide, such as exploitable SQL injection or cross-site scripting. If the scan identifies such vulnerabilities, remediate them and rescan until you achieve a passing result. Even where scans are not strictly required, running periodic vulnerability scans is a best practice that catches security issues before attackers find them.
Step 5: Maintain compliance year-round.
PCI compliance is not a one-time event; it is a continuous obligation. Your security controls must be in place and functioning at all times, not just when you fill out the annual SAQ. Maintain compliance by keeping all software updated (platform, plugins, server operating system, PHP version), reviewing your admin access list quarterly and removing accounts for anyone who no longer needs access, acting on alerts from your monitoring tools about unauthorized changes or suspicious activity, documenting your security policies and procedures in writing, and giving security awareness training to any employees who handle customer data. When you change your store's payment integration, hosting environment, or checkout flow, reassess whether the change affects your PCI scope. Adding a new payment method, switching hosting providers, or adding a script to your checkout page can all change your compliance requirements. Document significant changes and their PCI implications in your security records.

PCI DSS 4.0 Key Changes for Ecommerce

Client-side security requirements (Requirements 6.4.3 and 11.6.1) are the most significant new controls for online stores. PCI DSS 4.x requires that every script loaded on a payment page is authorized and listed in an inventory with a written justification, that its integrity is assured (6.4.3), and that a change- and tamper-detection mechanism alerts you to unauthorized modifications of the payment page's HTTP headers and script content, evaluated at least weekly or at a frequency set by a targeted risk analysis (11.6.1). This directly addresses Magecart-style attacks, where malicious JavaScript is injected into checkout pages to skim card data. In practice, this means a Content Security Policy (CSP) header that restricts which script origins can run on payment pages, Subresource Integrity (SRI) attributes on script tags so the browser rejects a tampered file, a maintained inventory of scripts and their expected hashes, and a job that periodically fetches the live page and compares it with that inventory. Hosted platforms like Shopify handle this for their checkout pages, but self-hosted stores must implement these controls themselves. The SAQ A revision published in early 2025 moved these two requirements out of the SAQ A question list and into its eligibility criteria (you must confirm your site is protected against script attacks), so the substance of the obligation is unchanged.

Multi-factor authentication (Requirement 8.4.2) is now required for all access into the cardholder data environment, not only for remote access from outside your network or for administrators. For most ecommerce stores, this means every account on every system that can affect payment processing or customer data (hosting control panel, store admin, payment processor dashboard, DNS registrar) must have MFA enabled. This aligns with the authentication guidance security practitioners have given for years.

Targeted risk analysis (Requirement 12.3.1) requires you to perform a documented risk analysis for each PCI DSS requirement where the standard allows flexibility in implementation. This affects mostly larger organizations, but even small stores should document their security decisions and the reasoning behind them.

Common PCI Compliance Mistakes

Storing card data you do not need. Some store owners save full card numbers in their order management system, spreadsheets, emails, or paper files for reorder convenience. Storing the primary account number anywhere on your own systems pulls you out of SAQ A and into the full standard, where it must be rendered unreadable and protected by the complete control set; storing the CVV or other sensitive authentication data after authorization is never permitted under any SAQ. Either way it dramatically increases your breach liability. If you need to support reorders or subscriptions, use your payment processor's tokenization feature, which stores a token referencing the card in the processor's vault rather than the card number on your systems.

Assuming your platform handles everything. While hosted platforms like Shopify handle payment processing security, you are still responsible for the security of your admin account, your third-party apps, your staff accounts, and any custom code or integrations. PCI compliance covers your entire cardholder data environment, which includes any system that could affect the security of payment processing.

Treating compliance as an annual checkbox. Completing your SAQ once per year and then ignoring security for the other 364 days is technically non-compliant and practically dangerous. If a breach occurs and investigation reveals that your security controls were not maintained between assessments, your non-compliance penalties increase and your liability for the breach escalates dramatically.

Not knowing your SAQ type. Many merchants complete the wrong SAQ, typically choosing an easier SAQ than their payment integration actually qualifies for. If your checkout page includes any JavaScript from your payment processor that runs within your website's HTML (rather than a fully hosted page or a processor-served iframe), you likely need SAQ A-EP rather than SAQ A. Your payment processor's integration documentation specifies which SAQ type applies to their integration method.

Cost of PCI Compliance by Store Size

Small stores using hosted payments (SAQ A): Very low cost. The SAQ is a self-assessment you complete yourself, and the security controls it asks about (strong passwords, MFA, software updates, knowing which vendors handle your card data) are things you should be doing regardless. Under v4.x SAQ A, budget for quarterly ASV scans ($100 to $300 per quarter) unless your acquirer confirms they are not required for your setup. Your payment processor may also charge a PCI program fee of $5 to $20 per month, which is an administration fee rather than a compliance cost, and many charge a larger monthly non-compliance fee if you fail to submit your SAQ.

Mid-size stores requiring SAQ A-EP or SAQ D: Expect $400 to $1,200 per year for quarterly ASV scans, $500 to $2,000 for a PCI compliance consultant to help with your SAQ if needed, and the cost of implementing any security controls you currently lack (WAF, intrusion detection, log management). Total annual cost typically ranges from $1,000 to $5,000.

Large stores requiring Level 1 assessment: A Qualified Security Assessor engagement producing a Report on Compliance costs $50,000 to $200,000+ annually, plus the cost of maintaining the full PCI DSS control set (roughly 250 to 300 requirements depending on version), dedicated security personnel, and continuous compliance monitoring. This level of compliance is a significant operational commitment that requires dedicated resources.