
PCI Compliance Guide for Small Business

Most small online businesses qualify for the simplest level of PCI compliance (SAQ A) by using a hosted payment form from Stripe, PayPal, or Shopify Payments, so that card data never touches your server. SAQ A is the shortest questionnaire (22 questions under PCI DSS 3.2.1; the 4.x forms added a handful, mostly about the scripts that run on your payment page), and most of its items are basic security practices you should already be following: HTTPS everywhere, strong passwords, restricted admin access, and keeping software updated. Completing it takes 15 to 30 minutes once per year.

What Is PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by Visa, Mastercard, American Express, Discover, and JCB to protect cardholder data. Every business that accepts, processes, stores, or transmits credit card information must comply with PCI DSS, regardless of size. There are no exemptions based on transaction volume, number of employees, or business type.

The standard is maintained by the PCI Security Standards Council, an independent organization founded by the five major card networks. The current version is PCI DSS 4.x: version 4.0 replaced 3.2.1 when the older version was retired in March 2024, a 4.0.1 revision followed in June 2024, and the requirements that 4.0 had marked as future-dated became mandatory in March 2025. Version 4.0 introduced more flexibility in how businesses meet the requirements, allowing a "customized approach" alongside the traditional defined requirements.

Non-compliance does not result in criminal penalties, but the financial consequences are real. Your acquiring bank or payment processor can fine you $5,000 to $100,000 per month for non-compliance. If a data breach occurs while you are non-compliant, you are liable for all costs: forensic investigation ($20,000 to $100,000+), card replacement costs ($3 to $10 per compromised card), notification costs, legal fees, and the fines imposed by the card networks. For a small business, a breach while non-compliant can be financially devastating.

PCI Compliance Levels for Merchants

The card networks categorize merchants into four levels based on annual transaction volume. Each brand publishes its own thresholds; the ones below are Visa's, and the other brands are close to them. Your level determines the type of compliance validation you need:

Level 1: More than 6 million transactions per year. Requires an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly network vulnerability scans by an Approved Scanning Vendor (ASV). This level applies to major retailers and large ecommerce operations.

Level 2: 1 million to 6 million transactions per year. Requires an annual SAQ (Self-Assessment Questionnaire) and quarterly ASV scans. Some acquirers require a QSA-validated SAQ for Level 2 merchants.

Level 3: 20,000 to 1 million ecommerce transactions per year. Requires an annual SAQ and quarterly ASV scans (if applicable based on SAQ type).

Level 4: Fewer than 20,000 ecommerce transactions per year, or up to 1 million total transactions across all channels. Requires an annual SAQ. Quarterly ASV scans depend on the SAQ type. This is where the vast majority of small businesses fall.

If your online store processes fewer than 20,000 transactions per year (roughly 55 transactions per day), you are Level 4. Compliance means completing the right SAQ once per year and maintaining basic security practices. There is no auditor visit and no penetration test requirement, and the 3.2.1 version of SAQ A required no quarterly ASV scan at all; the 4.x forms changed some of these details, so confirm the current SAQ and scan expectations with your acquirer or processor.

Understanding SAQ Types

The SAQ (Self-Assessment Questionnaire) is the document you complete to validate your PCI compliance. There are multiple SAQ types, and the one you need depends on how you handle card data. Choosing the right SAQ type matters because it determines how many requirements you must meet. The question counts below are from the PCI DSS 3.2.1 questionnaires; the 4.x forms renumbered and added items, so download the current version from the PCI SSC document library before you start.

SAQ A (22 requirements): For merchants who fully outsource all cardholder data processing to PCI-compliant third parties. Card data never enters, is processed by, or stored on your systems. This is what you qualify for when you use Stripe Checkout, Stripe Elements, PayPal hosted checkout buttons, Shopify Payments, or any hosted payment form where the customer enters their card information on the processor's domain or in an iframe served from the processor's servers.

SAQ A-EP (191 requirements): For ecommerce merchants whose website never receives card data but delivers some or all of the payment page to the customer's browser: for example, a form on your page whose fields post card data straight to the processor (direct post), or a script served from your own site that builds the card fields in your page rather than inside an iframe served by the processor. Because your web server now controls how card data reaches the processor, an attacker who compromises it can alter the page and skim cards, so the questionnaire covers that server. Stripe Elements renders its card fields inside iframes served by Stripe, and Stripe documents it as SAQ A eligible, but some acquirers treat any checkout page hosted on your domain as A-EP, so ask yours before you choose a form.

SAQ D (329 requirements): For merchants who handle card data directly, store card numbers on their servers, or do not meet the criteria for a simpler SAQ. This is the full PCI compliance burden and requires quarterly ASV scans, internal vulnerability scans, penetration testing, and extensive documentation. Very few small businesses should be in this category.

The practical advice for small businesses: use a hosted payment solution (Stripe Checkout, PayPal hosted buttons, Shopify Payments) and qualify for SAQ A. The difference between 22 requirements and 329 requirements is the difference between a 30-minute annual checklist and a multi-week compliance project requiring outside consultants.

Step 1: Use Hosted Payment Forms

The single most impactful step for PCI compliance is ensuring that credit card data never touches your server. Modern payment processors make this easy with hosted payment solutions:

Stripe Checkout: Redirects the customer to a Stripe-hosted payment page. Card data is entered entirely on Stripe's domain. Your server never sees, processes, or stores any card information. This is the clearest path to SAQ A.

Stripe Elements / Payment Element: Embeds card input fields as iframes served from Stripe's servers within your website's checkout page. The customer appears to enter their card on your site, but the actual input fields run in a sandboxed iframe from Stripe. The card data goes directly from the iframe to Stripe without passing through your server. This approach qualifies for SAQ A under most interpretations, though some stricter acquirers may require SAQ A-EP.

Shopify Payments: Shopify handles the entire checkout and payment flow on its PCI-compliant infrastructure. If you use Shopify Payments, you are covered at the SAQ A level, and Shopify provides a compliance certificate. That certification covers Shopify's platform, not your store's admin accounts, staff permissions, or any third-party apps and custom scripts you add to checkout; those remain your responsibility.

PayPal Checkout: Redirects customers to PayPal's domain for payment. Card data is processed entirely by PayPal. Qualifies for SAQ A.

WooCommerce Payments (now WooPayments): Built on Stripe's payment infrastructure. Card fields are rendered in Stripe-hosted iframes, so it qualifies for SAQ A in most configurations. A third-party gateway plugin that renders its own card fields inside your page does not.
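The SAQ A versus A-EP versus D question above comes down to one thing you can check on the page itself: where every element of the checkout page comes from, and whether any card field lives in your own DOM. The following is an added example written for this guide, not tooling from Stripe or the PCI SSC; the processor allowlist, the hostnames and the three sample pages are constructed. Run it against the DOM as rendered in the browser (copy it from devtools), because Stripe Elements injects its iframes at runtime and the raw page source would not show them.

```python
"""Audit a rendered checkout page: which origins deliver its elements, and does
card data ever enter the merchant's own DOM?  Feed it the DOM as rendered in the
browser: Stripe Elements injects its iframes at runtime.  Added example for this
guide, not tooling from Stripe or the PCI SSC; allowlist, hosts and pages are
constructed."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only these origins (your validated processor) may deliver
# payment-page elements.  Use the origins your own processor documents.
PROCESSOR_ORIGINS = {"https://js.stripe.com", "https://checkout.stripe.com"}
CARD_FIELD_HINTS = ("cc-number", "cc-csc", "cc-exp", "cardnumber", "card_number",
                    "card-number", "ccnum", "cvc", "cvv")


def origin_of(url, base_origin):
    """scheme://host of a URL; relative references resolve to the page itself."""
    parts = urlsplit(url.strip())
    if parts.netloc:                        # absolute or protocol-relative (//host/..)
        scheme = parts.scheme or urlsplit(base_origin).scheme
        return f"{scheme}://{parts.netloc.lower()}"
    return base_origin


@dataclass
class PageAudit:
    page_origin: str
    scripts: list = field(default_factory=list)      # (src, origin)
    iframes: list = field(default_factory=list)      # (src, origin)
    card_inputs: list = field(default_factory=list)  # (enclosing form action, attrs)
    inline_scripts: int = 0


class CheckoutAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.audit = PageAudit(page_origin=origin_of(page_url, ""))
        self._forms = []                      # stack of enclosing <form action> values

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        page = self.audit.page_origin
        if tag == "script":
            if "src" in a:
                self.audit.scripts.append((a["src"], origin_of(a["src"], page)))
            else:
                self.audit.inline_scripts += 1
        elif tag == "iframe" and a.get("src"):
            self.audit.iframes.append((a["src"], origin_of(a["src"], page)))
        elif tag == "form":
            self._forms.append(a.get("action", ""))   # "" posts back to this page
        elif tag == "input":
            hints = " ".join(a.get(k, "") for k in ("autocomplete", "name", "id")).lower()
            if any(h in hints for h in CARD_FIELD_HINTS):
                self.audit.card_inputs.append((self._forms[-1] if self._forms else "", a))

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            self._forms.pop()


def audit_page(page_url, html):
    parser = CheckoutAuditor(page_url)
    parser.feed(html)
    return parser.audit


def classify(audit):
    """Best-case SAQ the page can claim, plus what a reviewer should look at."""
    page, warnings = audit.page_origin, []
    for action, attrs in audit.card_inputs:      # card data in your DOM: never SAQ A
        label = attrs.get("name") or attrs.get("id") or attrs.get("autocomplete")
        target = origin_of(action, page)
        if target == page:
            return {"saq": "D", "reason": f"card field '{label}' posts to your own server"}
        return {"saq": "A-EP", "reason": f"card field '{label}' is in your DOM, posts to {target}"}
    for src, org in audit.iframes:
        if org not in PROCESSOR_ORIGINS:
            warnings.append(f"iframe from non-processor origin {org}: {src}")
    for src, org in audit.scripts:
        if org not in PROCESSOR_ORIGINS:           # can rewrite your page, not the iframe
            warnings.append(f"third-party script {src}: inventory it and justify why it runs here")
    if audit.inline_scripts:
        warnings.append(f"{audit.inline_scripts} inline script(s): review and protect against tampering")
    return {"saq": "A", "reason": "no card fields in your DOM", "warnings": warnings}


# Constructed sample pages for a merchant at https://shop.example
ELEMENTS_PAGE = """<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.analytics-example.net/track.js"></script>
<form action="/create-payment-intent" method="post"><input name="email" autocomplete="email"></form>
<iframe src="https://js.stripe.com/v3/elements-inner-payment-0000.html"></iframe>"""
DIRECT_POST_PAGE = """<form action="https://api.processor-example.com/charge" method="post">
<input name="number" autocomplete="cc-number"><input name="cvc" autocomplete="cc-csc"></form>"""
SERVER_POST_PAGE = """<form action="/checkout/pay" method="post">
<input name="card_number"><input name="cvv"></form>"""

if __name__ == "__main__":
    print(classify(audit_page("https://shop.example/checkout", ELEMENTS_PAGE)))
```

On the constructed Elements page this reports SAQ A with one warning, the analytics script, which is exactly the kind of third-party JavaScript that card skimmers ride on and that the 4.x questionnaires ask you to inventory. The direct-post page comes back A-EP and the page posting to `/checkout/pay` comes back D. A form built entirely by JavaScript can only be seen in the rendered DOM, which is why the static source is not enough.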

Step 2: Complete the SAQ A Requirements

SAQ A has 22 requirements grouped into manageable categories. Here is what each requires in practice for a small online business:

Firewall and router configuration (if applicable): If you manage your own web server, ensure your firewall restricts inbound connections to only the ports you need: 80 for HTTP, 443 for HTTPS, and your SSH port, which should ideally be reachable only from your own addresses or a VPN and accept key-based authentication only. If you use a hosted platform like Shopify or a managed hosting provider, they handle this for you.

No default passwords: Change all default passwords on your web hosting control panel, CMS admin account, database, and any other systems. Use strong, unique passwords for every account. Use a password manager.

HTTPS everywhere: Your entire website must use HTTPS, not just the checkout page. Most hosting providers include free TLS certificates through Let's Encrypt. Verify that HTTP requests redirect to HTTPS automatically, send a Strict-Transport-Security header so browsers stop trying HTTP at all, and disable TLS 1.0 and 1.1, which PCI DSS has required merchants to retire since 2018.

Anti-virus and security patches: Keep your operating system, CMS (WordPress, Magento), plugins, and themes updated to the latest versions. Unpatched software is the most common attack vector for ecommerce breaches. Enable automatic updates where possible.

Restrict access: Only give admin access to people who need it. Remove access for former employees immediately. Use two-factor authentication (2FA) on all admin accounts. This is the requirement most small businesses overlook, often leaving former employees or contractors with active admin credentials.

Unique user IDs: Every person who accesses your admin panel should have their own username. Do not share a single admin account among multiple people. This creates an audit trail if a breach occurs.

Physical security: Restrict physical access to any systems that handle payment data. For most small online businesses using hosted platforms, this is not applicable because there are no on-premise systems.

Maintain a security policy: Document your security practices, even if the document is a single page. Cover password requirements, access control procedures, update schedules, and incident response (who to contact if you suspect a breach). This does not need to be a formal document; a clear internal wiki page or Google Doc works.

Step 3: Maintain Compliance Year-Round

PCI compliance is not a once-a-year checkbox. The SAQ is an annual validation, but the security practices it covers must be maintained continuously. Here is a practical maintenance schedule:

Weekly: Check for and apply CMS and plugin updates. Review admin access logs for unusual activity.

Monthly: Review active admin accounts and remove any that should not be active. Check that SSL certificates are valid and not approaching expiration.

Quarterly: If your SAQ type requires ASV scans, complete them. Review your password practices and update any weak or shared passwords.

Annually: Complete and submit your SAQ. Review and update your security policy. Verify that your payment integration has not changed in a way that affects your SAQ type (for example, switching from Stripe Checkout to a form that posts card data to your own server would move you from SAQ A to SAQ D, and a direct-post or self-built card form would move you to SAQ A-EP).
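The weekly log review and the monthly account review in the schedule above are easy to skip when they are manual. The following is an added example for this guide, not code from any CMS or hosting platform: it takes admin login events in a simple constructed format (timestamp, user, source IP, result) together with a constructed admin roster, and produces the findings a reviewer should act on: generic logins that violate the unique-user-ID item, accounts with no successful login in 90 days, one account used from several addresses (a shared credential), and bursts of failed logins. Adapt `parse_line()` to whatever your CMS or control panel exports.

```python
"""Review admin login activity against the SAQ A access-control items: unique
user IDs, removal of stale access, and watching for unusual activity.
Added example for this guide; the log format, roster and events are constructed
and not taken from any real platform.  Adapt parse_line() to your CMS or
hosting control panel's audit log."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Current admin roster (constructed); in practice export it from your CMS.
ADMIN_ACCOUNTS = ["alice", "bob", "contractor-dave", "admin"]
# Names that cannot be tied to one person (requirement: unique user IDs).
GENERIC_NAMES = {"admin", "administrator", "root", "shop", "support", "test"}
STALE_AFTER = timedelta(days=90)
SHARED_IP_THRESHOLD = 3                       # distinct source IPs for one account
BRUTE_FORCE_COUNT, BRUTE_FORCE_WINDOW = 10, timedelta(minutes=10)
REVIEW_DATE = datetime(2024, 6, 30, tzinfo=timezone.utc)   # "today" for the sample


def parse_line(line):
    """'<ISO 8601 UTC> <user> <ip> <success|failure>' -> (when, user, ip, ok)."""
    ts, user, ip, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, ip, result == "success"


def review_access(lines, as_of):
    """Return (finding, subject, detail) tuples for the reviewer to act on."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    last_success, ips_by_user, failures_by_ip = {}, defaultdict(set), defaultdict(list)
    for when, user, ip, ok in events:
        if ok:
            last_success[user] = when          # events are sorted, so this is the latest
            ips_by_user[user].add(ip)
        else:
            failures_by_ip[ip].append(when)
    findings = []
    for user in ADMIN_ACCOUNTS:
        if user.lower() in GENERIC_NAMES:
            findings.append(("non-unique-id", user, "generic login; give each person their own"))
        last = last_success.get(user)
        if last is None or as_of - last > STALE_AFTER:
            age = "never" if last is None else f"{(as_of - last).days} days ago"
            findings.append(("stale-access", user, f"last successful login {age}; disable or remove"))
    for user, ips in ips_by_user.items():
        if len(ips) >= SHARED_IP_THRESHOLD:
            findings.append(("possible-shared-credential", user,
                             f"used from {len(ips)} source IPs: {sorted(ips)}"))
    for ip, times in failures_by_ip.items():  # sliding window over sorted failures
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BRUTE_FORCE_WINDOW:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_COUNT:
                findings.append(("brute-force", ip,
                                 f"{end - start + 1} failed logins within {BRUTE_FORCE_WINDOW}"))
                break
    return findings


def sample_log():
    """Constructed events; not real traffic."""
    lines = [
        "2024-06-28T09:01:12Z alice 203.0.113.10 success",
        "2024-06-28T09:03:44Z admin 198.51.100.7 success",
        "2024-06-28T09:05:10Z admin 203.0.113.55 success",
        "2024-06-28T09:06:30Z admin 192.0.2.200 success",
        "2024-03-15T14:22:01Z contractor-dave 203.0.113.80 success",
        "2024-06-29T10:00:00Z bob 198.51.100.23 success",
    ]
    for i in range(12):                        # 12 failures against bob in under 4 minutes
        lines.append(f"2024-06-29T02:{10 + i // 3:02d}:{(i % 3) * 20:02d}Z bob 192.0.2.99 failure")
    return lines


if __name__ == "__main__":
    for kind, subject, detail in review_access(sample_log(), REVIEW_DATE):
        print(f"{kind:28} {subject:16} {detail}")
```

On the sample data the review flags `contractor-dave` as stale (no login since March), `admin` twice (a generic name, and use from three different addresses in five minutes, which is what a password shared around a team looks like), and the address that fired twelve failed logins at `bob`. The thresholds are assumptions; tune them to your traffic, but keep the 90-day stale limit, which is the number PCI DSS itself uses for inactive accounts.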

Common PCI Compliance Mistakes

Storing card numbers in your database: Never store full card numbers, CVVs, or magnetic stripe data. PCI DSS forbids keeping the CVV and stripe data after authorization under any circumstances, and permits stored card numbers only when they are rendered unreadable; a small online business has no legitimate reason to keep either. Your payment processor stores and tokenizes card data for you. If you find card numbers in your database, order forms, email, support tickets, or log files, delete them securely, then fix the process that put them there (usually a debug log or a form field that should never have existed).

Collecting card data via email or phone and entering it manually: When a customer emails you their card number or reads it to you over the phone and you key it into your processor's virtual terminal, you are handling card data directly. Phone orders keyed into a virtual terminal on an isolated computer fall under SAQ C-VT rather than A; card numbers that arrive by email are worse, because the number now sits in your mailbox and its backups as stored cardholder data. Instead, send the customer a payment link (Stripe Payment Links, PayPal.Me, Square invoices) so they enter their own card data into the processor's hosted form, and delete any message that contains a card number without quoting it in your reply.
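Finding card numbers that have already leaked into logs, database dumps, ticket exports or mailboxes, as the two items above require, is a job for a scanner rather than a search box, because naive digit searches drown in timestamps and order IDs. The following is an added example for this guide, not a PCI SSC or vendor tool: it pairs a Luhn check with the public brand prefixes so that only plausible PANs are reported, and it prints only the last four digits so the report cannot itself become a new copy of the data. The sample text is constructed from well-known test card numbers.

```python
"""Find card numbers (PANs) that leaked into logs, database dumps, support
tickets or mailboxes.  Added example for this guide, not a PCI SSC or vendor
tool; the brand prefixes are public IIN ranges and the sample text below is
constructed from well-known test card numbers."""
import re
import sys

# 13 to 19 digits, allowing a single space or dash between digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
BRANDS = [  # (brand, regex matched at the start of the bare digits, valid lengths)
    ("Visa", r"4", (13, 16, 19)),
    ("Mastercard", r"5[1-5]|2(?:22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)", (16,)),
    ("American Express", r"3[47]", (15,)),
    ("Discover", r"6011|65|64[4-9]", (16, 19)),
    ("JCB", r"35(?:2[89]|[3-8]\d)", (16, 19)),
]


def luhn_ok(digits):
    """Luhn checksum: weeds out timestamps, order IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits):
    for name, prefix, lengths in BRANDS:
        if len(digits) in lengths and re.match(prefix, digits):
            return name
    return None


def mask(digits):
    """Report only the last four digits: the report must not become a new leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return (line_no, masked_pan, brand) for every Luhn-valid, branded number."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = brand_of(digits)
            if brand and luhn_ok(digits):
                hits.append((n, mask(digits), brand))
    return hits


# Constructed sample: a debug log, a support ticket and an invoice line.
SAMPLE_TEXT = """\
2024-06-28 09:01:12 order=10231 email=ann@example.com total=59.00
2024-06-28 09:01:13 DEBUG form={'number': '4242 4242 4242 4242', 'cvc': '123'}
support ticket #88: customer called, card 5555-5555-5555-4444 exp 12/27
invoice ref 20240628090112 shipment 378282246310005
typo test: 4242424242424241 should not match
jcb test 3530111333300000 and discover 6011111111111117
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TEXT
    for line_no, masked, brand in find_pans(text):
        print(f"line {line_no}: {brand} {masked}")
```

Pipe a log file, a database export or a mailbox dump into it (`python pan_scan.py < access.log`, the file name being an assumption) and it lists the line, the brand and the masked number. On the sample it reports five numbers and ignores both the 14-digit invoice reference and the mistyped Visa number that fails the Luhn check. Note the second sample line: a CVV logged next to the card number is sensitive authentication data that may never be retained, so a hit like that means the logging statement, not just the log file, has to go.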

Ignoring the annual SAQ: Some payment processors charge a PCI non-compliance fee ($19 to $30/month) if you do not complete your SAQ. More importantly, non-compliance leaves you liable if a breach occurs. The SAQ A takes 15 to 30 minutes. Complete it annually.

Using outdated software: Running an old version of WordPress, WooCommerce, Magento, or any CMS with known security vulnerabilities is a PCI violation and a practical risk. The majority of small ecommerce breaches exploit known vulnerabilities in unpatched software. Set up automatic updates or check for updates weekly.

PCI Compliance on Popular Platforms

Shopify: Shopify is Level 1 PCI DSS compliant and handles compliance for the platform itself. You receive a PCI compliance certificate from Shopify. Beyond that, your responsibility is the security of your admin accounts (strong passwords, 2FA, per-person staff logins) and the apps and scripts you choose to install.

WooCommerce: Your compliance responsibility depends on your payment gateway and hosting. With WooPayments or Stripe Elements you qualify for SAQ A under most acquirers' reading of the criteria. You need to complete the SAQ yourself and maintain your WordPress installation's security, including every plugin and theme that runs on the checkout page.

BigCommerce: Like Shopify, BigCommerce is Level 1 PCI compliant and handles compliance for hosted payment processing. Your responsibility is limited to securing your admin account.

Custom-built stores: Your compliance scope depends entirely on how you handle card data. Use Stripe Checkout or a hosted payment solution to minimize your scope to SAQ A. If you build your own payment form that submits card data through your server, you face SAQ D requirements, which are substantial.