PCI Compliance for Small Businesses: What You Actually Need to Do
Cut through the complexity of PCI-DSS compliance. A practical guide for small and medium businesses on what's required, what's optional, and how to stay compliant without breaking the bank.
PCI compliance sounds intimidating. And the full PCI-DSS standard is a 300+ page document designed for enterprise payment systems. But for most small businesses, what's actually required is much more manageable than you think.
What Is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to protect cardholder data. If you accept credit card payments, you must comply. Period.
Non-compliance can result in:
Fines from $5,000 to $100,000 per month
Increased processing fees
Account termination
Liability for fraud losses
PCI Compliance Levels
Your compliance level depends on your annual transaction volume:
Level 4: Under 20,000 e-commerce transactions/year — annual Self-Assessment Questionnaire (SAQ)
Level 3: 20,000 to 1 million e-commerce transactions/year — SAQ plus quarterly scans
Level 2: 1-6 million transactions/year — SAQ plus quarterly scans, possible on-site audit
Level 1: Over 6 million transactions/year — Annual on-site audit by a Qualified Security Assessor (QSA)
Most small businesses fall into Level 3 or 4, which means the requirements are relatively straightforward.
What Small Businesses Actually Need to Do
Use a PCI-Compliant Payment Processor
This is the single biggest thing you can do. When you use Stripe, Square, PayPal, or any reputable processor's hosted payment forms, they handle most of the PCI heavy lifting. Your cardholder data never touches your servers.
Complete Your SAQ
The Self-Assessment Questionnaire is a form you fill out annually. The type you need depends on how you accept payments:
SAQ A: If you use fully hosted payment pages (like Stripe Checkout) — the simplest form
SAQ A-EP: If you embed payment forms on your site (like Stripe Elements)
SAQ D: If you handle card data directly — the most complex. Avoid this if possible.
Maintain Basic Security Hygiene
Use HTTPS on all pages that collect or display payment information
Keep software and systems updated
Use strong, unique passwords for admin accounts
Restrict access to payment data to only those who need it
Never store full card numbers, CVV codes, or PINs
Quarterly Vulnerability Scans
If you're Level 3 or above, you need quarterly external vulnerability scans from an Approved Scanning Vendor (ASV). These typically cost $100-$500 per quarter.
Common PCI Mistakes
Emailing card numbers: Never, ever send card data via email
Storing card data in spreadsheets: Use your processor's vault instead
Ignoring the SAQ: Your processor may charge PCI non-compliance fees ($25-$100/month) until you complete it
Assuming you're exempt: If you accept cards, you must comply. No exceptions.