If your business accepts credit or debit cards — in person, online, or over the phone — PCI compliance applies to you. There is no revenue threshold below which it doesn’t matter, and no exemption for “we only run a few cards a month.” Yet PCI DSS (the Payment Card Industry Data Security Standard) remains one of the most misunderstood requirements small businesses face.
This guide breaks down what PCI compliance actually is, what it requires at each level, how the self-assessment process works, and the mistakes that most often get small businesses in trouble. After 35 years of helping Atlanta-area businesses secure their networks and payment environments, we’ve seen where companies stumble — and how straightforward compliance can be when the technical foundation is right.
What Is PCI DSS?
PCI DSS is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — to protect cardholder data. The standard is maintained by the PCI Security Standards Council, which the card brands founded in 2006, and it applies to every organization that stores, processes, or transmits payment card data.
The current version of the standard is PCI DSS 4.x, which became the only active version after PCI DSS 3.2.1 was retired on March 31, 2024. A number of new requirements introduced in version 4.0 became mandatory on March 31, 2025, so businesses that haven’t reviewed their compliance posture in a couple of years are likely working from an outdated checklist.
At its core, PCI DSS is organized around 12 requirements grouped into six goals:
- Build and maintain a secure network — firewalls and secure configurations (no vendor default passwords)
- Protect cardholder data — encrypt stored data and data transmitted across open networks
- Maintain a vulnerability management program — anti-malware protection and secure systems/software
- Implement strong access control — restrict access to cardholder data by business need-to-know, unique IDs for every user, physical access restrictions
- Regularly monitor and test networks — logging, log review, and security testing
- Maintain an information security policy — documented policies that address security for all personnel
Important distinction: PCI DSS is not a law. It’s a contractual obligation embedded in your merchant agreement with your bank and payment processor. But contractual doesn’t mean optional — the consequences of ignoring it are very real, as we’ll cover below.
Does PCI Compliance Apply to Small Businesses?
Yes. PCI DSS applies to any business that accepts payment cards, regardless of size or transaction volume. A one-location coffee shop running 50 transactions a day has the same fundamental obligation as a national retailer — the difference is in how compliance is validated, not whether it applies.
This is the single most common misconception we encounter. Small business owners often assume their payment processor “handles PCI” for them, or that compliance only kicks in at some transaction threshold. Neither is true. Your processor provides tools and may guide you through validation, but the compliance obligation sits with you, the merchant.
The good news: for most small businesses, validation is a self-assessment process rather than a formal audit, and modern payment technology can dramatically shrink what you’re responsible for.
What Are the PCI Compliance Levels?
PCI compliance levels are based on your annual card transaction volume, and they determine how you must validate compliance — not what security is required. The four merchant levels (using Visa’s commonly referenced thresholds) are:
- Level 1: More than 6 million Visa transactions per year. Requires an annual on-site assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance (ROC), plus quarterly network scans by an Approved Scanning Vendor (ASV).
- Level 2: 1 million to 6 million transactions per year. Annual Self-Assessment Questionnaire (SAQ), quarterly ASV scans.
- Level 3: 20,000 to 1 million e-commerce transactions per year. Annual SAQ, quarterly ASV scans.
- Level 4: Fewer than 20,000 e-commerce transactions and up to 1 million total transactions per year. Annual SAQ; quarterly scans if applicable to your SAQ type.
The overwhelming majority of small businesses fall into Level 4. That means your validation path is a Self-Assessment Questionnaire — a structured document where you attest to meeting the requirements that apply to your payment environment.
One caveat: a business of any size that suffers a data breach can be escalated to Level 1 validation requirements by the card brands. Compliance level is not a permanent classification.
What Is a Self-Assessment Questionnaire (SAQ) and Which One Do I Need?
A Self-Assessment Questionnaire is the document most small businesses complete annually to validate PCI compliance, and the version you fill out depends entirely on how you accept cards. Choosing the right SAQ matters enormously — the difference between the shortest and longest questionnaires is hundreds of requirements.
The most common SAQ types:
- SAQ A — Card-not-present merchants (e-commerce or mail/phone order) who have fully outsourced all cardholder data functions to PCI-validated third parties. Example: your website redirects customers to a hosted payment page (like a processor-hosted checkout). This is the shortest SAQ.
- SAQ A-EP — E-commerce merchants whose website doesn’t receive cardholder data but does affect the security of the payment transaction (for example, your site serves the payment form code). Significantly longer than SAQ A.
- SAQ B — Merchants using only standalone dial-out terminals or imprint machines, with no electronic cardholder data storage.
- SAQ B-IP — Merchants using standalone, PTS-approved payment terminals that connect over IP to the processor, with no electronic storage.
- SAQ C — Merchants with payment application systems connected to the internet, no electronic cardholder data storage.
- SAQ P2PE — Merchants using a validated point-to-point encryption solution listed by the PCI Council. Card data is encrypted at the terminal and your systems never see it in usable form. Very short questionnaire.
- SAQ D — Everyone who doesn’t fit a simpler category, including any merchant that electronically stores cardholder data. This is the full standard — hundreds of requirements — and it’s the questionnaire you want to avoid qualifying for.
The strategic takeaway: how you architect your payment acceptance determines your compliance burden. A dealership or retail business using validated P2PE terminals and never storing card numbers has a radically lighter compliance load than one keying card numbers into a browser on an office PC.
What Happens If My Business Isn’t PCI Compliant?
Non-compliance exposes your business to monthly fines, higher processing fees, and — after a breach — costs that can be existential for a small company. Consequences generally arrive in two waves:
Before any breach: Payment processors commonly charge non-compliance fees (often $20–$100+ per month) to merchants who haven’t submitted their annual SAQ. Card brands can also assess fines against your acquiring bank, which passes them to you — these can range from thousands to tens of thousands of dollars per month for prolonged non-compliance.
After a breach: This is where the real damage happens. A breached merchant that wasn’t compliant can face forensic investigation costs (which the merchant typically pays), card reissuance costs, fraud liability, escalation to Level 1 validation requirements, dramatically higher processing rates, and in severe cases, loss of the ability to accept cards at all. Add regulatory exposure — for example, Georgia’s data breach notification law requires notifying affected residents — plus legal fees and reputational harm, and a payment card breach routinely costs small businesses six figures.
The math is straightforward: the cost of maintaining compliance is a small fraction of the cost of a single incident.
What Are the Most Common PCI Compliance Mistakes Small Businesses Make?
The most common mistakes are storing card data unnecessarily, running payments on a flat network, and treating the SAQ as a once-a-year paperwork exercise. Here’s the fuller list we see in the field:
- Writing down or storing card numbers. Card numbers on paper order forms, in spreadsheets, in email, in CRM notes — any of this instantly puts you in SAQ D territory and creates breach liability. If you don’t store it, you can’t leak it. Never store the CVV/CVC code under any circumstances; storage of sensitive authentication data after authorization is prohibited outright.
- No network segmentation. When your payment terminal shares a flat network with guest Wi-Fi, employee laptops, and smart TVs, your entire network is in scope for PCI. Properly segmenting the cardholder data environment behind a firewall shrinks scope, cost, and risk. This is a network design problem as much as a compliance one.
- Default passwords and unpatched systems. PCI DSS Requirement 2 exists because attackers scan for vendor defaults constantly. Routers, terminals, and point-of-sale systems all ship with defaults that must be changed, and unpatched POS software remains a leading breach vector.
- Choosing the wrong SAQ. Merchants frequently complete SAQ A when their environment actually requires SAQ A-EP or SAQ D. An inaccurate attestation doesn’t protect you — it just means you were non-compliant with paperwork saying otherwise.
- Ignoring third-party and remote access risk. Many small-business breaches trace back to compromised remote access tools used by POS vendors or IT providers. Vet your service providers, require multi-factor authentication on remote access (an area PCI DSS 4.0 tightened considerably), and keep an inventory of who can touch your payment systems.
- Treating compliance as annual instead of continuous. The SAQ is a snapshot, but the standard requires ongoing practices — log monitoring, patching, quarterly scans where applicable. Compliance lapses in month two don’t wait for your next questionnaire to become a problem.
How Do I Make PCI Compliance Easier?
The fastest path to simpler PCI compliance is reducing scope: keep card data out of your systems entirely, segment your network, and use validated payment technology. Practical steps:
- Use P2PE or hosted payment solutions. Validated point-to-point encryption terminals or fully hosted checkout pages mean cardholder data never touches your systems in usable form, qualifying you for the shortest SAQs.
- Segment your network. Isolate payment systems on their own VLAN behind a properly configured firewall. Guest Wi-Fi should never share a segment with payment devices.
- Eliminate stored card data. If recurring billing requires stored cards, use your processor’s tokenization vault instead of storing numbers yourself.
- Turn on MFA and kill default credentials. Multi-factor authentication for all access into the cardholder data environment is a PCI DSS 4.0 emphasis area, and it’s one of the highest-value controls per dollar in all of cybersecurity.
- Keep evidence. Document your policies, patch schedules, and scan results. If your processor or bank ever asks, organized evidence turns a stressful request into a quick email.
- Get help scoping. An experienced IT partner can map your cardholder data flows, identify which SAQ actually applies, and often reduce your scope before you fill out a single form.
COMNEXIA has been securing business networks in the Atlanta area since 1991, and payment environments — from automotive dealerships with multiple locations to professional services firms — are among the most common things we’re asked to harden. Getting the network architecture right up front is usually what separates a 30-question compliance exercise from a 300-question one.
Frequently Asked Questions
Q: Is PCI compliance required by law? A: PCI DSS itself is not a law — it’s a contractual requirement in your merchant agreement with your bank and payment processor. However, some states reference it in legislation, and a breach can trigger legal obligations like Georgia’s data breach notification requirements. Practically speaking, if you accept cards, compliance is mandatory.
Q: My payment processor says they’re PCI compliant. Doesn’t that cover me? A: No. Your processor’s compliance covers their systems. You remain responsible for your own environment — your terminals, network, staff practices, and any place card data could be exposed on your side. Using a compliant processor helps reduce your scope, but it never eliminates your obligation.
Q: How often do I have to validate PCI compliance? A: The Self-Assessment Questionnaire must be completed annually, and if your SAQ type requires vulnerability scans, those must be performed quarterly by an Approved Scanning Vendor. The underlying security practices — patching, monitoring, access control — are continuous obligations, not annual ones.
Q: What’s the difference between PCI compliance levels 1 through 4? A: Levels are based on annual transaction volume and determine how you validate compliance. Level 1 (over 6 million transactions) requires a formal on-site assessment by a Qualified Security Assessor. Levels 2–4 typically validate with an annual self-assessment. The security requirements themselves apply to everyone; only the validation rigor changes.
Q: Can I store customer credit card numbers for repeat billing? A: You can, but you almost certainly shouldn’t do it yourself. Storing card numbers pulls you into SAQ D — the most demanding compliance path — and creates serious breach liability. Use your payment processor’s tokenization or card-on-file vault instead, which lets you bill repeat customers without ever holding the actual card number. And never store the CVV code; that’s prohibited for everyone.
Need help scoping your payment environment or segmenting your network for PCI compliance? COMNEXIA has secured Atlanta-area business networks for 35 years. Talk to our cybersecurity team about a compliance-ready network review.