What Is PCI Compliance and How Do Small Businesses Meet the Requirements?

Learn what PCI DSS compliance means for small businesses, which SAQ applies to you, common mistakes to avoid, and how to protect customer payment data.

By COMNEXIA
Tags: PCI compliance, PCI DSS, payment security, credit card security, small business compliance, data privacy, cybersecurity

If your business accepts credit or debit cards — even one transaction a year — you’re required to comply with the Payment Card Industry Data Security Standard (PCI DSS). That sounds intimidating, but for most small businesses, the requirements are manageable once you understand what’s actually being asked. This guide breaks down PCI compliance in plain language: what the rules are, which level applies to you, how to complete your self-assessment, and where small businesses most often trip up.

What Is PCI DSS and Why Does It Exist?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through the PCI Security Standards Council, founded in 2006. The standard exists to protect cardholder data wherever it’s stored, processed, or transmitted.

The current version is PCI DSS v4.0.1, released in June 2024, with full enforcement of all new requirements starting March 31, 2025. If you were compliant under v3.2.1, some requirements have changed, and it’s worth reviewing what’s new.

PCI DSS isn’t a law in the traditional sense — it’s a contractual obligation. When you signed your merchant agreement with your payment processor, you agreed to maintain PCI compliance. Failure to comply can result in fines ranging from $5,000 to $100,000 per month, increased transaction fees, or in serious cases, losing the ability to accept card payments entirely.

What Are the PCI Compliance Levels for Small Businesses?

PCI compliance levels are determined by your annual transaction volume. Most small businesses fall into Level 4, which has the simplest requirements:

  • Level 1: Over 6 million transactions per year — requires an annual on-site audit by a Qualified Security Assessor (QSA)
  • Level 2: 1 million to 6 million transactions per year — annual Self-Assessment Questionnaire (SAQ) and quarterly network scans
  • Level 3: 20,000 to 1 million e-commerce transactions per year — annual SAQ and quarterly network scans
  • Level 4: Fewer than 20,000 e-commerce transactions or up to 1 million total transactions per year — annual SAQ recommended, quarterly scans if applicable

Level 4 merchants typically complete a self-assessment questionnaire and, depending on how they process cards, may need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). You don’t need a formal audit — but you still need to actually follow the security requirements.

Which Self-Assessment Questionnaire (SAQ) Do I Need?

The SAQ you fill out depends entirely on how your business handles card data. There are several versions, but these are the most common for small businesses:

  • SAQ A: You never touch card data. All payment processing is fully outsourced to a PCI-compliant third party (like Shopify, Square, or Stripe hosted checkout). This is the shortest and simplest SAQ — around 22 questions.
  • SAQ A-EP: You have a website that redirects to a payment processor, but your web server could still affect transaction security. More questions than SAQ A.
  • SAQ B: You use standalone, dial-out card terminals (not connected to the internet). Increasingly rare but still applicable for some retail setups.
  • SAQ B-IP: You use standalone IP-connected payment terminals (the most common setup for brick-and-mortar businesses using modern terminals from companies like Verifone or Ingenico).
  • SAQ C: Your payment application is connected to the internet, but you don’t store card data electronically.
  • SAQ D: The catch-all. If none of the above apply, or if you store cardholder data, you need SAQ D — which covers all 200+ PCI DSS requirements.

The goal for most small businesses is to qualify for SAQ A or SAQ B-IP. The less contact you have with actual card data, the fewer requirements you need to meet. If you’re manually keying in card numbers or storing them in a spreadsheet, you’re making compliance much harder and putting your customers at serious risk.

What Are the 12 Core PCI DSS Requirements?

PCI DSS is organized around 12 high-level requirements grouped into six categories. Even if you only need to complete a short SAQ, understanding the full framework helps you see the big picture:

Build and Maintain a Secure Network and Systems

  1. Install and maintain network security controls (firewalls, segmentation)
  2. Apply secure configurations to all system components (no vendor defaults)

Protect Account Data

  3. Protect stored account data (encryption, masking, retention policies)
  4. Protect cardholder data during transmission over open networks (TLS/SSL)

Maintain a Vulnerability Management Program

  5. Protect all systems and networks from malicious software (antivirus, anti-malware)
  6. Develop and maintain secure systems and software (patching, secure coding)

Implement Strong Access Control Measures

  7. Restrict access to system components and cardholder data by business need-to-know
  8. Identify users and authenticate access to system components (unique IDs, MFA)
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly (vulnerability scans, penetration testing)

Maintain an Information Security Policy

  12. Support information security with organizational policies and programs

Under PCI DSS v4.0.1, several requirements that were previously best practices are now mandatory — including multi-factor authentication (MFA) for all access to the cardholder data environment, not just remote access.

What Are the Most Common PCI Compliance Mistakes Small Businesses Make?

After working with businesses across metro Atlanta for over 35 years, we at COMNEXIA see the same PCI mistakes repeatedly:

Storing card data you don’t need. The single biggest risk reduction you can make is to stop storing cardholder data. If you’re writing down card numbers, keeping them in a CRM, or emailing them internally — stop. Use a tokenized payment processor that handles storage for you.

Using default passwords on payment terminals and network equipment. PCI DSS explicitly requires changing all vendor-supplied defaults. That includes the admin password on your router, your point-of-sale terminal, and any system that touches the payment environment.

Flat networks with no segmentation. If your payment terminal sits on the same network as your employee laptops, guest Wi-Fi, and security cameras, your entire network is in scope for PCI. Proper network segmentation reduces your compliance burden dramatically by isolating the cardholder data environment.

Skipping quarterly vulnerability scans. If your SAQ type requires ASV scans, they need to happen every 90 days. Missing a scan doesn’t just mean non-compliance — it means vulnerabilities could be sitting undetected on your network.

Thinking compliance is a one-time project. PCI compliance is continuous. Requirements include ongoing monitoring, regular patching, annual policy reviews, and periodic testing. Passing an SAQ once and forgetting about it leaves you exposed.

How Much Does PCI Compliance Cost a Small Business?

Costs vary significantly based on your compliance level and how you process payments:

  • SAQ A merchants (fully outsourced payment processing): Minimal direct cost — your payment processor handles most of the heavy lifting. You may pay a small annual compliance fee ($50–$200) through your processor.
  • SAQ B-IP or SAQ C merchants: Budget for quarterly ASV scans ($100–$500 per quarter), plus the time cost of completing the SAQ and maintaining security controls.
  • SAQ D merchants: Significantly more expensive due to the breadth of requirements. Penetration testing alone can run $3,000–$15,000 annually. Many SAQ D merchants engage a managed security provider.

The cost of non-compliance is always higher. Beyond processor fines, a data breach involving payment card data triggers mandatory forensic investigation costs (typically $10,000–$50,000+ for small businesses), potential lawsuits, and the reputational damage that comes with telling your customers their card data was stolen.

How Do I Actually Get Started with PCI Compliance?

Here’s a practical roadmap for a small business approaching PCI compliance for the first time:

  1. Identify how you accept payments. Document every channel — in-store terminals, e-commerce, phone orders, mobile payments, invoicing.
  2. Determine your SAQ type. Use the PCI Security Standards Council’s SAQ selection guide, or ask your payment processor which SAQ applies to your setup.
  3. Minimize your scope. The less cardholder data you touch, the easier compliance becomes. Move to tokenized or hosted payment solutions wherever possible.
  4. Segment your network. Isolate payment systems from the rest of your business network. This alone can reduce your compliance requirements by 50% or more.
  5. Complete your SAQ honestly. Don’t check boxes you can’t back up. The SAQ is a self-assessment — treat it as a diagnostic tool, not a formality.
  6. Schedule recurring tasks. Set calendar reminders for quarterly ASV scans, annual SAQ completion, regular password changes, and patch management reviews.
  7. Get help where you need it. If you’re handling sensitive payment data or struggling with technical requirements, working with a managed IT provider who understands PCI can save time and reduce risk.

Does PCI Compliance Apply to Phone Orders and Paper Receipts?

Yes. PCI DSS applies to cardholder data in any form — electronic or paper. If your employees take card numbers over the phone and write them down, those paper records are subject to PCI requirements including secure storage, access restrictions, and proper destruction (cross-cut shredding, not just tossing in the recycling bin).

Phone orders where staff manually key card numbers into a terminal also increase your PCI scope. Consider using a payment link or hosted payment page instead: you send the customer a secure link by email or text, the customer enters their own card data, and your business never handles it directly.

Frequently Asked Questions

Do I need PCI compliance if I only accept cards through Square or Stripe?
If you exclusively use a fully hosted payment solution where your systems never touch card data — no card numbers entered on your website, no manual keying — you likely qualify for SAQ A, the simplest compliance level. You’re still technically required to complete it, but the burden is minimal. Check with your processor to confirm.

Can I be fined for PCI non-compliance even if I haven’t had a breach?
Yes. Your acquiring bank or payment processor can assess non-compliance fees (often $25–$100/month) simply for failing to validate your PCI compliance annually. These fees appear on your merchant processing statement and add up over time.

How often do PCI DSS requirements change?
Major versions are released every few years, with the transition from v3.2.1 to v4.0 being the most significant update in over a decade. Between major versions, the PCI SSC issues minor revisions and guidance documents. Staying current doesn’t require constant monitoring — an annual review during your SAQ process is usually sufficient.

What’s the difference between PCI compliance and PCI certification?
There is no formal “PCI certification” for merchants. Compliance means you’ve met the applicable requirements and validated them through an SAQ or audit. Some processors issue a compliance certificate after SAQ completion, but it’s a validation acknowledgment, not a formal certification.

Is PCI compliance enough to protect my business from a data breach?
PCI compliance establishes a strong security baseline, but it’s a minimum standard, not a guarantee. Businesses should layer additional protections — endpoint detection and response, employee security training, managed network monitoring, and incident response planning — on top of PCI requirements for comprehensive protection.


COMNEXIA has been helping Atlanta-area businesses implement security and compliance solutions since 1991. If you need help assessing your PCI compliance posture or securing your payment environment, contact our cybersecurity team for a consultation.