PCI Compliance Guide for Small Business: What You Actually Need to Do
PCI compliance for small businesses explained: which SAQ type applies to you, what quarterly scans cost, and whether that monthly PCI compliance fee is worth paying.
PCI compliance sounds intimidating, and payment processors don't make it easier by charging $10-30/month for "PCI compliance programs" without explaining what compliance actually requires. For most small businesses, though, compliance is straightforward and costs nothing to achieve yourself. Here's exactly what you need to do.
What PCI DSS Actually Is
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the card brands (Visa, Mastercard, American Express, Discover and JCB) and maintained by the PCI Security Standards Council to protect cardholder data. It is not a law; it is a contractual requirement that flows down through your merchant agreement. When you agree to accept card payments, you agree to comply with PCI DSS.
Non-compliance consequences: if you suffer a data breach and are found non-compliant, you may be liable for card replacement costs, forensic investigation fees, and fines passed down from the card brands through your acquiring bank. For a small business this can be catastrophic. Compliance itself, however, isn't difficult.
Merchant Levels: Which Rules Apply to You
Each card brand defines four merchant levels based on annual transaction volume; Visa's definitions are the ones most often quoted:
- Level 1: Over 6 million transactions annually with one brand. Annual on-site assessment producing a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or a trained internal assessor, plus quarterly ASV scans
- Level 2: 1-6 million transactions annually. Annual Self-Assessment Questionnaire (SAQ) plus quarterly ASV scans
- Level 3: 20,000-1 million e-commerce transactions annually. Annual SAQ plus quarterly ASV scans
- Level 4: Under 20,000 e-commerce transactions OR under 1 million total transactions annually. Annual SAQ, with quarterly scans if your SAQ type calls for them; your acquirer sets the validation requirements
Most small businesses are Level 4. Your acquiring bank assigns your level and tells you what it expects you to submit, and the requirements are reasonable and achievable.
The Self-Assessment Questionnaire: Which One Do You Fill Out?
The SAQ you complete depends on how you accept cards. This is the most confusing part: there are nine different SAQ types (the exact set has shifted slightly between PCI DSS versions). Here are the ones relevant to most small businesses:
SAQ A — Simplest. For merchants who have fully outsourced all card data handling to PCI-compliant third parties (Stripe, Square, PayPal). Either your website redirects the customer to the provider's hosted payment page, or the card fields are rendered inside an iframe served entirely by the provider, so card data never touches your server or your page's own HTML. You don't store, process, or transmit card data. This is the shortest SAQ (22 questions in PCI DSS v3.2.1, a few more in v4.0).
SAQ A-EP — For e-commerce merchants whose own web page controls how card data is collected even though the data is sent to a third party: for example, a form on your page posts the card number directly to the processor, or the processor's JavaScript builds the card fields inside your page rather than inside its own iframe. Your server never receives the card data, but a compromise of your page could redirect it, so there are far more questions than SAQ A (about 191 in v3.2.1).
SAQ B — For merchants using imprint machines or standalone dial-out terminals that don't connect to the internet, with no electronic storage of card data. Common for very simple retail setups.
SAQ B-IP — For merchants using standalone, PTS-approved terminals connected over IP (not POS software on a computer), where the terminal handles all card data and nothing is stored electronically.
SAQ C — For merchants running POS or payment applications on internet-connected systems, with no electronic storage of cardholder data.
SAQ C-VT — For merchants who manually key card numbers into a web-based virtual terminal from a single, isolated computer, with no other electronic card storage.
SAQ D — For merchants that store card data electronically or don't fit any other SAQ type. Most complex (329 questions in v3.2.1). Avoid this scenario entirely: never let card numbers land on systems you run.
If you use Stripe Checkout, Square's hosted payment page, or PayPal's redirect checkout, and that is the only way you take cards, you qualify for SAQ A. Complete the short form, sign it, and you're done. One caveat: the SAQ covers your whole business, not just your website. If you also take card numbers over the phone and key them into a virtual terminal, or write them down on paper or in a spreadsheet, that channel pulls you into SAQ C-VT or SAQ D no matter how clean your website integration is.
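The SAQ A versus A-EP versus D distinction comes down to where the card fields live and where the form sends them. The following is an added example, not part of this guide, PCI DSS, or any processor's tooling: a small Python script that parses a checkout page's HTML and reports which SAQ the integration pattern points at. It is a heuristic triage aid only (the field-name hints and the .test processor hostnames are assumptions); the binding determination is the one you agree with your acquirer.

```python
"""Triage a checkout page's HTML to estimate which SAQ its payment
integration points at. Heuristic only; added illustration, not PCI SSC
or processor code. Field-name hints and hostnames below are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute fragments that commonly mark a card-number input (assumed list).
CARD_FIELD_HINTS = ("cc-number", "card_number", "cardnumber", "card-number", "ccnum")


class CheckoutScanner(HTMLParser):
    """Collects third-party iframes and card inputs rendered by the merchant page."""

    def __init__(self, merchant_host):
        super().__init__()
        self.merchant_host = merchant_host
        self.third_party_iframes = []  # hostnames of iframes not on the merchant domain
        self.card_inputs = []          # (attribute text, posts_to_merchant) per card field
        self._form_action = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            host = urlparse(a.get("src", "")).hostname
            if host and host != self.merchant_host:
                self.third_party_iframes.append(host)
        elif tag == "form":
            self._form_action = a.get("action", "")
        elif tag == "input":
            hints = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).lower()
            if any(h in hints for h in CARD_FIELD_HINTS):
                action_host = urlparse(self._form_action or "").hostname
                # A relative or empty action posts back to the merchant's own origin.
                posts_to_merchant = action_host is None or action_host == self.merchant_host
                self.card_inputs.append((hints.strip(), posts_to_merchant))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def classify_checkout(html, merchant_host):
    """Return (saq, reason). Order matters: the worst pattern found wins."""
    s = CheckoutScanner(merchant_host)
    s.feed(html)
    if any(posts for _, posts in s.card_inputs):
        return "D", "a card field posts to your own server, so you transmit/process card data"
    if s.card_inputs:
        return "A-EP", "your page renders the card fields and posts them to a third party"
    if s.third_party_iframes:
        return "A", "card fields are inside a provider iframe: " + ", ".join(s.third_party_iframes)
    return "A", "no card fields on this page; consistent with a full redirect to a hosted page"


# Constructed sample pages (not real checkouts).
IFRAME_PAGE = """
<form action="/charge" method="post">
  <iframe src="https://js.example-processor.test/v3/elements" title="card"></iframe>
  <input name="email" type="email">
  <button>Pay</button>
</form>"""

DIRECT_POST_PAGE = """
<form action="https://api.example-processor.test/v1/tokens" method="post">
  <input name="card_number" autocomplete="cc-number">
  <input name="exp" autocomplete="cc-exp">
  <button>Pay</button>
</form>"""

SELF_HOSTED_PAGE = """
<form action="/checkout/pay" method="post">
  <input name="cardnumber">
  <input name="cvv">
  <button>Pay</button>
</form>"""

if __name__ == "__main__":
    for label, page in (("iframe", IFRAME_PAGE), ("direct post", DIRECT_POST_PAGE),
                        ("self-hosted", SELF_HOSTED_PAGE)):
        saq, reason = classify_checkout(page, "shop.example.test")
        print(f"{label:12s} -> SAQ {saq}: {reason}")
```

Run it against a saved copy of your own checkout page (substituting your real hostname). An "A" result for a page with no card fields cannot tell a hosted redirect from a page that simply isn't the payment step, so read the reason string rather than the letter alone, and remember that any non-web channel (phone orders, paper) is outside what this script can see.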
Quarterly Vulnerability Scans: When You Need Them
Some SAQ types (A-EP, B-IP, C and D) require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). These scans probe your public-facing IP addresses and hostnames for known vulnerabilities, and you need a passing result every quarter: a failed scan has to be remediated and rescanned before you can attest.
ASV scan costs: Most run $100-300/year for a small business with 1-3 IP addresses. Trustwave, SecurityMetrics, and Qualys are common ASVs.
For SAQ A merchants: Quarterly ASV scans are not required. If you're on SAQ A, you don't need to pay for vulnerability scanning.
The PCI Compliance Fee: What You're Actually Paying For
Many processors charge $10-30/month labeled as a "PCI compliance fee" or "PCI program fee." Here's the truth: this fee is largely the processor's profit.
The actual cost of self-certifying PCI compliance (filling out the SAQ) is $0. The processor may offer to guide you through the questionnaire for this fee, or it may just be collecting rent. Ask your processor what the fee actually covers. If it doesn't include something specific (such as ASV scan access), question whether it's necessary. Note that many processors also charge a separate monthly non-compliance fee until you submit a completed SAQ, so filling out the questionnaire removes that charge as well.
Some processors include quarterly ASV scans in their compliance program; for merchants who need scans, that may be worth $20-30/month. For SAQ A merchants, it's not.
Step-by-Step Compliance Checklist for Small Businesses
- Determine your SAQ type based on every way you accept payments, not just your website (see above)
- Download your SAQ, including its Attestation of Compliance (AOC), from the PCI Security Standards Council website (pcisecuritystandards.org)
- Complete the questionnaire honestly; it walks you through security questions specific to your payment environment, and any "No" answer needs a remediation plan before you can attest
- Run quarterly ASV scans if required for your SAQ type, and keep the passing reports
- Submit the signed SAQ and AOC to your acquiring bank; your processor will tell you where to submit your compliance documentation
- Renew annually; SAQ compliance is an annual process, and you should redo it sooner if you change how you accept payments
For most small businesses on Stripe or Square using hosted checkout, this whole process takes about an hour once a year.