What does a small business need to do for PCI compliance?
Most small businesses qualify for the simplest path by never touching raw card data, that is, by using a hosted payment page or processor-managed terminals. This limits you to SAQ A (22 questions) or SAQ B (41 questions), plus an annual self-assessment and a quarterly vulnerability scan. Using Stripe's or Square's hosted checkout handles the majority of compliance requirements for you.