PCI Compliance for Small Business: A Quick Guide

  • March 22, 2022

Emily Bonnie

Senior Content Marketing Manager at Secureframe


Marc Rubbinaccio

Manager of Compliance at Secureframe

Whether you’re new to the world of PCI or you’ve gone through the process before, you likely know that PCI and the language around it can be complex and even confusing. 

You’re already juggling challenges of production and operations and now you have to throw PCI compliance into the mix, as well. 

The good news is that for startups and growing businesses, the path to PCI DSS compliance is a bit less complex than it would be for an enterprise-level company. 

We cut through the ambiguous terminology that can make PCI difficult to understand and highlight exactly what you need to know to become PCI compliant. 

Let’s get to it!

What does it mean to be PCI compliant?

PCI compliance is the process of ensuring card transactions and the way that companies store and access cardholder data adhere to certain security standards. 

Those standards are defined by a group of specific credit card brands that collectively form the PCI Security Standards Council (PCI SSC). 

PCI standards are designed to protect cardholder data from fraud and build customer trust so people feel comfortable using their credit cards online.

The benefits of PCI compliance include:

  • Tightening protection of customer’s card data
  • Boosting customer’s confidence with using card payments
  • Offering a security standard to follow
  • Improving operational efficiency
  • Reducing the cost of a data breach

Do I need to be PCI compliant as a small business?

If your business accepts debit, credit, or cash cards as a form of payment, then you must be PCI compliant. 

Additionally, if you are a third-party that can affect the security of credit card transactions such as a payment processor, PCI compliance applies to you, as well. 

The cost of non-compliance with PCI can lead to financial penalties that range between $5,000 and $10,000 per month — or more when you factor in increased transaction fees. 

Non-compliance can also lead to your business losing its merchant status, rendering you unable to accept credit card payments. With 45 billion credit card transactions in 2019 alone, the inability to process credit card payments can isolate a business from its customers. 

PCI compliance is required for organizations of all sizes that handle cardholder data. However, the number of credit or debit transactions your business makes annually will determine what PCI compliance level you need to comply with.   

PCI compliance levels

PCI compliance applies to both merchants and service providers. Small businesses are considered merchants.

PCI compliance includes four categories: Level 1, Level 2, Level 3, and Level 4. Businesses that fall into Level 1 will have more stringent requirements than businesses in the Level 4 category. 

Most small businesses fall into the Level 4 category. However, it’s worth noting that any business that experiences a data breach could be moved to Level 1.

PCI requirements for small businesses

Because most small businesses fall into the Level 4 category, this is the level we’ll be taking a deeper look at. 

Level 4 compliance requires three things:

  • Completing a self-assessment questionnaire (SAQ)
  • Having an Approved Scanning Vendor (ASV) conduct quarterly network scans
  • Completing an Attestation of Compliance (AoC)

Unlike merchants at higher levels, Level 4 merchants do not need an annual Report on Compliance (ROC) by a Qualified Service Assessor (QSA), also known as a Level 1 onsite assessment.

The Ultimate Guide to PCI DSS

Learn everything you need to know about the requirements, process, and costs of getting PCI certified. 

How does a small business become PCI compliant?

Becoming PCI compliant can be a complicated process. But understanding what’s required of you can help you create a game plan and make the process smoother. 

1. Determine which PCI compliance level you belong to

First things first, you need to figure out your company’s PCI compliance level. While most small businesses fall into the Level 4 category, it’s worth double-checking. 

If you’re not sure what level your business falls into, your point of sale (POS) reports can show your detailed transaction data. 

2. Fill out a self-assessment questionnaire (SAQ)

Small businesses in the Level 4 category will need to fill out a self-assessment questionnaire (SAQ) to determine whether your business meets the PCI DSS compliance requirements. 

There are eight types of SAQs based on your payment and transaction processes:

  • SAQ A
  • SAQ A-EP
  • SAQ B
  • SAQ B-IP
  • SAQ C
  • SAQ C-VT
  • SAQ P2PE
  • SAQ D for Merchants and Service Providers

What category you fall under will depend on the method you use for transactions, whether or not you store any cardholder data, and the type of business you are. 

For example, if you only use imprint machines to process card transactions, you’d fall under SAQ B. If you process card-not-present transactions, (orders that happen remotely), and redirect to a third-party platform for payment processing, you’d fall into SAQ A-EP. 

Once you’ve determined which SAQ applies to your business, you can begin to fill out the survey. An SAQ involves a series of yes/no questions and includes:

  • A basic survey about the company
  • A second section with questions about each PCI requirement and sub-requirement 

3. Conduct quarterly network vulnerability scans

The next step is to complete a quarterly network vulnerability scan. These internal and external scans identify vulnerabilities in your website and payment processing system to proactively identify malware and viruses. 

Scans must be completed by an Approved Scanning Vendor (ASV) that’s been certified by the PCI SSC. You can find an ASV through PCI’s official directory.

4. Complete an Attestation of Compliance (AoC)

An Attestation of Compliance (AoC) is a declaration of an organization's PCI compliance. This document must be completed by a Qualified Security Assessor (QSA) and shows that your organization has completed the correct SAQ.

5. Submit PCI compliance documentation

Gather all your documents, including a completed SAQ, AoC, and proof of passing quarterly external scans from an ASV. 

You’ll submit these documents to the PCI DSS council either electronically or through the mail. 

How to build a compliance-first mindset in your business

Beyond the requirements, there are day-to-day practices your business can put in place as you begin the PCI compliance process.

Here are a few ideas:

  • Always ask for a CVV code when taking payments over the phone.
  • Avoid storing cardholder data. 
  • Remind customers that they should never send credit card or bank account numbers via regular email. This can be included in the footer of emails or on your website.
  • Train employees on cardholder data protection. 
  • Keep software updated.

How Secureframe can help streamline PCI DSS compliance

PCI compliance can be complicated, but you don’t have to do it alone. 

Secureframe can simplify the entire assessment process by gathering evidence and meeting PCI’s 300-plus control requirements. 

We can also help you stay compliant with automatic evidence collection from 100+ integrations so you can focus on running your business. To learn more, request a demo with one of our compliance experts. 

PCI compliance is just one of the top concerns facing today’s e-commerce businesses. 

From unique standards and regulations to increasing cybersecurity concerns, e-commerce businesses face a wide array of concerns that differ from a brick-and-mortar. 

We cover the top concerns facing e-commerce businesses in 2022 below in the hopes that it can inform and protect your business.