localwebadvisor
WIKI← Wiki home

What Is PCI Compliance?

By FayUpdated Jul 9, 2026EVERGREEN
⚡ THE ANSWER

PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements created by the major card brands for every business that accepts credit or debit cards. It is a contractual obligation through your payment processor, not a government law. Small online stores that use a hosted checkout like Stripe or PayPal can usually validate with the shortest self-assessment questionnaire, because card data never touches their own servers.

Current standard
PCI DSS v4.0.1, maintained by the PCI Security Standards Council (PCI SSC)
Who founded it
Visa, Mastercard, American Express, Discover, and JCB formed the PCI SSC in 2006 (PCI SSC)
Small-merchant tier
Level 4 generally covers merchants with fewer than 20,000 e-commerce card transactions per year (card brand merchant levels)
Non-compliance penalties
Acquiring banks can pass through fines widely reported in the $5,000 to $100,000 per month range for sustained violations (industry-reported)

PCI Compliance, Defined #

PCI DSS stands for Payment Card Industry Data Security Standard. It is a single, unified set of security requirements that Visa, Mastercard, American Express, Discover, and JCB jointly maintain through the PCI Security Standards Council. Any business that accepts, transmits, or stores payment card data must comply, from a one-person Etsy alternative to a national retailer. The standard is organized around twelve core requirements covering things like firewalls, encryption, access control, logging, and security testing. What compliance looks like in practice varies enormously by how you handle cards: a store whose checkout is fully outsourced to Stripe or PayPal has a dramatically smaller obligation than one that touches raw card numbers. For most small US merchants, PCI compliance boils down to an annual self-assessment questionnaire plus keeping card data off your own systems entirely.

Is PCI DSS a Law? #

No, and this surprises many owners. PCI DSS is a contractual standard, not legislation. When you signed up with your payment processor or acquiring bank, the agreement almost certainly included a clause requiring you to maintain PCI compliance. Enforcement flows through that contract: the card brands fine acquiring banks for non-compliant merchants, and the banks pass those fines and requirements down to you. That said, the legal picture is not empty. A few states, such as Nevada and Washington, reference PCI DSS in statutes related to payment card data, and after a breach, regulators and plaintiffs routinely treat PCI compliance as the baseline for reasonable security. So while no federal PCI police exist, ignoring the standard exposes you to contractual penalties, higher processing rates, breach liability, and in the worst case, losing the ability to accept cards at all.

Who Has to Comply, and What Are Merchant Levels? #

Every merchant that accepts cards must comply. The card brands sort merchants into four levels by annual transaction volume, and the level determines how you prove compliance, not whether you must comply. Level 1, generally over six million transactions per year, requires an annual on-site assessment by a Qualified Security Assessor. Levels 2 and 3 cover mid-size volumes. Level 4, where nearly all small businesses live, generally means fewer than 20,000 e-commerce transactions or up to one million total transactions annually. Level 4 merchants typically validate with an annual Self-Assessment Questionnaire, called an SAQ, and in some cases quarterly network scans by an Approved Scanning Vendor. Practically, your processor tells you what it needs: Stripe, Square, and similar providers surface the right questionnaire in your dashboard and often pre-fill most of it based on your integration type.

Which SAQ Applies to a Small Online Store? #

Three questionnaires cover most small e-commerce merchants. SAQ A is the shortest and applies when payment functions are fully outsourced: the customer enters card data on the provider's hosted page or inside the provider's iframe, and your systems never see a card number. SAQ A-EP applies when your website affects how card data is captured, for example a custom form that sends data directly to the gateway from your page. It is substantially longer and adds requirements like vulnerability scanning. SAQ D is the full standard, hundreds of requirements, and applies if card data touches your servers. The difference in effort between SAQ A and SAQ D is enormous, which is why integration choice is the single biggest PCI decision a small store makes. Choose a fully hosted or provider-managed embedded checkout, and you keep yourself in the lightest tier.

How Does Using Stripe or a Hosted Checkout Shrink Your Scope? #

PCI scope means every system that stores, processes, or transmits card data, plus anything connected to those systems. Shrinking scope means keeping card data away from everything you own. Hosted checkouts do this by redirecting the customer to the provider's page. Embedded solutions like Stripe Elements or Braintree Hosted Fields achieve nearly the same result with iframes: the input fields on your page are actually served from the provider's domain, so keystrokes travel straight to them.

Iframe-based card field (concept)
<!-- The card input lives inside the provider's iframe. -->
<!-- Your page hosts the frame; card data never touches -->
<!-- your server. You receive only a one-time token. -->
<div id="card-element"></div>
<script>
  const card = elements.create('card');
  card.mount('#card-element');
</script>

What Must a Merchant Still Do, Even Fully Outsourced? #

Outsourcing checkout shrinks your obligations; it does not erase them. Under SAQ A you still must: 1) confirm your payment providers are themselves PCI compliant, which the major ones publish; 2) protect the web pages that redirect to or embed the payment form, because an attacker who alters your checkout page can skim cards before they reach the iframe; 3) use strong, unique passwords and multi-factor authentication on your store admin, hosting, and gateway dashboards; 4) never store card numbers anywhere on your side, including email, order notes, spreadsheets, or paper; 5) keep your platform, plugins, and themes updated, since compromised WordPress plugins are a common path to checkout tampering; and 6) complete and retain your SAQ annually. PCI DSS v4 tightened expectations around script integrity on payment pages precisely because skimming attacks like Magecart target the merchant side of outsourced checkouts.

What Happens If You Ignore PCI Compliance? #

Consequences arrive through your processor, and they escalate. First come monthly non-compliance fees, commonly $20 to $100, that many small merchants pay for years without realizing a free questionnaire would remove them. Sustained non-compliance can bring pass-through fines from the card brands, widely reported in the range of $5,000 to $100,000 per month for serious cases, though penalties at that scale target larger or breached merchants. The real danger is a breach while non-compliant: you can face forensic investigation costs, card reissuance fees, higher processing rates, and contract termination, and a terminated merchant can be placed on an industry watchlist that makes getting a new account very difficult. None of this is meant to alarm a small store using hosted checkout properly; for that store, compliance is genuinely a short annual questionnaire and sensible hygiene.

A Practical PCI Checklist for a Small Store #

Work through this list once, then revisit annually. 1) Use a hosted or provider-embedded checkout so card data never touches your systems. 2) Log in to your processor dashboard and complete the SAQ it assigns, usually SAQ A. 3) Turn on multi-factor authentication for your store admin, hosting control panel, and gateway account. 4) Delete any stored card numbers from emails, notes, and files, and stop any process that collects cards by phone into a spreadsheet. 5) Update your platform, plugins, and themes on a schedule, and remove ones you do not use. 6) Serve your entire site over HTTPS, not just checkout. 7) Limit admin accounts to people who need them, and remove ex-staff promptly. 8) Keep a copy of your completed SAQ and your providers' compliance attestations. 9) Recheck everything after any redesign or platform change.

When to Get Help #

If your store runs on a mainstream platform with hosted checkout, you can likely handle PCI on your own with the checklist above. Bring in help when the picture gets murkier: a custom checkout, card payments taken by phone, a legacy site whose integration nobody remembers building, or a processor letter demanding an SAQ type you do not understand. Our website security services handle exactly this territory, from hardening store admin access and locking down checkout pages against script tampering to walking you through the correct SAQ. If you want a quick outside view first, run your store through our free Website Grader, which flags HTTPS gaps, outdated software signals, and other issues that overlap heavily with PCI requirements. And because a compliant checkout should also be usable by everyone, our free ADA Compliance Checker will surface accessibility barriers on the same pages.

FAQ

Does PCI compliance apply if I only use PayPal buttons?

Yes, but lightly. Accepting cards through fully hosted PayPal buttons keeps card data entirely on PayPal's systems, which typically qualifies you for SAQ A, the shortest questionnaire. You still need to keep your website and admin accounts secure, avoid storing card numbers anywhere, and complete the annual self-assessment if your processor requests it.

How much does PCI compliance cost a small business?

Often nothing beyond time. The self-assessment questionnaire is free, and hosted checkout providers carry most of the technical burden. Costs appear when scope grows: quarterly ASV scans run a few hundred dollars per year, and some processors charge monthly PCI program fees, or non-compliance fees of $20 to $100 if you never complete the questionnaire. Completing the SAQ usually removes those.

Is storing customer card numbers ever okay?

Not on your own systems, for a small merchant. If you need cards on file for subscriptions or repeat billing, use your gateway's tokenization: the provider stores the card in its certified vault and gives you a token to charge later. That keeps you out of SAQ D territory. Writing card numbers in spreadsheets, emails, or paper notes is the fastest way to fail PCI.

What is an ASV scan and do I need one?

An Approved Scanning Vendor scan is an external vulnerability scan of your internet-facing systems, run quarterly by a PCI-certified vendor. SAQ A merchants with fully outsourced checkout generally do not need them. SAQ A-EP and SAQ D merchants do. Your processor's compliance portal will tell you whether scans are required for your integration type.

Does PCI compliance mean my store cannot be hacked?

No. PCI DSS is a security baseline for protecting card data, not a guarantee against every attack. A compliant store can still suffer account takeovers, defacement, or data theft unrelated to cards. Treat PCI as the floor: pair it with regular updates, strong authentication, backups, and monitoring for a genuinely resilient store.

Is this legal advice?

No. This article is general information about an industry standard, not legal or compliance advice, and requirements evolve as the PCI Council releases new versions. Your specific obligations come from your agreements with your processor and acquiring bank, so confirm details with them or with a qualified advisor for your situation.

Was this helpful?