PCI Compliance Checklist: What Every Merchant Needs to Know

Every business that accepts card payments is required to be PCI DSS compliant. The standard runs to hundreds of pages, but for almost all small businesses, the practical compliance work is a short questionnaire once a year. The penalty for skipping it — usually a $20–$40 monthly non-compliance fee — is real money, so it's worth taking the 15 minutes.

First: figure out which level you are

PCI defines four merchant levels by annual card volume. Almost all small and mid-sized businesses are Level 4 (under 20,000 e-commerce transactions or under 1 million total transactions per year). Level 4 is the lowest compliance burden — a self-assessment questionnaire (SAQ), not an external audit.

Find your SAQ type

The SAQ you fill out depends on how you accept cards. The most common ones for small business:

  • SAQ A — e-commerce only, with all payment processing fully outsourced (hosted checkout). About 22 questions.
  • SAQ A-EP — e-commerce with payment forms on your site that post to a processor. About 191 questions.
  • SAQ B — only standalone terminals, no internet-connected POS. About 41 questions.
  • SAQ B-IP — IP-connected terminals, no card storage. About 83 questions.
  • SAQ C — POS system connected to the internet. About 161 questions.
  • SAQ D — anything that stores cardholder data, or doesn't fit another SAQ. About 329 questions.

The compliance checklist

Whichever SAQ applies, the core security requirements break down to:

  • Don't store full card numbers, CVV codes, or PINs anywhere on your systems — ever.
  • If your POS or e-commerce site touches card data, run it on a separate network from the rest of your business.
  • Use unique logins for every staff member with access to payment systems. No shared accounts.
  • Run vulnerability scans quarterly if your environment is internet-connected (ASV scan — your processor can recommend a vendor).
  • Keep your POS and terminal firmware updated. Out-of-date firmware is the single most common audit finding.
  • Train staff annually on basic security: no writing card numbers down, no taking photos of cards, no emailing card data.
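As an added example (not code from the original post), here is a small defender-side check for the first item, "don't store full card numbers": a Python scanner that finds Luhn-valid card numbers in stored text such as application logs and reports them in the masked first-six/last-four form. The log lines and card numbers below are constructed for the example.

```python
import re

# Constructed sample log lines (not from the page). 4111111111111111 is a
# well-known test card number that passes the Luhn check; 4111111111111112
# is a look-alike order id that fails it and must not be reported.
SAMPLE_LOG = """\
2024-01-10 order=1001 card=4111111111111111 cvv=123 status=ok
2024-01-10 order=4111111111111112 status=shipped
2024-01-11 order=1002 card=411111******1111 status=ok
"""

# A run of 13 to 19 digits, allowing single spaces or dashes between digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the form PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return digit strings in text that look like PANs and pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_lines(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) pairs for every full PAN found in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))   # never echo the full PAN
    return hits


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: full card number stored, masked form {masked}")
```

Run it against exported logs, database dumps, or backups to confirm nothing in scope retains a full PAN; a hit means the data must be deleted or truncated, not merely masked at display time.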

What happens if you skip it

Your processor will assess a monthly non-compliance fee — usually $20–$40 — until you complete the SAQ. That's $240–$480/year of pure penalty for a 15-minute form.

More importantly: if a data breach happens and you weren't compliant, the card networks can fine the issuing processor (who passes the fine to you), often $5,000–$100,000, plus the cost of forensic investigation and customer notification.

PCI compliance isn't optional, and it isn't hard for most small businesses. Log into your processor's compliance portal (every PCI-compliant processor provides one), find the SAQ matching how you accept cards, fill it out, and re-attest annually. That's the whole job.