Compliance

Does my business need to be PCI DSS compliant?

Who needs PCI DSS compliance, what it requires, and how small businesses can meet the standards without breaking the bank.

centrexIT Team 7 min read

Key Takeaways

  • If you accept credit cards in any form, PCI DSS applies to you - no matter your size
  • Non-compliance fines are set by the card brands and passed through by your acquiring bank; commonly cited figures run from $5,000 to $100,000 per month, plus liability for fraud losses after a breach
  • Most small businesses are Level 4 and can self-assess with a simplified questionnaire (SAQ)
  • The 12 core requirements cover firewalls, encryption, access controls, monitoring, and regular testing
  • Using a payment processor that handles card data can dramatically reduce your compliance scope

If your business accepts credit card payments in any way, PCI DSS applies to you. That surprises a lot of business owners who assume this is only a concern for banks and large retailers. Let’s clear up the confusion.

What Is PCI DSS?

PCI DSS = Payment Card Industry Data Security Standard

It’s a set of security requirements created by the major credit card brands (Visa, Mastercard, American Express, Discover, and JCB) through the PCI Security Standards Council. The standard exists for one reason: to protect cardholder data from theft and fraud.

The standard covers two classes of account data and treats them differently:

Cardholder data (may be stored, but only if protected):

  • Primary account number (PAN, the card number)
  • Cardholder name
  • Expiration date
  • Service code

Sensitive authentication data (must never be stored after authorization, not even encrypted):

  • Full magnetic stripe or chip track data
  • CVV/CVC/CID codes
  • PINs and PIN blocks

If your business touches any of this data — even briefly, even through a third-party terminal — PCI DSS applies to you.

Does PCI DSS Apply to My Business?

Here’s the simple test: Do you accept credit or debit card payments?

If yes, PCI DSS applies. Period. There is no minimum size, no revenue threshold, and no exemption for small businesses.

You Need PCI DSS Compliance If You:

  • Accept credit cards at a physical register or terminal
  • Take payments online through your website
  • Process phone orders where customers read you their card numbers
  • Store card numbers in any system (even a spreadsheet — please don’t do this)
  • Use a point-of-sale system
  • Accept payments through a mobile card reader
  • Send invoices that customers pay with a card

Common Misconception: “My Payment Processor Handles It”

This is the biggest misunderstanding we see. Yes, using a payment processor like Stripe, Square, or PayPal significantly reduces your burden. But it doesn’t eliminate it entirely.

Even if you never see a card number, you’re still responsible for:

  • Securing the systems and network where payments happen
  • Ensuring employees can’t intercept card data
  • Maintaining the security of your payment terminals or website
  • Completing the appropriate Self-Assessment Questionnaire (SAQ)
  • Attesting annually that you meet the requirements

Using a processor reduces your scope. It does not remove your obligation.

The Four Compliance Levels

The card brands (not the PCI Security Standards Council itself) assign merchants to four levels based on annual transaction volume, counted per brand. The thresholds below are the Visa and Mastercard ones; your acquiring bank tells you which level applies to you:

Level | Annual transactions | Validation requirements
--- | --- | ---
Level 1 | Over 6 million | Annual on-site assessment by a Qualified Security Assessor (QSA), quarterly external scans by an Approved Scanning Vendor (ASV)
Level 2 | 1 million to 6 million | Annual Self-Assessment Questionnaire (SAQ), quarterly ASV scans
Level 3 | 20,000 to 1 million e-commerce transactions | Annual SAQ, quarterly ASV scans
Level 4 | Under 20,000 e-commerce transactions, or up to 1 million across other channels | Annual SAQ, quarterly ASV scans recommended (your acquirer may require them)

Most small businesses fall into Level 4. That means you can self-assess using a questionnaire rather than hiring an auditor. That’s the good news. The less-good news is that you still need to actually do everything on that questionnaire.

The 12 Core Requirements

PCI DSS v4.0 (now at revision v4.0.1) replaced v3.2.1, which was retired on March 31, 2024; the new requirements that were future-dated became mandatory on March 31, 2025. The standard groups its requirements into six goals with 12 core requirements:

Build and Maintain a Secure Network

Requirement 1: Install and maintain network security controls

Firewalls, network segmentation, and security rules that control traffic to and from the cardholder data environment.

Requirement 2: Apply secure configurations to all system components

Don’t use vendor-supplied defaults for system passwords or security settings. Every system that touches card data needs to be hardened.

Protect Account Data

Requirement 3: Protect stored account data

If you must store cardholder data (and you should avoid it whenever possible), render the PAN unreadable wherever it sits: strong encryption with properly managed keys, truncation, tokenization, or a keyed hash. Sensitive authentication data (full track data, CVV/CVC, PINs) must never be stored after authorization, encrypted or not.

Requirement 4: Protect cardholder data with strong cryptography during transmission

Encrypt card data when it is transmitted over open or public networks. TLS 1.2 or higher with strong cipher suites is the baseline; SSL and early TLS (1.0 and 1.1) are not acceptable. The same rule applies to end-user messaging: never send a PAN over email, chat or SMS unless it is encrypted.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems and networks from malicious software

Deploy and maintain anti-malware solutions on all systems that interact with the cardholder data environment.

Requirement 6: Develop and maintain secure systems and software

Keep systems patched and up to date. If you develop your own payment applications, follow secure coding practices.

Implement Strong Access Control Measures

Requirement 7: Restrict access to system components and cardholder data by business need to know

Only people who need access to card data for their job should have it. No exceptions.

Requirement 8: Identify users and authenticate access to system components

Unique user IDs for everyone. Multi-factor authentication for administrative access and any remote access to the cardholder data environment. PCI DSS 4.0 expanded MFA requirements significantly.

Requirement 9: Restrict physical access to cardholder data

Lock up servers, restrict access to payment terminals, maintain visitor logs. Physical security matters.

Regularly Monitor and Test Networks

Requirement 10: Log and monitor all access to system components and cardholder data

Log every access to cardholder data, every administrative action and every authentication event on in-scope systems, then review those logs regularly (daily for critical systems) and feed them to an alerting tool where you can. Retain logs for at least 12 months, with the last three months immediately available for analysis.

Requirement 11: Test security of systems and networks regularly

Run vulnerability scans quarterly (using an Approved Scanning Vendor for external scans). Conduct penetration testing annually.

Requirement 12: Support information security with organizational policies and programs

Document your security policies, train employees, maintain an incident response plan, and manage your service providers’ compliance.

The Self-Assessment Questionnaires (SAQs)

For Level 2-4 businesses, compliance is documented through SAQs. There are several types based on how you handle card data:

SAQ type | Who it is for | Questions (approx.)
--- | --- | ---
SAQ A | E-commerce or mail/telephone order merchants who fully outsource cardholder data handling to validated third parties | ~30
SAQ A-EP | E-commerce merchants whose website does not itself receive card data but controls how it is redirected to the processor (partial outsourcing) | ~140
SAQ B | Merchants using only imprint machines or standalone dial-out terminals | ~40
SAQ B-IP | Merchants using standalone IP-connected payment terminals | ~80
SAQ C | Merchants with payment application systems connected to the internet | ~160
SAQ C-VT | Merchants using web-based virtual terminals | ~80
SAQ D | Everyone else, or any merchant that stores cardholder data | ~320
SAQ P2PE | Merchants using validated point-to-point encryption devices | ~30

The takeaway: The less you touch card data, the simpler your questionnaire. SAQ A has roughly 30 questions. SAQ D has over 300. That alone is a compelling reason to outsource card handling to a validated processor.

What Happens If You’re Not Compliant?

Financial Penalties

Your acquiring bank (the bank that processes your card transactions) can impose fines for non-compliance:

  • $5,000 to $100,000 per month in fines
  • Increased transaction fees — processors can raise your rates
  • Liability for fraud losses — if a breach occurs and you’re not compliant, you’re on the hook for all fraudulent charges

Other Consequences

  • Loss of card processing privileges — your bank can terminate your ability to accept cards
  • Breach liability — forensic investigation costs ($20,000 to $100,000+), card replacement costs ($3 to $10 per card), and notification costs
  • Reputation damage — customer trust is hard to rebuild
  • Lawsuits — affected customers and banks can sue

Real-World Example

A small restaurant chain with 12 locations suffered a breach through an unpatched point-of-sale system. The result: $200,000 in forensic investigation costs, $150,000 in fines, $80,000 in card replacement fees, and a 15% drop in revenue over the following year as customers lost trust. The total impact exceeded $500,000 — for a business that could have achieved compliance for under $20,000 annually.

How to Achieve Compliance as a Small Business

Step 1: Minimize Your Scope

The single most impactful thing you can do is reduce the amount of card data you handle.

  • Use a PCI-validated payment processor (Stripe, Square, PayPal, etc.) — let them handle the card data
  • Use validated point-to-point encryption (P2PE) terminals: card data is encrypted inside the terminal and is never readable on your network or systems, which is what makes the short SAQ P2PE possible
  • Never store card numbers — not in spreadsheets, not in email, not in your CRM, not in paper files
  • Segment your network — isolate payment systems from the rest of your network
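
Requirement 3 and the "never store card numbers" rule above are only enforceable if you can find the PANs that have leaked into spreadsheets, logs and ticket notes. The following script is an added example, not code from the original article or from centrexIT: a small cardholder-data discovery and redaction pass that scans text for candidate card numbers, keeps only those that pass the Luhn checksum (so order numbers and phone numbers do not count), and reports them masked to the last four digits so the report itself does not become another store of PANs. The sample input, file name and card numbers are constructed (the cards are the well-known brand test numbers).

```python
import re
from typing import NamedTuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Deliberately loose; luhn_valid() filters the noise.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str
    line_no: int
    masked: str  # last four digits only; the report must not become a new PAN store


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that every PAN carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual display form for a masked PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _strip(match: re.Match) -> str:
    """Remove the space/dash separators from a regex match to get bare digits."""
    return re.sub(r"[ -]", "", match.group(0))


def find_pans(text: str, source: str = "<text>") -> list[Finding]:
    """Scan text line by line and report every Luhn-valid PAN, masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = _strip(m)
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form (for logs, tickets, exports)."""
    def _sub(m: re.Match) -> str:
        digits = _strip(m)
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


# Constructed sample: a CSV export row, an application log line and a support note.
# The 16-digit order id is not Luhn-valid and the phone number is too short, so
# neither should be reported; the three card numbers should.
SAMPLE = """\
# constructed sample data, not a real export
order_id,customer,card,amount
1234567890123456,alice,4111 1111 1111 1111,19.99
2024-05-01T10:02:11Z INFO checkout ok pan=5500000000000004 exp=12/29
Customer called from 1-800-555-0199 and read card 3782-822463-10005 over the phone
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE, "sample.txt"):
        print(f"{f.source}:{f.line_no}: {f.masked}")
    print(redact(SAMPLE))
```

Run it over exported spreadsheets, shared drives and log directories before you fill in your SAQ; every hit is either data to delete or a system that just joined your cardholder data environment. Wiring redact() into the logging path of anything that touches checkout is a cheap way to keep PANs out of logs in the first place.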

Step 2: Identify Your SAQ Type

Based on how you accept and process payments, determine which SAQ applies to you. If you’re not sure, your payment processor can usually help, or consult with a Qualified Security Assessor.

Step 3: Complete a Gap Assessment

Walk through the requirements for your SAQ type and identify where you fall short. Common gaps for small businesses include:

  • No firewall between payment systems and other networks — a flat network where everything talks to everything
  • Default passwords on devices — payment terminals, routers, and switches still using factory settings
  • No logging or monitoring — no way to detect if someone accesses card data
  • Weak access controls — shared logins, no MFA, excessive permissions
  • Missing patches — operating systems and payment software not kept up to date
  • No documented policies — security practices exist informally but nothing is written down
  • No employee training — staff handling cards don’t know the security requirements

Step 4: Remediate the Gaps

Address each gap methodically. For most small businesses, this means:

  • Configuring firewalls and network segmentation
  • Changing default passwords and hardening systems
  • Enabling logging on payment systems
  • Implementing unique user accounts and MFA
  • Setting up a patching schedule
  • Writing basic security policies
  • Training employees on card handling procedures

Step 5: Complete Your SAQ and Attest

Fill out the appropriate SAQ, sign the Attestation of Compliance (AOC), and submit it to your acquiring bank or payment processor. Many processors have online portals that walk you through this process.

Step 6: Maintain Compliance Year-Round

PCI DSS is not a once-a-year checkbox. Requirements include ongoing activities:

  • Quarterly external vulnerability scans (for applicable SAQ types)
  • Ongoing monitoring and log review
  • Regular patch management
  • Annual SAQ completion and attestation
  • Annual employee security training
  • Immediate response to any security incidents

PCI DSS 4.0: What Changed

PCI DSS v4.0 replaced v3.2.1, which was retired on March 31, 2024; the future-dated requirements became mandatory on March 31, 2025, and v4.0.1 is the current revision. Key changes that affect small businesses:

  • Expanded MFA requirements: MFA is now required for all access into the cardholder data environment, not just remote and administrative access
  • Customized approach: organizations can meet a requirement with an alternative control if they can demonstrate, and document, that the security objective is met
  • Targeted risk analysis: more flexibility on frequencies such as review intervals, but you must document your risk-based decisions
  • Enhanced authentication: minimum password length increased from 7 to 12 characters (8 where a system cannot support 12)
  • Anti-phishing controls: technical controls to detect and protect staff against phishing attacks
  • Script management: every script on a payment page must be inventoried, authorized and integrity-checked, and the page needs a change- and tamper-detection mechanism
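
The script-management change is the one most likely to catch a small e-commerce merchant, because it turns "we added a chat widget to checkout" into a compliance event. The following script is an added example, not code from the original article or from centrexIT; the URLs, script bodies and checkout page are constructed. It builds the kind of authorized-script inventory that v4.0 Requirement 6.4.3 asks for (script URL plus a Subresource Integrity hash), then audits a payment page against it and flags scripts that are not in the inventory, have no integrity attribute, or whose hash no longer matches, which is the change detection Requirement 11.6.1 expects on payment pages.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script> tag; inline scripts have src None."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []  # list of (src, integrity) tuples in document order

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))


def audit_payment_page(html: str, inventory: dict[str, str]) -> list[str]:
    """Compare the scripts on a payment page against the authorized inventory.

    inventory maps script URL -> expected SRI value. Returns one finding per
    script that is inline, unauthorized, unpinned or changed; an empty list is clean.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src is None:
            findings.append("inline script: cannot be integrity-checked, move it to a file and inventory it")
        elif src not in inventory:
            findings.append(f"unauthorized script: {src}")
        elif integrity is None:
            findings.append(f"missing integrity attribute: {src}")
        elif inventory[src] not in integrity.split():  # SRI allows several space-separated hashes
            findings.append(f"integrity mismatch, script content changed: {src}")
    return findings


# Constructed script bodies standing in for the real files served at the (fictional) URLs.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('click', submitOrder);\n"
PSP_FIELDS_JS = b"/* hosted payment fields placeholder */\n"

# The authorized inventory: every script allowed on the payment page, with its pinned hash.
INVENTORY = {
    "https://shop.example/static/checkout.js": sri_hash(CHECKOUT_JS),   # our own form handling
    "https://psp.example/v1/fields.js": sri_hash(PSP_FIELDS_JS),        # processor's hosted fields
}

# Constructed checkout page as served today: one script pinned correctly, one whose
# content changed since it was inventoried, one added without authorization, one inline.
PAGE = f"""<html><head>
<script src="https://shop.example/static/checkout.js"
        integrity="{INVENTORY['https://shop.example/static/checkout.js']}" crossorigin="anonymous"></script>
<script src="https://psp.example/v1/fields.js"
        integrity="{sri_hash(PSP_FIELDS_JS + b'// new line')}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>window.dataLayer = [];</script>
</head><body><form id="checkout"><button id="pay">Pay</button></form></body></html>"""


if __name__ == "__main__":
    for finding in audit_payment_page(PAGE, INVENTORY) or ["clean"]:
        print(finding)
```

The browser only enforces the integrity attribute when it is present, so this audit belongs in two places: in the deploy pipeline, so the inventory is regenerated whenever you change your own scripts, and on a schedule against the live page, so a processor or CDN change, or an injected tag, shows up as a finding rather than as a breach notification.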

Cost of Compliance for Small Businesses

Here’s what small businesses typically spend:

Item | Estimated cost
--- | ---
Payment terminal (P2PE validated) | $300 - $800 per terminal
Firewall / network segmentation | $500 - $2,000
Quarterly vulnerability scans (ASV) | $100 - $500 per quarter
SAQ completion assistance | $500 - $3,000
Security awareness training | $200 - $1,000 per year
Policy documentation | $500 - $2,000
Penetration testing (if required) | $3,000 - $10,000
Managed IT services (security component) | $50 - $150 per user per month

Total annual cost for a typical small business: $3,000 - $15,000

Compare that to the cost of a breach or non-compliance fines, and the math is clear.

PCI DSS and Your IT Provider

Your IT provider plays a critical role in PCI DSS compliance. They should:

  • Help you segment your network to isolate payment systems
  • Manage firewall rules and network security controls
  • Deploy and maintain anti-malware and endpoint protection
  • Handle patch management for systems in the cardholder data environment
  • Set up logging and monitoring
  • Support your quarterly vulnerability scans
  • Help you complete your SAQ

Questions to Ask Your IT Provider

  1. Are you familiar with PCI DSS 4.0 requirements?
  2. Can you help us segment our network for PCI compliance?
  3. Do you provide quarterly vulnerability scanning through an ASV?
  4. How do you handle patch management for our payment systems?
  5. Can you support our annual SAQ completion?

Red Flags

  • They’ve never heard of PCI DSS
  • They suggest storing card numbers “for convenience”
  • They can’t explain network segmentation
  • They don’t offer vulnerability scanning

The Bottom Line

PCI DSS compliance isn’t optional if you accept credit cards. The good news: most small businesses can achieve compliance without enormous expense, especially if you minimize your scope by letting a validated payment processor handle the heavy lifting.

The key steps are straightforward:

  1. Reduce your card data exposure
  2. Complete the appropriate SAQ
  3. Address any gaps
  4. Maintain compliance year-round

The cost of compliance is a fraction of the cost of a breach. And beyond avoiding penalties, PCI DSS compliance means your customers can trust that their payment information is safe with you.


Need help assessing your PCI DSS compliance requirements? centrexIT helps businesses implement the network security, monitoring, and controls needed for PCI compliance. Contact us to get started.
