Here's a question most merchants don't ask until it's too late: what actually happens if you fail a PCI audit?

Spoiler: it's not just a fine. It's account termination, liability for the costs of a data breach, and a black mark that makes it substantially harder to find a new processor. Compliance with the PCI DSS (Payment Card Industry Data Security Standard) is a contractual requirement baked into every merchant account agreement you've ever signed. Yet most merchants have only a fuzzy idea of what it actually requires, which merchant level applies to them, or how much work it really is.

PCI DSS is a set of security requirements maintained by the PCI Security Standards Council, which Visa, Mastercard, American Express, Discover, and JCB founded in 2006. It applies to any organization that stores, processes, or transmits cardholder data, and that is basically everyone who accepts cards. The current version is v4.x; v3.2.1 was retired on 31 March 2024, so make sure the SAQ form you are filling in is the v4 one.

The 4 Levels of PCI Compliance

Merchants get sorted into four levels based on transaction volume over 12 months. Each card brand defines its own levels; the thresholds below are Visa's, and Mastercard's are similar. Your level determines how much validation you need and how often. One caveat that surprises people: any brand can move a merchant that has suffered a data compromise up to Level 1, regardless of volume.

Level 1: over 6 million card transactions per year, across all channels. You need an annual on-site assessment by a Qualified Security Assessor (QSA) (or, where the brand and acquirer permit, by a certified Internal Security Assessor), quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and a Report on Compliance (ROC) with a signed Attestation of Compliance (AOC). This is enterprise territory.

Level 2: 1 million to 6 million transactions per year. Annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans. Mastercard requires Level 2 merchants to have the SAQ completed by a certified Internal Security Assessor or to undergo a QSA assessment instead, so check what your acquirer expects before assuming the SAQ alone is enough.

Level 3: 20,000 to 1 million e-commerce transactions per year. Annual SAQ plus quarterly ASV scans. This level counts e-commerce transactions only; card-not-present channels get their own category because they carry higher fraud and data-theft risk.

Level 4: everyone else, meaning fewer than 20,000 e-commerce transactions or up to 1 million transactions across all channels. This is where most small businesses live. Annual SAQ and quarterly ASV scans where your SAQ type requires them. Validation requirements at this level are set by your acquirer, and some acquirers enforce loosely, but the contractual obligation to be compliant is the same. Don't count on leniency.

Self-Assessment Questionnaires: What You Need to Know

The SAQ is how most merchants prove compliance. There are multiple types, each tied to a specific way of accepting payments, and eligibility is decided by your technical setup, not by which one is shortest. Picking the wrong one is one of the most common mistakes out there. The question counts below are from PCI DSS v3.2.1; v4.0 reworked every SAQ, so expect different numbers and download the current forms from the PCI SSC document library.

SAQ A: card-not-present merchants (e-commerce or mail/telephone order) who fully outsource every cardholder data function to PCI DSS validated third parties and keep no electronic cardholder data. The classic cases are a redirect to the provider's hosted payment page, or a card form delivered entirely inside an iframe served by the provider. Only 22 questions in v3.2.1. The easy route.

SAQ A-EP: e-commerce merchants who outsource payment processing but whose own website affects how cardholder data reaches the processor. The typical case is a card form rendered on the merchant's page and submitted straight to the processor by merchant-controlled JavaScript (a "direct post"). This is the SAQ that most commonly applies to small e-commerce sites that build their own checkout form. 191 questions in v3.2.1, which is why the difference between a provider-served iframe and your own form fields matters so much.

SAQ B: imprint machines or standalone dial-out terminals, with no electronic cardholder data storage. Rare these days.

SAQ B-IP: standalone PTS-approved payment terminals with IP connectivity, no electronic cardholder data storage. Think a retail terminal on an IP network that talks directly to the processor.

SAQ C-VT: web-based virtual terminals connected to a third-party processor, no electronic card data storage. For businesses that key in transactions one at a time through a browser.

SAQ C: merchants whose payment application system (a point-of-sale system, for example) is connected to the internet, no electronic cardholder data storage.

SAQ P2PE: merchants who accept cards only through hardware terminals that are part of a PCI-listed point-to-point encryption (P2PE) solution, no electronic cardholder data storage.

SAQ D: the big one. Over 300 questions in v3.2.1. For any merchant that doesn't meet the eligibility criteria of one of the other SAQ types (service providers have their own SAQ D form). If you store cardholder data electronically, or have a mixed or complex setup, this is your burden. It's time-consuming and costly, which is the strongest argument for designing your setup so you never need it.

What Small Businesses Actually Need

If you're a small business running a few hundred transactions a month through a gateway such as Stripe or Square, your PCI compliance is actually pretty simple. Which SAQ applies depends on how the integration is built, not on which provider you picked: a redirect to the provider's hosted checkout or a card form served inside the provider's iframe puts you in SAQ A, while a card form you render yourself and post directly to the processor puts you in SAQ A-EP. Either way, no QSA and no full ROC.

Your annual routine: fill out the right SAQ, run quarterly ASV scans if your SAQ requires them, and sign the Attestation of Compliance. Many gateways offer integrated tools that walk you through it step by step, and using their hosted checkout is what gets you onto the shortest SAQ. The attestation is still yours to sign, though; a provider can shrink your scope but cannot make you compliant on its own.

The golden rule for small businesses: never store full card numbers (the PAN), card verification codes (CVV2/CVC2/CID), PINs, or magnetic stripe and chip track data, and never let them land in application logs, support tickets, e-mails, or database backups. Use a modern gateway that tokenizes the card at capture and hands you back a token you can store for refunds and repeat billing. If cardholder data never touches your servers or your page's scripts, your scope, and with it your SAQ, shrinks massively.

Common PCI Compliance Mistakes

Even well-meaning merchants mess these up. Here's what to watch for.

  • Using the wrong SAQ. Merchants pick SAQ A because it's shortest, even when their setup requires A-EP or D. Certifying against the wrong requirements is itself a compliance failure, and it leaves the controls you actually needed unverified.
  • Storing prohibited data. PCI DSS bans storing sensitive authentication data (card verification codes, full track data, PINs or PIN blocks) after authorization, even encrypted. The PAN may be stored only if it is rendered unreadable wherever it sits: strong encryption, truncation, index tokens, or (in v4.0) a keyed cryptographic hash. "We'll encrypt it later" doesn't count.
  • Missing quarterly scans. Lots of merchants do the annual SAQ but blow off the quarterly network scans. The scan has to be run by an ASV, not your own scanner, and it has to pass: under the ASV program, any finding with a CVSS base score of 4.0 or higher is a failing scan until it is fixed and rescanned. One missed window can trigger non-compliance alerts and fines.
  • Treating compliance as a one-time thing. Your environment changes: new software, different hosting, a redesigned checkout page. Each change can alter your scope and even which SAQ you are eligible for, so re-check eligibility after every significant change rather than waiting for the annual validation to notice.
  • Ignoring third-party vendors. Plugins, themes, and third-party services that touch payment data, or that run on the page where it is entered, become part of your compliance scope. A vulnerability in a random plugin can make you non-compliant, and a compromised third-party script on the checkout page can skim card data in the browser even when your server never sees it. That is why PCI DSS v4.0 added requirements for inventorying and authorizing the scripts on payment pages (6.4.3) and for detecting unauthorized changes to them (11.6.1).

Consequences of Non-Compliance

The penalties range from fines to losing your ability to process payments entirely. Worth knowing what's at stake.

The card brands can fine acquirers for non-compliant merchants; figures of $5,000 to $100,000 per month are commonly cited. Guess who those costs are passed through to? You, via your bank or processor, usually with extra administrative fees tacked on.

More immediately, your processor can jack up your rates, impose higher reserves, or put holds on your settlements. If cardholder data is compromised while you're non-compliant, the costs flow to you: a mandatory forensic investigation by a PCI Forensic Investigator (PFI), card brand assessments to cover fraud losses and card reissuance, legal costs, and possibly regulatory penalties. Hundreds of thousands of dollars is an easy total.

Worst case: account termination. An acquirer that terminates you for PCI non-compliance can also list you on Mastercard's MATCH (Member Alert to Control High-risk Merchants) database, which other acquirers check before onboarding, so finding a new processor becomes much harder and much more expensive.

A Practical PCI Compliance Checklist

Use this list to stay on track each year:

  • Know your merchant level based on annual transaction volume.
  • Pick the correct SAQ type for your processing setup.
  • Stop storing full card numbers, verification codes, PINs, and track data. Use your gateway's tokenization instead.
  • Audit your website, servers, logs, and backups for unauthorized cardholder data storage; debug logging and support tickets are the usual places it hides.
  • Complete and submit your annual SAQ to your acquirer or processor.
  • Schedule and pass quarterly ASV scans. Automate them so you don't forget.
  • Document your policies: data retention, access control, incident response.
  • Train every employee who handles payment data on PCI requirements.
  • Review third-party vendors and plugins for compliance impact. Remove anything outdated or unnecessary.
  • Set calendar reminders for your SAQ due date and quarterly scan windows.
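The "audit for unauthorized cardholder data storage" step above is the one most merchants skip because they assume nothing is stored. The following is an added example, not code from the article or from any gateway vendor: a small Python scan that walks through text (log files, database exports, ticket dumps) looking for strings shaped like a primary account number, keeps only those that pass the Luhn check and carry an issuer prefix of one of the five founding brands, and reports them masked to the first six and last four digits so the scanner itself never writes a full PAN into its own output. The sample log is constructed and uses the industry-standard test card numbers.

```python
"""Cardholder-data discovery scan for logs and exports (added example)."""
import re
from pathlib import Path
from typing import Iterable, Iterator, NamedTuple, Optional

# 13 to 19 digits, each optionally followed by one space or dash, and not
# embedded in a longer digit run (a 20-digit reference number is not a PAN).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str   # file name or label of the text scanned
    line: int     # 1-based line number
    brand: str
    masked: str   # first six and last four digits only


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> Optional[str]:
    """Issuer prefix (IIN) and length rules for the PCI SSC founding brands."""
    n, p2, p3, p4 = len(pan), int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "Mastercard"
    if n == 15 and p2 in (34, 37):
        return "American Express"
    if 16 <= n <= 19 and (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649):
        return "Discover"
    if 16 <= n <= 19 and 3528 <= p4 <= 3589:
        return "JCB"
    return None


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: Iterable[str], source: str = "<text>") -> Iterator[Finding]:
    """Yield one masked Finding per Luhn-valid, brand-prefixed candidate."""
    for lineno, line in enumerate(lines, start=1):
        for m in CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            brand = brand_of(pan)
            if brand and luhn_ok(pan):
                yield Finding(source, lineno, brand, mask_pan(pan))


def scan_file(path: Path) -> list:
    """Scan one file; undecodable bytes are replaced rather than aborting."""
    with path.open(encoding="utf-8", errors="replace") as fh:
        return list(scan_lines(fh, str(path)))


# Constructed sample log: standard test PANs plus look-alike numbers that
# must NOT be reported (a 16-digit order id, and a PAN with a bad check digit).
SAMPLE_LOG = """\
2024-05-01 12:00:01 order=1234567890123456 status=captured
2024-05-01 12:00:02 DEBUG card=4111-1111-1111-1111 exp=12/26 cvv=123
2024-05-01 12:00:03 DEBUG card=378282246310005 amount=19.99
2024-05-01 12:00:04 ref=4111111111111112 (typo, fails Luhn)
2024-05-01 12:00:05 token=tok_1PqB2cL9 last4=4444
"""

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG.splitlines(), "sample.log"):
        print(f"{f.source}:{f.line}: {f.brand} {f.masked}")
```

Run it against the sample and it reports only lines 2 and 3 (the Visa and American Express test numbers); the order id on line 1 and the mistyped PAN on line 4 are rejected by the brand-prefix and Luhn filters. Point `scan_file` at your web server logs, application logs, and a plain-text database dump; a single hit means you have unencrypted cardholder data, and the `cvv=123` on line 2 is the other thing to look for, because verification codes may never be stored at all. The Luhn and prefix checks cut down false positives but do not eliminate them, so treat hits as leads to confirm, and extend the prefix table if you accept other brands.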

PCI compliance doesn't have to be overwhelming. For most small and medium businesses, it's a few hours of work per year once your systems are set up right. Invest that time — it protects you from financial disasters and keeps you processing without interruptions.

Need a merchant account that helps you stay compliant? WebPayMe connects businesses with processors that provide PCI compliance tools and guidance. Get matched with a provider that makes compliance simple.

Find a Compliant Processor