
What is PCI DSS compliance, and why does it matter?


Handling card payments comes with a serious responsibility: protecting your customers’ sensitive financial data.

Unfortunately, card data is incredibly valuable to cybercriminals: it can be quickly monetised through fraudulent purchases, sold on the dark web, or used to commit identity theft. That makes it a frequent target, and any business can be affected.

Recently, high-profile cyber attacks impacting major retailers have made headline news, but it’s not just big businesses being affected. According to the UK government's Cyber Security Breaches Survey 2025, the average cost of the most disruptive breach for small businesses was £1,510, with costs rising to £3,400 when excluding incidents reported as having no financial impact.

While there are no official PCI DSS fines issued directly by the PCI Security Standards Council, non-compliance can still result in serious financial penalties imposed by card schemes (e.g. Visa, Mastercard) via your acquiring bank, or payment processor.

Even a single breach can result in fines, lost trust, and damage to your brand. That’s why PCI DSS compliance is not just a box to tick - it’s a fundamental part of running a secure, trustworthy business.

If you are a business that handles, processes, stores, or transmits card payment data, you must be PCI compliant.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements designed to ensure that any business handling cardholder data does so safely and securely.

The standard was developed by the Payment Card Industry Security Standards Council (PCI SSC), whose members include major card networks like Visa and Mastercard. PCI DSS applies to any organisation, from global enterprises to one-man bands, that stores, processes or transmits payment card data.

What are the PCI DSS requirements?

The PCI DSS is built around 6 principles, each supported by specific technical and operational requirements. Even if you use a third-party payment provider (more on that later), it’s important to understand these principles, as some will still apply to you, especially if your website interacts with the checkout process.

Here’s a breakdown of the 12 requirements, with simplified definitions of what each of them means for your business.

  1. Build and maintain a secure network and systems

    | Requirement | What it means |
    | --- | --- |
    | 1. Install and maintain network security controls | Protect your systems from unauthorised access using properly configured firewalls and other security controls. |
    | 2. Apply secure configurations to all system components | Change all default passwords and settings on routers, software and payment terminals. |

  2. Protect cardholder data

    | Requirement | What it means |
    | --- | --- |
    | 3. Protect stored account data | If you store card data (not recommended for small businesses), it must be encrypted and protected. |
    | 4. Protect cardholder data with strong cryptography during transmission over open, public networks | Ensure card data is securely encrypted when sent over the internet. Typically, this is done by your payment provider, but your site must use HTTPS (SSL/TLS). |

  3. Maintain a vulnerability management programme

    | Requirement | What it means |
    | --- | --- |
    | 5. Protect all systems and networks from malicious software | Use antivirus and anti-malware tools on all devices that could interact with customer data. |
    | 6. Develop and maintain secure systems and software | Keep your website, plugins, and software up to date to avoid vulnerabilities. |

  4. Implement strong access control measures

    | Requirement | What it means |
    | --- | --- |
    | 7. Restrict access to system components and cardholder data by business need to know | Only authorised users should have access to systems handling card data. |
    | 8. Identify users and authenticate access to system components | Use unique IDs and secure login practices for anyone accessing sensitive systems. |
    | 9. Restrict physical access to cardholder data | Applies more to in-person retail, but important if you store printed customer data or use shared office spaces. |

  5. Regularly monitor and test networks

    | Requirement | What it means |
    | --- | --- |
    | 10. Log and monitor all access to system components and cardholder data | Keep logs of who accessed what, when and why. Some payment providers offer monitoring tools. |
    | 11. Test security of systems and networks regularly | Run vulnerability scans and security tests to find weaknesses. For small businesses using hosted checkouts, this is often handled by your provider. |

  6. Maintain an information security policy

    | Requirement | What it means |
    | --- | --- |
    | 12. Support information security with organisational policies and programmes | Even small teams should have basic policies and training in place to ensure the secure handling of customer and payment data. |

PCI compliance levels for merchants

PCI DSS compliance requirements vary by the volume of card transactions you process annually.

| Merchant level | Annual card transactions | Typical business type | Requirements |
| --- | --- | --- | --- |
| Level 1 | Over 6 million | Large online retailers | Annual audit by a QSA + quarterly scans |
| Level 2 | 1 to 6 million | Mid-sized businesses | Annual SAQ + quarterly scans |
| Level 3 | 20,000 to 1 million (e-commerce only) | Growing online retailers | Annual SAQ + quarterly scans |
| Level 4 | Fewer than 20,000 (e-commerce) or up to 1 million (other) | Most small businesses | Annual Self-Assessment Questionnaire (SAQ) |

QSA = Qualified Security Assessor

Most small online retailers fall under Level 4, with relatively simple requirements. However, as SMEs and microbusinesses often have limited resources, partnering with a PCI-compliant payment service provider can ease some of the burden when it comes to meeting the requirements.

Merchants that fall into Levels 2, 3, or 4 are generally required to complete a Self-Assessment Questionnaire (SAQ) annually.

If your business falls under one of these levels, you are not required to undergo a formal on-site PCI DSS assessment by a Qualified Security Assessor (QSA); instead, you self-assess your compliance status.

What is a SAQ, and which version should you complete?

There are multiple SAQ types depending on how your business stores, processes or transmits cardholder data:

SAQ A

  • For merchants who fully outsource all cardholder data functions to PCI DSS validated third parties.
  • No electronic storage, processing or transmission of cardholder data on your systems.
  • Typically used by e-commerce or mail/telephone order (MOTO) merchants using a fully hosted payment page.
  • Covers the fewest PCI DSS requirements (just 22), making it the simplest SAQ.

SAQ A-EP

  • For e-commerce merchants who outsource payment processing but still have a website that could impact cardholder data security (e.g. through scripts or embedded elements).
  • You don’t store, process, or transmit card data on your systems, but your website influences the security of the transaction.
  • More comprehensive than SAQ A because it includes website security responsibilities.

SAQ B

  • For merchants using only standalone, dial-out payment terminals (e.g. using phone line or mobile connections).
  • These terminals are not IP-connected and don’t store cardholder data.
  • Usually applies to small shops with very basic processing setups.

SAQ B-IP

  • For merchants using standalone payment terminals that connect to the internet (IP-based), but are isolated from other systems.
  • Terminals must be PCI-approved and no cardholder data may be stored electronically.
  • Requires basic network security controls.

SAQ C

  • For merchants with payment application systems (e.g. POS) that are connected to the internet, but do not store cardholder data.
  • Systems must be segmented from the rest of the network.
  • Appropriate for small businesses using integrated POS systems.

SAQ C-VT

  • For merchants who manually enter a single transaction at a time using a web-based virtual terminal on a computer connected to the internet.
  • The computer must not store cardholder data and must be dedicated only to the virtual terminal.
  • Used by small businesses that take orders by phone and enter details into a web portal.

SAQ P2PE-HW

  • For merchants using only hardware-based, PCI-validated Point-to-Point Encryption (P2PE) solutions.
  • No storage of cardholder data is permitted on any system.
  • All systems must be within the P2PE solution scope and must follow the provider's P2PE instruction manual.

SAQ D for Merchants

  • For merchants who do not fit into any of the other SAQ categories.
  • Typically includes merchants storing cardholder data electronically or handling complex payment environments.
  • Covers all PCI DSS requirements – the most rigorous and comprehensive SAQ.

All of the documents you need can be found in the PCI SSC Document Library. If you’re not sure which SAQ you need to complete, first read through the PCI SSC’s SAQ Instructions and Guidelines document.

Once you’ve determined the SAQ you need to complete, download the form, and complete all questions. After that, you’ll need to complete the corresponding Attestation of Compliance (AOC) document, which must be signed by an officer or authorised individual.

Finally, submit the SAQ and AOC to your acquiring bank or payment processor. Many acquirers and processors provide an online PCI compliance portal, or partner with a PCI service provider, for uploading these documents; others accept them via email, or you may need to send them to a dedicated account manager who completes the submission for you.

The benefits of working with a PCI-compliant provider

The simplest and most effective way to stay compliant as a small business is to work with a PCI-compliant payment provider. These are third-party services (like Ecommpay) that handle cardholder data on your behalf.

What can they provide?

Hosted payment pages

Hosted payment pages are secure, third-party pages where your customer completes their payment. Because the entire transaction happens off your website, card data never touches your server, significantly reducing your PCI DSS compliance scope. Many providers allow you to customise these pages with your branding, so the experience still feels seamless.

Example of a customisable payment page

Tokenization and encryption of cardholder data

Payment tokenization is a security measure used in electronic transactions to safeguard sensitive card details. It works by substituting the actual card information with a unique identifier, or token, so that the real data is never exposed during the payment process. This helps to minimise the risk of fraud and data breaches.

Tokens can be safely stored and used for repeat payments or subscriptions, while the original card data is encrypted and stored securely by the provider. This removes the need for your business to store or process sensitive data directly.

Fraud detection and chargeback management

Top-tier providers will offer robust risk management tools, which include features such as real-time fraud screening, rules-based risk filters, and tools for managing chargebacks and disputes. These systems help spot suspicious behaviour, flag high-risk transactions, and reduce the chances of fraudulent payments slipping through.

Secure plug-ins for e-commerce platforms

Providers typically offer ready-made integrations for popular platforms like WooCommerce, BigCommerce, and Magento. These plug-ins are built to follow PCI best practices and are regularly updated, so you can set up secure payments without writing code or hiring developers.

Regular security audits and PCI DSS certification

Reputable providers undergo annual audits by Qualified Security Assessors (QSAs) and must pass rigorous assessments to maintain their PCI DSS certification. This ongoing validation ensures they are continuously compliant with the latest standards and can be trusted to handle cardholder data securely.

What are the benefits for small businesses?

For smaller online businesses, working with a PCI-compliant provider is often the most efficient and cost-effective way to manage payment security.

Reduced compliance scope

Using a hosted checkout or redirect means you’re not handling cardholder data on your own systems. In most cases, this qualifies you for SAQ A, the simplest version of the Self-Assessment Questionnaire. It’s short, straightforward, and doesn’t require technical audits or vulnerability scans.

Lower risk

Because providers take responsibility for data encryption, secure storage, and infrastructure security, your risk exposure drops significantly. They use advanced security measures and are far better equipped to detect and respond to threats than most small businesses.

Faster setup

Most providers offer plug-and-play integrations that can be set up in minutes, not weeks. This means you can start accepting secure payments quickly, without investing in expensive custom development or IT support.

Access to advanced tools

You also benefit from tools that would be costly or complex to build in-house, such as:

  • Fraud scoring and rules engines
  • 3D Secure 2 (for Strong Customer Authentication)
  • Tokenised repeat billing and subscriptions
  • Real-time transaction monitoring
  • Dispute and chargeback dashboards

These tools not only enhance security but also help you run your business more smoothly and confidently.

Your PCI DSS responsibilities as a merchant

Even if you use a PCI-compliant provider, you are still responsible for the following:

  • Choosing a compliant provider (check they are listed on Visa/Mastercard PCI registries)
  • Completing the correct SAQ each year
  • Keeping your website secure (SSL certificate, updated software and plug-ins)
  • Avoiding card data storage on your servers
  • Maintaining evidence of compliance

Integration best practices

  • Use hosted checkout pages or secure iframes/tokenized fields
  • Never embed raw card input fields directly on your site
  • Keep all third-party scripts secure and up to date
  • Regularly review your provider’s documentation for any changes
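A pre-deploy check that turns the four practices above into something a merchant can run over its own checkout template, added here as an example and not taken from Ecommpay's documentation: it flags raw card input fields on the merchant's page, external scripts loaded without Subresource Integrity, scripts loaded over plain HTTP, and iframes that do not come from the expected provider origin. The sample HTML, the provider origin `https://checkout.provider.example` and the rule set are constructed assumptions; the scanner is regex-based on purpose, as a lint over a template you control rather than a general HTML parser.

```javascript
// Added example (not Ecommpay's code): audit a checkout page template for the
// integration practices listed above. Regex-based on purpose: a pre-deploy lint
// over your own template, not a full HTML parser.

// autocomplete tokens browsers use for card fields; any of these on your own
// <input> means card data is being entered on your page, which takes you out
// of SAQ A scope.
const CARD_AUTOCOMPLETE = new Set(['cc-number', 'cc-csc', 'cc-exp', 'cc-exp-month', 'cc-exp-year']);
const CARD_NAME_HINT = /card.?(number|no)|\bpan\b|cvv|cvc|csc/i;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Origin of a src attribute; relative URLs resolve against a placeholder merchant origin.
function originOf(src) {
  try { return new URL(src, 'https://merchant.example').origin; } catch (e) { return null; }
}

// Returns a list of findings; an empty list means the template passed every rule.
function auditCheckoutHtml(html, providerOrigins) {
  const allowed = new Set(providerOrigins);
  const findings = [];
  const tagRe = /<(input|script|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const a = parseAttrs(m[2]);
    if (tag === 'input') {
      const ac = (a.autocomplete || '').toLowerCase();
      if (CARD_AUTOCOMPLETE.has(ac) || CARD_NAME_HINT.test(a.name || '') || CARD_NAME_HINT.test(a.id || '')) {
        findings.push({ severity: 'high', rule: 'raw-card-input', detail: m[0] });
      }
    } else if (tag === 'script' && a.src) {
      const external = /^(https?:)?\/\//i.test(a.src);
      if (/^http:\/\//i.test(a.src)) {
        findings.push({ severity: 'high', rule: 'insecure-script-src', detail: a.src });
      } else if (external && !a.integrity) {
        findings.push({ severity: 'medium', rule: 'third-party-script-without-sri', detail: a.src });
      }
    } else if (tag === 'iframe' && a.src) {
      const origin = originOf(a.src);
      if (origin && !allowed.has(origin)) {
        findings.push({ severity: 'medium', rule: 'iframe-from-unexpected-origin', detail: origin });
      }
    }
  }
  return findings;
}

function countByRule(findings, rule) {
  return findings.filter(f => f.rule === rule).length;
}

// Constructed sample template with deliberate problems for the audit to catch.
const SAMPLE_CHECKOUT_HTML = `
<form action="/order" method="post">
  <input type="email" name="email" autocomplete="email">
  <input type="text" name="card_number" placeholder="Card number">
  <input type="text" name="securitycode" autocomplete="cc-csc">
  <iframe src="https://checkout.provider.example/embed?session=abc"></iframe>
  <iframe src="https://widget.example/chat"></iframe>
</form>
<script src="https://cdn.example/lib.js" integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.example/a.js"></script>
<script src="http://legacy.example/old.js"></script>
`;

for (const f of auditCheckoutHtml(SAMPLE_CHECKOUT_HTML, ['https://checkout.provider.example'])) {
  console.log(`${f.severity.toUpperCase()} ${f.rule}: ${f.detail}`);
}
```

Two design notes. The iframe rule is an allow-list, so the only way a provider's embed passes is if you name its origin explicitly; that makes a silently changed provider URL show up as a finding rather than being waved through. The SRI rule is deliberately medium rather than high: some provider SDKs are served unversioned and cannot carry an `integrity` attribute, in which case the finding is a prompt to confirm with the provider how script integrity is maintained, not an automatic failure.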

PCI DSS isn’t just for large companies. Small businesses are just as vulnerable to breaches, and compliance helps reduce risk and build trust.

Ecommpay is a fully licensed principal member of Mastercard and Visa, and its payment platform has been certified to Level 1 PCI DSS. To ensure you’re following best practices and protecting your business and its customers, speak to the team or sign up for our tailored payment solution for small businesses.
