PCI compliance for small business

Any organisation, regardless of size, that transmits, processes or stores cardholder data is subject to the rules laid out in the Payment Card Industry Data Security Standard (PCI DSS). 

The PCI DSS is a set of requirements put forth by the Payment Card Industry Security Standards Council (PCI SSC) to protect sensitive cardholder information during the card transaction process. It is a set of global industry standards created and governed by the major card brands, American Express, Discover Financial Services, JCB International, MasterCard and Visa. 

Small organisations, particularly eCommerce businesses that rely solely on third-party payment service providers to accept card payments, may mistakenly assume PCI DSS requirements don’t apply to them. However, the reality is that even small businesses with very few annual card transactions must maintain and demonstrate their compliance.
Small business PCI compliance, at a glance:
✓ Protecting sensitive cardholder data and/or account information in line with PCI DSS rules is as crucial for small businesses as it is for large businesses. 
✓ PCI DSS is not itself law, but non-compliance can lead to substantial penalties from credit card companies and legal liabilities based on local laws governing data protection and consumer privacy.
✓ For small businesses, partnering with third-party companies to manage PCI DSS compliance is often more cost-efficient than hiring in-house compliance personnel. 
✓ Maintaining PCI DSS compliance requires routine audits, conducted via self-assessment questionnaires or by qualified assessors.
✓ Smaller businesses with fewer than 1 million annual card transactions face less rigorous auditing compared to larger companies with annual transaction volumes over the 1 million mark.

Do I need to be PCI-compliant as a small business?
In short, yes. PCI DSS compliance applies to all businesses that process card transactions. Whether your number of annual card transactions is 10 or 10 million, protecting your customers’ sensitive data is essential, not just to avoid non-compliance penalties, but also to gain customer trust and uphold your company’s reputation. Even minor data breaches can be devastating for the customer whose sensitive financial information was compromised. As a small business owner, you owe it to your customers, your employees, and yourself to be diligent about PCI DSS compliance. 

To the average small business owner, PCI DSS rules may seem complex, technical, and more than a bit daunting, but there are a number of resources designed to support small businesses in maintaining compliance. A good place to start is the PCI Security Standards Council’s website, which includes a ‘Merchant Resources’ section with links to resources for business owners. This includes a directory of qualified professionals available to help small businesses manage PCI DSS compliance. 

Further reading: What is PCI Compliance?

PCI requirements for small businesses
The first step in ensuring that your small business is PCI DSS compliant is to understand the key requirements of PCI DSS based on your company’s size, and the ways in which you must assess, monitor, and demonstrate your company’s compliance. The specifics of this will vary based on your company’s PCI DSS “Compliance Level.”

PCI compliance levels
There are four PCI DSS compliance levels for merchants, determined by the organisation’s volume of annual card transactions. The thresholds below are Visa’s; the other card brands use similar but not identical tiers, and a merchant that has suffered a cardholder data breach can be required to validate at Level 1 regardless of its volume. Your acquiring bank tells you which level applies to you.

  1. Companies with more than 6 million annual card transactions 
  2. Companies with 1-6 million annual card transactions
  3. Companies with 20,000-1 million annual card transactions
  4. Companies with fewer than 20,000 annual card transactions

What constitutes a “small business” varies depending on the country and the entity that’s making the measurement. Even organisations that might be considered a “small business” based on their number of employees or their annual turnover, may still fall under compliance Level 1 or Level 2 based on the number of card transactions they process each year. However, the majority of small businesses fall under compliance Level 3 or Level 4.

The compliance level of your small business will primarily impact the type of PCI DSS audit required and who must conduct the audit. 

Audit requirements by compliance level:
Level 1: Annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC)
Level 2: Annual self-assessment questionnaire (SAQ) or on-site assessment by a QSA (depending on the acquirer and card brand)
Level 3: Annual self-assessment questionnaire (SAQ)
Level 4: Annual self-assessment questionnaire (SAQ)
In every case the result is submitted to the acquirer together with a signed Attestation of Compliance (AOC).

Other compliance requirements for small businesses

  • Quarterly vulnerability scans - Where the applicable SAQ includes PCI DSS Requirement 11, merchants must run vulnerability scans at least quarterly and after any significant change to their environment. External scans must be performed by an Approved Scanning Vendor (ASV) and must pass; internal scans can be run with the merchant’s own staff or tooling. Whether the scan requirements apply is decided by which SAQ you qualify for, not by your compliance level.
  • Penetration testing - Merchants whose SAQ includes the penetration testing requirement (for example SAQ D, or SAQ A-EP for eCommerce sites whose own web pages affect payment security) must have a penetration test performed at least annually and after significant changes. The tester does not have to be a QSA or Internal Security Assessor (ISA), but must be qualified and organisationally independent of the systems under test, and exploitable findings must be fixed and retested.
  • Vendor oversight - Merchants of all sizes must keep a list of the third parties involved in handling cardholder data (payment service providers, hosting and software companies), confirm their PCI DSS status at least annually, and agree in writing which PCI DSS requirements each party is responsible for (Requirement 12.8). 

Common PCI DSS violations made by small businesses
As the payments industry continues to evolve and adapt to consumer trends and advances in technology, it’s easy for businesses, small businesses in particular, to fall behind on current data security requirements. Below are some of the most common ways in which small businesses breach PCI DSS compliance, typically without even realising they’re doing it. 

Storing unencrypted card data
Businesses that use outdated methods of collecting cardholder information (e.g., card numbers, expiry dates, security codes) are likely failing to comply with PCI DSS rules. Note the distinction the standard draws: the card number (PAN) may be stored only where there is a documented business need and only if it is rendered unreadable (strong encryption, truncation or hashing), whereas the security code (CVV2/CVC2), full magnetic stripe or chip data and PIN must never be stored after authorisation, encrypted or not. 

For example, a small business that takes orders over the phone may think it’s fine to write down a customer’s card details on a piece of paper in order to process their order at a later time. Or a small business may think it’s OK to collect customers’ card information via an insecure web form that feeds into a spreadsheet where data is left visible and unencrypted. In both cases, cardholder data is left exposed and vulnerable to hacking and theft. 
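The first step in fixing either of these habits is finding where card numbers already sit. The scanner below is an added example (not code from the original article): it reads text such as an exported order spreadsheet, picks out 13 to 19 digit sequences, keeps only those that pass the Luhn check digit test that every real card number satisfies, and reports them with all but the last four digits masked so the report itself does not become another copy of cardholder data. The CSV sample is constructed for this example; the card numbers in it are the card brands’ well-known test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer run of digits (so long order IDs are skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; every genuine card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in one string (Luhn-valid candidates only)."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def scan(text: str) -> list[tuple[int, str]]:
    """Scan multi-line text; return (line number, masked PAN) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for masked in find_pans(line):
            findings.append((lineno, masked))
    return findings


# Constructed sample: an exported order spreadsheet of the kind the text
# describes. Card numbers are the brands' published test numbers, not real
# accounts; names and phone numbers are made up. Line 4 holds a 13-digit
# reference that is not a card number and must not be reported.
SAMPLE_CSV = """\
order_id,customer,phone,notes
10021,A. Patel,07700 900123,"paid by card 4111 1111 1111 1111 exp 12/26"
10022,B. Okafor,07700 900456,"card 5555-5555-5555-4444, call back Tuesday"
10023,C. Novak,07700 900789,"ref 1234567890123 bank transfer"
10024,D. Lee,07700 900321,"Amex 378282246310005 cvv 123 - DO NOT STORE"
"""

if __name__ == "__main__":
    for lineno, masked in scan(SAMPLE_CSV):
        print(f"line {lineno}: cardholder data found ({masked})")
```

Run it over exported spreadsheets, shared mailboxes, ticketing exports and application logs; anything it reports is data that must be deleted or moved into the payment provider’s systems, and the presence of a security code next to a PAN (as on the last sample line) is a finding in its own right because that value may never be retained.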

Weak passwords and access controls
For eCommerce businesses where customers create an online account, it’s essential that these accounts are kept secure through strict password and access controls. Businesses that allow weak passwords (e.g., “password” or “123456798”) and/or fail to implement measures such as multi-factor authentication (MFA), device recognition and temporary account lockouts after repeated failures leave customer accounts, and therefore customer data, vulnerable to credential stuffing and brute-force attacks. Be aware that PCI DSS Requirement 8 itself is aimed at the accounts your staff, administrators and vendors use to reach systems that store or process cardholder data: no shared or vendor-default passwords, a unique ID for every user, MFA for administrative and remote access into the cardholder data environment (v4.0 extends this to all access), and lockout after repeated failed attempts. Those accounts are where a breach of your own systems will start, so apply at least the same rigour to them as to customer logins. 
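The controls just listed are simple to get wrong in code, so here is an added example (not the article’s own code) of the minimum mechanism: a password policy check, salted PBKDF2 password hashing, and a failed-attempt counter that locks the account for a fixed period. The policy values are PCI DSS v4.0’s for personnel accounts (Requirement 8.3.6: at least 12 characters with letters and digits; 8.3.4: lockout after no more than 10 failures for at least 30 minutes), on the assumption that your SAQ includes those requirements; the short denylist and the injectable clock are conveniences of this example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy values from PCI DSS v4.0 requirements 8.3.4 and 8.3.6 (assumption:
# the applicable SAQ includes them). They govern staff and administrator
# accounts; the same mechanism is reused here for customer logins.
MIN_LENGTH = 12               # 8.3.6: at least 12 characters, letters and digits
MAX_FAILED_ATTEMPTS = 10      # 8.3.4: lock after no more than 10 failures
LOCKOUT_SECONDS = 30 * 60     # 8.3.4: locked for at least 30 minutes
PBKDF2_ITERATIONS = 100_000   # kept low so the example runs quickly; OWASP
                              # currently advises 600,000 for PBKDF2-HMAC-SHA256
# Short constructed denylist; in production use a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456789", "123456798",
                    "qwerty123", "letmein"}


def password_policy_errors(password: str) -> list[str]:
    """Return the list of policy violations (empty means acceptable)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("contains no digit")
    if not any(c.isalpha() for c in password):
        errors.append("contains no letter")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("is a commonly used password")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen database cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class Authenticator:
    """Password storage plus temporary lockout; the clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.clock = clock

    def register(self, username: str, password: str) -> list[str]:
        """Create the account if the password passes policy; return violations."""
        errors = password_policy_errors(password)
        if not errors:
            salt = os.urandom(16)
            self.accounts[username] = Account(salt, hash_password(password, salt))
        return errors

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # equalise timing for unknown users
            return "denied"
        if acct.locked_until > now:
            return "locked"                          # do not evaluate the password at all
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILED_ATTEMPTS:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    print(auth.register("shop-admin", "password"))               # policy violations
    print(auth.register("shop-admin", "Winter-Stock-Take-2024"))  # []
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = auth.login("shop-admin", "wrong guess")
    print(result)                                                 # locked
```

Two details matter more than they look: while an account is locked the password is not checked at all, so an attacker cannot keep guessing during the lockout window, and the unknown-user path still performs a hash so response times do not reveal which usernames exist. MFA and device recognition sit on top of this and are not shown.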

Insecure Wi-Fi
A small business can have every safeguard in place to encrypt stored cardholder data, but if the Wi-Fi network carrying transaction data is insecure it undermines the rest. Wireless networks that carry cardholder data must use current, strong encryption (WPA2 or WPA3 with a long passphrase; WEP and open networks are prohibited), must not keep the router’s default administrator password, and must be separated by a firewall from guest and general office Wi-Fi so that a compromised laptop or a visitor’s phone cannot reach the payment terminals or till software. PCI DSS also expects merchants to check periodically for rogue wireless access points connected to the card-handling network. 

Lack of vendor oversight
Compliance failures begin and end with the merchant. Even if the cause of a breach lies with a third-party payment service provider or software company, the merchant remains responsible for protecting its customers’ data. One of the most common areas of non-compliance for small businesses is vendor oversight: many businesses never check the compliance status of the third parties that handle card transactions for them. At a minimum, ask each provider for its current Attestation of Compliance, keep a list of these providers, review their status at least once a year and agree in writing which PCI DSS requirements each side is responsible for, as Requirement 12.8 expects. Using a compliant provider can shrink your own obligations (for example, to the shorter SAQ A when the provider hosts the entire payment page), but only if your own systems really are kept out of the payment flow. 

Neglecting compliance paperwork
Even very small businesses with low annual transaction volumes should complete a self-assessment questionnaire (SAQ) each year. It’s often the case that third-party vendors don’t ask for paperwork from smaller merchants, making it easy to forget or overlook this annual task. However, to ensure you’re staying on top of compliance requirements, and to protect your business in the event of a breach, it’s essential to complete an annual PCI DSS self-assessment questionnaire. 

Maintaining PCI DSS compliance as a small business
To become PCI DSS-compliant and maintain compliance over time, small businesses must make IT and data security a priority across all areas of the business. Here’s what small business owners can do to facilitate this. 

1. Understand and adhere to the 12 main PCI DSS requirements

The 12 requirements, as laid out in the PCI DSS Quick Reference Guide (PDF), are as follows. The wording below is that of PCI DSS v3.2.1; v4.0, which has been mandatory since 31 March 2024, keeps the same 12 goals but renumbers and rewords the detailed controls beneath them.
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

2. Stay on top of industry trends and get ahead of upcoming requirements.
Businesses that make a point to stay informed of advances in security tools and technologies are able to be proactive and even implement new security measures before they are required by PCI DSS. It’s always better to be ahead of security trends rather than playing catch-up. 

3. Schedule in routine audits and scans.
Businesses that integrate required PCI DSS audits and scans into their annual calendar ensure that these core compliance requirements aren’t accidentally overlooked. 

4. Update software and patch vulnerabilities. 
Be sure to regularly update and patch any software used to process card transactions and/or manage customer accounts. Hackers commonly target outdated software that has known vulnerabilities. When software updates and new patches are available, don’t wait to install them into your system.

5. Seek advice from compliance experts.
The objectives of PCI DSS are simple, but understanding and implementing the requirements are less straightforward. Seeking the advice and expertise of compliance companies and/or qualified compliance professionals is often more cost-efficient and effective than attempting to manage PCI DSS compliance in-house. 

6. Make PCI DSS a standard part of employee training.
By integrating PCI DSS compliance awareness and education into existing employee training programs, small businesses can help ensure that employees understand the importance of protecting cardholder data (and the implications of breaching PCI DSS rules).


My business is very small, with fewer than a thousand yearly card transactions. Do I still need to demonstrate PCI DSS compliance?
Yes, even small businesses with very low transaction volumes must maintain PCI DSS compliance. Businesses that process fewer than 20,000 annual card transactions are considered ‘PCI Compliance Level 4’. These businesses must complete an annual self-assessment questionnaire (SAQ) and, where the applicable SAQ includes the scanning requirement, have quarterly external vulnerability scans run by an Approved Scanning Vendor (ASV). Your acquirer decides how, and how often, you must submit this evidence. 

How is PCI DSS enforced? 
Although it often overlaps with national and local laws, PCI DSS itself is not law and is not overseen by government agencies. Rather, it’s enforced contractually by the card networks through your acquiring bank, using a number of different penalties that vary based on the size and nature of the compliance breach. Organisations that breach PCI DSS rules can incur tens of thousands of pounds in monthly penalties and, for severe and repeat breaches, may face the complete withdrawal of card payment services.  

Companies that fail to protect cardholder data are often also subject to legal penalties and lawsuits based on local data protection and privacy laws. 

How do I know if my business is PCI DSS compliant?
The best way for an organisation to assess and maintain its PCI DSS compliance is to complete the appropriate audit based on its compliance level. For many small businesses, this means completing an annual self-assessment questionnaire (SAQ), perhaps with the support of a third-party compliance agency. These questionnaires are designed to pinpoint any data security weak points so that they can be remedied effectively. 
Where their SAQ requires it, small businesses should also have quarterly external vulnerability scans run by an Approved Scanning Vendor (ASV), and run internal scans of their own network, in order to detect and fix vulnerabilities before an attacker does.

What PCI DSS resources are available for small businesses?
The PCI Security Standards Council’s own website, specifically its ‘Merchant Resources’ section, provides a thorough overview of current PCI DSS rules, as well as links to additional resources and compliance experts. 

In the UK, the National Federation of Self-Employed and Small Businesses also provides small businesses with legal and compliance advice and support regarding PCI DSS. 
