Compliance frameworks
PCI compliance for small businesses: What you need to now

PCI compliance for small businesses: What you need to now

As a small business owner or operator, you have plenty on your mind - tracking and paying taxes, managing profits and losses, building and growing your product, maintaining the cash flow you need, protecting your business’s legal needs, and much more. In the flurry of regulations and best practices, PCI compliance often falls through the cracks, but this can be a costly mistake.

Chances are that your small business needs to be PCI compliant, but where do you begin? Consider this to be your crash course in PCI compliance for your small business.

What is PCI compliance? A brief introduction

Before we dive in, let’s make sure everyone is on the same page. PCI compliance refers to complying with the PCI DSS: the payment card industry data security standard. This is a set of 12 security measures you need to take to protect customers’ payment data when they make purchases with your business.

Do small businesses need PCI compliance?

There is a common misconception that some businesses are too small to need PCI compliance, but that isn’t the case. No business is too small for PCI compliance. It’s a matter of how your customers pay you.

Any company or individual that collects, processes, transmits, or stores payment data needs to be PCI compliant. In other words, if cardholder data passes through your system or your servers (including cloud servers) at any point, you need to follow the PCI standards. This includes businesses that implement third-party payment processing solutions like Stripe and Paypal.

Why does my business need PCI compliance?

PCI compliance can be a complicated, tricky, and expensive process, but it will seem like a cakewalk compared to the potential consequences of ignoring the PCI DSS.

At the most basic level, you want to be PCI compliant to avoid penalty fines. PCI compliance is collectively enforced by the major financial institutions in the payment card industry, like Visa, JP Morgan Chase, and other financial organizations. These institutions can impose serious fines of $5,000 to $100,000 per month on businesses until they reach compliance.

These organizations can also impose other penalties. If your business has a data breach as a result of your non-compliance, they can issue PCI compliance fines for small business breaches and specific incidents. They can also impose other penalties, like raising your transaction fees when you process payments from customers who use their cards or even refusing to do business with you altogether.

As daunting as those consequences can be, the most expensive consequence of skipping PCI compliance is a data breach. These standards are designed to protect cardholder data and secure you against data breaches. If you aren’t abiding by those security protocols and a breach happens, you can lose untold amounts of money in customer reimbursements, not to mention lost business because you’ve broken the trust that customers had in you.

What is the PCI compliance process for small businesses?

The process of becoming PCI compliant can vary from one business to the next. Reaching compliance will depend on the security measures you already have in place - you might only need to check a few tasks off your to-do list to reach compliance or you may need large-scale changes to your system.

Once you have satisfied all 12 requirements listed in the PCI DSS, you’ll need to verify your PCI compliance. For businesses that process 6 million transactions or more per year, that verification process involves hiring a third-party auditor to assess your system and perform an on-site investigation to ensure that you meet all the compliance criteria.

For businesses that process less than 6 million transactions per year (that is, most small businesses), verification is much simpler. You’ll need to complete a Self-Assessment Questionnaire (SAQ) to examine your compliance and you’ll need to sign an Attestation of Compliance (AoC). To verify your compliance with PCI for your small merchant’s website, you’ll submit those two documents along with any supporting documentation that your SAQ requires. This often includes a third-party vulnerability scan of your system.

Where do I begin with PCI compliance for my small business?

PCI compliance might feel like a daunting task ahead, but it doesn’t have to be. You can streamline the process if you know how to start on the right foot.

Try beginning with a PCI compliance software tool. This tool is specially designed to evaluate your PCI compliance. It goes through an in-depth scan of your system to determine which requirements you meet and which ones you don’t. The software gives you a detailed report of those requirements so you know exactly what needs to be done for your business to reach compliance.

From here, you can start addressing each of those missing pieces one by one. This could mean hiring contractors or engineers to put certain security measures in place so it may still be an expensive process, but a compliance platform will save you the time of doing your own examination and hoping you’ve covered all your bases.

More on PCI 

PCI DSS Checklist

How to Get PCI Compliant

Do Companies That Use Shopify Need to be PCI Compliant?

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?


Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:


A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified


A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference


Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.

Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes