Every merchant that touches a card number has to deal with PCI compliance. And every merchant that I've audited has been overpaying for it — usually $200 to $400 a year for what should cost about $30.
Here's the plain-English version of what PCI DSS actually requires, who it applies to, and which fees on your statement are legitimate versus pure processor markup.
What PCI DSS Actually Is
PCI DSS — Payment Card Industry Data Security Standard — is a set of rules written by Visa, Mastercard, Amex, Discover, and JCB. They formed a council back in 2006 because they were sick of paying out fraud claims when merchants stored card numbers in spreadsheets.
Three things to understand up front:
- It's not a law. PCI DSS is a contractual obligation between you and the card networks. Breaking it doesn't send you to court — it sends you to your processor's fine schedule.
- It applies the second you touch a card number. Swipe, dip, tap, type, store, transmit — doesn't matter.
- Your processor enforces it. They're the ones who get fined by Visa, so they pass that burden to you via attestation forms.
The Four Merchant Levels
Visa and Mastercard split merchants into four levels based on annual card volume. The level determines how much paperwork you owe.
- Level 1: 6M+ transactions/year. Mandatory on-site audit by a Qualified Security Assessor (QSA). Expensive — think $50K+ a year.
- Level 2: 1M–6M transactions/year. Annual Self-Assessment Questionnaire (SAQ) plus quarterly network scans.
- Level 3: 20K–1M e-commerce transactions/year. Annual SAQ plus quarterly scans.
- Level 4: Under 20K e-commerce transactions/year, or under 1M total transactions/year. Annual SAQ — that's it. This is where almost every small business lives.
If you're reading this and you process less than $1M a year in card volume, you're a Level 4 merchant. Your entire PCI obligation is a yearly questionnaire that takes about 30 minutes.
SAQ Types in Plain English
There are nine SAQ types. You only fill out one. Which one depends on how you take payments.
- SAQ A: E-commerce that fully outsources payment pages (Stripe Checkout, PayPal redirect, iframe). 22 questions. Easiest.
- SAQ A-EP: E-commerce where your site loads the card form but a third party processes it (Stripe Elements, hosted-fields). 191 questions. Worse.
- SAQ B: Card-present with a dial-up terminal, no internet connection. Rare now.
- SAQ B-IP: IP-connected terminal that handles encryption on the device. Most modern card-present setups.
- SAQ C / C-VT: POS systems on a network, or virtual terminals. More questions, more scans.
- SAQ D: Everything else — including any merchant that stores card numbers. 329 questions. Avoid this category if you can.
- SAQ P2PE: You use a certified point-to-point encryption terminal. Only 35 questions — this is the dream.
The lesson: don't store card numbers, and use a P2PE terminal. Your SAQ goes from 329 questions to 22 or 35.
The 12 Requirements (Translated)
PCI DSS v4.0 has 12 core requirements. Here's what they actually mean for a small business:
- 1 & 2: Firewall & default passwords. Change your router's default password. Use a firewall (your router has one — turn it on).
- 3: Protect stored card data. Just don't store it. If you must, use tokenization so the actual PAN never lives on your servers.
- 4: Encrypt transmission. Your terminal and gateway already do this. For e-commerce: use HTTPS, period.
- 5 & 6: Antivirus & patching. Run Windows Update or macOS updates. Install antivirus on any computer that handles payments.
- 7, 8, 9: Access control. Each employee gets their own login. No shared passwords. Lock the back office when no one's in it.
- 10: Log access. Your POS already logs who logged in when. You're fine.
- 11: Test for vulnerabilities. Quarterly external network scans if you're Level 2 or 3. Level 4 is mostly off the hook.
- 12: Security policy. A one-page written policy that says “we follow these rules.” Templates are free online.
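Requirement 3 boils down to "prove you aren't storing PANs." Here is an added example (not from the original post) of the check a practitioner runs over logs, database exports or backups before picking an SAQ: find digit runs of 13 to 19 digits, keep only those that pass the Luhn checksum every branded card number satisfies, and report them masked. The log lines and card numbers are constructed; the two that hit are standard test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log: a tokenized line (what you want to see), a digit run
# that fails Luhn, a phone-like number, and two well-known test card numbers.
SAMPLE_LOG = """\
2024-03-01 10:02:11 order=10001 pan=4111 1111 1111 1111 amount=42.00
2024-03-01 10:05:43 order=10002 token=tok_9f3a2c amount=17.50
2024-03-01 10:09:02 order=10003 pan=4111111111111112 amount=9.99
2024-03-01 10:12:30 order=10004 phone=555-0100-4823-1199
2024-03-01 10:15:07 order=10005 pan=5555 5555 5555 4444 amount=88.00
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every branded card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four; a findings report never needs more."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: {pan}")
```

Any hit means full card numbers are being stored somewhere, which puts you in SAQ D territory no matter what terminal you use.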
How to Actually Self-Attest
Every Level 4 merchant attests once a year. The process:
- Log into your processor's PCI portal (most use SecurityMetrics, Trustwave, or Aperia).
- Pick the SAQ type that matches how you take cards.
- Answer the questions (mostly yes/no).
- Sign the Attestation of Compliance (AOC).
- If your SAQ requires scans, the portal runs them quarterly on autopilot.
That's it. Total time: 30–60 minutes per year. Total cost: $0 if your processor includes it, ~$30/year if they don't.
The PCI Fees That Are BS
Now the part that costs merchants real money. Look at your last statement and you'll likely see two PCI-related line items.
The “PCI Compliance Fee” — $99 to $199/year
This is the annual fee your processor charges to give you access to their PCI portal. Sometimes called “PCI Program Fee.” Sometimes billed quarterly at $25-$50/quarter so it's less obvious.
Reality: the underlying SecurityMetrics or Trustwave portal costs the processor about $20-$30 per merchant per year. They mark it up 4-10x. Some honest processors waive it entirely or charge $0-$25.
The “PCI Non-Compliance Fee” — $19 to $49/month
This one is more aggressive. If you don't complete your attestation by the deadline, the processor charges you a monthly penalty until you do. Some processors don't actively remind you, which means merchants pay $250-$500/year in penalties for paperwork they didn't know existed.
I've seen merchants who paid the non-compliance fee for seven years straight because no one ever told them they could just fill out a 22-question form to make it stop.
What's Legitimate
- A flat PCI fee of $0–$30/year is fair (covers the portal).
- A breach assistance reserve fund is legitimate at ~$5/month if it's actually a fund.
- Quarterly scan fees ($5-$15/quarter) are reasonable for SAQ B-IP, C, or D merchants.
Everything else is markup dressed up as a compliance line item. If your effective rate has $200+/year in PCI fees baked in, you're being charged for something the processor is barely spending $30 on.
The Real Risk if You Skip It
Forget the monthly penalty for a second. The real risk is a breach.
If you get hit with a data breach and you're not PCI compliant at the time, the card brands can fine you anywhere from $5,000 to $100,000 per month until you remediate. They'll also charge back every fraudulent transaction to you. Plus forensic investigation costs (typically $20K-$50K), plus state breach notification costs.
For a Level 4 merchant, an annual SAQ is the cheapest insurance policy you'll ever buy. Just don't pay your processor $400 a year to babysit you through it.
The Bottom Line
PCI compliance for a small business is genuinely easy: use a modern P2PE terminal, don't store card numbers, fill out the SAQ once a year. The hard part is finding a processor that doesn't use PCI as a profit center.
Send me your last statement and I'll tell you exactly how much of your “compliance” line is real and how much is markup. Or check your math on a free savings calculator first.