PCI Compliance Explained

Est. Reading Time: 5 min. | October 29th, 2025

If your business handles credit card payments, PCI compliance is an essential security measure. 

However, many business owners, especially those just starting out or scaling up, have a hard time understanding what PCI DSS (Payment Card Industry Data Security Standard) entails. It’s a detailed process that can feel both confusing and overwhelming. 

As a payments provider, we’re well-versed in PCI compliance and can help guide you through this process. 

In this guide, we’ll break down the essentials of PCI compliance and answer common questions to help you stay secure and avoid costly penalties. 

What Is PCI Compliance? 

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure all companies that accept, process, store, or transmit credit card information maintain a secure environment. 

The PCI Security Standards Council – founded by major credit card brands like Visa, MasterCard, American Express, Discover, and JCB – developed these standards to help prevent data breaches and fraud. 

Being PCI compliant means your business adheres to these standards, protecting both your customers and your company from potential risks. 

Why Is PCI Compliance Important? 

PCI Compliance Levels 

PCI compliance is broken down into four levels, based on transaction volume: 

Most small-to-medium businesses fall into Level 3 or 4, where completing a Self-Assessment Questionnaire (SAQ) and performing quarterly vulnerability scans is often enough. 

Level 1 merchants – those who process more than 6 million card transactions per year – are required to use a third-party auditor. These audits are performed by Qualified Security Assessors (QSAs), auditors approved by the PCI SSC to conduct an on-site review and confirm compliance. 

The Basics of PCI Compliance 

When your business is considered PCI Compliant, you meet the following requirements: 

Basic requirements: 

Common PCI Compliance Questions Answered 

  1. Why didn’t I need to be PCI compliant with Square?

You didn’t need to worry about PCI compliance with Square because they act as a payment facilitator (PayFac), meaning they handle the security, compliance, and certification requirements on behalf of all their merchants. Essentially, you operate under Square’s PCI scope rather than your own.  

While this makes setup simple, it also means you’re bound by Square’s policies and risk rules. If Square changes its terms or decides your business type no longer fits within its acceptable use categories, your account could face sudden holds, restrictions, or even shutdowns without warning. 

That’s why it’s crucial to work with a reliable provider like Valmar, especially if you’re in a high-risk industry.  

  2. What is an SAQ and which one do I need?

An SAQ (Self-Assessment Questionnaire) is a set of yes/no questions that help determine your PCI compliance. There are multiple types (A, A-EP, B, C, D, etc.), each depending on how you process payments (e.g., online vs. in-store vs. using third-party platforms). 

Your processor or security vendor can help determine the right form. 

  3. What happens if I’m not PCI compliant?

Non-compliance can result in: 

It’s not just a formality; failure to comply can significantly impact your business. 

  4. Do I need to complete PCI compliance every year?

Yes. PCI compliance is not a one-time task. You must validate it annually and, where your environment requires it, complete quarterly vulnerability scans. 

  5. Is storing credit card information allowed?

Not usually. Storing cardholder data (especially sensitive data like CVV or magnetic stripe) is strongly discouraged and restricted. Most small businesses should avoid storing any card data and instead use tokenization or outsource to a PCI-compliant provider. 

  6. Is PCI compliance the same as general cybersecurity?

Not exactly. PCI DSS is a specific set of standards, while cybersecurity is broader. However, PCI compliance is a good baseline for strong payment security practices. 

  7. How much does it cost to be PCI Compliant?

The cost of PCI compliance varies greatly depending on your merchant level and payment setup. 

For small businesses, PCI compliance can cost around $300 per year. For larger enterprises requiring an assessment, PCI compliance can be upwards of $70,000. 


How to Get Started with PCI Compliance 

  1. Check with your payment processor: Many offer built-in tools or partner services. 
  2. Identify your SAQ type: Based on how you process payments. 
  3. Complete the SAQ annually: Be honest and accurate. 
  4. Perform quarterly scans: If your environment requires it. 
  5. Fix gaps or vulnerabilities: Remediation is key for validation. 

PCI compliance doesn’t have to be intimidating. With the right tools and understanding, most businesses can stay compliant without excessive overhead. Whether you’re running a small Shopify store or a growing SaaS platform, ensuring PCI compliance is a fundamental step in protecting your business and customers. 

Let’s Talk

With multi-industry expertise, you know that we are the right fit for you.