PCI Compliance
Does PCI Apply To My Business?
Short answer: Yes — absolutely!
If your business accepts credit or debit card payments in any way, PCI compliance is not optional: it is a contractual requirement of your merchant agreement, enforced by the card brands through your acquiring bank.
Whether you’re running a one-person operation or a growing enterprise, if you accept, process, transmit, or store any customer cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) applies to you. It doesn’t matter if you process one transaction a year or thousands a day—PCI compliance exists to protect your customers’ sensitive information and safeguard your business from costly breaches and penalties.
Why SMB Owners Often Think PCI Doesn’t Apply — and Why That’s Risky
Many small business owners mistakenly believe PCI compliance is only for “big companies” or high-volume merchants. But the truth is, cybercriminals often target smaller businesses because they tend to have weaker security measures in place. Failing to comply can lead to:
- Hefty fines from credit card companies and banks
- Reputation damage that can permanently erode customer trust
- Legal liability for data breaches
- Loss of ability to process card payments
If Even One Customer Pays by Card, You’re in PCI’s Scope
It doesn’t matter if you swipe physical cards, key in card numbers over the phone, or take online payments—if card data touches your systems at all, you’re responsible for meeting PCI DSS requirements. This includes:
- Retail shops and restaurants
- Healthcare or dental offices
- Professional service firms (accountants, lawyers, consultants)
- eCommerce websites
- Charities and nonprofits accepting online donations
Err on the Side of Compliance—It’s Safer and Smarter
When it comes to protecting customer payment data, "better safe than sorry" is not just good advice; it is written into the merchant agreement every card-accepting business signs. Even minimal exposure to cardholder data puts your business in PCI's scope, and ignoring it can be far more costly than becoming compliant.
How We Make PCI Easy for Your Business
We specialize in helping small and midsize businesses navigate PCI requirements without the complexity and confusion. Our PCI compliance service includes:
- Step-by-step gap analysis and remediation
- Assistance completing the correct SAQ (Self-Assessment Questionnaire)
- Ongoing compliance monitoring to keep your business protected year-round
- Education for your team so compliance becomes second nature
Bottom Line: If you accept card payments, PCI compliance applies to you — and we can make it easy, affordable, and effective.
Looking to Become HIPAA Compliant
Rules for securing protected health information (PHI) are set out in the HIPAA Privacy and Security Rules, with the most recent proposed updates to the Security Rule published in January 2025. These rules impose mandates on all covered entities, and any vendor that can access PHI, whether physically or electronically, must sign a Business Associate Agreement with the covered entity.
Looking to Become CMMC Compliant
The Cybersecurity Maturity Model Certification (CMMC 2.0) program rule for Defense Industrial Base contractors was published in October 2024 and took effect in December 2024. Its requirements are drawn from NIST SP 800-171 (with additional NIST SP 800-172 controls at Level 3), and contractors that handle controlled unclassified information will need a self-assessment or a third-party assessment, depending on their level, to become certified.

PCI Compliance Services & PCI Risk Assessment for SMBs:
Protect your business. Stay compliant. Build customer trust.
If your business accepts credit or debit card payments—whether online, in-person, or by phone—PCI compliance isn’t optional. It’s a requirement that safeguards your customers, your reputation, and your ability to process payments.
At Farmhouse Networking, we make PCI compliance services simple, affordable, and stress-free for small and midsize businesses in healthcare, accounting, nonprofits, and beyond.
Our PCI Risk Assessment Process
We start with a comprehensive PCI risk assessment to uncover vulnerabilities before they become liabilities:
- Practice & Workflow Evaluation – Identify where sensitive data is stored, processed, or transmitted.
- Network Asset Inventory – Map all devices, systems, and endpoints.
- Security Gap Analysis – Find weaknesses and prioritize fixes.
- Compliance Documentation – Deliver clear policies and step-by-step requirements for the current PCI DSS 4.x standard.
- Breach Response Planning – Prepare your business to act fast if an incident occurs.
Beyond Compliance — Real Business Value
Our PCI compliance services don’t just check a box. You get:
- Reduced risk of costly breaches or fines
- Stronger customer trust and loyalty
- Protection against cyberattacks often targeting SMBs
- Support that also aligns with HIPAA compliance for healthcare organizations
Stay Compliant Year-Round
Once you complete your PCI compliance checklist, we provide ongoing monitoring, policy updates, and regular reviews to ensure you stay secure and compliant as threats and regulations evolve.
Don’t wait for a security incident to take action.
Get a PCI compliance risk assessment today and protect your business the smart way.
Frequently Asked Questions (FAQ)
What is PCI DSS, and why does it exist?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements established by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect cardholder data from theft and fraud. Any business that accepts, processes, transmits, or stores credit or debit card data is required to comply, regardless of size or transaction volume. PCI DSS is not a government law, but it is a contractual requirement of your merchant agreement – and non-compliance carries real financial and operational consequences.
Does PCI compliance apply to my small business?
Yes. If your business accepts card payments in any form (in person, online, over the phone, or through a payment terminal) PCI DSS applies to you. There is no transaction volume threshold below which compliance is optional. Many small business owners assume PCI is only for large retailers, but cybercriminals frequently target smaller businesses precisely because their security tends to be weaker. One transaction per year is enough to put you in scope.
What is PCI DSS 4.0, and does it affect my business?
PCI DSS 4.0 replaced version 3.2.1, which was retired on 31 March 2024. A limited revision, v4.0.1, was published in June 2024 and is now the only active version, and the 4.x requirements that were initially marked as future-dated best practices became mandatory on 31 March 2025. Version 4.x introduces stronger authentication requirements (multi-factor authentication for all access into the cardholder data environment and longer minimum password lengths), a "customized approach" option for meeting controls, new requirements for protecting payment pages and the scripts they load, and a greater emphasis on security as a continuous process rather than an annual checklist. If your business is still referencing 3.2.1 documentation or compliance processes, those need to be updated. We help clients assess and address the changes required under 4.x.
What is a cardholder data environment, and why does it matter?
Your cardholder data environment (CDE) is the combination of people, processes, and technology that stores, processes, or transmits cardholder data, including any systems that are connected to or could affect the security of that data. Understanding the scope of your CDE is the foundation of PCI compliance. A smaller, well-defined CDE means fewer systems in scope, simpler compliance requirements, and lower risk. We help you map your CDE accurately as part of our risk assessment process.
Does using a third-party payment processor mean I am automatically PCI compliant?
No, and this is one of the most common and costly misconceptions among small businesses. Using a hosted payment processor reduces your scope significantly, but it does not eliminate your compliance obligations. Your network, devices, and business practices still need to meet PCI DSS requirements. Even if card data never touches your servers, how you handle your network, access controls, and employee practices still falls within scope. We help you understand exactly what your processor covers and what remains your responsibility.
What is the difference between PCI compliance and PCI certification?
PCI compliance means your business meets the ongoing security requirements of PCI DSS and has completed the appropriate self-assessment or audit for your merchant level. PCI certification is not a formal term in the standard – there is no single certificate issued to businesses that says they are PCI compliant. What exists are validation artifacts: your completed SAQ, your Attestation of Compliance, and for higher-level merchants, a Report on Compliance from a Qualified Security Assessor. We help you complete the correct documentation for your merchant level and keep it current.
What merchant level is my business, and does it matter?
Merchant levels are assigned by each card brand, not by PCI DSS itself, based on annual card transaction volume, and the brands' definitions are broadly similar. Level 4 merchants, meaning those processing fewer than 20,000 e-commerce transactions a year and all other merchants processing up to one million transactions a year, make up the vast majority of small businesses and have the most straightforward compliance path. Your merchant level determines which validation requirements apply to you, including which SAQ you need to complete. We help you determine your correct merchant level as part of our onboarding process.
What is an SAQ, and do I need to complete one?
A Self-Assessment Questionnaire is the primary compliance validation tool for most small and mid-sized businesses. There are several SAQ types, each designed for a different payment processing method. The right SAQ for your business depends on how you accept and handle card data – for example, whether you use a fully hosted payment page, a physical terminal, or manually enter card numbers. We work primarily with the SAQ types most relevant to SMBs and guide you through selecting and completing the correct one accurately.
What does a PCI risk assessment include, and what will we receive?
Our PCI risk assessment follows a structured process that evaluates where card data lives in your environment, how it moves, and where your security controls fall short. The process includes a practice and workflow evaluation, a network asset inventory, a security gap analysis, and breach response planning. The engagement involves one to two days onsite. Within seven days you receive a written report with findings and a prioritized remediation roadmap – audit-ready documentation that shows exactly what needs to be addressed and in what sequence.
Do you help reduce the scope of our PCI compliance obligations?
Yes, and this is often the most practical first step for small businesses. Scope reduction means restructuring how your business handles card data so that fewer systems and processes fall within PCI’s requirements. The most effective approach is using a fully hosted payment solution that keeps card data entirely off your systems and network. We advise on scope reduction strategies as part of our assessment process and help you implement changes that simplify your compliance obligations without disrupting your operations.
Do you work with Qualified Security Assessors?
Yes. Most SMB clients fall into lower merchant levels where a QSA is not required for compliance validation. For clients who do need QSA involvement — due to transaction volume, industry requirements, or a specific compliance mandate — we have established QSA partnerships and manage that relationship on your behalf as part of your managed IT services contract. You do not need to source or coordinate with a QSA independently.
What does ongoing PCI compliance management include?
Ongoing compliance is managed as part of your monthly managed IT services contract. This includes continuous monitoring, policy updates as requirements evolve, regular reviews to catch new vulnerabilities or scope changes, and coordination with QSA partners when needed. PCI DSS 4.0 places greater emphasis on compliance as a continuous process rather than an annual event – our ongoing management is structured to reflect that expectation.
What happens if my business experiences a card data breach?
If a breach occurs involving cardholder data, your obligations under PCI DSS and your merchant agreement include notifying your acquiring bank promptly, engaging a PCI Forensic Investigator (PFI) when the card brands require one, and cooperating with card brand investigations. We assist with the full breach response process: notification requirements, forensic investigation coordination, and documentation of your response. Every managed IT client also receives breach response planning documentation in advance, so your team knows exactly what to do before an incident occurs.
What happens if my business is found non-compliant after a breach?
The consequences are significant. Card brands can impose fines on your acquiring bank, which are typically passed directly to you as the merchant. Fines for non-compliant merchants involved in a breach can reach tens of thousands of dollars, and in serious cases much more. Beyond fines, you may lose the ability to accept card payments entirely – a potentially business-ending outcome for most SMBs. You may also face civil liability from affected cardholders. The cost of becoming and staying compliant is a fraction of the cost of a breach while non-compliant.
Which industries do you serve for PCI compliance?
We work with small and mid-sized businesses across healthcare and dental practices, accounting and professional services firms, charities and nonprofits that accept online donations, and other service businesses that process card payments. Many of our healthcare clients also have HIPAA compliance obligations, and we manage both frameworks together so requirements do not fall through the cracks between them.
How do I get started?
Request your free consultation using the form on this page. We will assess your current environment, determine your merchant level and SAQ type, and deliver a written risk assessment with remediation roadmap within seven days of our onsite visit. There is no cost and no obligation to get started.