What PCI DSS is
The Payment Card Industry Data Security Standard (PCI DSS) is the set of security controls that protects cardholder data — the card number, expiration, and related authentication data — wherever your business stores, processes, or transmits it. It is maintained by the PCI Security Standards Council (PCI SSC), a body founded by the major card brands.
One thing to be precise about: PCI DSS is not a government law or regulation. It is a contractual security standard. The card brands — Visa, Mastercard, American Express, Discover, and JCB — require it through their network rules, and they enforce it on merchants through the acquiring banks that process your transactions. When you signed a merchant agreement to accept cards, you agreed to comply. The teeth are contractual: fines passed down through your acquirer, higher transaction fees, or, in a serious case, losing the ability to take cards at all.
That is why scope is broad. Any business that accepts a card — a retail shop, a restaurant, a hotel, a clinic, a professional office, an online store — is in scope. There is no minimum. If you take card payments, PCI DSS applies to you.
Merchant levels, and which one you are
PCI sorts merchants into four levels by annual card transaction volume. The thresholds below are the Visa and Mastercard definitions; the other brands use similar tiers. Your acquiring bank tells you which level applies, but the thresholds are public, so you can usually tell from your own transaction volume where you land.
- Level 1. More than 6 million card transactions a year, or any merchant that has had a breach. Requires the most rigorous validation.
- Level 2. 1 million to 6 million transactions a year.
- Level 3. 20,000 to 1 million e-commerce transactions a year.
- Level 4. Fewer than 20,000 e-commerce transactions a year, or up to 1 million transactions across any channel.
Most small and mid-sized businesses are Level 4. That matters because the validation burden scales with the level. A Level 1 merchant has an annual on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance. A Level 4 merchant generally validates by completing a Self-Assessment Questionnaire and, depending on how it accepts cards, running quarterly network scans. The controls themselves are the same at every level; what differs is how you prove you meet them. Knowing your PCI compliance level is the first step, because it tells you which validation path you owe.
The 12 requirements
PCI DSS organizes its 12 requirements under six goals (control objectives). In practical terms:
- Build and maintain a secure network and systems. Requirement 1 — install and maintain network security controls (firewalls). Requirement 2 — apply secure configurations and change vendor-supplied defaults like default passwords.
- Protect account data. Requirement 3 — protect stored account data; the simplest path is to not store it. Requirement 4 — encrypt cardholder data with strong cryptography when it crosses open, public networks.
- Maintain a vulnerability management program. Requirement 5 — protect all systems and networks from malicious software. Requirement 6 — develop and maintain secure systems and software, including timely patching.
- Implement strong access control measures. Requirement 7 — restrict access to cardholder data on a need-to-know basis. Requirement 8 — identify users and authenticate access, including multi-factor authentication. Requirement 9 — restrict physical access to cardholder data.
- Regularly monitor and test networks. Requirement 10 — log and monitor all access to system components and cardholder data. Requirement 11 — test security systems and networks regularly.
- Maintain an information security policy. Requirement 12 — support information security with organizational policies and a program everyone follows.
A note on versions: the current standard is PCI DSS v4.0.1, a limited revision published in June 2024. The prior v3.2.1 was retired on March 31, 2024, and the future-dated v4.x requirements became mandatory on March 31, 2025. The six goals and twelve requirements above carry across v4.x; what changed are the specifics underneath them.
A PCI compliance checklist
Here is a scannable PCI compliance checklist for a small merchant. The first several lines map to the 12 requirements; the rest cover the validation work a Level 4 business actually has to do.
- A firewall protects the network, and the cardholder data path is segmented from the rest of the business.
- Vendor-default passwords and settings have been changed on every device, including the router and the POS.
- Card numbers are not stored; if any account data is retained, it is protected and rendered unreadable.
- Cardholder data is encrypted whenever it travels over public networks.
- Anti-malware protection is deployed and current on every system that can reach cardholder data.
- Systems and applications are patched on a defined cadence, and the POS software is supported and up to date.
- Access to cardholder data follows least privilege and need-to-know.
- Every account has a unique ID, and MFA is enforced on access to the cardholder data environment.
- Physical access to devices and any media that touch card data is controlled.
- Access to systems and cardholder data is logged, retained, and reviewed.
- Security systems are tested regularly, including the quarterly external vulnerability scan by an Approved Scanning Vendor (ASV) if your acceptance method requires one.
- A written information security policy exists, and staff are trained on it.
- Your merchant level is confirmed with your acquiring bank.
- The correct Self-Assessment Questionnaire is completed, with an Attestation of Compliance on file.
- Guest Wi-Fi is isolated from the network the POS uses.
Validating: SAQ vs. ROC
How you prove compliance depends on your level and how you accept cards. Level 1 merchants produce a Report on Compliance (ROC) from a QSA. Everyone else generally completes a Self-Assessment Questionnaire (SAQ) — a checklist you attest to. There are several SAQ types, and the right one depends entirely on your setup:
- SAQ A — e-commerce or mail/telephone merchants who fully outsource card handling to a PCI-validated processor and never touch card data.
- SAQ A-EP — e-commerce sites that don't receive card data directly but control the payment page (redirects, iframes).
- SAQ B — standalone dial-out terminals or imprint machines, with no electronic storage.
- SAQ B-IP — standalone, PTS-approved IP-connected terminals, no electronic storage.
- SAQ C-VT — a single transaction at a time, keyed into a web-based virtual terminal.
- SAQ C — payment applications connected to the internet, no storage.
- SAQ P2PE-HW — merchants using only a validated point-to-point encryption (P2PE) solution.
- SAQ D — everyone else, including merchants who store card data; the longest questionnaire.
The practical lesson is scope. Using a PCI-validated processor, P2PE hardware, or tokenization — and not storing card numbers — pushes most of the standard onto the provider and shrinks what you have to validate, often to the short SAQ A. The less your systems touch raw card data, the smaller your PCI footprint.
What an MSP owns, and what stays with you
An MSP serving a merchant owns the technical work: the segmented network and firewall, the MFA deployment, the secure configuration and patching, the logging and monitoring infrastructure, the EDR on every device, the SOC, the isolated guest Wi-Fi, and the encryption settings. The MSP can also help select a PCI-validated processor and P2PE so card data never lands on your systems, and produce the configuration evidence the SAQ asks for.
The business owns the parts the standard places on the merchant. You sign the Attestation of Compliance — that is an owner-level attestation, not something an MSP can sign for you. You own the merchant relationship with your acquiring bank, the written security policy, staff handling of cards at the counter, and the business decisions about how you accept payment. The MSP supplies the controls and the proof; you own the program and the attestation.
How a Micro-IT engagement maps to PCI DSS
A merchant on the Micro-IT managed stack gets the technical controls of PCI DSS deployed and documented. Managed Site ($149+/site) delivers the segmented network and firewall, with the POS on its own VLAN and guest Wi-Fi isolated — the single most effective way to keep the rest of the business out of scope. Managed Endpoint ($79/device) brings EDR on every device, patching, secure configuration, and 24/7 SOC monitoring and logging. Managed Inbox ($20/mailbox) adds enforced MFA and anti-phishing on the accounts staff use. On top of that: encryption in transit, change management, and help selecting a PCI-validated processor with P2PE or tokenization so card numbers never touch your systems.
That maps directly to most of the 12 requirements — network controls, secure configuration, malware protection, access control, MFA, logging and monitoring, testing, and policy support — while scope reduction keeps the assessment small. The Attestation of Compliance and the acquiring-bank relationship stay with your leadership. We do not sell a fixed PCI package price, because the right scope depends on how you accept cards. Start with the free risk assessment, see plans to build an estimate, or call 270.816.5726.
