PCI Compliance Guide for E-Commerce Businesses

Understanding PCI DSS requirements and how to protect customer payment data

If your business accepts credit or debit cards online, PCI DSS (Payment Card Industry Data Security Standard) compliance isn't optional—it's a requirement from card networks and often a contractual obligation with your payment processor. Yet many e-commerce businesses don't fully understand what compliance entails or think it doesn't apply to them. This guide breaks down PCI compliance in practical terms and shows you how to achieve and maintain it.

What is PCI DSS and Who Must Comply?

PCI DSS is a set of security standards created by major card brands (Visa, Mastercard, American Express, Discover) to protect cardholder data. It applies to any organization that stores, processes, or transmits credit card information, regardless of size or transaction volume.

For more insights on this topic, see our guide on Website Security Audit Checklist for 2026.

Common Misconceptions

  • "We use Stripe/Square, so we don't need to be compliant" — False. You still need to complete a Self-Assessment Questionnaire and validate compliance annually.
  • "Small businesses are exempt" — False. Even processing one card transaction requires compliance. Validation level varies by volume.
  • "PCI is only about credit card numbers" — False. It also covers CVV codes, expiration dates, cardholder names, and transaction history.
  • "We're automatically compliant if we pass a scan" — False. Passing a network scan is one requirement, but compliance requires meeting all applicable standards.

Compliance Levels by Transaction Volume

Card networks categorize merchants into four levels based on annual Visa transaction volume:

  • Level 1: 6+ million transactions/year — Requires annual on-site security assessment by Qualified Security Assessor (QSA)
  • Level 2: 1-6 million transactions/year — Annual Self-Assessment Questionnaire (SAQ) and quarterly network scans
  • Level 3: 20,000-1 million e-commerce transactions/year — Annual SAQ and quarterly scans
  • Level 4: Under 20,000 e-commerce transactions/year — Annual SAQ and quarterly scans (same as Level 3)

Most small to mid-size e-commerce businesses fall into Level 3 or 4. Even at these levels, non-compliance can result in fines of $5,000-$100,000 per month plus potential liability for fraud.

The 12 PCI DSS Requirements (Simplified)

PCI DSS organizes security controls into 12 requirements across 6 categories:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain firewall configuration — Protect cardholder data with firewalls between public networks and internal systems
  • Requirement 2: Don't use vendor-supplied defaults — Change default passwords, remove unnecessary accounts, disable unused services

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data — Minimize storage, encrypt what you must keep, never store CVV/PIN after authorization
  • Requirement 4: Encrypt transmission of cardholder data — Use TLS 1.2+ for all card data transmission over public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software — Deploy anti-malware on systems commonly affected by malware
  • Requirement 6: Develop and maintain secure systems — Patch security vulnerabilities, follow secure coding practices, protect web applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access by business need-to-know — Grant access based on job function, use role-based access control
  • Requirement 8: Assign unique ID to each person with access — No shared accounts, strong authentication, password policies
  • Requirement 9: Restrict physical access to cardholder data — Control facility access, secure media, destroy data before disposal

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data — Log all access, review logs daily, retain logs one year
  • Requirement 11: Regularly test security systems and processes — Quarterly network scans, annual penetration testing, file integrity monitoring

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security — Written security policy, security awareness training, incident response plan

Choosing the Right SAQ (Self-Assessment Questionnaire)

Most e-commerce businesses complete an SAQ rather than a full audit. Choosing the correct SAQ type is critical—using the wrong one means you're not actually compliant.

Common SAQ Types for E-Commerce

  • SAQ A: Card-not-present merchants who completely outsource payment processing (redirect to payment processor's site). Shortest questionnaire (~22 questions). Example: You redirect to PayPal and customers enter card details entirely on PayPal's site.
  • SAQ A-EP: E-commerce merchants who outsource but where payment page is hosted on merchant site (iframe, hosted fields). ~180 questions. Example: Stripe Elements embedded in your checkout page.
  • SAQ D: Merchants who store, process, or transmit card data on their own systems. Most comprehensive (~300 questions). Example: You built custom payment processing or store card numbers.

SAQ Selection Decision Tree

Ask yourself these questions to determine your SAQ:

  1. Do customers enter card data on your website or app?
    • No (they're redirected to processor site) → SAQ A
    • Yes, continue to question 2
  2. Does card data pass through your server at any point?
    • No (using hosted fields/iframe that sends directly to processor) → SAQ A-EP
    • Yes (card data touches your server) → SAQ D

Red flag: If you're not 100% certain whether card data touches your servers, assume it does and complete SAQ D or hire a QSA to assess. Choosing the wrong SAQ creates false compliance.

Achieving Compliance: Practical Implementation

Here's how to actually implement PCI requirements for a typical e-commerce business using hosted payment solutions.

Step 1: Minimize Your PCI Scope

The less card data you handle, the easier compliance becomes. Use these strategies:

  • Use payment service providers — Stripe, Square, PayPal, Authorize.net handle card data for you
  • Implement hosted fields — Card number fields are iframes from your payment processor, data never touches your server
  • Use payment tokens — Store tokens instead of card numbers for recurring billing
  • Avoid card data in logs — Ensure card numbers never appear in application logs, error messages, or database records
  • Don't email card details — Train staff to never request or send card numbers via email
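One way to enforce the "no card numbers in logs" rule above, as an added example that is not part of the original post: a log scrubber that finds 13 to 19 digit runs, keeps only those that pass the Luhn check (so order ids and timestamps are left alone), and truncates real PANs to first six / last four. The `PAN_CANDIDATE` pattern and the sample log lines are constructed for this example; the card numbers in them are well-known public test numbers.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run (so timestamps and order ids are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    # Luhn mod-10: every real card number passes, most random digit runs do not.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    # First six and last four is the most PCI DSS allows to be displayed.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str):
    # Returns (scrubbed line, number of PANs masked in it).
    found = 0
    def replace(match):
        nonlocal found
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # not a card number: leave untouched
        found += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(replace, line), found

def scrub_log(lines):
    # Scrub every line; the total is the evidence you keep for the SAQ.
    cleaned, total = [], 0
    for line in lines:
        out, n = scrub_line(line)
        cleaned.append(out)
        total += n
    return cleaned, total

# Constructed sample log (not from a real system); PANs are public test numbers.
SAMPLE_LOG = [
    "2024-11-05 12:03:11 INFO checkout order=1234567890123 total=49.99",
    "2024-11-05 12:03:12 ERROR gateway timeout card=4111 1111 1111 1111 exp=12/26",
    '2024-11-05 12:03:13 DEBUG payload {"pan":"5555555555554444","cvv":"123"}',
]
```

Calling `scrub_log(SAMPLE_LOG)` returns the three lines with the two test PANs rewritten as `411111******1111` and `555555******4444` and a count of 2; note that the CVV in the third line is not something a scrubber can reliably catch, so the application must never write it in the first place.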

Step 2: Secure Your Infrastructure

  • Use reputable hosting — Choose hosts with PCI-compliant infrastructure (AWS, Google Cloud, Azure with proper configuration)
  • Implement SSL/TLS properly — TLS 1.2 minimum, strong cipher suites, valid certificates covering all domains
  • Enable web application firewall — Cloudflare, AWS WAF, or equivalent to block common attacks
  • Patch systems regularly — Automate security updates where possible, test patches before deployment
  • Segment your network — Separate payment processing systems from other parts of your infrastructure

Step 3: Implement Access Controls

  • Unique accounts for everyone — No shared logins, each person has individual credentials
  • Multi-factor authentication — Required for admin access to servers, databases, and payment systems
  • Role-based permissions — Grant minimum necessary access based on job function
  • Regular access reviews — Quarterly review of who has access to what, remove unnecessary permissions
  • Offboarding process — Immediately revoke access when employees or contractors leave

Step 4: Configure Logging and Monitoring

  • Enable comprehensive logging — Track user access, authentication attempts, system changes
  • Centralize logs — Aggregate logs from all systems to prevent tampering and enable analysis
  • Daily log review — Automated alerts for suspicious activity, manual review of critical systems
  • Retain logs properly — Minimum one year, with three months immediately available for analysis
  • Protect log data — Logs must be immutable and access-controlled

Step 5: Run Quarterly Vulnerability Scans

  • Use Approved Scanning Vendor (ASV) — List available at pcisecuritystandards.org
  • Scan all public-facing systems — Web servers, APIs, any system accessible from internet
  • Remediate findings — Fix all high and critical vulnerabilities before rescanning
  • Achieve passing scan — Must pass quarterly scan to maintain compliance
  • Document scan results — Retain scan reports as evidence of compliance

Step 6: Complete Annual SAQ and Attestation

  • Answer all questions accurately — Work with technical team to verify answers
  • Mark non-compliant items — If you can't answer "yes" to a requirement, document remediation plan
  • Sign attestation of compliance — Executive sign-off that you've completed assessment and meet requirements
  • Submit to acquirer — Provide completed SAQ and attestation to your payment processor
  • Renewal annually — Compliance is not one-time, must be validated every year

Common Compliance Pitfalls to Avoid

These mistakes frequently cause compliance failures:

Technical Pitfalls

  • Card data in unexpected places — Check backups, disaster recovery copies, archived logs, development/staging databases
  • Using wrong SAQ type — Claiming SAQ A when you should complete A-EP or D
  • Failing to update after changes — Architecture changes may change your compliance requirements
  • Not segmenting properly — Entire network in scope because payment systems aren't isolated
  • Weak passwords on admin accounts — Using same credentials across multiple systems

Process Pitfalls

  • Missing quarterly scans — Forgetting to schedule or complete required vulnerability scans
  • No incident response plan — Requirement 12 mandates documented breach response procedures
  • Inadequate logging — Not capturing required data or not retaining logs long enough
  • Ignoring third-party compliance — Assuming all service providers are compliant without verification
  • No security policy — Written information security policy is required, not optional

Maintaining Ongoing Compliance

Compliance isn't a destination—it's an ongoing process. Create a compliance calendar:

Monthly Tasks

  • Review access logs for anomalies
  • Verify backup completion and test restore process
  • Update software and security patches

Quarterly Tasks

  • Run ASV vulnerability scan
  • Review user access lists, remove unnecessary permissions
  • Review and update security policies as needed

Annual Tasks

  • Complete Self-Assessment Questionnaire
  • Conduct or commission penetration testing (if required for your level)
  • Review and update incident response plan
  • Provide security awareness training to all staff
  • Validate third-party service provider compliance

After Major Changes

  • Reassess SAQ type if payment processing architecture changes
  • Update network diagrams and data flow documentation
  • Re-evaluate PCI scope if new systems are introduced

Need Help with PCI Compliance?

Open Door Digital specializes in helping e-commerce businesses achieve and maintain PCI DSS compliance. We'll assess your current state, recommend the appropriate SAQ type, implement necessary security controls, and guide you through the validation process. Our services include quarterly scanning coordination and annual SAQ completion assistance.