PCI DSS (Payment Card Industry Data Security Standard) compliance is not optional for any business that accepts credit or debit cards. Failure to comply can result in fines from the card networks, higher processing fees, and — most seriously — liability for fraudulent charges if your systems are breached. The good news is that for most small businesses, PCI compliance is achievable with relatively straightforward steps. The important news is that the standard has been updated: PCI DSS version 4.0 became mandatory on April 1, 2024, replacing version 3.2.1.
What Is PCI DSS and Who Does It Apply To?
PCI DSS is a set of security standards developed by the Payment Card Industry Security Standards Council (PCI SSC), which is governed by Visa, Mastercard, American Express, Discover, and JCB. The standard applies to every business that stores, processes, or transmits cardholder data — which means virtually every business that accepts credit or debit cards.
The standard is organized around 12 core requirements covering network security, data protection, vulnerability management, access control, monitoring and testing, and information security policy. PCI DSS 4.0 introduced 51 new requirements, all of which must be fully in place by March 31, 2025.
The Four PCI Compliance Levels
Merchants are categorized into four compliance levels based on their annual transaction volume. Your level determines which compliance validation you need to complete.
Level 1 applies to merchants processing more than 6 million Visa or Mastercard transactions per year, or any merchant that has experienced a data breach. Level 1 merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly network scans.
Level 2 applies to merchants processing 1 million to 6 million transactions per year. Level 2 merchants complete an annual Self-Assessment Questionnaire (SAQ) and quarterly network scans.
Level 3 applies to merchants processing 20,000 to 1 million e-commerce transactions per year. Level 3 merchants complete an annual SAQ and quarterly network scans.
Level 4 applies to merchants processing fewer than 20,000 e-commerce transactions per year, or up to 1 million other transactions per year. This is where the vast majority of small businesses fall. Level 4 merchants complete an annual SAQ and may be required to complete quarterly network scans.
What Changed in PCI DSS 4.0
PCI DSS 4.0 introduced several significant changes that affect small businesses. Password requirements have been strengthened — all system passwords must now be at least 12 characters and include a mix of character types. Multi-factor authentication (MFA) is now required for all access to the cardholder data environment, not just remote access. E-commerce merchants must now manage and monitor all payment page scripts to prevent skimming attacks (where malicious code is injected into payment pages to steal card data). Security awareness training must now be conducted at least annually for all personnel with access to cardholder data.
Self-Assessment Questionnaires (SAQs)
Most small businesses complete their PCI compliance through a Self-Assessment Questionnaire rather than a full audit. There are several SAQ types, and the right one for your business depends on how you accept and process payments.
SAQ A is for merchants who have fully outsourced all payment processing to a PCI-compliant third party and do not store, process, or transmit cardholder data electronically. This is the simplest SAQ and applies to many small businesses that use a hosted payment page or a third-party payment processor.
SAQ B is for merchants who use standalone dial-up or IP-connected terminals that are not connected to any other systems.
SAQ C is for merchants who use payment application systems connected to the internet.
SAQ D is the most comprehensive and applies to merchants who store cardholder data or do not qualify for a simpler SAQ type.
Practical Steps for Small Business PCI Compliance
For most small Utah businesses, PCI compliance comes down to a few practical steps. Use a PCI-compliant payment processor and terminals: if you use equipment and software provided by a reputable processor, much of the technical compliance work is handled for you. Complete your annual SAQ honestly and thoroughly. Ensure your Wi-Fi network is secured and kept separate from your payment systems. Train your employees on basic security practices, including how to recognize phishing attempts and why they must never write down card numbers.
Your payment processor should provide PCI compliance support as part of your merchant services agreement. At UBC Unlimited, we help our Utah clients understand their compliance obligations and navigate the SAQ process. Contact us if you have questions about PCI compliance for your business.
