facebook noscript

PCI Compliance for Small Businesses

March 13, 2020
PCI + Logo

Attaining PCI compliance for small businesses is no small feat, but securing sensitive cardholder data in a PCI compliant manner is easier, faster, and more affordable with an end-to-end PCI compliance solution - like VGS.

Small businesses, from e-commerce merchants to service providers, all need to ask themselves the same question early in the lifespan of their company: do I need PCI compliance?

If you work with payment cards, including both debit and credit cards, then the answer is yes - you do need to comply with the Payment Card Industry Data Security Standard (PCI DSS).

Determining if you need to comply is only the first small obstacle. After that comes the hard work involved in meeting all the PCI compliance requirements.

For small businesses and startups that don’t have in-house compliance and information security officers, becoming PCI compliant is incredibly daunting, overwhelming, and in some cases can stop a business cold. The process is not only a lengthy endeavor, but also costly.

The burden of PCI compliance can be overwhelming for an early-stage business. Securing your systems and designing your data security policies in a compliant way is a massive undertaking, and business leaders often don’t know where to start.

Thankfully, when it comes to PCI DSS compliance for small businesses, there is an alternative to the Do-It-Yourself (DIY) path – an option that keeps you safer while taking your compliance and data security problems off your plate. The client’s responsibilities are limited to maintaining VGS technology and completing very minimal documentation, which VGS can facilitate.

PCI compliance, where to start?

The mere idea of having to become PCI compliant can spur frustration and panic for small business owners.

If you just recently started getting an e-commerce operation off the ground, it may even shock you that you have to deal with such a stringent data security standard at all.

Storing payment card data for subscription and recurring payments can make business much easier for both you and your users – but handling that data comes with the responsibility and significant cost of protecting it as well.

The PCI DSS was set up by the major payment card brands (American Express, Visa, MasterCard, JCB International and Discover -- collectively referred to as the PCI Security Standards Council) to help prevent payment card fraud and ensure that consumers’ personal information remains secure when merchants and service providers are working with payment card data.

But what, exactly, does it mean to be a PCI compliant business?

What does it mean to be PCI compliant?

A PCI compliant business is one that verifiably follows the requirements spelled out in the PCI DSS - which is much more than a firewall and strong passwords. PCI compliance provides independent validation that an organization is adhering to the necessary internal controls protecting cardholder data. For a small-sized business, the costs and overhead in building and managing these controls can be significant.

VGS allows these organizations to meet this same criterion by segmenting the cardholder data itself and placing that within VGS, providing a great deal of flexibility for smaller organizations and allowing them to maintain the PCI compliant narrative while minimizing their overhead and costs.

Do small businesses need to be PCI compliant?

PCI compliance is required for organizations of all sizes, including small businesses.

A small business needs to be PCI compliant if it plans to collect, transmit, or store PCI data (A.K.A. credit card and cardholder data) – no exceptions.

If your business needs to collect, store, or transfer PCI data – like cardholder names or PANs – then you need to abide by the 12 PCI DSS requirements.

If there is no PCI data (credit card or PII data) in your Cardholder Data Environment (CDE), then you are out of the scope of PCI DSS compliance and do not need to become compliant.

The size of your business doesn't matter. What does matter is the number of debit or credit card payments your business gets annually, which determines if you need to obtain PCI Compliance Level 1, Level 2, Level 3, or Level 4.

The compliance levels for merchants, such as online retailers, are:


Level 1 Merchant

  • Merchants that process more than 6 million credit or debit card transactions annually, including in-store, online, or a mixture of both.
  • Any merchant that Visa determines should be a Level 1 merchant to minimize risks to the Visa network.
  • Level 1 merchants need to submit a Report on Compliance (ROC) to prove that they are compliant, which must be validated by a Qualified Security Assessor (QSA)

Level 2 Merchant

  • Merchants that process between 1 million and 6 million credit or debit card transactions per year (regardless of the processing channel, e.g., in-store, online, etc.)

Level 3 Merchant

  • Any merchant that processes 20,000 to 1 million credit or debit cards from e-commerce transactions annually

Level 4 Merchant

  • Any merchant that processes less than 20,000 e-commerce transactions annually

If you are a service provider (defined as a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data) there are only two levels:

Level 1 Service Provider
Includes service providers that process over 300,000 credit card transactions per year.

  • Partners, customers and integration partners may ask Level 2 service providers to validate compliance as a Level 1 provider, and Level 2 service providers often validate as a Level 1 to reap the benefits of joining the Visa Registry, which provides greater marketing visibility and association directly with Visa.
  • Level 1 service providers must submit a Report on Compliance (ROC) to demonstrate that they are compliant, which must be signed by a Qualified Security Assessor (QSA).

Level 2 Service Provider

  • Includes service providers that process less than 300,000 credit card transactions per year.

As you can see above, only Level 1 merchants and service providers need to have their PCI compliance validated by a Qualified Security Assessor (QSA).

All others can self-evaluate their compliance by performing a Self-Assessment Questionnaire (SAQ) and submitting an Attestation of Compliance (AOC), but all levels still need to have the proper data security components in place - which is costly and a lot of work to pull off.

Is PCI compliance helpful to my business?

Compliance being mandatory shouldn't be the only motivator for you to make sure that you've built up a robust PCI data security posture.

Sure, it’s an obligation, but it also unlocks new opportunities for your organization to grow and succeed.

Ensuring that your customers' credit card information is always protected comes with a number of benefits, including enabling your business to:

  • Work with payments processors to create a new online marketplace, helping grow revenues
  • Save time and money so you can bring your products to market faster
  • Demonstrate to your customers that you take their data security seriously and have taken the appropriate steps to safeguard it
  • Partner with card issuers to launch your own branded payment card
  • More easily reach compliance with other frameworks, like HIPAA or SOC 2, since these compliances all include similar controls
  • Minimize risk and impact of a potential sensitive data breach
  • Building a PCI-compliant CDE isn't a nuisance, it's an investment into the future success of your business - a future without any data security disasters.

Why do e-commerce companies ignore PCI DSS compliance?

Considering ignoring PCI compliance?

That wouldn’t be a good idea. You can think of PCI compliance like you do car insurance: it’s required, and you probably wouldn’t have your kids drive your car without it.

Big and small business leaders alike can find themselves considering ignoring PCI requirements for a number of reasons, from not knowing that PCI DSS exists to an unwillingness to complete the work necessary to follow compliance requirements.

The cost of PCI non-compliance is significant; especially so if a data breach occurs, and is exponentially compounded if the breach source is identified as one where PCI controls may have prevented or mitigated the event. Aside from the financial and legal penalties, the brand damage from a preventable breach is equally significant.

How is PCI compliance enforced?

So, what happens if you don’t play by the rules laid out in the PCI standard?

While PCI compliance requirements aren’t laws, they are obligatory for companies to start or continue using card data.

When it comes to enforcement, PCI DSS non-compliance is handled by the card industry brands via the merchant’s acquiring bank. These PCI compliance fines for small business breaches are hefty and can range between $5,000 and $100,000. Non-compliant organizations can be fined monthly until their compliance is attained, but whether or not financial penalties are levied is up to the acquiring bank.

When we talk about PCI compliance fines, however, we’re mostly thinking about what happens when a data breach takes place.

Sure, non-compliance can be reported – but data breaches bring us into a whole new level of expenses.

Exposing sensitive data like cardholder data or credit card numbers generates consequences beyond just fines, with card replacement costs, forensic audits, brand damage, and a number of other costs that your business has to unexpectedly foot the bill for.

Getting hit with these expenses can be a massive risk to the viability of your business as a whole.

How hard is PCI compliance for small businesses?

Attaining PCI DSS compliance is far from an easy experience for any small business, especially one that attempts to do it without any third-party help.

Reaching out to third-party service providers, like for tokenization solutions or payment processing, can certainly make a few pieces of the puzzle a little easier. Each of those are point solutions, however, and come with a hefty price tag while not solving several steps in the compliance journey.

Small and medium-sized businesses (SMBs) that opt to use one or more of these point solutions still won’t have an end-to-end solution - so they will still need to build and manage their own PCI compliance.

Thankfully, there's a nearly-zero-effort possibility as well.

Implementing an all-in-one data security solution that manages all your PCI compliance for you, like VGS, is the option that requires the least amount of effort - and often at the lowest price point too.

VGS takes care of all your business’ collection, transfer, and storage of sensitive data, like cardholder data, so that you never have to actually possess the original sensitive information - like credit card numbers or other cardholder information - and you can gain compliance nearly instantly.

For companies that prefer the more hectic and pricier DIY path, there's a long list of things you need to make sure to do before you can claim to be a PCI compliant business.

What is a PCI compliance checklist?

When organizations start their PCI compliance journey, there are 12 requirements that need to be fulfilled.

All the actions that need to be completed, however, go beyond the basic requirements. Completing all of them involves a few more steps – which is where the PCI compliance checklist comes in.

The PCI compliance checklist is a comprehensive guide that walks small businesses through the necessary steps that DIY compliance involves.

For example, hiring a compliance officer is part of the checklist, but it’s in addition to the 12 requirements of PCI DSS.

We walk through every step in the PCI compliance checklist in our detailed PCI DSS blog post here.

What are the actual expenses involved in PCI compliance?

Becoming PCI compliant isn't cheap - particularly if you follow the DIY route. For a small business or startup, the process can be down right cost-prohibitive.

Doing everything in-house is the most expensive way to go, but If you want to check out an in-depth exploration of how much PCI compliance costs organizations, you can read our guide to budgeting for PCI.

What is a typical annual cost for PCI compliance?

The cost of obtaining and keeping your PCI compliance depends on how much help you get from third-party partners, with the no-help, DIY route being the priciest:

For more details on the specific costs of becoming PCI compliant, check out our in-depth PCI Compliance budgeting blog post.

What are some strategies to minimize the cost of PCI compliance?

When you opt for the DIY PCI compliance route, where you hire all the necessary compliance experts and do everything in-house, the costs can really add up.

From data mapping and setting up the appropriate infrastructure to constantly testing, the DIY option is arduous – and companies often don’t have the right team members already on hand to take care of everything.

Certain aspects of the DIY compliance process can be outsourced to a third party, like for a tokenization solution, but à la carte solutions like this only help with part of the problem.

For the lowest long-term costs possible, working with an all-in-one data security solution for all your compliance needs is the most affordable - as well as the easiest.

The most cost-effective solution for data security and compliance

For a small business owner, the cost of the DIY compliance approach may simply be out of reach.

Thankfully, you don't have to shoulder the burden of PCI compliance requirements if you implement an end-to-end data security solution that manages all your sensitive data handling on your behalf.

VGS' data aliasing technology empowers small businesses to collect, transfer and store sensitive information - like cardholder data - without ever actually possessing it themselves.

Data aliasing retracts and replaces sensitive information in real time, before it ever hits your organization's systems, while still enabling you to work with it just like you would normally. Your customers can set up recurring payments, you can engage in all the data analysis you'd like, and you don't have to worry about protecting it at all.

VGS' one-stop-shop data security software does everything for you, and it's always updated - so you never have to waste any time or money updating and maintaining anything. You can also forget having to worry about doing a self-assessment questionnaire or hiring a security assessor.

Instead, you can focus your time (and saved money) on continuing to develop your core business and grow your customer base.

Get a free demo of VGS here.

Stefan Slattery Stefan Slattery

Head of Growth Marketing


You Might also be interested in...

PCI DSS Ready in 7 Business Days

Get PCI DSS Ready in 7 Days

Stefan Slattery November 17, 2021


What is PCI Compliance? A Comprehensive Guide

Stefan Slattery January 20, 2022

3 fintechs

How Three Fintechs Got to Market Fast by Offloading PCI

Stefan Slattery March 11, 2021