Does my Small Business Need to Certify PCI Compliance?

The term ‘small business’ is relative. It could refer to customer volumes, turnover, reach, service provision, staff numbers, physical size, or maybe you live and work in a quiet little town. Regardless, you still need to be PCI compliant in order to accept credit cards. There are two reasons why. One, you can’t process any credit card without a merchant account, no matter how few customers pay by card. The merchant account (which you open with a payment processor) connects your bank, your customers’ bank, and the credit card network.

Working with Visa

In essence this means you need a payment processor, even if only one customer pays by credit card the whole year. And while PCI compliance is not required by law, it’s mandatory for networks like Visa. That’s the second reason: Visa doesn’t recognize any transactions passed through payment processors that aren’t PCI compliant. Another key factor is the level of your business. Any business that processes fewer than 20,000 card transactions a year is categorized as a Level 4 business. The process of PCI verification for Level 4 merchants involves three things:

  • SAQ (Self-Assessment Questionnaire)
  • Quarterly network scan by ASV (Approved Scanning Vendor)
  • Form for Attestation of Compliance

The PCI Council has laid out 12 recommendations that protect your customers’ physical cards as well as their virtual data. SAQs can be downloaded online. You can fill it out and see how well you score against their required security regulations.

Getting validated

The other two steps – scanning and attestation – will be done by your merchant processor. Their systems have to be reviewed by an ASV every three months, to make sure they’re still secure and compliant. If you have a good payment processor, they’ll walk you through the process of maintaining PCI compliance. Incidentally, there are different validation categories labelled A to D (B has two sub-categories).

  • A – Card-not-present i.e. no face-to-face sales. This is for strictly online transactions
  • B (i) – Imprint only i.e. swiping cards
  • B (ii) – Stand-alone POS i.e. swiping on portable keypads
  • C – Internet commerce without card data storage
  • D – All other merchants that store customer card data

The SAQ you fill depends on your validation category. If your business doesn’t retain customer data e.g. if they swipe and go, you need a different set of security measures, so you fill a different SAQ.

For more information on whether your small business needs to certify PCI compliance, or to sign up for a merchant account, please call (888) 924-2743 or go to

Leave a Comment