How to Become PCI Compliant: Step-by-Step Guide (2026)
To become PCI compliant, you need to determine your merchant level, reduce your cardholder data environment, complete the right SAQ, pass an ASV scan, and submit your Attestation of Compliance to your acquiring bank—here’s exactly how to do it.
The short answer: Becoming PCI compliant requires 7 steps: (1) determine your merchant level (1–4) based on annual transaction volume, (2) map your cardholder data environment, (3) choose the right Self-Assessment Questionnaire (SAQ), (4) fix gaps in your security controls against the 12 PCI DSS requirements, (5) run a quarterly ASV vulnerability scan, (6) submit your SAQ or Report on Compliance, and (7) file your Attestation of Compliance with your acquirer. Most small businesses complete this process in 2–4 weeks for free or near-free.
What Is PCI DSS Compliance?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements created and maintained by the PCI Security Standards Council (PCI SSC)—a body founded jointly by Visa, Mastercard, American Express, Discover, and JCB—to protect cardholder data from theft and fraud.
If your business accepts, processes, stores, or transmits credit or debit card data in any form, you are required to be PCI DSS compliant. This applies regardless of your size—from a solo freelancer accepting card payments to a Fortune 500 retailer. The current version, PCI DSS v4.0.1, became the only active version as of April 2025, replacing v3.2.1.
The biggest practical change for most merchants: Requirements 6.4.3 and 11.6.1 became mandatory on March 31, 2025. These require merchants who accept online payments to implement script management controls and tamper-detection mechanisms on their payment pages—even if they use a third-party payment processor. Using a hosted payment page or redirect (rather than an iframe) can help you avoid these new requirements entirely.
PCI compliance is not a one-time event. It is an ongoing program of security controls, quarterly scans, and annual assessments. Think of it less like a certification you earn and more like a standard your business continuously operates to.
The 4 PCI Merchant Levels Explained
Your merchant level determines how you validate PCI compliance—specifically whether you need a full external audit or can complete a self-assessment. Levels are determined by your total annual card transaction volume across all channels (in-store, online, phone, mail).
| Merchant level | Validation requirements |
|---|---|
| Level 1 | Annual on-site QSA audit + Report on Compliance (ROC) + quarterly ASV scans + annual penetration test + Attestation of Compliance |
| Level 2 | Annual SAQ + quarterly ASV scans + annual penetration test + Attestation of Compliance. Mastercard may require a QSA for SAQ D. |
| Level 3 | Annual SAQ + quarterly ASV scans + Attestation of Compliance. No mandatory pen test (though strongly recommended). |
| Level 4 | Annual SAQ + quarterly ASV scans (recommended) + Attestation of Compliance. Specific requirements depend on your acquiring bank. |
If your business has experienced a data breach that resulted in compromised cardholder data, card networks may automatically reclassify you to Level 1—requiring a full QSA audit regardless of your transaction volume. This is one reason maintaining compliance proactively is so critical.
Service Provider Levels
If you are a service provider (a business that stores, processes, or transmits cardholder data on behalf of others—such as a payment gateway, hosting provider, or SaaS platform), different thresholds apply. Level 1 service providers process over 300,000 transactions per year and must undergo an annual QSA-led audit. Level 2 service providers handle fewer transactions and can complete an SAQ.
7 Steps to Become PCI Compliant
1. Determine Your PCI Merchant Level
Count your total card transactions processed across every channel over the past 12 months. Include in-person, online, phone, and mail orders. Contact your acquiring bank or payment processor if you’re unsure—they can confirm your level based on the reporting they have on file. Your level determines which validation path you’ll follow.
If you use a payment processor like Stripe, Square, or a GT Setu-integrated processor, they may already have your transaction count and can tell you your level. Choosing a compliant processor is one of the most important decisions in your PCI journey.
2. Define and Reduce Your Cardholder Data Environment (CDE)
Your Cardholder Data Environment is every system, network segment, and process that stores, processes, or transmits cardholder data—or that could impact its security. The larger your CDE, the more PCI requirements apply to you and the harder compliance becomes.
The single most powerful thing you can do to simplify PCI compliance is to reduce your CDE scope. You achieve this by:
- Using a hosted payment page or redirect—your servers never touch card data
- Using a PCI-compliant payment processor that tokenizes all cardholder data
- Avoiding storing card numbers, CVVs, or full-track data anywhere in your systems
- Segmenting your payment systems from the rest of your network
A merchant who redirects customers to a third-party payment page may qualify for SAQ A—just 24 questions. A merchant who processes cards on their own server could face SAQ D with over 300 questions. The difference is entirely about CDE scope.
3. Choose the Right SAQ Type
The Self-Assessment Questionnaire you need depends on how you accept card payments and what happens to cardholder data in your environment. See the full SAQ breakdown below. Choosing the wrong SAQ is a common and costly mistake—if you under-scope your environment, you may fail to implement critical security controls.
4. Remediate Gaps Against the 12 PCI DSS Requirements
Go through each PCI requirement that applies to your environment and identify where your current controls fall short. Common gaps for small merchants include: no formal firewall rules, default passwords on networking equipment, no anti-malware on systems, and no documented security policies. See the full requirements breakdown below.
Prioritize based on risk and effort. Many small merchants discover their biggest gap is simply not having a documented security policy—which is free to create.
5. Run an ASV Vulnerability Scan
An Approved Scanning Vendor (ASV) scan tests your external-facing IP addresses and systems for known vulnerabilities. ASV scans are required quarterly for all merchant levels. You must pass—meaning zero high-severity vulnerabilities—before your compliance is considered complete for that quarter.
If your payment processing is fully hosted by a third party (e.g., you redirect customers to PayPal’s site and never have card data on your own IP addresses), you may not have any IPs in scope for ASV scanning. Confirm with your acquirer. ASV scans typically cost $100–$500/quarter from vendors like Trustwave, Qualys, and SecurityMetrics.
6. Complete Your SAQ or Report on Compliance (ROC)
Level 1 merchants must have a Qualified Security Assessor (QSA) conduct an on-site audit and produce a Report on Compliance (ROC). This process typically takes 4–8 weeks and costs $15,000–$50,000+ depending on environment complexity.
Levels 2–4 complete their applicable SAQ—a structured questionnaire where you answer “yes,” “no,” or “N/A” to each requirement, attaching supporting evidence. The SAQ process typically takes 2–4 weeks. Many merchants work with a PCI compliance consultant or use automated compliance platforms to streamline this.
7. Submit Your Attestation of Compliance (AoC)
Once your SAQ or ROC is complete and your ASV scans are passing, you submit your Attestation of Compliance to your acquiring bank or payment processor. The AoC is a formal declaration—signed by an officer of your company—that your business meets PCI DSS requirements. Your acquirer files this with the card brands.
Compliance must be validated annually. Put a calendar reminder for 11 months out to begin your next assessment cycle before your current compliance expires.
The 12 PCI DSS Requirements
PCI DSS is built around 12 core requirements, organized into 6 control objectives. Here is a complete overview. Not all requirements apply equally to all merchants—your CDE scope and SAQ type determine which apply to you.
- 🔒 Build & Maintain a Secure Network
- 🗃️ Protect Account Data
- 🛡️ Maintain a Vulnerability Management Program
- 🔑 Implement Strong Access Control
- 📊 Monitor & Test Networks
- 📋 Maintain an Information Security Policy
Small merchants using fully hosted third-party payment pages (SAQ A) are typically only responsible for a handful of requirements—primarily Requirements 8, 9, and 12. Merchants who process card data on their own systems must comply with all 12. The PCI SSC’s merchant resources include detailed guidance on scoping.
Which SAQ Do You Need?
There are 8 SAQ types in PCI DSS v4.0. The one you use depends entirely on how you accept card payments. Picking the wrong one can leave critical security gaps—or burden you with far more work than necessary.
| SAQ | Who it applies to |
|---|---|
| SAQ A | Card-not-present merchants only. All payment functions fully outsourced to a PCI-compliant third party. You redirect customers away from your site to pay (no iframe). You never handle cardholder data. Most e-commerce businesses using Stripe, Square, or PayPal hosted checkouts qualify. |
| SAQ A-EP | E-commerce merchants using an iframe. Your page partially loads the payment form (e.g., an embedded Stripe Elements form). Card data goes directly to the processor, but your server could theoretically affect the payment page. New v4.0 script controls apply. |
| SAQ B | Imprint-only or standalone dial-up terminals. No electronic cardholder data storage. Used by old-school merchants using standalone terminal hardware not connected to other systems or the internet. |
| SAQ B-IP | Standalone IP-connected payment terminals. Terminals certified as PTS POI devices with an approved P2PE solution. No electronic cardholder data storage. Common for retail and restaurant environments. |
| SAQ C | Payment application systems connected to the internet. You use a payment application (like a POS) but don't store electronic cardholder data. Applies to many retail stores with internet-connected POS systems. |
| SAQ C-VT | Virtual terminal users. You manually key card data into a web-based virtual terminal provided by a third party. No electronic storage. Common for phone-order businesses and service professionals. |
| SAQ P2PE | Point-to-point encryption hardware terminals only. You use a validated P2PE solution listed by PCI SSC. Card data is encrypted at the point of interaction and never accessible on your systems. Significantly reduces compliance burden. |
| SAQ D | All other merchants. If you don't qualify for any of the above SAQs, you complete SAQ D, the most comprehensive questionnaire covering all 12 PCI DSS requirements. Common for merchants who store card data or have complex environments. |
Many online merchants incorrectly assume they qualify for SAQ A when they actually need SAQ A-EP. If your checkout page contains the payment form (even via an iframe), you likely need SAQ A-EP (~151 questions). Only merchants who fully redirect customers away from their site to pay qualify for SAQ A (24 questions). Using a hosted checkout redirect—rather than an embedded iframe—is an easy way to qualify for the simpler SAQ A.
How Much Does PCI Compliance Cost?
Compliance costs vary dramatically by merchant level and how you handle card data. Here’s a realistic breakdown:
SAQ A has 24 yes/no questions and is free to complete. If no systems are in scope for ASV scanning, scan cost is $0. Most small e-commerce businesses fall here.
ASV scans: $100–$500/quarter. Possible consultant fee to complete SAQ D accurately: $500–$2,000. Security tooling (firewall, logging, AV): varies.
ASV scans, annual pen testing ($2,000–$10,000), compliance platform or consultant, possible QSA review for SAQ D validation.
Annual QSA audit: $15,000–$50,000. Penetration testing: $5,000–$20,000. ASV scans, security tooling, staff time. Total ongoing program cost can exceed $100K for complex environments.
| Item | Typical Cost | Frequency | Required For |
|---|---|---|---|
| SAQ completion (self) | Free | Annual | Levels 2–4 |
| ASV vulnerability scan | $100–$500 per scan | Quarterly | All levels with IPs in scope |
| Penetration testing | $2,000–$15,000 | Annual | Levels 1 & 2 (mandatory); 3 & 4 (recommended) |
| QSA audit + ROC | $15,000–$50,000+ | Annual | Level 1 only |
| PCI compliance consultant | $500–$5,000 | As needed | Optional for Levels 2–4 |
| Compliance platform (SaaS) | $1,200–$12,000/yr | Annual subscription | Optional (speeds up process) |
| Non-compliance fine (per month) | $5,000–$100,000 | Monthly (if non-compliant) | Levied by card networks |
What Happens If You’re Not PCI Compliant?
Non-compliance isn’t just a technicality. Card networks and acquiring banks actively enforce PCI requirements, and the consequences of a breach as a non-compliant merchant are severe.
After a data breach, non-compliant merchants can be held liable for all costs associated with fraudulent card usage, card replacement, and regulatory fines—not just the initial penalty. For a small business, a single breach can easily exceed $100,000 in total costs. Reducing your payment processing risk starts with PCI compliance.
How to Simplify (or Eliminate) Your PCI Compliance Burden
The smartest compliance strategy isn’t just passing PCI—it’s reducing how much of your infrastructure is in scope for PCI in the first place. Here’s how:
1. Use a Hosted Payment Page (Redirect)
When customers leave your website to complete payment on your processor’s hosted page, your systems never interact with card data. This typically qualifies you for SAQ A—just 24 questions—and eliminates most PCI requirements from your scope entirely. Most major processors (Stripe, Square, PayPal) offer hosted checkout options. This is the simplest, cheapest path to PCI compliance for small businesses.
2. Use Tokenization
Tokenization replaces actual card numbers with a meaningless string of characters (a “token”) that is useless to attackers. When your payment processor tokenizes card data before it hits your systems, the actual card number never exists in your environment—dramatically shrinking your CDE scope.
3. Use a P2PE-Certified Terminal
For in-person retailers, using a Point-to-Point Encryption (P2PE) terminal certified by PCI SSC qualifies you for SAQ P2PE—only 35 questions. Card data is encrypted at the hardware level and never accessible in readable form anywhere on your network.
4. Choose a Processor That Reduces Your Compliance Burden
Not all payment processors are equal when it comes to helping you maintain PCI compliance. When evaluating processors, ask:
- Does their integration allow me to qualify for SAQ A (hosted redirect)?
- Do they provide PCI compliance tools and documentation?
- Do they offer tokenization as a standard feature?
- Will they assist with ASV scan coordination?
See our guide on how to choose a payment processor for your business for a detailed walkthrough of what to look for beyond just processing rates.
5. Reduce Fees While Staying Compliant — Dual Pricing with GT Setu
PCI compliance is about securing your payment environment. But once you’re compliant, the next question most merchants ask is: how do I stop giving away 2.5–3% of every sale to the card networks?
GT Setu offers a dual pricing program that is fully PCI-compliant and eliminates your effective processing cost. At checkout, customers see two prices—a cash/ACH price and a card price. They choose. If they pay by card, the processing fee is built transparently into their price. You receive your full base price either way.
[Figure: PCI-compliant dual pricing as the customer sees it: a card price that includes the processing fee, clearly disclosed, alongside a cash/ACH price, which is your standard price.]
Dual pricing is legal in most US states when disclosed properly at the point of sale—which GT Setu handles automatically. Because GT Setu works with PCI-compliant processors and never introduces new cardholder data handling to your environment, it doesn’t add to your PCI compliance burden. You save on fees and stay compliant. See our guides on:
- How to pass credit card fees to customers legally
- Can I charge customers a credit card fee?
- Is it legal to add a credit card surcharge?
- How to save on credit card processing fees
- How to lower credit card processing fees
How Long Does PCI Compliance Take?
For Level 1 merchants, the QSA audit and ROC process typically takes 4–8 weeks after remediation is complete.
PCI Compliance by Payment Processor
Your choice of payment processor significantly affects your PCI compliance path. Here’s how some popular processors approach it:
| Processor | Hosted Page Available | Easiest SAQ | Tokenization | PCI Tools |
|---|---|---|---|---|
| Stripe | Yes (Stripe Checkout) | SAQ A | Yes | Compliance guide + documentation |
| Square | Yes | SAQ A or B-IP | Yes | Basic compliance support |
| Adyen | Yes | SAQ A | Yes | Dedicated compliance team |
| Braintree | Yes (Drop-in UI) | SAQ A | Yes | Compliance documentation |
| Heartland | Varies by integration | SAQ A or D | Yes | E2E encryption options |
| Worldpay | Yes | SAQ A | Yes | Enterprise compliance tools |
| WooCommerce Payments | Yes (via Stripe) | SAQ A | Yes | Stripe-backed compliance |
For a full comparison, see our guide on the best payment processors for e-commerce small businesses and the best payment processors for retail stores.
PCI Compliant — Now Stop Paying Processing Fees
GT Setu’s dual pricing program works with PCI-compliant processors to eliminate your credit card processing costs. We’ll show you exactly how much your business could save, for free.
Team Merchant Insiders is the editorial and research team behind Merchant Insiders, an independent U.S.-focused publication covering credit card processing, payment pricing, and fee optimization for small and mid-size businesses.
Our team combines hands-on experience in merchant services with deep research into processing fees, pricing models, compliance rules, and processor contracts.