---
title: "PCI DSS Compliance for Small Businesses | Bytes Unlimited"
description: "PCI DSS (Payment Card Industry Data Security Standard) applies to any business handling credit card data. Learn the merchant levels, SAQ types, and what compliance actually requires for SMBs."
canonical: https://www.bytesunlimited.com/glossary/pci-dss/
---

 GLOSSARY · Compliance 

#  Payment Card Industry Data Security Standard PCI DSS 

 Security framework that any business handling credit card data must comply with. Set by the major card brands; enforced through banks and payment processors via contract, not government regulation. 

## Detailed definition

**PCI DSS** is the security framework that applies to any business that accepts, stores, processes, or transmits credit card data. Unlike [HIPAA](/glossary/hipaa/), it’s not a government regulation — it’s a contractual obligation enforced by the card brands (Visa, Mastercard, Amex, Discover, JCB) through your acquiring bank or payment processor. Fail to comply and you can lose the ability to accept cards, plus face fines after a breach.

## Merchant levels — your obligations depend on volume

Card brands tier merchants by annual transaction count. The thresholds vary slightly by brand, but Visa’s are illustrative:

| Level | Annual Visa transactions               | Validation requirement                                      |
| ----- | -------------------------------------- | ----------------------------------------------------------- |
| 1     | 6M+                                    | Annual on-site audit by a Qualified Security Assessor (QSA) |
| 2     | 1M-6M                                  | Annual Self-Assessment Questionnaire (SAQ) + on-site option |
| 3     | 20K-1M e-commerce                      | Annual SAQ                                                  |
| 4     | Under 20K e-commerce or under 1M total | Annual SAQ                                                  |

Most SMBs are Level 3 or 4 — they complete a Self-Assessment Questionnaire annually rather than hiring a QSA.

## SAQ types — your specific obligations depend on architecture

The SAQ you complete depends on how cardholder data flows through your environment:

* **SAQ A** — fully outsourced e-commerce; you redirect to a hosted payment page, never touch card data
* **SAQ A-EP** — e-commerce site that controls the page presenting the payment form (even if the form posts directly to a payment processor)
* **SAQ B / B-IP** — standalone terminals or imprint-only environments
* **SAQ C-VT** — virtual terminal only
* **SAQ C** — payment application connected to the internet, no e-commerce
* **SAQ D** — anything that doesn’t fit the above; the comprehensive one with 300+ controls

Most small e-commerce sites can structure their payment flow to qualify for SAQ A, which is dramatically simpler than SAQ A-EP or SAQ D. This is by far the most leverage you have — designing the integration so card data never touches your servers at all.

## The 12 requirements summarized

PCI DSS organizes into 12 requirements across six control groups:

1. **Build and maintain a secure network** — firewall configuration, vendor defaults
2. **Protect cardholder data** — storage minimization, encryption in transit
3. **Maintain a vulnerability management program** — antivirus, secure development
4. **Implement strong access control** — least privilege, unique IDs, physical access
5. **Regularly monitor and test networks** — logging, vulnerability scanning, penetration testing
6. **Maintain an information security policy** — documented, reviewed annually

For SMB clients, the bulk of the technical work is at the [firewall](/glossary/ngfw/), [MFA](/glossary/mfa/), [EDR](/glossary/edr/), patching, and logging layers — which overlap heavily with HIPAA and SOC 2 work if those also apply.

HOW WE HELP

## Related Bytes Unlimited services

* [ Security & Compliance PCI DSS, HIPAA, and general security posture work. Endpoint protection, MFA, awareness training, audit-ready documentation.](/services/security/)

RELATED TERMS

## See also

* [ BAA ](/glossary/baa/)

AUTHORITATIVE SOURCES

## External references

* [ PCI Security Standards Council  (opens in new tab) ](https://www.pcisecuritystandards.org/)

##  Need help applying PCI DSS to your business? 

 We've done this kind of work across New York. First conversation is free. 

[ Get In Touch ](/contact/) [ Back to Glossary ](/glossary/)

## Sitemap

- [Site map](https://www.bytesunlimited.com/sitemap.md)
- [llms.txt](https://www.bytesunlimited.com/llms.txt)
- [Canonical URL list](https://www.bytesunlimited.com/sitemap.xml)
