PCI DSS Compliance Software — Complete Guide
PCI DSS applies to anyone who touches cardholder data. But "how much compliance you need" varies enormously based on how you accept payments. Most small businesses can self-certify in a few hours. Here's how to know what you actually need.
Who PCI DSS applies to
PCI DSS applies to any entity that stores, processes, or transmits cardholder data. Cardholder data is, at minimum, the primary account number (PAN); the cardholder name, expiration date, and service code are also in scope when they are stored together with the PAN. Sensitive authentication data (full magnetic-stripe/chip track data, the CVV/CVC security code, and PIN blocks) may never be stored after authorization, even encrypted.
| You are... | PCI DSS applies? | What you need |
|---|---|---|
| Merchant using Stripe / Square hosted checkout (page or iframe served entirely by the processor) | Yes, but minimal scope | SAQ A, the simplest form, roughly 20–30 questions depending on PCI DSS version |
| Merchant whose own servers receive card numbers (e-commerce form posts to you, then you forward to the processor) | Yes, full scope | SAQ D for Levels 2–4; a Report on Compliance (ROC) by a QSA at Level 1. SAQ C does not apply to e-commerce channels |
| SaaS company storing card data for billing | Yes, card data is in scope | SAQ D or ROC; store processor tokens instead of PANs so that raw card numbers never reach your systems |
| Payment processor or other service provider | Yes, service-provider Level 1 above 300K transactions/year | Annual ROC by a QSA; SAQ D (Service Providers) below that threshold if the acquirer permits |
| Company whose customers pay only through a third-party checkout it never touches | Minimal | SAQ A, but verify that your specific integration meets the SAQ A eligibility criteria (no payment-page elements originate from your own servers) |
PCI DSS merchant levels
| Level | Annual transactions | What's required |
|---|---|---|
| Level 1 | 6M+ (Visa/MC), or any merchant the card brands designate after a compromise | Annual on-site assessment by a QSA or PCI-certified Internal Security Assessor (ISA) producing a ROC + quarterly ASV scans + AOC |
| Level 2 | 1M–6M transactions/year | Annual SAQ + quarterly ASV scans + AOC; Mastercard requires the SAQ to be completed by a QSA or ISA, and some acquirers require a full ROC |
| Level 3 | 20K–1M e-commerce transactions/year | Annual SAQ + quarterly ASV scans + AOC |
| Level 4 | Under 20K e-commerce, or up to 1M across all channels | Annual SAQ recommended; exact requirements set by your acquiring bank |
Note: Transaction counts are per card brand. Visa, Mastercard, Amex, and Discover each have their own counting. In practice, most acquirers (your bank or payment processor) enforce their own PCI requirements on top of the baseline — check with your acquiring bank for their specific requirements.
Most small and mid-size businesses are Level 4. If you process under 1 million transactions/year and use a hosted payment page, your compliance burden is an SAQ A plus whatever ASV scanning your SAQ version or acquirer requires, typically achievable in one afternoon.
SAQ types — which one applies to you
| SAQ type | Payment environment | Questions (approx; varies by PCI DSS version) |
|---|---|---|
| SAQ A | All payment functions outsourced to a PCI DSS-validated third party; the payment page or iframe is served entirely by that provider and no card data touches your systems (Stripe Checkout, PayPal, etc.) | ~20–30 |
| SAQ A-EP | E-commerce where the third party receives the card data, but your own website controls how it gets there (your page posts directly to the processor, or your page's JavaScript can touch the card fields) | ~190 |
| SAQ B | Only imprint machines or standalone dial-out terminals; no electronic storage of card data | ~40 |
| SAQ B-IP | Standalone IP-connected payment terminals; no cardholder data on other systems | ~80 |
| SAQ C | Card-present payment application on internet-connected systems; no electronic storage of card data; not for e-commerce | ~160 |
| SAQ C-VT | Web browser-based virtual terminal from a PCI DSS-validated provider, one transaction at a time, no storage | ~65 |
| SAQ P2PE | Hardware terminals that are part of a PCI SSC-listed P2PE solution; no electronic storage of card data | ~35 |
| SAQ D (Merchants) | All other merchants not covered by A, A-EP, B, B-IP, C, C-VT, or P2PE | ~340 |
| SAQ D (Service Providers) | Service providers that store/process/transmit cardholder data and are not required to submit a ROC | ~340 |
The SAQ A is the goal. By using a hosted payment page or a provider-served iframe (Stripe Checkout, Braintree Hosted Fields, PayPal Smart Buttons), you ensure card data never touches your servers or your own JavaScript. The line between SAQ A and SAQ A-EP is exactly this: if any script you serve can read the card fields, or your page posts card data to the processor itself, you are A-EP. Ask your processor which of their integrations they attest as SAQ A eligible rather than assuming.
Scope reduction — the most important PCI strategy
Scope reduction means architecting your payment systems so that card data never enters your environment. Less scope = fewer controls = lower compliance cost.
- Use hosted payment pages: Stripe Checkout, Braintree Hosted Fields, PayPal Buttons. Card data goes from the customer's browser directly to the processor. Your server only sees a payment confirmation (a session or payment ID and a status), never card numbers. SAQ A.
- Tokenization: Your processor gives you a surrogate value (token) instead of the card number. Store Stripe PaymentMethod IDs (pm_…) attached to a Customer, or Braintree payment method tokens, instead of PANs. Even if your database is compromised, there are no card numbers to steal, and the token is only usable through your processor account.
- Point-to-point encryption (P2PE): Hardware terminals encrypt card data before it reaches your network, and only the solution provider can decrypt it. With a PCI SSC-listed P2PE solution this moves the POS environment to the short SAQ P2PE; encryption from a non-listed vendor still reduces risk but does not earn the same scope reduction on paper.
- Network segmentation: Isolate the systems that do handle cardholder data from the rest of your network so only the segmented environment is in scope. Segmentation must be verified (PCI DSS requires periodic penetration tests of the segmentation controls) before an assessor will rely on it.
Every architectural decision that keeps card data away from your systems reduces your PCI scope — and therefore reduces your compliance cost and breach risk simultaneously.
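Every scope-reduction claim above rests on one testable statement: no raw PAN exists anywhere in your environment, only processor tokens. The script below is an added example (not code from the original page or from any processor) of how a practitioner verifies that claim before signing an SAQ A: it scans text such as application logs or database dumps for Luhn-valid card numbers of plausible length, labels the likely brand, and reports only a first-six/last-four mask so the scanner itself never writes a full PAN to its output. The sample log lines and the pm_… token format are constructed for illustration; the card numbers are the publicly documented test numbers, not real accounts.

```python
"""PAN discovery scan: does raw cardholder data ever land in our logs or DB?

Added example for the scope-reduction section; not from the original page.
Processor tokens (pm_/tok_ style values, assumed Stripe-like prefixes) are
not flagged because they are not 13-19 digit Luhn-valid sequences.
"""
import re
from typing import Optional

DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")   # digits with optional single space/dash separators
MIN_LEN, MAX_LEN = 13, 19                   # PAN lengths permitted by ISO/IEC 7812


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every real PAN (and every brand test number) satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Coarse issuer identification by prefix and length; None if it fits no major brand."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "discover"
    return None


def mask_pan(digits: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked findings for every brand-matching, Luhn-valid window in `text`.

    A digit run is checked window by window (longest first) so that a PAN glued to
    a neighbouring number by a space or dash is still found, and a number that
    merely fails Luhn (order IDs, epochs, typos) is not reported.
    """
    findings = []
    for m in DIGIT_RUN.finditer(text):
        run = re.sub(r"[ -]", "", m.group())
        i = 0
        while i <= len(run) - MIN_LEN:
            hit = None
            for length in range(min(MAX_LEN, len(run) - i), MIN_LEN - 1, -1):
                window = run[i:i + length]
                if luhn_valid(window) and brand_of(window):
                    hit = window
                    break
            if hit:
                findings.append({"masked": mask_pan(hit), "brand": brand_of(hit), "length": len(hit)})
                i += len(hit)                # never re-report digits inside this PAN
            else:
                i += 1
    return findings


def scan_log(lines: list) -> list:
    """(line number, findings) for every line that contains at least one PAN."""
    results = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            results.append((n, pans))
    return results


# Constructed sample log; the card numbers are public brand test numbers.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z POST /checkout pm=pm_1OZabcDEF123 amount=4999 status=ok",     # token only: clean
    '2024-03-01T10:00:05Z DEBUG card={"number":"4242 4242 4242 4242","exp":"12/26"}',   # raw PAN leaked to a log
    "2024-03-01T10:00:09Z order=1700000000000 amex=378282246310005 cvv=***",            # epoch (clean) + Amex PAN
    "2024-03-01T10:00:12Z ref=4111111111111112 status=retry",                           # fails Luhn: not a PAN
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        for h in hits:
            print(f"line {lineno}: {h['brand']} PAN {h['masked']} ({h['length']} digits)")
```

Run it over real log exports and database dumps (stdout of `grep -r` works fine) before attesting that your servers never see card numbers; a single hit on line 2 above is the kind of accidental debug logging that silently moves a business from SAQ A to SAQ D. Because the output is already masked, the scan report itself does not become new cardholder data you have to protect.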
PCI compliance tools and services
| Tool / Service | What it does | Best for | Cost |
|---|---|---|---|
| ControlScan | SAQ wizard, ASV scans, PCI guidance | SMBs completing SAQ A–D | $200–1,500/yr |
| SecurityMetrics | SAQ, ASV scans, pen testing, QSA services | Mid-market merchants, Level 1–3 | $300–5,000/yr + QSA fees |
| Coalfire | QSA firm, penetration testing, advisory | Level 1 merchants, processors | $20,000–70,000 (QSA audit) |
| Trustwave | QSA firm, ASV, managed security, SAQ | Larger merchants, banks | $500–50,000+ depending on scope |
| Vanta / Drata | GRC platform with PCI module | Tech companies doing SOC 2 + PCI combined | $15,000–30,000/yr combined |
| Your acquirer's portal | SAQ + compliance dashboard via payment processor | Small merchants; Stripe, Square, PayPal offer these | Often free or included |
For most small businesses: Your payment processor (Stripe, Square) offers a built-in PCI compliance portal. Start there. It's designed for your use case and often free or included. You don't need a $1,500/yr third-party tool to complete an SAQ A.
PCI compliance cost breakdown
| Scenario | Annual cost | Notes |
|---|---|---|
| Level 4, SAQ A (Stripe hosted checkout) | $0–500 | SAQ is free; ASV scans via your processor's portal or $50–200/quarter from an ASV |
| Level 3–4, SAQ C or D | $500–3,000 | SAQ plus quarterly ASV scans plus gap remediation time |
| Level 2 with AOC requirement | $2,000–10,000 | SAQ, scans, AOC, possibly consultant support |
| Level 1 QSA audit | $20,000–70,000 | On-site assessment by a QSA firm; annual requirement |
| Penetration test (if required) | $5,000–20,000 | Required by Requirement 11 for anything assessed against SAQ D or a ROC (so always at Level 1); not part of SAQ A. Cost depends on scope and firm |
Non-compliance penalties if a breach occurs: card-brand fines commonly cited at $5,000–$100,000/month, levied on your acquirer and passed through to you under your merchant agreement, plus a mandatory PFI forensic investigation ($50,000–200,000+), plus card reissuance and fraud liability reimbursements. Compliance is cheap insurance.
Want to reduce PCI scope to near-zero? Businesses that accept Solana USDC payments skip card processing entirely for those transactions: no card numbers, no PAN storage, no PCI scope for that channel. USDC is a dollar-pegged stablecoin (1 USDC is redeemable for $1.00), and transaction fees are roughly $0.00025. It is not a fit for every transaction, and any card channel you keep stays in scope, but for recurring B2B invoices and contractor payments it can remove a compliance layer entirely. See: Solana USDC payments guide →
🧭 SideGuy: Do you actually need a PCI compliance tool?
- ✅ Yes if: you're Level 1 (6M+ transactions), so you need a QSA firm or a PCI-certified ISA to produce a ROC; you're Level 2–3 with a formal AOC requirement; your acquiring bank has sent you a PCI compliance deadline notice; or you've had a security incident involving card data.
- 🟡 Maybe if: your SAQ has 100+ questions and you're unsure how to answer them; or you hold anything beyond processor tokens (tokens themselves are not cardholder data, but a system that can turn them into charges still deserves documented controls).
- ❌ Probably not if: you use Stripe Checkout or PayPal and never touch card numbers — complete the SAQ A through your processor's portal (it's free) and you're done. A $1,000/yr third-party tool adds no compliance value for a standard hosted checkout integration.
Quick check: Does your website, your JavaScript, or your server ever receive raw card numbers? If the answer is no (Stripe Checkout, PayPal Smart Buttons, a provider-served iframe), your compliance is an SAQ A form, solvable in an afternoon at no cost. If you are not sure, grep your logs and database for card numbers before you answer.
PCI DSS Glossary
- PAN (Primary Account Number)
- The payment card number printed on the card: 13 to 19 digits (16 for most Visa and Mastercard cards, 15 for American Express). The core of what PCI DSS is designed to protect.
- Cardholder Data
- The PAN plus expiration date, cardholder name, or service code when stored with the PAN.
- SAQ (Self-Assessment Questionnaire)
- Self-certification tool for merchants not required to undergo a formal QSA audit. Multiple types (A through D) based on how cardholder data is handled.
- QSA (Qualified Security Assessor)
- A PCI Security Standards Council-certified auditor qualified to perform on-site PCI assessments and produce a Report on Compliance (ROC). Required for Level 1 merchants unless they use a PCI-certified Internal Security Assessor (ISA) on staff.
- ASV (Approved Scanning Vendor)
- A company approved by the PCI SSC to conduct quarterly external vulnerability scans of your internet-facing systems. Required wherever your SAQ or ROC includes the external-scan requirement, which is most merchant levels and most SAQ types.
- AOC (Attestation of Compliance)
- A formal document attesting that the PCI DSS requirements in the accompanying SAQ or ROC are met. Every SAQ and ROC has a matching AOC; acquirers formally require it from Level 1–3 merchants and from service providers. Signed by the merchant (and by the QSA or ISA when one performed or assisted the assessment).
- Tokenization
- Replacing a card number with a surrogate value (token) that has no exploitable meaning outside the processor that issued it. Stripe PaymentMethod IDs (pm_…) and Braintree payment method tokens are tokens: your servers store the token, not the card number.
- P2PE (Point-to-Point Encryption)
- Encryption of card data at the point of interaction (card swipe, dip, or tap) that can only be decrypted in the solution provider's secure environment, so the merchant's network never sees plaintext card data. Only PCI SSC-listed P2PE solutions qualify a merchant for the short SAQ P2PE.
- CDE (Cardholder Data Environment)
- The systems and networks that store, process, or transmit cardholder data. PCI DSS requirements apply to your CDE. Smaller CDE = lighter compliance burden.
FAQ
What are the PCI DSS merchant levels?
Level 1: 6M+ transactions, requires an annual on-site assessment (ROC) by a QSA or ISA. Level 2: 1M–6M, SAQ + AOC (Mastercard requires a QSA or ISA to complete the SAQ). Level 3: 20K–1M e-commerce, SAQ + AOC. Level 4: under 20K e-commerce or under 1M total, SAQ recommended with specifics set by your acquirer. Most small businesses are Level 4.
Do I need PCI compliance if I use Stripe?
Yes, but it's simple. Using Stripe Checkout or Stripe's hosted payment pages typically qualifies you for SAQ A — about 20 questions, free to complete via Stripe's dashboard. Card data never touches your servers so scope is minimal.
What is the easiest way to reduce PCI scope?
Use a hosted payment page from a PCI-certified processor (Stripe Checkout, PayPal, Braintree). Card data goes directly to the processor — your systems never see raw card numbers. This typically qualifies you for SAQ A, the simplest form.
Want help figuring out your merchant level and which SAQ type applies to your payment setup?
Text PJ · 773-544-1231