PCI compliance (Payment Card Industry Data Security Standard, or PCI-DSS) is the set of security rules every business that accepts credit cards must follow. The goal is to protect cardholder data wherever it lives in your business, your checkout page, your virtual terminal, your point-of-sale system, your stored customer records. How much PCI work your business actually has to do depends on how the card data flows through your systems.

What PCI-DSS actually requires

The PCI-DSS standard is published by the PCI Security Standards Council and currently runs to a few hundred pages. The core requirement is straightforward: card data must be protected during capture, transmission, storage, and disposal. The detailed rules cover things like encryption, network security, access controls, vulnerability scanning, written security policies, and incident response.

Every merchant who accepts cards is responsible for PCI compliance. The card networks (Visa, Mastercard, Discover, American Express) require it via your merchant account agreement. Non-compliance penalties can include monthly fines, higher processing rates, and ultimately termination of your ability to accept cards.

The four PCI merchant levels

The card networks classify merchants into four levels based on annual transaction volume. Higher levels carry more demanding compliance work.

  • Level 1: 6 million+ Visa/Mastercard transactions per year. Requires annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV).
  • Level 2: 1 to 6 million transactions per year. Requires annual self-assessment questionnaire (SAQ) and quarterly ASV scans.
  • Level 3: 20,000 to 1 million e-commerce transactions per year. Requires annual SAQ and quarterly ASV scans.
  • Level 4: Fewer than 20,000 e-commerce transactions per year, or up to 1 million total transactions. Requires annual SAQ. ASV scans may or may not apply depending on how card data is handled.

The vast majority of small and mid-sized businesses are Level 4. The compliance work is real but manageable, especially if the business uses a hosted payment page or tokenization to keep card data out of its own systems.

SAQ types, and why you want SAQ A

For Level 4 merchants, the annual Self-Assessment Questionnaire (SAQ) is the main compliance task. There are several SAQ types depending on how your business processes cards. Choosing the right SAQ, or more accurately, designing your payment flow so you qualify for the simplest one, is the biggest decision a small business makes about its PCI burden.

  • SAQ A (about 20 questions): For merchants who fully outsource card handling, the card data never touches the merchant's website or servers. This is what you get if you use a hosted payment page (redirect or iframe), an off-site invoicing page, or a third-party shopping cart that handles the card on its own domain.
  • SAQ A-EP (about 200 questions): For merchants whose website partially handles the card, typically via JavaScript that captures the card and posts it to the gateway. Card data still does not land on the merchant's server, but the merchant's pages can affect the security of the transaction.
  • SAQ D (more than 300 questions): For merchants who store, process, or transmit card data on their own systems. The biggest compliance lift, the most operational work, and the only SAQ where you need quarterly external vulnerability scans.

Going from SAQ D to SAQ A is the single biggest PCI-burden reduction available to most small businesses. The way to do it: use a hosted payment page from a PCI Level 1 gateway so card data never reaches your own infrastructure.

Why a PCI Level 1 gateway matters

When you use a payment gateway, you are trusting that gateway to handle card data correctly on your behalf. A PCI Level 1 certified gateway has gone through the most demanding annual on-site PCI audit and passed. That means the gateway itself meets the highest tier of card-data security standards.

The practical benefit for the merchant: when card data only enters the gateway's interface (not yours), most of your PCI scope shifts to the gateway. You qualify for SAQ A instead of SAQ A-EP or SAQ D. The annual compliance work drops from hundreds of questions and quarterly scans to a 20-question questionnaire.

CoreGateway is PCI-DSS Level 1 certified. Card data is captured directly into the gateway via the hosted payment page or via secure tokenization in the API, never on merchant servers.

Common ways merchants accidentally expand PCI scope

Even with a Level 1 gateway, a small business can blow up its own PCI scope through habits that quietly route card data through unprotected systems. The four most common mistakes:

  1. Writing card numbers down on paper or in email. Card data on paper in an unlocked drawer, in an email thread, or in a chat tool counts as storage. It puts the merchant in SAQ D territory regardless of what the gateway is doing.
  2. Storing card numbers in a CRM or spreadsheet. Same problem, storage outside the PCI-compliant vault means full scope. Use the gateway's customer vault and store only the token reference instead.
  3. Taking card numbers over the phone and typing into a generic form. If the form is not part of a PCI Level 1 gateway, the card was just transmitted through your phone system, your laptop, and your network in cleartext. Use a virtual terminal hosted by a Level 1 gateway instead.
  4. Letting employees take screenshots or photos of cards. Often happens in trade-show or event sales when staff are processing offline. Train the team to use the gateway's vault tokenization or hosted page instead.

Annual compliance for a Level 4 merchant on SAQ A

For a typical small-to-mid-sized business using a PCI Level 1 hosted payment page, the annual compliance routine is straightforward:

  1. Complete the SAQ A questionnaire. About 20 yes/no questions about how card data flows in your business. Most merchants can complete it in under an hour with a clean payment setup.
  2. Sign the Attestation of Compliance (AOC). A short document confirming that the SAQ answers are accurate.
  3. Submit to your acquirer (or processor) as required. Some processors require you to submit annually; some only require you to keep the SAQ and AOC on file in case of audit.
  4. Refresh your security awareness training and your incident response plan. Light annual exercises, not heavy lifts.

SAQ A merchants typically do not require quarterly external vulnerability scans. Higher SAQ levels (A-EP, D) require quarterly ASV scans which add real cost and complexity.

The bottom line

PCI compliance is a real obligation for every merchant who accepts cards, but the actual annual workload depends almost entirely on how your business handles card data. The simplest path: use a PCI Level 1 gateway with a hosted payment page so card data never touches your own systems, qualify for SAQ A, and complete a short annual questionnaire.

The hardest path: store cards in your own systems, take cards by phone into your own software, and end up on SAQ D with quarterly scans and hundreds of compliance questions. The difference between those two outcomes is the gateway and payment flow you choose, not the size of your business.