PCI DSS · 1 July 2026
PCI DSS for small businesses: a practical starter guide
Many small businesses assume PCI DSS is only for big retailers. It isn’t. If you take card payments in any form, the standard applies to you — but the good news is that, for most SMEs, staying compliant can be genuinely straightforward. This guide shows you how.
Does PCI DSS really apply to a small business?
Yes. PCI DSS applies to any organisation that stores, processes or transmits cardholder data, regardless of size. A one-person consultancy taking the occasional card payment is in scope just as much as a national chain. What differs is the amount of validation you need to do — and for most small businesses that means completing a Self-Assessment Questionnaire (SAQ) rather than a formal external audit.
Your acquiring bank (the bank that processes your card transactions) is usually the party that asks you to confirm your compliance.
The golden rule: keep card data away from your systems
For a small business, the smartest strategy is almost always to make sure card data never touches your own systems. If you don’t store, process or transmit card data yourself, the vast majority of PCI DSS requirements simply don’t apply to you.
In practice that means:
- Taking online payments through a hosted or redirect payment page provided by a compliant payment provider
- Directing phone payments through a compliant payment service rather than keying card numbers into your own devices
- Using a standalone card terminal for in-person payments rather than storing anything electronically
- Never writing card numbers on paper, saving them in spreadsheets, or leaving them in emails or voicemails
Get this right and you’ll typically qualify for one of the shorter SAQs. Our guide to reducing PCI DSS scope explains the techniques in more depth.
Which SAQ will a small business usually need?
It depends entirely on how you take payments. Common small-business scenarios include:
| How you take payments | Likely SAQ |
|---|---|
| Online only, via a hosted/redirect page | A |
| Online, but your site handles the payment page | A-EP |
| In person, standalone internet-connected terminal | B-IP |
| Phone payments via a web-based virtual terminal | C-VT |
| You store card details electronically | D |
Our SAQ types guide walks through each option. Choosing the right one is important, because it defines exactly which controls you need.
The basics you should have in place
Whichever SAQ applies, a handful of sensible controls will cover most of what’s expected of a small business:
- Change default passwords on terminals, routers and any payment-related equipment
- Keep devices updated and protected with anti-malware where relevant
- Limit who can take payments and make sure each person has their own login
- Don’t store card data unless you have a genuine, documented need
- Train your team so everyone knows how to handle card details safely
- Have a simple incident process in case something goes wrong
None of this is exotic — it’s good business hygiene that also supports your wider data protection obligations under UK GDPR.
Common small-business mistakes
The pitfalls we see most often are:
- Writing card numbers on paper to process later — this pulls paper handling and storage into scope
- Emailing card details internally or to customers
- Recording phone calls without pausing during the card-reading step
- Assuming the payment provider handles everything, without confirming your own SAQ obligations
- Never revisiting it, so the assessment lapses year on year
Keeping it proportionate
PCI DSS for a small business shouldn’t be a burden. The aim is to take payments in a way that keeps card data out of your hands, complete the right (usually short) SAQ once a year, and keep the evidence tidy. Done well, it becomes a quick annual task rather than a source of stress. If any of the terminology is unclear, our glossary is a handy reference.
Do you need a quarterly scan?
Some SAQs — notably A-EP, B-IP, C and D — require quarterly vulnerability scans by an Approved Scanning Vendor (ASV) of any internet-facing systems in scope. Others, such as SAQ A and SAQ C-VT, generally do not. This is another reason the shortest applicable SAQ is worth aiming for: it can remove the need for regular scanning altogether. If you keep card data entirely off your own systems, you’ll usually avoid this requirement.
A realistic annual routine for an SME
For most small businesses, staying compliant looks like this across the year:
- Confirm nothing has changed in how you take payments
- Complete the appropriate SAQ and attestation
- Run any required scans if your SAQ calls for them
- Refresh staff awareness on handling card details safely
- File the paperwork so it’s ready if your bank asks
That’s genuinely the whole cycle for a typical small business. It doesn’t require an IT department or specialist tools — just a clear understanding of how you take payments and a commitment to keeping card data out of your systems.
What compliance is really protecting
It’s easy to see PCI DSS as bureaucracy, but the underlying purpose is straightforward: protecting your customers’ card details and protecting your business from the fallout of a card-data breach. For a small business, a breach can be existential — the costs, the fines passed down by the card brands, and the loss of customer trust can be severe. A little routine attention to how you take payments is a modest price for that protection.
How we can help
We understand that, for a small business, compliance is something you want handled simply and affordably so you can get back to running your business. We offer a transparent, fixed-fee engagement that confirms whether and how PCI DSS applies to you, identifies the right SAQ, and supports you through completing it with plain-English guidance. To find out more, see our PCI DSS service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our PCI DSS service.