What do SMEs need to do to comply with the PCI DSS?

Organisations that accept card payments are responsible for the security of customers’ payment information and must comply with the PCI DSS (Payment Card Industry Data Security Standard).

The PCI DSS is a set of tools and measures to help you protect payment card data. It applies to all organisations that transmit, process or store such information, but SMEs (small and medium-sized organisations) should be extra vigilant.

They are the most likely to be targeted by cyber criminals and the repercussions of a data breach could threaten their ability to stay in business.


Challenges for small merchants

The PCI DSS is technically complex, with 12 compliance requirements based on common information security practices.

The key to compliance is identifying and securing the points where cardholder information could be compromised. These might include compromised card readers, paper stored in a filing cabinet, a weak database or a secret tap into your wireless network.

Compliance was further complicated following the introduction of the GDPR (General Data Protection Regulation) in May 2018, which created additional rules for the way organisations process and store EU residents’ personal data.

Because both sets of requirements cover similar topics, a failure to meet the PCI DSS’s requirements might also be a violation of the GDPR, in which case, the organisation would face significant enforcement action from their supervisory authority and the possibility of fines.



To meet the PCI DSS’s requirement, the majority of SMEs can self-audit and complete an SAQ (self-assessment questionnaire) as well as conducting quarterly ASV (Approved Scanning Vendors) scans.

There are nine types of SAQ that apply in different circumstances:

  • SAQ A: For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants.
  • SAQ A-EP: For e-commerce merchants that don’t receive cardholder data but do control the method through which data is redirected to a third-party payment processor.
  • SAQ B: For merchants that only process credit card data via imprint machines or via a standalone dial-out terminal.
  • SAQ B-IP: For merchants that don’t store card data in electronic format but use IP-connected POI (point-of-interaction) devices. These merchants may handle either card-present or card-not-present transactions.
  • SAQ C-VT: For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function.
  • SAQ C: For merchants that process cardholder data via POS (point-of-sale) systems or other payment application systems connected to the Internet.
  • SAQ D: For those that don’t fit into any of the above categories. It is often referred to as ‘Report on Compliance Light’, because it requires organisations to go through all 12 PCI DSS requirements, albeit on a reduced scale. There are two versions of SAQ D: one for merchants and one for service providers.
  • SAQ P2PE-HW: For merchants that use card-present transactions, meaning it is not applicable to organisations that deal in e-commerce.
  • Merchants that use a PCI-validated point-to-point encryption (P2PE) solution and have implemented it successfully are eligible for SAQ P2PE-HW.

Need the skills to complete an SAQ?

Compliance through a self-assessment questionnaire seems straightforward, but each form contains hundreds of questions that require a comprehensive understanding of the PCI DSS.

So, although the SAQ gives you a solid framework from which to work, it doesn’t remove the burden from you entirely.

To understand how to complete a self-assessment, you should therefore gain the necessary understanding of the Standard.

 PCI DSS Foundation CourseOur PCI DSS Foundation Course is the ideal place to start. This one-day course provides a comprehensive introduction to the Standard and delivers practical guidance on how it applies to certain organisations.

Register for this course >>


PCI DSS Implementation Training CourseIf you’re looking for something more in-depth, you might prefer our PCI DSS Implementation Training Course.

Over three days, you’ll learn everything you need to know about adopting the PCI DSS’s requirements. At the end of the course, you have the option to sit an exam and potentially receive the PCI DSS Implementation qualification.

Register for this course >>

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.