If you take cards, this is about you
There’s a common belief among small business owners that PCI compliance is a big-company problem — something for retailers with a server room, not a two-truck HVAC outfit or a salon in Belleville. That belief is wrong, and it’s costing people money.
If your business accepts, processes, stores, or sends credit card information — through a Square reader, a Stripe checkout, a terminal by the register, or an invoice with a “pay now” link — you are subject to PCI DSS. One card a month still counts.
What PCI DSS is. It stands for Payment Card Industry Data Security Standard. It’s not a government law; it’s a set of security rules the card brands (Visa, Mastercard, and the rest) require of every business that handles card payments. Your payment processor is the one that enforces it on you.
What changed with version 4.0
PCI DSS 4.0 is the current version. The older 3.2.1 was retired in March 2024, so 4.0 is now the only one that counts. A second wave of its requirements moved from “recommended” to “required” in March 2025.
Most of the changes modernize basic security: stronger passwords, multi-factor authentication on the systems that touch card data, tighter control over who can access what, and clearer rules about how payment information moves through your business — including over email. The theme is simple: card data should be handled deliberately, not floating around in inboxes and text threads.
The part that costs you money either way
Here’s what most owners never connect: your processor may already be charging you for non-compliance, and you’re paying it without knowing what it is.
Most merchant agreements include a non-compliance fee — a monthly charge that kicks in when you haven’t completed your annual compliance paperwork. It’s usually $20 to $100 a month, buried in your statement as a vague line item. That’s $240 to $1,200 a year, charged not because you did anything wrong, but because a form went unfinished.
Pull your last processor statement and look for anything labeled “non-compliance,” “PCI,” or “regulatory” fee. If it’s there, you’ve been paying for a problem you can usually fix in an afternoon.
How you actually prove compliance
For nearly every small business, proving compliance means completing a Self-Assessment Questionnaire (SAQ) — a yearly form your processor provides. There are several versions, and the one you need depends on how you take payments:
- If your payments are fully handled by an outside service (a hosted checkout, a Square reader), you usually qualify for a short version.
- If you key cards into a terminal or computer, the form is longer.
The good news: most small businesses qualify for a short SAQ, and completing it honestly is usually what stops the non-compliance fee. Your processor can tell you which one applies to you.
Where small businesses quietly fail
The same handful of gaps show up over and over:
- Storing card numbers where they don’t belong — in email, text messages, a notebook by the register, or a spreadsheet. Don’t keep card numbers, full stop.
- Using a personal Gmail for anything that touches payments. Personal accounts aren’t built for this and fail several requirements by design.
- Weak or shared passwords, and no multi-factor authentication on the systems that matter.
- Never completing the SAQ — which guarantees the fee whether or not your setup is actually secure.
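A practical way to check the first gap above, as an added example (not from the original post): scan an exported inbox or spreadsheet for digit runs that pass the Luhn check card numbers use, and report only the last four digits so the report itself doesn't become another place card data lives. The sample lines are constructed, and the two card numbers in them are well-known public test numbers, not real accounts.

```python
import re

# Constructed sample lines, as they might appear in an exported inbox or a spreadsheet CSV.
# The two card numbers are well-known public test numbers, not real accounts.
SAMPLE_LINES = [
    "Invoice 1042 paid by card 4111 1111 1111 1111 exp 09/27",
    "Customer called, order #1234567890123456 shipped Friday",
    "Card on file for the Hendersons: 5500-0000-0000-0004",
    "Thanks, see you Tuesday",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded inside a longer run of digits (order numbers, tracking IDs).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report holds no usable card number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(lines):
    """Return (line_number, masked_number) for every Luhn-valid candidate found."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LINES):
        print(f"line {line_no}: possible card number {masked}")
```

Anything it flags should be deleted from wherever it was found, not copied into a "to clean up" list.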
What to do, in order
- Check your statement for a non-compliance fee, or just call your processor and ask if you’re compliant.
- Get your SAQ from the processor and complete it — ask which version applies if you’re not sure.
- Stop storing card data anywhere it shouldn’t live. Let your processor hold it.
- Move to a real business email and turn on multi-factor authentication on your key accounts.
- Shrink the problem — the less card data that touches your own systems, the fewer rules fall on you.
None of this requires a consultant or a security team. It requires knowing the rules exist and spending a couple of hours closing the obvious gaps.
Where to start
If you’d rather find out where you stand before you start filling out forms, our free email and domain check looks at the payment-adjacent gaps too — whether your business email is set up safely, and where your setup is likely to trip a compliance requirement. You get a written summary in plain language, no sales call.
For the bigger picture on how personal email and payments collide, read why your @gmail.com is now a business risk.
