How To Guide
How to Comply with PCI DSS for Payment Processing
Non-compliance risks fines and losing card acceptance.
Overview
PCI DSS has 12 requirements grouped into 6 categories. Most SMBs validate through a Self-Assessment Questionnaire (SAQ).
Step 1: Your Level
Determine your merchant level and assessment scope.
1. Levels
- Level 4: under 20,000 e-commerce transactions per year
- Most small businesses are Level 4
- SAQ A: Fully outsourced via Stripe/PayPal
Pro Tip:
Using Stripe/PayPal reduces scope to SAQ A, the simplest.
Step 2: Controls
Required security controls.
1. Key Controls
- Firewall protecting the cardholder data environment
- No default passwords
- Encrypt in transit with TLS 1.2+
- Restrict access to need-to-know
- Unique user IDs
- Log all access
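To make the "TLS 1.2+" control concrete, here is a Python example, added here and not part of this guide, of a server-side TLS context that refuses anything older than TLS 1.2, with an audit function for checking a context's settings and a helper that reports the version a live endpoint negotiates. It assumes Python 3.10 or later; the certificate and key paths are placeholders supplied by the caller.

```python
"""Enforce and audit 'TLS 1.2+' on a server in the cardholder data environment.

Added example, not from the guide. Assumes Python 3.10+ (ssl.TLSVersion and
minimum_version are available); certfile/keyfile are caller-supplied placeholders.
"""
import socket
import ssl


def make_server_context(certfile=None, keyfile=None):
    """Server-side context that refuses any client offering less than TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the setting that enforces the control
    ctx.options |= ssl.OP_NO_COMPRESSION           # keep TLS compression off
    # TLS 1.2 suites limited to forward-secret AEAD ciphers; TLS 1.3 suites are
    # configured by OpenSSL separately and are already modern.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # placeholder paths, not from the guide
    return ctx


def audit_settings(minimum_version, options):
    """Findings for a (minimum_version, options) pair; an empty list means it passes.

    Takes plain values so it can also be run over settings exported from another
    system's configuration, not only over a live SSLContext."""
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum TLS version too low: {hex(minimum_version)} (need TLS 1.2 = 0x303)")
    if not options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext."""
    return audit_settings(ctx.minimum_version, ctx.options)


def negotiated_version(host, port=443, timeout=5.0):
    """Connect as a client and report the protocol version actually negotiated.

    Verifies a live endpoint; needs network access, so it is not part of the test."""
    client = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with client.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()        # e.g. "TLSv1.3"


if __name__ == "__main__":
    print("hardened context findings:", audit_context(make_server_context()))
    # Weak values as they might appear in an older config: TLS 1.0 (0x301), no options set.
    print("weak settings findings:", audit_settings(0x301, 0))
```

The audit deliberately works on plain values, so the same function can be pointed at settings pulled from a load balancer or reverse proxy export, where the minimum version is recorded as a number rather than as a Python enum.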
Step 3: Validate
Prove compliance.
1. Process
- Complete SAQ annually
- Quarterly external vulnerability scans
- Submit to payment processor
- Retain evidence 3 years
2. Reduce Your PCI Scope
- The single most effective strategy: Never let card data touch your systems
- Use hosted payment pages: Stripe Elements, PayPal buttons, Adyen Drop-in
- These redirect card entry to the payment provider's servers
- Your servers never see, process, or store card numbers
- This reduces your scope to SAQ A — the simplest compliance level
- If using a physical card terminal: Ensure it connects directly to the processor
- Segment the cardholder data environment from the rest of your network
Pro Tip:
Using Stripe Elements or a similar hosted payment page eliminates 80% of PCI requirements overnight. If you currently process cards on your own servers, migrating to a hosted solution is the fastest path to compliance.
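The scope-reduction point above, that card data should never reach your servers, can be enforced rather than assumed. The Python guard below is an added example, not from this guide or from any payment provider's SDK: it accepts a request that carries only a provider token and rejects one containing anything shaped like a card number (13 to 19 digits passing the Luhn check), recording a masked value rather than the number itself. Field names, the token value and the sample requests are constructed; 4242 4242 4242 4242 is a publicly documented test card number, not real card data.

```python
"""Refuse any inbound request that carries a primary account number (PAN).

Added example, not from the guide or from any payment provider's SDK. Field
names, the token value and the sample requests are constructed.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Card-number checksum; filters out most non-card digit runs (order and tracking numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four digits only, the most a log line should ever carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Digit strings in `text` that look like PANs by length and Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def vet_request(fields: dict) -> tuple[bool, str]:
    """Accept a request that carries only a provider token; reject any field containing a PAN."""
    for name, value in fields.items():
        pans = find_pans(str(value))
        if pans:
            return False, (f"field '{name}' contains card data ({mask(pans[0])}); "
                           "card entry belongs on the hosted payment page")
    return True, "ok"


# Constructed samples. "pm_..." mimics a provider token; 4242 4242 4242 4242 is a
# publicly documented test number, and 1234567812345678 is a 16-digit value that
# fails Luhn (a tracking number, say), so it must not be flagged.
SAFE_REQUEST = {"order_id": "ORD-88213", "payment_method": "pm_constructedtoken01",
                "tracking": "1234567812345678"}
BAD_REQUEST = {"order_id": "ORD-88213", "card_number": "4242 4242 4242 4242", "cvc": "123"}

if __name__ == "__main__":
    print(vet_request(SAFE_REQUEST))
    print(vet_request(BAD_REQUEST))
```

Run this check on every request body before it reaches application code or logging, and treat a rejection as an incident to investigate: a PAN arriving at your server usually means a form or integration has bypassed the hosted page, which is exactly the event that would pull you out of SAQ A.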
3. Network Segmentation for PCI
- Isolate all systems that touch card data onto a separate network segment
- Use firewall rules to strictly control traffic in and out of this segment
- No unnecessary services should run on systems in the cardholder environment
- Document all data flows: Where card data enters, moves through, and exits your systems
- Regularly test segmentation controls — run scans from outside the segment
- If segmentation fails, your entire network comes into PCI scope
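To give the "test segmentation controls from outside the segment" item a concrete form, here is a Python script, added here and not from the guide, that attempts TCP connections from a host outside the cardholder data environment to addresses the firewall is supposed to block, and reports any that answer. The inventory of hosts and ports is a constructed placeholder to be replaced from your documented data flows; the probe function is injectable so the reporting logic can be exercised without a network.

```python
"""Segmentation check: run from a host OUTSIDE the cardholder data environment (CDE).

Every target marked "blocked" should be unreachable; a completed TCP handshake
to one of them is a segmentation failure. Added example, not from the guide;
the inventory below is a constructed placeholder.
"""
import socket
from dataclasses import dataclass


@dataclass
class Target:
    host: str
    port: int
    expect: str   # "blocked": firewall must stop it; "open": the one documented permitted path


# Constructed placeholder inventory; derive yours from the documented data-flow diagram.
INVENTORY = [
    Target("10.99.0.10", 22, "blocked"),    # CDE admin host must not be reachable from the office LAN
    Target("10.99.0.20", 443, "open"),      # the permitted path: POS to the payment API front end
    Target("10.99.0.20", 3389, "blocked"),  # no remote desktop into the CDE from outside
]


def tcp_probe(host, port, timeout=2.0) -> bool:
    """True only if a TCP handshake completes; refused, dropped and filtered all count as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(targets, probe=tcp_probe):
    """Findings for targets whose observed reachability contradicts the expectation."""
    findings = []
    for t in targets:
        reachable = probe(t.host, t.port)
        if t.expect == "blocked" and reachable:
            findings.append(f"FAIL {t.host}:{t.port} reachable from outside the CDE")
        elif t.expect == "open" and not reachable:
            findings.append(f"WARN {t.host}:{t.port} documented permitted path is down")
    return findings


if __name__ == "__main__":
    for line in check_segmentation(INVENTORY) or ["PASS: segmentation holds for all targets"]:
        print(line)
```

Keep the output with your other compliance evidence: a dated PASS from outside the segment is the record an assessor will ask for, and a FAIL tells you which rule to fix before the whole network falls into scope.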
4. Quarterly Vulnerability Scanning
- External vulnerability scans must be performed by an Approved Scanning Vendor (ASV)
- Scans must pass with no high-severity vulnerabilities
- Common ASVs: Qualys, Tenable, Rapid7 — costs vary from 500-2,000 pounds annually
- Failed scans must be remediated and rescanned until passing
- Internal vulnerability scanning should also be performed quarterly
- Keep a record of all scan reports — your acquiring bank may request them
- Address vulnerabilities within 30 days of discovery
5. Maintaining Compliance Year-Round
- PCI compliance is continuous, not just an annual exercise
- Monitor security controls daily — do not wait until audit time
- Log review: Review logs of cardholder data access daily
- Change detection: Monitor critical files for unauthorised changes
- Access review: Quarterly review of who has access to cardholder data
- Update your SAQ immediately when payment processing methods change
- Keep your acquiring bank informed of any significant changes to your setup
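Two of the daily checks listed above, log review and change detection, fit naturally in one small job. The Python script below is an added example, not from this guide: it reviews a cardholder-data access log and flags access by anyone outside the need-to-know list or by a shared account, and it detects modified or missing critical files against a SHA-256 baseline. The log format, the authorised-user list and the files used in the self-check are constructed for illustration.

```python
"""Two daily checks in one script: review the cardholder-data access log for
unauthorised or shared accounts, and detect changes to critical files against
a SHA-256 baseline.

Added example, not from the guide. The log format, authorised-user list and the
files in the self-check are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# --- 1. Daily log review ---------------------------------------------------
AUTHORISED = {"alice", "svc-payments"}   # constructed need-to-know list; revisit at the quarterly access review
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<res>\S+)$")

SAMPLE_LOG = """\
2024-05-01T09:02:11Z user=alice action=read resource=cde/tokens
2024-05-01T09:15:40Z user=bob action=read resource=cde/tokens
2024-05-01T09:16:02Z user=svc-payments action=write resource=cde/tokens
2024-05-01T10:05:00Z user=carol action=read resource=wiki/menu
2024-05-01T11:40:09Z user=root action=read resource=cde/tokens
this line is deliberately malformed
"""


def review_access_log(text, authorised=AUTHORISED):
    """One finding per cardholder-data access that a reviewer needs to look at."""
    findings = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            findings.append(f"UNPARSED {raw!r}")          # never drop lines silently
            continue
        if not m["res"].startswith("cde/"):
            continue                                       # outside the cardholder environment
        if m["user"] == "root":
            findings.append(f"SHARED-ACCOUNT {m['ts']} root {m['action']} {m['res']}")
        elif m["user"] not in authorised:
            findings.append(f"UNAUTHORISED {m['ts']} {m['user']} {m['action']} {m['res']}")
    return findings


# --- 2. Change detection (file integrity) ----------------------------------
def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Hash every critical file; store the result where the monitored hosts cannot write to it."""
    return {str(p): sha256_of(p) for p in paths}


def compare_baseline(baseline):
    """Findings for files that changed or disappeared since the baseline was taken."""
    findings = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings.append(f"MISSING {path}")
        elif sha256_of(path) != digest:
            findings.append(f"MODIFIED {path}")
    return findings


def self_check_change_detection():
    """Exercise the baseline/compare cycle on constructed temp files; returns the finding kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg, app = Path(tmp, "payments.ini"), Path(tmp, "checkout.py")
        cfg.write_text("processor_url = https://example.invalid\n")
        app.write_text("# checkout handler\n")
        baseline = build_baseline([cfg, app])
        cfg.write_text("processor_url = https://example.invalid/changed\n")   # tampered
        app.unlink()                                                        # removed
        return [f.split(" ", 1)[0] for f in compare_baseline(baseline)]


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
    print("change detection self-check:", self_check_change_detection())
```

Unparsed lines are reported rather than skipped because a log format change, or an attacker feeding junk into the log, would otherwise hide real accesses. The baseline itself must live somewhere the monitored servers cannot modify, or an intruder who changes a file can simply rehash it.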
Need Professional Help?
Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.