What Is PCI Compliance — and What Happens If You're Not?
PCI DSS — the Payment Card Industry Data Security Standard — is the set of requirements every business that accepts credit or debit cards must meet to protect cardholder data. (And no, it's not a fee that PCI Consulting Group charges — though we get that question more than you'd think.) It's not a law in the traditional sense, but non-compliance carries real consequences: monthly fines, elevated processing rates, and in the event of a breach, liability for every fraudulent charge that flows from it. Most small business owners either don't know their obligations or assume someone else is handling it. Here's what you actually need to know.
PCI Consulting Group offers merchant services for small and mid-size businesses — payment processing setup, statement analysis, and rate optimization.
Who sets PCI standards and who enforces them?
PCI DSS is maintained by the PCI Security Standards Council, a body founded by Visa, Mastercard, American Express, Discover, and JCB. The standards themselves are set by the Council, but enforcement happens through the card brands and your payment processor — not through a government agency.
In practice, your processor is responsible for ensuring that its merchants are compliant. It will require you to complete an annual Self-Assessment Questionnaire (SAQ) and may require periodic network scans depending on your processing environment. If you don't complete these, you'll typically be charged a monthly non-compliance fee — often $25–$100/month — until you do.
The four merchant levels
PCI compliance requirements vary based on how many card transactions your business processes annually:
- Level 1 (over 6 million transactions/year): Annual audit by a Qualified Security Assessor (QSA) plus quarterly network scans. This applies to large retailers and e-commerce businesses.
- Level 2 (1–6 million transactions/year): Annual Self-Assessment Questionnaire plus quarterly network scans.
- Level 3 (20,000–1 million e-commerce transactions/year): Annual SAQ plus quarterly network scans.
- Level 4 (under 20,000 e-commerce or under 1 million total transactions/year): Annual SAQ recommended; quarterly scans may be required depending on your processor. This covers the vast majority of small businesses.
What the Self-Assessment Questionnaire covers
There are several SAQ variants depending on how your business accepts and processes cards. The most common for small businesses:
- SAQ A: For merchants who outsource all cardholder data functions to PCI-compliant third parties and never touch card data directly. The simplest questionnaire — around 22 questions.
- SAQ B: For merchants using standalone card terminals that dial out to the processor. No electronic cardholder data storage.
- SAQ C: For merchants with payment application systems connected to the internet. More comprehensive — covers network security, access control, and monitoring.
- SAQ D: The most comprehensive — for merchants who store cardholder data electronically or don't fit the other categories. Over 200 questions.
What non-compliance actually costs
Monthly non-compliance fees
Most processors charge $25–$100/month if you haven't completed your annual SAQ. This is the most common consequence — and it adds up quietly over the course of a year.
Higher processing rates
Some processors impose elevated transaction rates on non-compliant merchants as an additional penalty, on top of the monthly fee.
Breach liability
This is the serious one. If your business suffers a data breach while non-compliant, the card brands can hold you liable for the cost of fraudulent transactions, card reissuance, and forensic investigation — costs that can easily reach six figures for a small business breach. PCI compliance doesn't eliminate breach risk, but non-compliance eliminates your defenses when it happens.
Loss of ability to accept cards
In extreme cases of persistent non-compliance or a serious breach, processors can terminate your merchant account — meaning you lose the ability to accept card payments entirely.
Getting and staying compliant
For most small businesses, achieving PCI compliance is a matter of completing the right SAQ, running required network scans, and implementing a handful of security controls — strong passwords, network segmentation, access logging, and keeping software patched. It's not as complicated as it sounds, but it does require someone to actually do it. PCI Consulting Group helps merchants understand their compliance obligations, complete their SAQ, and implement the technical controls required. If you're not sure whether you're currently compliant — or you've been paying a non-compliance fee for months — we can help you get it sorted.
Not sure if you're PCI compliant?
We'll walk you through your obligations and help you get compliant — and make sure you stop paying unnecessary non-compliance fees.