
Guide to PCI DSS Compliance In Canada

The Allianz Risk Barometer report for 2020 found that cyber incidents posed the biggest risk to businesses in 2020. The risk is compounded for small businesses, most of which do not have the in-house IT security expertise to contain a cyber attack once it has begun. One business area is especially prone to attack: payments. That is why risk reduction and a compliance baseline for payment processing matter.

A wide variety of businesses store sensitive consumer information such as credit card details, addresses, KYC data, and more in order to make payments easier and faster. Unfortunately, this type of sensitive information is often targeted by bad actors due to its value. Thankfully, there are several sets of standards, known as IT Security Frameworks, including PCI DSS, the global payments compliance framework developed to help businesses protect their data, employees, and customers.

In this article, we’ll take a comprehensive look at the IT Security Framework for online payments – PCI DSS and everything that small and medium businesses need to know about PCI DSS to effectively implement it.

What is PCI DSS?


PCI DSS, short for Payment Card Industry Data Security Standard, is a security standard created to protect cardholder data through a joint effort by Visa, MasterCard, American Express, Discover Financial Services, and JCB International. Today, PCI DSS is used by thousands of companies that incorporate payment processing into their business.

The framework’s main aim is to secure transactions between the customer and the business and to prevent data theft and breaches by bad actors. PCI DSS is not a regulation, so businesses aren’t required by law to comply. That said, compliance is a contractual condition of working with any major payment processor or acquiring bank, so in practice a business must comply if it wants to accept cards.


There are four compliance levels in PCI DSS, based on the number of transactions completed annually:

  • PCI DSS Compliance Level 1: Over 6 million card transactions annually (all channels combined)
  • Level 2: 1 million to 6 million transactions annually
  • Level 3: 20,000 to 1 million e-commerce transactions annually
  • Level 4: Fewer than 20,000 e-commerce transactions annually, or up to 1 million total transactions across all channels

Note On Past Breaches: Merchants who have experienced a data breach compromising cardholder data may be elevated to Level 1 regardless of transaction volume.

Note On Card Brands: Card brands (Visa, Mastercard, Amex, etc.) set slightly different thresholds. Amex, for example, uses 2.5 million as the Level 1 threshold, not 6 million. Check the program of each brand you accept, and of your acquirer, rather than relying on the Visa figures above alone.

How to become PCI DSS compliant?

To become PCI DSS compliant, the PCI Security Standards Council (PCI SSC) has outlined 12 requirements, grouped under 6 objectives (goals). The requirements themselves apply to every merchant; what changes with merchant level is how compliance is validated (self-assessment versus an on-site assessment). Since this article is for small businesses, we will assume that readers are Level 4 merchants.

Requirements to become compliant with PCI DSS are:

  • Building and maintaining a secure network
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protecting cardholder data
    • Protect stored cardholder data
    • Encrypt transmission of cardholder data across open, public networks
  • Maintaining a vulnerability management program
    • Protect all systems against malware and regularly update anti-virus software or programs
    • Develop and maintain secure systems and applications
  • Implementing strong access control measures
    • Restrict access to cardholder data by business need to know
    • Identify and authenticate access to system components
    • Restrict physical access to cardholder data
  • Regularly monitoring and testing networks
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  • Maintaining an Information Security Policy
    • Maintain a policy that addresses information security for all personnel

The wording above is from PCI DSS v3.2.1. PCI DSS v4.0, which replaced v3.2.1 in 2024, keeps the same 6 goals and 12 requirements but rewords several of them (for example, “firewall configuration” became “network security controls”, and the malware requirement now covers “malicious software” generally rather than anti-virus specifically). The SAQ you fill out will use the v4.0 wording.

There are different tools and solutions available to help Canadian businesses comply with PCI DSS requirements.

A Note On Level 4 Compliance

The dirty little secret of PCI compliance for small business is a doozy.

Most small businesses process fewer than 20,000 online card transactions per year. That makes them Level 4 merchants, the lowest tier.

For Level 4, “compliance” often means:

  • Fill out a Self-Assessment Questionnaire (SAQ)
  • Run a quarterly external vulnerability scan by an Approved Scanning Vendor (whether this applies depends on which SAQ type you fall under)
  • Attest that you’re following the requirements

That’s it. No external audit. No QSA (Qualified Security Assessor) review. Penetration testing is only required if your SAQ type includes it (SAQ D does; the shorter SAQs for fully outsourced e-commerce do not).

The “app” or SAQ wizards that walk merchants through the questionnaire make it easy, but also risky. You can be “compliant” and still at risk.

You click through some questions, check a few boxes, and you get a “compliant” certificate.

But is your business actually secure and protected? Often not. You have, however, satisfied the paperwork requirement.

As a small business owner, you can truthfully check “yes” on “Do you use a firewall?” because your router likely has one built in. Whether it’s properly configured is another matter. You can check “yes” on password requirements because you have a password policy, even if nobody follows it and nothing enforces it.

The SAQ is self-reported. Nobody verifies the answers unless there’s a breach.

We urge small business owners to take good care of the items listed in the SAQ, to truly protect your business.
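The practical way to take that advice is to turn a handful of SAQ checkboxes into checks that run against real evidence. The script below is an added example written for this article; it is not code from the page, from the PCI SSC, or from any SAQ tool. It applies thresholds from PCI DSS v4.0 Requirement 8 (password length and composition, 90-day rotation when a password is the only factor, lockout after at most 10 attempts, 15-minute idle timeout), Requirement 2.2.2 (vendor default accounts) and Requirement 1.3.1 (inbound traffic into the cardholder data environment limited to what is necessary, everything else denied) to constructed sample data. The account records, the firewall rule syntax, the “CDE” subnet and the list of default credentials are all assumptions made up for the example; in a real shop you would export them from your directory and your router.

```python
"""
Evidence-based spot checks for a few SAQ items, instead of ticking the box.

Added example, not from the original article. Thresholds follow PCI DSS v4.0
Requirements 1, 2 and 8; the account records, firewall rules, CDE subnet and
default-credential list below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

# Constructed cardholder data environment (CDE): the subnet holding the POS /
# checkout hosts. Assumption for the example.
CDE_NETS = [ipaddress.ip_network("10.0.1.0/24")]

# Vendor-default credentials that Requirement 2.2.2 says must be changed or
# disabled. Constructed, illustrative list; not an exhaustive inventory.
VENDOR_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}


@dataclass
class Account:
    user: str
    password_len: int
    has_alpha: bool
    has_digit: bool
    last_change: date
    lockout_attempts: int      # failed logins before lockout (0 = never locks)
    idle_timeout_min: int      # minutes before re-authentication (0 = never)
    clear_password: str = ""   # only used for the device default-credential check


def check_account(a: Account, today: date) -> list[str]:
    """Return the Requirement 8 / 2.2.2 items this account fails."""
    issues = []
    # 8.3.6: at least 12 characters, containing both letters and numbers.
    if a.password_len < 12 or not (a.has_alpha and a.has_digit):
        issues.append(f"{a.user}: password does not meet 8.3.6 (12+ chars, alpha+numeric)")
    # 8.3.9: rotate at least every 90 days when the password is the only factor.
    if today - a.last_change > timedelta(days=90):
        issues.append(f"{a.user}: password older than 90 days (8.3.9)")
    # 8.3.4: lock the account after no more than 10 invalid attempts.
    if a.lockout_attempts == 0 or a.lockout_attempts > 10:
        issues.append(f"{a.user}: lockout threshold not within 10 attempts (8.3.4)")
    # 8.2.8: require re-authentication after 15 minutes idle.
    if a.idle_timeout_min == 0 or a.idle_timeout_min > 15:
        issues.append(f"{a.user}: idle timeout exceeds 15 minutes (8.2.8)")
    # 2.2.2: vendor-supplied default credentials must not remain in use.
    if (a.user, a.clear_password) in VENDOR_DEFAULTS:
        issues.append(f"{a.user}: vendor default credential still in use (2.2.2)")
    return issues


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: str      # "any" or CIDR
    dst: str      # "any" or CIDR
    dport: str    # "any" or a port number


def parse_rule(line: str) -> Rule:
    """Parse the constructed rule format: 'allow tcp any -> 10.0.1.0/24:443'."""
    action, _proto, src, _arrow, dst = line.split()
    dst_net, _, dport = dst.partition(":")
    return Rule(action, src, dst_net, dport or "any")


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0") if s == "any" else ipaddress.ip_network(s)


def check_firewall(rules: list[Rule]) -> list[str]:
    """1.3.1: inbound traffic to the CDE limited to what is necessary, rest denied.
    Constructed heuristic: flag any 'allow' from 'any' into a CDE subnet that is
    not limited to TCP 443, and a ruleset whose last rule is not a blanket deny."""
    issues = []
    for r in rules:
        if r.action != "allow" or r.src != "any":
            continue
        if any(_net(r.dst).overlaps(c) for c in CDE_NETS) and r.dport != "443":
            issues.append(f"rule 'allow {r.src} -> {r.dst}:{r.dport}' exposes the CDE beyond HTTPS (1.3.1)")
    last = rules[-1] if rules else None
    if last is None or (last.action, last.src, last.dst) != ("deny", "any", "any"):
        issues.append("ruleset has no final 'deny any -> any' (1.3.1, default deny)")
    return issues


def run_saq_spotcheck(accounts: list[Account], rule_lines: list[str], today: date) -> dict:
    """Evaluate the evidence and return findings grouped by requirement."""
    findings = {"requirement_8": [], "requirement_1": []}
    for a in accounts:
        findings["requirement_8"].extend(check_account(a, today))
    findings["requirement_1"] = check_firewall([parse_rule(l) for l in rule_lines])
    return findings


# Constructed sample data. The date is fixed so the example is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("cashier1", 8, True, True, date(2023, 11, 1), 5, 15),          # short and stale
    Account("owner", 14, True, True, date(2024, 4, 15), 6, 10),            # compliant
    Account("admin", 5, True, False, date(2022, 1, 1), 0, 0, "admin"),     # POS terminal default
]
SAMPLE_RULES = [
    "allow tcp any -> 10.0.1.0/24:443",
    "allow tcp any -> 10.0.1.0/24:3389",        # RDP from the internet into the CDE
    "allow tcp 10.0.2.0/24 -> 10.0.1.0/24:any", # back office to CDE, not from 'any'
    "allow tcp any -> 10.0.5.0/24:any",         # last rule is not a deny
]

if __name__ == "__main__":
    for req, items in run_saq_spotcheck(SAMPLE_ACCOUNTS, SAMPLE_RULES, TODAY).items():
        print(req, "->", "PASS" if not items else f"{len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Run against the sample data, the “password requirements” box you could truthfully tick on paper produces seven findings, and the “firewall” box produces two: RDP open from the internet into the checkout subnet, and no closing deny rule. Feed it your real account export and router rules instead and you get an answer to “is it properly configured?” rather than “do I have one?”.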

Tools For Assessing Compliance With PCI DSS

If you already follow information security best practices, some of PCI DSS requirements may sound familiar and chances are, you may already meet certain requirements. Even if you’re unsure, there are two ways to assess your compliance with PCI DSS:

#1 - Qualified Assessors:

The PCI Security Standards Council has created two programs for assessing compliance:

  • Qualified Security Assessor (QSAs)
  • Approved Scanning Vendor (ASVs)

QSAs are firms certified by the Council to perform on-site assessments and produce a Report on Compliance. ASVs are certified to perform the quarterly external vulnerability scans of your internet-facing assets that many SAQ types require. A QSA validates compliance; an ASV scan is one piece of evidence that feeds into it.

We do not offer PCI compliance services. For PCI compliance help in Toronto, take a look at Control Gap.

#2 - The Self-Assessment Questionnaire:

The SAQ is a useful tool for businesses that want to self-assess their PCI DSS compliance. Note that not every business is eligible to self-assess (Level 1 merchants are not), and that there are several SAQ types, selected by how you accept and process cards (for example, fully outsourced e-commerce, standalone dial-out terminals, or systems that store cardholder data), not by your merchant level.

Cost of becoming PCI DSS compliant

The cost for a Canadian small business to be PCI DSS compliant will vary based on a number of factors including compliance level, payment card brand, compliance assessment method, etc. Therefore, the numbers stated are approximations.

For small businesses, PCI DSS compliance costs will generally start around $300 CAD and increase based on your business requirements. At the lower end, businesses that are eligible for Self Assessment Questionnaire (SAQs) only need $200 to $400 CAD. For Approved Scanning Vendor or ASV, the cost will increase by around $380 CAD for every asset you own (IP address).

If you do not meet PCI DSS requirements, remediation efforts can cost anywhere between $500 CAD and over $15,000 CAD, depending on how many of the roughly 300 sub-requirements you fail. Finally, training and policy development may cost an additional $100-$150 CAD per employee.

In total, the yearly cost of a PCI DSS compliance, for a small business and a level four merchant can vary from $1000 to $10,000 CAD.

Benefits Of PCI DSS Compliance

It’s also important to understand the cost of non-compliance. A cyber attack that compromises your customers’ payment details triggers breach-notification obligations under PIPEDA in Canada, can bring card-brand fines passed through by your acquirer, and does serious damage to your reputation. In fact, 66 percent of customers said they would not do business with a company where sensitive/financial information was leaked.

On the other hand, PCI DSS compliant businesses have an easier time meeting customer expectations and passing vendor screenings. PCI DSS compliance also brings benefits such as:

  1. A competitive advantage
    • Following an international security standard is a great way to build your reputation, especially as a small business. If your competitors don’t follow it, you are automatically ahead of them.
  2. A deterrent to a data breach
    • Bad actors do their research, and a visibly hardened IT infrastructure makes you a less appealing target. Working through PCI DSS is one of the most practical ways for a small business to reduce its exposure, especially if you cannot hire full-time cybersecurity professionals.
    • And if a breach does happen, stored card data that is encrypted or tokenized (with the keys kept out of the attacker’s reach) is far less useful to the attacker than cleartext card numbers.
  3. Helps comply with other security standards
    • PCI DSS compliance requirements might indeed seem tedious and extensive. However, being PCI DSS compliant will help you follow other security standards, such as SOC 2 and ISO 27001, more easily since many of the requirements overlap. The cost of following those standards becomes considerably lower as a result.

Wrapping Up

For Level 4 merchants using hosted payment platforms like Stripe, Square, or Shopify, PCI DSS compliance is often handled through your payment processor’s self-assessment tools. The scope depends on how the integration is done: if the customer is redirected to the processor’s hosted page or the card fields are served entirely by the processor, you typically qualify for the short SAQ A; if your own site controls how card data is collected or posted (for example a direct API integration), you move to SAQ A-EP or SAQ D, which carry far more requirements.

If you need quarterly ASV scans, the PCI Security Standards Council maintains an official list of Approved Scanning Vendors. Many offer affordable plans for small businesses starting around $100-200 USD per year.

TUCU focuses on broader security frameworks like NIST Framework and ISO 27001 as well as Vendor Security Screenings Support that protect your entire business infrastructure, not just payment transactions. If you’re exploring IT security beyond PCI compliance, we should talk.
