PCI DSS for smaller businesses

What is the PCI DSS? Why do I have to comply? What resources do I need? How can I do it quickly?

For smaller businesses, complying with the Payment Card Industry Data Security Standard (PCI DSS) can seem like a complex and costly challenge.

IT Governance can support you with a range of products and services to help your systems and processes reach the level of security required by the standard.

What is the PCI DSS?

The PCI DSS was put together by the PCI Security Standards Council (PCI SSC) with the aim of reducing payment card fraud across the Internet and elsewhere, and increasing the security of cardholder data.

Who should comply?

The PCI DSS applies to ALL organisations or merchants, regardless of size or number of transactions, that store, process or transmit cardholder data. If any customer ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Compliance with the PCI DSS involves applying a number of specific controls or safeguards, including documented policies and procedures as well as a number of technical IT and network configurations. You may also have to provide staff with appropriate training, and have your external-facing systems scanned for vulnerabilities every quarter by an Approved Scanning Vendor (ASV).

PCI Compliance and Support Contract for the Smaller Business

This special package brings together essential compliance resources with expert advice at a price that you can afford:

What are the key steps to achieve compliance for smaller merchants?

  1. Before you can start your PCI compliance programme you will need to determine which merchant level applies to you. Your level depends on your annual transaction volume. Your acquiring bank is likely to want to agree the level that applies to you.
  2. Find out which of the self-assessment questionnaires (SAQs) applies to you. The SAQ depends on how you accept card payments (for example, whether you use a third-party hosted payment page, a stand-alone terminal or your own e-commerce site). You should be able to decide this from the table on this page, but if you need further assistance, your acquiring bank can help you make this decision.
  3. IT Governance's PCI SAQ Workshop is a one-day workshop designed to provide attendees with practical advice on completing the relevant SAQ.
  4. Determine your 'cardholder data environment' (CDE): the people, processes and technology that store, process or transmit cardholder data, together with any systems connected to them. The CDE defines the scope of your compliance activities, so reducing it (for instance by not storing card data at all) reduces the work required. You can talk these issues through with one of our experts. Visit our Live Online Consultancy page and purchase one hour of Live Online consultancy support (it is inexpensive and highly cost-effective); we will be able to answer these questions for you and send you a formal, written confirmation.
  5. Assess your current level of compliance with the PCI DSS (use the IT Governance PCI Documentation Compliance Toolkit). Take action to close the gaps between the requirements of the PCI DSS and your actual practices.
  6. Complete the SAQ applicable to your organisation.
  7. Initiate quarterly external vulnerability scans by an Approved Scanning Vendor (use our PCI HackerGuardian Approved Scanning Service).
  8. Submit evidence of compliance (the completed SAQ, attestation of compliance and passing scan reports, as your acquirer requires) to your acquiring bank.

You can get started right away by purchasing our PCI Compliance and Support Contract for the Smaller Business online, or you can phone us for more information on 00 800 48 484 484.

Please note: The PCI SSC has released version 3.1 of both the PCI DSS and the Payment Application Data Security Standard (PA-DSS). Version 3 of the standard aims to help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility; the v3.1 update additionally removes SSL and early versions of TLS from the list of acceptable strong cryptography, so merchants using them for payment pages or terminals will need to migrate. Find out more about PCI DSS v3.1 on our dedicated page.

For more information call us on 00 800 48 484 484 or email

IT Governance Ltd is a Qualified Security Assessor (QSA) company that has been approved by the PCI SSC.

Other PCI products and services from IT Governance

IT Governance has a comprehensive range of unique products available to help organisations with their PCI compliance programmes: