If you take card payments — in a storefront or online — PCI DSS applies to you, full stop. There's no revenue floor and no small-business exemption: the standard covers "all entities involved in payment card processing — including merchants, processors, acquirers, issuers, and service providers" (PCI Security Standards Council). And the rules just got stricter. This guide explains what a small merchant actually has to do, in plain English.
First, an important distinction
PCI DSS is not a U.S. federal law. It's a contractual security standard created by the card brands (Visa, Mastercard, and the rest) and enforced through your payment processor and acquiring bank. That distinction matters for how you talk about it: the requirement reaches you through your processor agreement, not a statute. But "not a law" doesn't mean optional — non-compliance can mean fines passed down from the processor, forensic-audit costs after an incident, and in the worst case losing your ability to accept cards at all, which is existential for a shop.
What changed in 2025
PCI DSS version 4.x introduced 64 new requirements. Of those, 51 were "future-dated" — best practices during a transition window that became mandatory on March 31, 2025 (PCI SSC). That date has passed, so those controls are in force now, not coming.
The new requirements lean heavily toward:
- Stronger authentication, including multi-factor authentication on access to the cardholder data environment.
- Tighter access control — least privilege, reviewed regularly.
- Payment-page protection against client-side attacks — the one that catches e-commerce merchants by surprise (more below).
The trap for online stores: client-side skimming
The attack that most threatens an online store isn't a server breach — it's client-side skimming, often called Magecart. An attacker injects malicious JavaScript into your checkout page, and it quietly copies each customer's card number as they type, in the browser, before the data ever reaches your processor. You can be "PCI compliant" on paper and still be bleeding cards if the payment page itself is tampered with.
PCI DSS v4.x added requirements specifically to detect and prevent payment-page script tampering. If you run your own storefront stack, this is the part to take seriously. And it connects to a broader trend: Verizon's 2026 DBIR found software-vulnerability exploitation is now the #1 way attackers get in, at 31% of breaches (Verizon DBIR) — an outdated e-commerce plugin is exactly that kind of door.
How much applies to you depends on how you take cards
The single biggest lever on a small merchant's PCI burden is scope — how much of your environment touches card data. A shop that fully redirects checkout to a compliant provider carries far less scope (and a simpler self-assessment questionnaire) than one whose own site assembles the payment page. The controls that shrink scope and the controls cyber-insurance underwriters look for overlap:
- Segment the systems that touch card data from everything else — the move that shrinks PCI scope and the move insurance carriers reward.
- Put managed detection and response where the card data flows — point-of-sale terminals and the e-commerce stack, not just the back office.
- Secure customer- and vendor-facing email and identity, where account takeover and invoice fraud start.
- Confirm your SAQ type with your acquirer before assuming you're in the easiest bucket — the wrong SAQ is the most common self-scoping mistake. (We walk through the SAQ choices in our PCI DSS 4.0.1 SAQ guide.)
What to do next
Treat PCI scope and your cyber-insurance posture as one project — the controls overlap almost entirely. The Cyber Insurance Readiness Sprint maps your environment against the PCI v4.x controls and the cyber questionnaire in a fixed-scope, seven-business-day engagement, and produces the segmentation confirmation, MFA coverage, and logging evidence both your acquirer and your carrier want. See the Retail, E-commerce & Hospitality security page for how it runs.
The bottom line
If you accept cards, PCI DSS applies — no exemption — and the 51 newly mandatory v4.x requirements are in force as of March 31, 2025. It's a contractual standard, not a law, but the consequences of ignoring it are real. For online stores, the sharpest risk is client-side skimming on the payment page. Shrink your scope, secure the systems that touch cards, confirm your SAQ, and document it once for the processor and the carrier.
Not sure which PCI requirements actually apply to your store? Book a PCI readiness assessment.
Last updated
June 17, 2026. We refresh this content as the threat landscape and tools evolve.