The PCI compliance checklist for SMBs

A plain-English self-assessment of the controls a PCI-DSS questionnaire expects from any business that takes card payments — so you can find your gaps before your acquiring bank does. Free, no obligation.

What's inside

The PCI controls, grouped so they make sense

The checklist maps the PCI-DSS control areas onto the way a small business actually operates, so you can score yourself honestly and shrink your scope where you can.

  • Map your cardholder data — where card data is stored, processed or transmitted, and how to reduce scope.
  • Secure network & access — firewalls, segmentation, MFA, unique logins and least-privilege access.
  • Protect stored data — tokenization, encryption and never storing what you don't need (like the CVV).
  • Patch, monitor & log — anti-malware, timely patching and audit logs that prove controls run.
  • Policies & training — an information-security policy and staff awareness of card-handling rules.
  • The "most-missed" flags — the items that trip up small merchants most often, called out for you.

Want the full picture? See our PCI-DSS compliance guide and how we support retail businesses.

Send me the checklist

Enter your details and we'll email the PCI compliance checklist right away. No spam, no obligation.

We'll only use your details to send the checklist and the occasional helpful update. Unsubscribe anytime.

Who it's for

Made for businesses that take cards

Retail & hospitality

In-store terminals, online checkout or both. See which controls apply and how to keep your SAQ simple.

Phone & mail order

Taking card details over the phone carries real risk. Check how you capture and handle them, and confirm you never store them.

Owners & IT leads

Pressure-test your payment setup against what a PCI-DSS questionnaire actually asks, control by control.

FAQ

PCI questions, answered

Scope

Does PCI-DSS apply to my small business?

If you store, process or transmit payment card data in any way — in person, online or over the phone — PCI-DSS applies to you. The level of validation (SAQ type) depends on how you take payments and your transaction volume.

How does reducing PCI scope help?

The fewer systems that touch cardholder data, the fewer controls you have to prove. Using validated payment terminals and hosted/tokenized checkout can shrink your scope dramatically — the checklist shows where this applies.

The checklist

Will the checklist complete my SAQ for me?

No. The checklist helps you self-assess the IT and security controls a PCI-DSS Self-Assessment Questionnaire asks about, so you can find your gaps first. Your acquiring bank or payment provider defines which SAQ you must formally complete.

Found a PCI gap you'd rather hand off?

Book a free IT & security risk assessment and we'll turn your checklist into a prioritized plan. No obligation.