PCI Compliance for an Ecommerce Store, Explained

May 1, 2026 · 9 min read

Almost every online seller hits the same wall: their processor sends an email about PCI compliance for an ecommerce store, with a 200-question form and a $20-a-month "non-compliance fee" already showing up on their statement. Most merchants either ignore it or panic-buy a consultant. Both are wrong.

The truth is that for the vast majority of Shopify, WooCommerce, and BigCommerce stores, PCI is a 30-minute self-assessment — not a six-month project. Here's exactly what you need to do, what your platform already covers, and what you'll get fined for if you skip it.

What PCI DSS actually is

PCI DSS (Payment Card Industry Data Security Standard) is a contractual requirement from Visa, Mastercard, AmEx, and Discover, enforced through your acquiring bank. It's not a law, but if you accept cards you've signed agreements that require compliance. The penalty for ignoring it is real: $5,000–$100,000 per month in fines if you have a breach and weren't compliant.

The 4 merchant levels (and why most stores are Level 4)

Your level is set by how many card transactions you process per year:

  • Level 1 — over 6 million transactions/year. Annual on-site audit by a QSA. Big-box only.
  • Level 2 — 1–6 million/year. Annual self-assessment + quarterly scans.
  • Level 3 — 20,000–1 million ecommerce transactions/year. Self-assessment + quarterly scans.
  • Level 4 — under 20,000 ecommerce transactions/year. Self-assessment only. This is 95%+ of stores.

Which SAQ form applies to you

The Self-Assessment Questionnaire (SAQ) you fill out depends on how cards touch your site:

  • SAQ A — fully outsourced. Your checkout redirects to or iframes Stripe, Shopify Payments, or PayPal. ~22 questions. This is most stores.
  • SAQ A-EP — your site loads the payment form directly (e.g., Stripe Elements injected into your page). ~191 questions and quarterly ASV scans required.
  • SAQ D — you store, process, or transmit raw card data. Avoid this at all costs.

What Shopify, WooCommerce, and BigCommerce actually cover

Platforms cover their slice of PCI; you still own yours.

Shopify

Shopify is a Level 1 PCI Service Provider. If you use Shopify Payments or any approved gateway through Shopify's checkout, you qualify for SAQ A. You still need to complete the SAQ once a year — Shopify doesn't do that for you.

WooCommerce

WooCommerce itself is software you host, so PCI scope depends on your gateway plugin. Stripe and PayPal redirect/iframe plugins keep you in SAQ A. Direct card-on-page integrations push you into SAQ A-EP and require a quarterly Approved Scanning Vendor (ASV) scan of your server.

BigCommerce

BigCommerce is also a Level 1 Service Provider. With its hosted checkout you stay in SAQ A. Custom checkouts can pull you into A-EP — verify with your developer.

The 30-minute compliance checklist for SAQ A stores

If you qualify for SAQ A (most stores do), here's the entire annual workflow:

  • Log into your processor's PCI portal (Stripe, Shopify, your acquirer's compliance partner like SecurityMetrics or Trustwave).
  • Confirm SAQ A when prompted — answer the ~22 yes/no questions.
  • Attest that you don't store, process, or transmit cardholder data on your systems.
  • Use unique, strong admin passwords with 2FA on your store backend, hosting, and email.
  • Keep all third-party scripts on your checkout reviewed — no random pixels or chat widgets injected into the payment page.
  • Save the Attestation of Compliance (AoC) — that's your proof.
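As an added example (not code from the original article), here is a small static audit of a checkout page's HTML that backs two of the items above: it flags card-entry fields served from your own page, which is the signal that you have drifted from SAQ A into A-EP or D, and it lists every external script whose origin is not on your allow list. The page origin, the allow-listed origins and the sample checkout HTML are constructed for the example.

```javascript
// Added example: static audit of a checkout page for SAQ A scope.
// Assumptions: the HTML is fetched separately and passed in as a string;
// allowedOrigins is the merchant's own inventory of approved script hosts.

const SCRIPT_RE = /<script\b[^>]*>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
// Inputs whose name or autocomplete token indicates raw card data on your page.
const CARD_FIELD_RE = /<input\b[^>]*\b(?:autocomplete\s*=\s*["']cc-(?:number|csc)["']|name\s*=\s*["'](?:card[_-]?number|cvv|cvc)["'])/gi;

// Resolve a script src (absolute, protocol-relative or path) to its origin.
function originOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).origin;
  } catch {
    return null; // unparsable src is treated as unexpected
  }
}

function auditCheckoutPage(html, pageOrigin, allowedOrigins) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const result = { unexpectedScripts: [], inlineScripts: 0, cardFieldsOnPage: 0, saqHint: 'A' };
  for (const tag of html.match(SCRIPT_RE) || []) {
    const m = tag.match(SRC_RE);
    if (!m) { result.inlineScripts += 1; continue; } // inline scripts need manual review
    const origin = originOf(m[1], pageOrigin);
    if (!origin || !allowed.has(origin)) result.unexpectedScripts.push(m[1]);
  }
  result.cardFieldsOnPage = (html.match(CARD_FIELD_RE) || []).length;
  if (result.cardFieldsOnPage > 0) {
    result.saqHint = 'A-EP or D: card fields are served from your own page';
  }
  return result;
}

// Constructed sample: a gateway iframe plus a stray chat widget on the payment page.
const SAMPLE_HTML = `
<html><body>
<iframe src="https://js.stripe.com/v3/elements-inner"></iframe>
<script src="https://js.stripe.com/v3/"></script>
<script src="/assets/checkout.js"></script>
<script src="https://widget.chat-vendor.example/widget.js"></script>
<script>window.dataLayer = [];</script>
</body></html>`;

const report = auditCheckoutPage(SAMPLE_HTML, 'https://shop.example', ['https://js.stripe.com']);
console.log(JSON.stringify(report, null, 2));
```

Run it against a saved copy of your live checkout page and treat any entry in `unexpectedScripts` as something to remove or formally add to your script inventory before the annual attestation.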

The $20-a-month "non-compliance fee" — and how to kill it

Acquirers tack on PCI non-compliance fees ($15–$50/month) the moment you miss the annual SAQ. They reverse the fee retroactively as soon as you complete it. Set a yearly calendar reminder — that one task is worth $200–$600/year.

When to hire help

Bring in a QSA or PCI consultant only if: you're crossing into Level 2 volume; you're moving to a custom checkout (SAQ A-EP or D); you've had a breach; or you handle B2B card-on-file flows. For everything else, the platform + your processor's portal is enough.

PCI compliance for an ecommerce store sounds intimidating but is genuinely simple for the SAQ A merchants who make up most of the market. Use a hosted or iframed checkout, complete the short self-assessment annually, keep your admin accounts locked down, and you're done. Save the consultant fee for when you actually scale into a higher merchant level.

Frequently asked questions

Do I need PCI compliance if I only use Stripe or Shopify Payments?

Yes. Stripe and Shopify cover their infrastructure as Service Providers, but you're still the merchant of record and must complete an annual SAQ A and attest to your own controls.

What happens if I don't do my PCI SAQ?

Your processor will start charging a non-compliance fee (typically $15–$50/month) and, in the event of a breach, you'd face fines of $5,000–$100,000/month plus card brand assessments.

Is SAQ A really enough for a Shopify store?

If you use Shopify Payments or an approved gateway through Shopify checkout, yes — SAQ A is the correct form. Custom-built checkouts that handle card data on your domain require SAQ A-EP.

How often do I have to renew PCI compliance?

Annually. SAQ A merchants resubmit once per year. SAQ A-EP and higher levels also require quarterly ASV vulnerability scans.
