PCI DSS Compliance for E-commerce (2026)

A practical PCI DSS guide for e-commerce merchants in 2026 — scope reduction, SAQ selection, script monitoring under v4.0.1, and building a compliance program that scales with GMV.

E-commerce is where PCI DSS intersects with real business growth. You launch on Shopify or Magento, traffic grows, you start handling more transactions, and suddenly your acquirer sends a letter about Level 2 requirements. Or your legal team asks whether your checkout page is scanning third-party scripts under the new v4.0.1 rules. Or an AOV shift pushes you past a compliance threshold nobody mentioned when you configured your payment stack.

PCI for e-commerce is not fundamentally hard. But it has specific patterns that differ from brick-and-mortar retail, card-not-present B2B, and financial services. This guide is for e-commerce merchants — DTC brands, marketplaces, subscription businesses, and online retailers — who want to run PCI compliance without spending more than they need or missing requirements that suddenly become enforceable.

The 2026 Enforcement Reality for E-commerce

Two changes matter more than anything else for online merchants:

  • Requirements 6.4.3 and 11.6.1 are now enforced. If you have any third-party scripts on your payment or checkout pages, you must inventory them, justify each one, and monitor them for unauthorized change. This is aimed squarely at Magecart-style skimming attacks, and it applies to merchants of every size.
  • SAQ A scope has narrowed. The conditions for using SAQ A have tightened. If your payment page includes any non-iframe JavaScript that could affect checkout behavior, you may no longer qualify for SAQ A and have to use SAQ A-EP or higher.

If you haven't reviewed your SAQ eligibility in 2025 or 2026, do it now. It's the fastest way to discover a quiet compliance gap.

For the foundational material this post assumes, start with the PCI framework hub, the PCI requirements overview, and the v4.0 changes page.

Your Merchant Level and What It Means

The card networks assign merchant levels based on annual Visa or Mastercard transaction volume. Your acquirer enforces level-appropriate compliance:

Level | Transactions/Year | Typical Requirement
Level 1 | Over 6M | Annual RoC by QSA, ASV scans
Level 2 | 1M–6M | Annual SAQ (some require RoC), ASV scans
Level 3 | 20K–1M e-commerce | Annual SAQ, ASV scans
Level 4 | Under 20K e-commerce | Annual SAQ, ASV scans (varies)

The nuances:

  • Different card networks have slightly different thresholds
  • Acquirers can require Level 1 treatment for any merchant they consider high-risk
  • A significant breach can push you up a level regardless of volume
  • Multi-brand merchants may aggregate volumes

For more, our PCI compliance levels page has the full detail.

SAQ Selection: The Most Consequential Decision

Self-Assessment Questionnaires vary dramatically in scope and effort. Picking the right one — honestly — is the most important compliance decision for small and mid-sized e-commerce merchants.

SAQ Type | When It Applies | Control Count
SAQ A | Outsourced e-commerce with fully hosted payment pages, no merchant handling of CHD | ~20
SAQ A-EP | Merchant controls some part of the payment page, even if CHD is not stored | ~190
SAQ B | Imprint machines and standalone dial-out terminals only (rare for e-commerce) | ~40
SAQ B-IP | Standalone IP-connected terminals only | ~80
SAQ C-VT | Web-based virtual terminal only | ~80
SAQ C | Payment applications with internet connection | ~160
SAQ D-Merchant | Merchants not covered by other SAQs | ~330
SAQ D-Service Provider | Service providers (not merchants) | ~370

Most pure e-commerce merchants using a hosted checkout (Stripe Checkout, Shopify checkout, BigCommerce checkout) qualify for SAQ A. Many merchants think they qualify for SAQ A but don't because of scripts on their payment pages.

For a deeper look, see our self-assessment questionnaire page.

Scope Reduction: The Right Way

Every PCI DSS requirement applies in scope. Reducing scope is how you reduce cost, effort, and risk. The e-commerce playbook:

Hosted Payment Pages

A fully redirected or iframe-based payment page hosted by your processor means your infrastructure never sees PAN. Customer types card data directly into the processor's page; your site never handles it. This is the gold standard for SAQ A eligibility.

Tokenization

For subscription businesses and anyone storing credentials-on-file, tokenize immediately. The processor stores the vault; you store a token. Charging a customer means passing the token to the processor for authorization. Your database never contains PAN.

See our tokenization glossary entry for the technical background.

Third-Party Payment Processors

Using Stripe, Braintree, Adyen, PayPal, or similar processors shifts most scope to them. You still have responsibilities (script monitoring, SAQ completion, AOC review), but you're not operating a CDE yourself.

Scope Documentation

Whatever your scope reduction approach, document it:

  • Data flow diagrams showing where CHD enters, lives, and exits
  • Integration specifications with your processor
  • AOC from your processor on file
  • Written rationale for your SAQ selection

For the full scope reduction playbook, see our PCI scope reduction page.

The v4.0.1 Script Monitoring Requirement

Requirements 6.4.3 and 11.6.1 changed the compliance picture for every e-commerce merchant that uses third-party scripts, which is nearly all of them.

What you must do:

  • Inventory every script loaded on your payment or checkout pages
  • Document business justification for each script
  • Monitor for unauthorized change using integrity monitoring (SRI, CSP, or a dedicated script monitoring tool)
  • Alert on changes to script content
  • Maintain the inventory as you add or remove scripts

Common scripts that trigger this requirement:

  • Analytics (Google Analytics, Meta Pixel, TikTok Pixel, HubSpot)
  • A/B testing (Optimizely, VWO)
  • Customer support chat widgets
  • Heat mapping (Hotjar, FullStory)
  • Fraud screening
  • Retargeting pixels

Each one is a potential skimmer vector. Magecart-family attacks have compromised major brands (British Airways, Ticketmaster, NewEgg, Macy's) through third-party scripts. The new requirements exist because regulators and card networks decided this risk was mission-critical.

Tools that help: Akamai CSM, PerimeterX, Feroot, Jscrambler, c/side. Some are free for small merchants.
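The inventory, justification and change-detection steps above can be prototyped without a commercial tool. The following is an added example, not code from the original post or from any vendor named here: it records each payment-page script with its business justification, baselines a Subresource Integrity (SRI) hash of the script body actually served, and flags unauthorized, changed or missing scripts on the next check. URLs, owners and script bodies are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample inventory for one checkout page (hypothetical URLs/owners).
# Each entry carries the business justification that requirement 6.4.3 asks for.
INVENTORY = {
    "https://cdn.example.test/analytics.js": "Conversion analytics; owner: marketing",
    "https://chat.example.test/widget.js": "Customer support chat; owner: support",
}

# Constructed sample of the script bodies the page served when the baseline was taken.
SERVED_AT_BASELINE = {
    "https://cdn.example.test/analytics.js": b"window.track=function(e){};",
    "https://chat.example.test/widget.js": b"window.chat={open:function(){}};",
}

def sri_hash(body: bytes) -> str:
    """SRI integrity value: 'sha384-' + base64(SHA-384 of the script body)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")

def build_baseline(served: dict) -> dict:
    """Approved hash per inventoried script; a script with no justification is refused."""
    unknown = set(served) - set(INVENTORY)
    if unknown:
        raise ValueError(f"scripts without a documented justification: {sorted(unknown)}")
    return {url: sri_hash(body) for url, body in served.items()}

def check_page(baseline: dict, served_now: dict) -> list:
    """11.6.1-style change detection: returns sorted (finding, url) pairs, empty if clean."""
    findings = []
    for url, body in served_now.items():
        if url not in baseline:
            findings.append(("UNAUTHORIZED_SCRIPT", url))  # loaded but never inventoried
        elif sri_hash(body) != baseline[url]:
            findings.append(("CONTENT_CHANGED", url))      # body differs from approved hash
    for url in baseline:
        if url not in served_now:
            findings.append(("MISSING_SCRIPT", url))       # inventory is stale; update it
    return sorted(findings)

def script_tag(url: str, baseline: dict) -> str:
    """Render the approved script with SRI so the browser refuses a changed body."""
    return f'<script src="{url}" integrity="{baseline[url]}" crossorigin="anonymous"></script>'

if __name__ == "__main__":
    base = build_baseline(SERVED_AT_BASELINE)
    drifted = {**SERVED_AT_BASELINE, "https://cdn.example.test/analytics.js": b"/* modified */"}
    print(check_page(base, drifted))
```

SRI only protects scripts whose hash you control; a vendor that ships frequent updates will break the pin, which is exactly the change the inventory review is meant to catch.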

Other v4.0.1 Requirements to Budget For

  • Stronger authentication. MFA for all administrative and CDE access; longer, more complex passwords.
  • Customized Approach. If you want to meet a control differently, you can — with documented targeted risk analysis.
  • Targeted risk analysis. Required for controls where frequency is not prescribed. Document yours.
  • Network and application penetration testing. Annual external and internal, plus after significant changes.
  • Logging expansion. More event types must be logged; retention is 12 months with 3 months immediately available.

For more on v4 changes, see our v4 transition guide.

The Subscription Business Pattern

Subscription e-commerce has unique PCI patterns:

  • Credentials on file. You must tokenize; storing raw PAN is not acceptable in modern architectures.
  • Recurring billing logic. Your billing system issues charges against tokens. That logic is in scope.
  • Dunning and retry logic. When charges fail and you retry, you're handling payment events. Logging applies.
  • Cancellation and refund flows. Customer data exposure risk.

Most modern subscription platforms (Stripe Billing, Recurly, Chargebee, Zuora) handle this well if configured correctly. Verify your integration actually uses tokens end-to-end, not plaintext CHD in transit.

Marketplace-Specific Considerations

Multi-vendor marketplaces (where third-party sellers transact through your platform) have specific complexities:

  • Are you the merchant of record or facilitator? The answer determines your scope.
  • Funds flow design. Split payments, escrow, aggregated settlement — each pattern has PCI implications.
  • Seller onboarding. KYC/AML layers on top of PCI for regulatory compliance.
  • Dispute and chargeback handling. Access to card data for disputes can pull scope in.

Stripe Connect, Adyen MarketPay, and PayPal for Marketplaces are the common infrastructures. Review their documentation carefully before finalizing your compliance approach.

Common Pitfalls for E-commerce Merchants

  • Claiming SAQ A when you don't qualify. Third-party scripts on your payment page usually disqualify you.
  • Storing PAN unintentionally. Unencrypted backups, logs capturing form submissions, support ticket systems with card data pasted in.
  • Email and chat with CHD. Customers paste card numbers into support emails. You must have processes to redact and document.
  • Sending card data in plain text. Sales teams taking card info by phone and entering into systems that weren't designed for it.
  • Forgetting non-production environments. Dev/staging that accidentally logs production traffic containing CHD.
  • Missing ASV scans. Quarterly external scans by an approved vendor are required.
  • Late AOC collection from processors. Your processor's AOC is on-file evidence; expired AOCs are findings.
  • Ignoring script changes. The Optimizely test your marketing team deployed last week counts.
  • Using abandoned plugins. WordPress, Magento, and Shopify plugins that are unmaintained can be attack vectors.

Cost Expectations

E-commerce PCI costs vary widely by level and SAQ type.

Level 4 (SAQ A, Small Merchant)

Line Item | Typical Cost
ASV quarterly scans | $500–$2K annual
SAQ completion | $0–$3K (DIY or consultant)
Script monitoring tool | $0–$500 monthly
Internal time | 20–40 hours annually

Level 2 (SAQ A-EP)

Line Item | Typical Cost
ASV quarterly scans | $2K–$8K annual
SAQ completion and consulting | $10K–$30K
Penetration testing | $10K–$30K annual
Script monitoring tool | $3K–$15K annual
Internal program | $50K–$150K annual

Level 1 (RoC)

Line Item | Typical Cost
QSA assessment | $50K–$200K
ASV scans | $5K–$20K annual
Penetration testing | $25K–$75K annual
Program staffing | $150K–$500K annual

Getting Started

If you're launching or early:

  1. Choose a processor with hosted checkout (Stripe, Shopify, BigCommerce) to minimize scope
  2. Never touch raw PAN in your infrastructure
  3. Complete SAQ A honestly
  4. Sign up for ASV scans through your processor or directly
  5. Inventory scripts on payment pages and add monitoring

If you're growing past Level 4:

  1. Re-evaluate SAQ eligibility annually
  2. Add script monitoring if you haven't
  3. Consider a readiness assessment before Level 2 triggers
  4. Budget for penetration testing in the coming year
  5. Document your CHD flow thoroughly

Our PCI DSS for fintech guide and PCI DSS v4 transition guide complement this post with more detail on specific aspects.

FAQ

Q: Does Shopify handle PCI for me? A: Shopify handles PCI for its payment processing. You're still a merchant with SAQ obligations. If you're using Shopify Payments and their hosted checkout, you typically qualify for SAQ A. If you use custom checkouts or certain apps that handle card data, you may need a more extensive SAQ.

Q: Do I need PCI compliance if I only use PayPal? A: Yes, you're still a merchant. PayPal-only with their hosted flow typically means SAQ A. You still need to complete it and keep an AOC from PayPal on file.

Q: What happens if I don't comply? A: Your acquirer can charge non-compliance fees (commonly $10K–$100K monthly), raise your transaction fees, terminate your merchant account, or forward you to the card networks for escalation. After a breach, non-compliance multiplies fines dramatically.

Q: Can I store card numbers for my own customers? A: Only through tokenization or with a CDE that satisfies SAQ D. Storing raw PAN in a typical e-commerce infrastructure is not compliant and not defensible after a breach.

Q: How do I handle PCI for my B2B e-commerce? A: Same standard, different volume dynamics. B2B tends toward higher-value, lower-volume transactions, so you may hit fewer transaction-count thresholds but more scope through invoicing, purchase orders, and card-on-file requirements. Plan for SAQ A-EP or SAQ D in most mid-sized B2B shops.


E-commerce PCI is manageable if you start with the right architecture (hosted payment pages, no PAN storage) and stay disciplined about scope as you grow. The new v4.0.1 script monitoring requirement is the single biggest change in years for online merchants — if you haven't addressed it, put it at the top of your list this quarter.

For the full framework reference, see our PCI hub, PCI requirements, compliance levels, and e-commerce industry resources. Ready to run your PCI program without spreadsheets? Start with episki.