[{"data":1,"prerenderedAt":931},["ShallowReactive",2],{"\u002Fnow\u002Fpci-for-ecommerce":3,"\u002Fnow\u002Fpci-for-ecommerce-surround":921},{"id":4,"title":5,"api":6,"authors":7,"body":13,"category":907,"date":908,"description":909,"extension":910,"features":6,"fixes":6,"highlight":6,"image":911,"improvements":6,"meta":913,"navigation":914,"path":915,"seo":916,"stem":919,"__hash__":920},"posts\u002F3.now\u002Fpci-for-ecommerce.md","PCI DSS Compliance for E-commerce (2026)",null,[8],{"name":9,"to":10,"avatar":11},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":12},"\u002Fimages\u002Fjustinleapline.png",{"type":14,"value":15,"toc":881},"minimark",[16,20,23,28,31,48,51,70,74,77,144,147,161,169,173,176,280,283,290,294,297,302,305,309,312,320,324,327,331,334,348,355,359,362,365,397,400,420,423,426,430,462,469,473,476,502,505,509,512,538,541,545,601,605,608,612,658,662,712,716,759,763,766,784,787,804,816,820,826,832,838,844,850,853,856],[17,18,19],"p",{},"E-commerce is where PCI DSS intersects with real business growth. You launch on Shopify or Magento, traffic grows, you start handling more transactions, and suddenly your acquirer sends a letter about Level 2 requirements. Or your legal team asks whether your checkout page is scanning third-party scripts under the new v4.0.1 rules. Or an AOV shift pushes you past a compliance threshold nobody mentioned when you configured your payment stack.",[17,21,22],{},"PCI for e-commerce is not fundamentally hard. But it has specific patterns that differ from brick-and-mortar retail, card-not-present B2B, and financial services. 
This guide is for e-commerce merchants — DTC brands, marketplaces, subscription businesses, and online retailers — who want to run PCI compliance without spending more than they need or missing requirements that suddenly become enforceable.",[24,25,27],"h2",{"id":26},"the-2026-enforcement-reality-for-e-commerce","The 2026 Enforcement Reality for E-commerce",[17,29,30],{},"Two changes matter more than anything else for online merchants:",[32,33,34,42],"ul",{},[35,36,37,41],"li",{},[38,39,40],"strong",{},"Requirements 6.4.3 and 11.6.1"," are now enforced. If you have any third-party scripts on your payment or checkout pages, you must inventory them, justify each one, and monitor them for unauthorized change. This is aimed squarely at Magecart-style skimming attacks, and it applies to merchants of every size.",[35,43,44,47],{},[38,45,46],{},"SAQ A scope has narrowed."," The conditions for using SAQ A have tightened. If your payment page includes any non-iframe JavaScript that could affect checkout behavior, you may no longer qualify for SAQ A and have to use SAQ A-EP or higher.",[17,49,50],{},"If you haven't reviewed your SAQ eligibility in 2025 or 2026, do it now. It's the fastest way to discover a quiet compliance gap.",[17,52,53,54,59,60,64,65,69],{},"For the foundational material this post assumes, start with the ",[55,56,58],"a",{"href":57},"\u002Fframeworks\u002Fpci","PCI framework hub",", the ",[55,61,63],{"href":62},"\u002Fframeworks\u002Fpci\u002Frequirements","PCI requirements overview",", and the ",[55,66,68],{"href":67},"\u002Fframeworks\u002Fpci\u002Fv4-changes","v4.0 changes page",".",[24,71,73],{"id":72},"your-merchant-level-and-what-it-means","Your Merchant Level and What It Means",[17,75,76],{},"The card networks assign merchant levels based on annual Visa or Mastercard transaction volume. 
Your acquirer enforces level-appropriate compliance:",[78,79,80,96],"table",{},[81,82,83],"thead",{},[84,85,86,90,93],"tr",{},[87,88,89],"th",{},"Level",[87,91,92],{},"Transactions\u002FYear",[87,94,95],{},"Typical Requirement",[97,98,99,111,122,133],"tbody",{},[84,100,101,105,108],{},[102,103,104],"td",{},"Level 1",[102,106,107],{},"Over 6M",[102,109,110],{},"Annual RoC by QSA, ASV scans",[84,112,113,116,119],{},[102,114,115],{},"Level 2",[102,117,118],{},"1M–6M",[102,120,121],{},"Annual SAQ (some require RoC), ASV scans",[84,123,124,127,130],{},[102,125,126],{},"Level 3",[102,128,129],{},"20K–1M e-commerce",[102,131,132],{},"Annual SAQ, ASV scans",[84,134,135,138,141],{},[102,136,137],{},"Level 4",[102,139,140],{},"Under 20K e-commerce",[102,142,143],{},"Annual SAQ, ASV scans (varies)",[17,145,146],{},"The nuances:",[32,148,149,152,155,158],{},[35,150,151],{},"Different card networks have slightly different thresholds",[35,153,154],{},"Acquirers can require Level 1 treatment for any merchant they consider high-risk",[35,156,157],{},"A significant breach can push you up a level regardless of volume",[35,159,160],{},"Multi-brand merchants may aggregate volumes",[17,162,163,164,168],{},"For more, our ",[55,165,167],{"href":166},"\u002Fframeworks\u002Fpci\u002Fcompliance-levels","PCI compliance levels page"," has the full detail.",[24,170,172],{"id":171},"saq-selection-the-most-consequential-decision","SAQ Selection: The Most Consequential Decision",[17,174,175],{},"Self-Assessment Questionnaires vary dramatically in scope and effort. 
Picking the right one — honestly — is the most important compliance decision for small and mid-sized e-commerce merchants.",[78,177,178,191],{},[81,179,180],{},[84,181,182,185,188],{},[87,183,184],{},"SAQ Type",[87,186,187],{},"When It Applies",[87,189,190],{},"Control Count",[97,192,193,204,215,226,237,247,258,269],{},[84,194,195,198,201],{},[102,196,197],{},"SAQ A",[102,199,200],{},"Outsourced e-commerce with fully hosted payment pages, no merchant handling of CHD",[102,202,203],{},"~20",[84,205,206,209,212],{},[102,207,208],{},"SAQ A-EP",[102,210,211],{},"Merchant controls some part of payment page, even if CHD not stored",[102,213,214],{},"~190",[84,216,217,220,223],{},[102,218,219],{},"SAQ B",[102,221,222],{},"Imprint machines and standalone dial-out terminals only (rare for e-commerce)",[102,224,225],{},"~40",[84,227,228,231,234],{},[102,229,230],{},"SAQ B-IP",[102,232,233],{},"Standalone IP-connected terminals only",[102,235,236],{},"~80",[84,238,239,242,245],{},[102,240,241],{},"SAQ C-VT",[102,243,244],{},"Web-based virtual terminal only",[102,246,236],{},[84,248,249,252,255],{},[102,250,251],{},"SAQ C",[102,253,254],{},"Payment applications with internet connection",[102,256,257],{},"~160",[84,259,260,263,266],{},[102,261,262],{},"SAQ D-Merchant",[102,264,265],{},"Merchants not covered by other SAQs",[102,267,268],{},"~330",[84,270,271,274,277],{},[102,272,273],{},"SAQ D-Service Provider",[102,275,276],{},"Service providers (not merchants)",[102,278,279],{},"~370",[17,281,282],{},"Most pure e-commerce merchants using a hosted checkout (Stripe Checkout, Shopify checkout, BigCommerce checkout) qualify for SAQ A. 
Many merchants think they qualify for SAQ A but don't because of scripts on their payment pages.",[17,284,285,286,69],{},"For a deeper look, see our ",[55,287,289],{"href":288},"\u002Fframeworks\u002Fpci\u002Fself-assessment-questionnaire","self-assessment questionnaire page",[24,291,293],{"id":292},"scope-reduction-the-right-way","Scope Reduction: The Right Way",[17,295,296],{},"Every PCI DSS requirement applies in scope. Reducing scope is how you reduce cost, effort, and risk. The e-commerce playbook:",[298,299,301],"h3",{"id":300},"hosted-payment-pages","Hosted Payment Pages",[17,303,304],{},"A fully redirected or iframe-based payment page hosted by your processor means your infrastructure never sees PAN. Customer types card data directly into the processor's page; your site never handles it. This is the gold standard for SAQ A eligibility.",[298,306,308],{"id":307},"tokenization","Tokenization",[17,310,311],{},"For subscription businesses and anyone storing credentials-on-file, tokenize immediately. The processor stores the vault; you store a token. Charging a customer means passing the token to the processor for authorization. Your database never contains PAN.",[17,313,314,315,319],{},"See our ",[55,316,318],{"href":317},"\u002Fglossary\u002Ftokenization","tokenization glossary entry"," for the technical background.",[298,321,323],{"id":322},"third-party-payment-processors","Third-Party Payment Processors",[17,325,326],{},"Using Stripe, Braintree, Adyen, PayPal, or similar processors shifts most scope to them. 
You still have responsibilities (script monitoring, SAQ completion, AOC review), but you're not operating a CDE yourself.",[298,328,330],{"id":329},"scope-documentation","Scope Documentation",[17,332,333],{},"Whatever your scope reduction approach, document it:",[32,335,336,339,342,345],{},[35,337,338],{},"Data flow diagrams showing where CHD enters, lives, and exits",[35,340,341],{},"Integration specifications with your processor",[35,343,344],{},"AOC from your processor on file",[35,346,347],{},"Written rationale for your SAQ selection",[17,349,350,351,69],{},"For the full scope reduction playbook, see our ",[55,352,354],{"href":353},"\u002Fframeworks\u002Fpci\u002Fscope-reduction","PCI scope reduction page",[24,356,358],{"id":357},"the-v401-script-monitoring-requirement","The v4.0.1 Script Monitoring Requirement",[17,360,361],{},"Requirements 6.4.3 and 11.6.1 changed the compliance picture for every e-commerce merchant that uses third-party scripts. Which is nearly all of them.",[17,363,364],{},"What you must do:",[32,366,367,373,379,385,391],{},[35,368,369,372],{},[38,370,371],{},"Inventory every script"," loaded on your payment or checkout pages",[35,374,375,378],{},[38,376,377],{},"Document business justification"," for each script",[35,380,381,384],{},[38,382,383],{},"Monitor for unauthorized change"," using integrity monitoring (SRI, CSP, or a dedicated script monitoring tool)",[35,386,387,390],{},[38,388,389],{},"Alert on changes"," to script content",[35,392,393,396],{},[38,394,395],{},"Maintain the inventory"," as you add or remove scripts",[17,398,399],{},"Common scripts that trigger this requirement:",[32,401,402,405,408,411,414,417],{},[35,403,404],{},"Analytics (Google Analytics, Meta Pixel, TikTok Pixel, HubSpot)",[35,406,407],{},"A\u002FB testing (Optimizely, VWO)",[35,409,410],{},"Customer support chat widgets",[35,412,413],{},"Heat mapping (Hotjar, FullStory)",[35,415,416],{},"Fraud screening",[35,418,419],{},"Retargeting 
pixels",[17,421,422],{},"Each one is a potential skimmer vector. Magecart-family attacks have compromised major brands (British Airways, Ticketmaster, NewEgg, Macy's) through third-party scripts. The new requirements exist because regulators and card networks decided this risk was mission-critical.",[17,424,425],{},"Tools that help: Akamai CSM, PerimeterX, Feroot, Jscrambler, c\u002Fside. Some are free for small merchants.",[24,427,429],{"id":428},"other-v401-requirements-to-budget-for","Other v4.0.1 Requirements to Budget For",[32,431,432,438,444,450,456],{},[35,433,434,437],{},[38,435,436],{},"Stronger authentication."," MFA for all administrative and CDE access. Passwords longer and more complex.",[35,439,440,443],{},[38,441,442],{},"Customized Approach."," If you want to meet a control differently, you can — with documented targeted risk analysis.",[35,445,446,449],{},[38,447,448],{},"Targeted risk analysis."," Required for controls where frequency is not prescribed. Document yours.",[35,451,452,455],{},[38,453,454],{},"Network and application penetration testing."," Annual external and internal, plus after significant changes.",[35,457,458,461],{},[38,459,460],{},"Logging expansion."," More event types must be logged; retention is 12 months with 3 months immediately available.",[17,463,464,465,69],{},"For more on v4 changes, see our ",[55,466,468],{"href":467},"\u002Fnow\u002Fpci-dss-v4-transition","v4 transition guide",[24,470,472],{"id":471},"the-subscription-business-pattern","The Subscription Business Pattern",[17,474,475],{},"Subscription e-commerce has unique PCI patterns:",[32,477,478,484,490,496],{},[35,479,480,483],{},[38,481,482],{},"Credentials on file."," You must tokenize; storing raw PAN is not acceptable in modern architectures.",[35,485,486,489],{},[38,487,488],{},"Recurring billing logic."," Your billing system issues charges against tokens. 
That logic is in scope.",[35,491,492,495],{},[38,493,494],{},"Dunning and retry logic."," When charges fail and you retry, you're handling payment events. Logging applies.",[35,497,498,501],{},[38,499,500],{},"Cancellation and refund flows."," Customer data exposure risk.",[17,503,504],{},"Most modern subscription platforms (Stripe Billing, Recurly, Chargebee, Zuora) handle this well if configured correctly. Verify your integration actually uses tokens end-to-end, not plaintext CHD in transit.",[24,506,508],{"id":507},"marketplace-specific-considerations","Marketplace-Specific Considerations",[17,510,511],{},"Multi-vendor marketplaces (where third-party sellers transact through your platform) have specific complexities:",[32,513,514,520,526,532],{},[35,515,516,519],{},[38,517,518],{},"Are you the merchant of record or facilitator?"," The answer determines your scope.",[35,521,522,525],{},[38,523,524],{},"Funds flow design."," Split payments, escrow, aggregated settlement — each pattern has PCI implications.",[35,527,528,531],{},[38,529,530],{},"Seller onboarding."," KYC\u002FAML layers on top of PCI for regulatory compliance.",[35,533,534,537],{},[38,535,536],{},"Dispute and chargeback handling."," Access to card data for disputes can pull scope in.",[17,539,540],{},"Stripe Connect, Adyen MarketPay, and PayPal for Marketplaces are the common infrastructures. 
Review their documentation carefully before finalizing your compliance approach.",[24,542,544],{"id":543},"common-pitfalls-for-e-commerce-merchants","Common Pitfalls for E-commerce Merchants",[32,546,547,553,559,565,571,577,583,589,595],{},[35,548,549,552],{},[38,550,551],{},"Claiming SAQ A when you don't qualify."," Third-party scripts on your payment page usually disqualify you.",[35,554,555,558],{},[38,556,557],{},"Storing PAN unintentionally."," Unencrypted backups, logs capturing form submissions, support ticket systems with card data pasted in.",[35,560,561,564],{},[38,562,563],{},"Email and chat with CHD."," Customers paste card numbers into support emails. You must have processes to redact and document.",[35,566,567,570],{},[38,568,569],{},"Sending card data in plain text."," Sales teams taking card info by phone and entering into systems that weren't designed for it.",[35,572,573,576],{},[38,574,575],{},"Forgetting non-production environments."," Dev\u002Fstaging that accidentally logs production traffic containing CHD.",[35,578,579,582],{},[38,580,581],{},"Missing ASV scans."," Quarterly external scans by an approved vendor are required.",[35,584,585,588],{},[38,586,587],{},"Late AOC collection from processors."," Your processor's AOC is on file evidence; expired AOCs are findings.",[35,590,591,594],{},[38,592,593],{},"Ignoring script changes."," The Optimizely test your marketing team deployed last week counts.",[35,596,597,600],{},[38,598,599],{},"Using abandoned plugins."," WordPress, Magento, and Shopify plugins that are unmaintained can be attack vectors.",[24,602,604],{"id":603},"cost-expectations","Cost Expectations",[17,606,607],{},"E-commerce PCI costs vary widely by level and SAQ type.",[298,609,611],{"id":610},"level-4-saq-a-small-merchant","Level 4 (SAQ A, Small Merchant)",[78,613,614,624],{},[81,615,616],{},[84,617,618,621],{},[87,619,620],{},"Line Item",[87,622,623],{},"Typical 
Cost",[97,625,626,634,642,650],{},[84,627,628,631],{},[102,629,630],{},"ASV quarterly scans",[102,632,633],{},"$500–$2K annual",[84,635,636,639],{},[102,637,638],{},"SAQ completion",[102,640,641],{},"$0–$3K (DIY or consultant)",[84,643,644,647],{},[102,645,646],{},"Script monitoring tool",[102,648,649],{},"$0–$500 monthly",[84,651,652,655],{},[102,653,654],{},"Internal time",[102,656,657],{},"20–40 hours annually",[298,659,661],{"id":660},"level-2-saq-a-ep","Level 2 (SAQ A-EP)",[78,663,664,672],{},[81,665,666],{},[84,667,668,670],{},[87,669,620],{},[87,671,623],{},[97,673,674,681,689,697,704],{},[84,675,676,678],{},[102,677,630],{},[102,679,680],{},"$2K–$8K annual",[84,682,683,686],{},[102,684,685],{},"SAQ completion and consulting",[102,687,688],{},"$10K–$30K",[84,690,691,694],{},[102,692,693],{},"Penetration testing",[102,695,696],{},"$10K–$30K annual",[84,698,699,701],{},[102,700,646],{},[102,702,703],{},"$3K–$15K annual",[84,705,706,709],{},[102,707,708],{},"Internal program",[102,710,711],{},"$50K–$150K annual",[298,713,715],{"id":714},"level-1-roc","Level 1 (RoC)",[78,717,718,726],{},[81,719,720],{},[84,721,722,724],{},[87,723,620],{},[87,725,623],{},[97,727,728,736,744,751],{},[84,729,730,733],{},[102,731,732],{},"QSA assessment",[102,734,735],{},"$50K–$200K",[84,737,738,741],{},[102,739,740],{},"ASV scans",[102,742,743],{},"$5K–$20K annual",[84,745,746,748],{},[102,747,693],{},[102,749,750],{},"$25K–$75K annual",[84,752,753,756],{},[102,754,755],{},"Program staffing",[102,757,758],{},"$150K–$500K annual",[24,760,762],{"id":761},"getting-started","Getting Started",[17,764,765],{},"If you're launching or early:",[767,768,769,772,775,778,781],"ol",{},[35,770,771],{},"Choose a processor with hosted checkout (Stripe, Shopify, BigCommerce) to minimize scope",[35,773,774],{},"Never touch raw PAN in your infrastructure",[35,776,777],{},"Complete SAQ A honestly",[35,779,780],{},"Sign up for ASV scans through your processor or directly",[35,782,783],{},"Inventory 
scripts on payment pages and add monitoring",[17,785,786],{},"If you're growing past Level 4:",[767,788,789,792,795,798,801],{},[35,790,791],{},"Re-evaluate SAQ eligibility annually",[35,793,794],{},"Add script monitoring if you haven't",[35,796,797],{},"Consider a readiness assessment before Level 2 triggers",[35,799,800],{},"Budget for penetration testing in the coming year",[35,802,803],{},"Document your CHD flow thoroughly",[17,805,806,807,811,812,815],{},"Our ",[55,808,810],{"href":809},"\u002Fnow\u002Fpci-dss-fintech","PCI DSS for fintech guide"," and ",[55,813,814],{"href":467},"PCI DSS v4 transition guide"," complement this post with more detail on specific aspects.",[24,817,819],{"id":818},"faq","FAQ",[17,821,822,825],{},[38,823,824],{},"Q: Does Shopify handle PCI for me?","\nA: Shopify handles PCI for its payment processing. You're still a merchant with SAQ obligations. If you're using Shopify Payments and their hosted checkout, you typically qualify for SAQ A. If you use custom checkouts or certain apps that handle card data, you may need a more extensive SAQ.",[17,827,828,831],{},[38,829,830],{},"Q: Do I need PCI compliance if I only use PayPal?","\nA: Yes, you're still a merchant. PayPal-only with their hosted flow typically means SAQ A. You still need to complete it and keep an AOC from PayPal on file.",[17,833,834,837],{},[38,835,836],{},"Q: What happens if I don't comply?","\nA: Your acquirer can charge non-compliance fees (commonly $10K–$100K monthly), raise your transaction fees, terminate your merchant account, or forward you to the card networks for escalation. After a breach, non-compliance multiplies fines dramatically.",[17,839,840,843],{},[38,841,842],{},"Q: Can I store card numbers for my own customers?","\nA: Only through tokenization or with a CDE that satisfies SAQ D. 
Storing raw PAN in a typical e-commerce infrastructure is not compliant and not defensible after a breach.",[17,845,846,849],{},[38,847,848],{},"Q: How do I handle PCI for my B2B e-commerce?","\nA: Same standard, different volume dynamics. B2B tends toward higher-value, lower-volume transactions, so you may hit fewer transaction-count thresholds but more scope through invoicing, purchase orders, and card-on-file requirements. Plan for SAQ A-EP or SAQ D in most mid-sized B2B shops.",[851,852],"hr",{},[17,854,855],{},"E-commerce PCI is manageable if you start with the right architecture (hosted payment pages, no PAN storage) and stay disciplined about scope as you grow. The new v4.0.1 script monitoring requirement is the single biggest change in years for online merchants — if you haven't addressed it, put it at the top of your list this quarter.",[17,857,858,859,862,863,862,866,869,870,874,875,69],{},"For the full framework reference, see our ",[55,860,861],{"href":57},"PCI hub",", ",[55,864,865],{"href":62},"PCI requirements",[55,867,868],{"href":166},"compliance levels",", and ",[55,871,873],{"href":872},"\u002Findustry\u002Fecommerce","e-commerce industry resources",". Ready to run your PCI program without spreadsheets? 
",[55,876,880],{"href":877,"rel":878},"https:\u002F\u002Fepiski.app",[879],"nofollow","Start with episki",{"title":882,"searchDepth":883,"depth":883,"links":884},"",2,[885,886,887,888,895,896,897,898,899,900,905,906],{"id":26,"depth":883,"text":27},{"id":72,"depth":883,"text":73},{"id":171,"depth":883,"text":172},{"id":292,"depth":883,"text":293,"children":889},[890,892,893,894],{"id":300,"depth":891,"text":301},3,{"id":307,"depth":891,"text":308},{"id":322,"depth":891,"text":323},{"id":329,"depth":891,"text":330},{"id":357,"depth":883,"text":358},{"id":428,"depth":883,"text":429},{"id":471,"depth":883,"text":472},{"id":507,"depth":883,"text":508},{"id":543,"depth":883,"text":544},{"id":603,"depth":883,"text":604,"children":901},[902,903,904],{"id":610,"depth":891,"text":611},{"id":660,"depth":891,"text":661},{"id":714,"depth":891,"text":715},{"id":761,"depth":883,"text":762},{"id":818,"depth":883,"text":819},"practices","2026-03-24","A practical PCI DSS guide for e-commerce merchants in 2026 — scope reduction, SAQ selection, script monitoring under v4.0.1, and building a compliance program that scales with GMV.","md",{"src":912},"\u002Fimages\u002Fblog\u002Fpci-4-0.jpg",{},true,"\u002Fnow\u002Fpci-for-ecommerce",{"title":917,"description":918},"PCI DSS Compliance for E-commerce (2026 Guide)","PCI DSS for e-commerce in 2026 — SAQ selection, scope reduction, hosted payment pages, v4.0.1 script monitoring, and scaling compliance as your online store grows.","3.now\u002Fpci-for-ecommerce","LqCqElQ9eebV6VjMbH8xf_8MU0JIIz_vpMu1Tvl4jws",[922,926],{"title":923,"path":467,"stem":924,"description":925,"children":-1},"PCI DSS v4.0: What Changed and How to Prepare","3.now\u002Fpci-dss-v4-transition","A practical guide to PCI DSS v4.0 changes — new requirements, transition timelines, and what payment security teams need to prioritize now.",{"title":927,"path":928,"stem":929,"description":930,"children":-1},"PCI DSS Compliance for Financial Services 
(2026)","\u002Fnow\u002Fpci-for-finance","3.now\u002Fpci-for-finance","A practical PCI DSS guide for fintech, banks, and payment processors in 2026 — covering scope, v4.0.1 requirements, high-volume environments, and interaction with banking regulators.",1776395332487]
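The script-monitoring section above ("Inventory every script ... Monitor for unauthorized change using integrity monitoring (SRI, CSP, or a dedicated script monitoring tool)") describes the Requirement 6.4.3 inventory and the 11.6.1 change detection in prose only. The following is an added example, not code from the post or from any product it names, showing the minimum a merchant can run itself: keep an inventory with a justification per script, pin each script with a Subresource Integrity digest, emit a `script-src` directive restricted to the inventoried origins, and diff what the live checkout page serves against the approved baseline. The hostnames, script bodies and the "tampered" analytics tag are constructed assumptions for illustration.

```python
"""Checkout-page script inventory and integrity check (PCI DSS 6.4.3 / 11.6.1).

Added example for the script-monitoring section of the post above; the URLs,
script bodies and digests are constructed for illustration and are not real
vendor assets.
"""
import base64
import hashlib
from urllib.parse import urlsplit

# Requirement 6.4.3 inventory: every script loaded on the payment page, who owns
# it, and the written business justification. (Constructed sample inventory.)
AUTHORIZED_SCRIPTS = {
    "https://js.payments.example/v3/checkout.js": {
        "owner": "payments",
        "justification": "Processor-hosted iframe loader; required to take payment",
    },
    "https://cdn.analytics.example/tag.js": {
        "owner": "marketing",
        "justification": "Conversion tracking; approved by security review 2026-01",
    },
}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity digest, e.g. 'sha384-<base64>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    raw = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def script_tag(url: str, digest: str) -> str:
    """Render the tag the page should ship: integrity pins the exact content,
    crossorigin is required for the browser to enforce SRI on a cross-origin script."""
    return f'<script src="{url}" integrity="{digest}" crossorigin="anonymous"></script>'


def csp_script_src(inventory) -> str:
    """Build a script-src directive allowing only the inventoried origins, so a
    script injected from any other host is refused before it runs."""
    origins = sorted({f"{u.scheme}://{u.netloc}" for u in map(urlsplit, inventory)})
    return "script-src 'self' " + " ".join(origins) + ";"


def check_page(baseline: dict, observed: dict) -> list:
    """Requirement 11.6.1 check: compare what the live page serves against the
    approved baseline. baseline maps url -> approved SRI digest; observed maps
    url -> script body as fetched now. Returns a list of findings."""
    findings = []
    for url, body in observed.items():
        actual = sri_digest(body)
        if url not in baseline:
            findings.append({"url": url, "status": "unauthorized", "actual": actual})
        elif actual != baseline[url]:
            findings.append({"url": url, "status": "changed",
                             "expected": baseline[url], "actual": actual})
    for url in baseline:
        if url not in observed:
            findings.append({"url": url, "status": "missing"})
    return findings


# Constructed script bodies as approved at review time.
APPROVED_BODIES = {
    "https://js.payments.example/v3/checkout.js":
        b"window.Checkout = function () { /* renders the processor iframe */ };",
    "https://cdn.analytics.example/tag.js":
        b"window.track = function (e) { navigator.sendBeacon('/collect', e); };",
}
BASELINE = {url: sri_digest(body) for url, body in APPROVED_BODIES.items()}

# Constructed 'live' state: the analytics tag now also reads the card field and
# an unapproved script from another host has appeared on the page.
LIVE_BODIES = dict(APPROVED_BODIES)
LIVE_BODIES["https://cdn.analytics.example/tag.js"] += (
    b"document.querySelector('#card').addEventListener('input', window.track);"
)
LIVE_BODIES["https://static.unknown-cdn.example/lib.js"] = b"/* never approved */"


def demo() -> list:
    """Run the 11.6.1 comparison over the constructed live page."""
    return check_page(BASELINE, LIVE_BODIES)


if __name__ == "__main__":
    for url in AUTHORIZED_SCRIPTS:
        print(script_tag(url, BASELINE[url]))
    print("Content-Security-Policy:", csp_script_src(AUTHORIZED_SCRIPTS))
    for f in demo():
        print(f["status"].upper(), f["url"])
```

Two caveats a practitioner should keep in mind. SRI only works when the vendor serves a stable file; tag managers and analytics loaders that change content daily will produce a steady stream of "changed" findings, and the right response to each is a human decision about whether the new version is authorized, with the baseline update itself treated as a reviewed change rather than an automatic re-pin. The CSP host allowlist and the SRI digest are complementary, not interchangeable: the allowlist stops scripts injected from a host you never approved, while the digest catches a compromised file on a host you did approve, which is the Magecart pattern the post describes.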
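The "Storing PAN unintentionally" and "Email and chat with CHD" pitfalls above, and the subscription-section advice to "verify your integration actually uses tokens end-to-end, not plaintext CHD in transit", all come down to the same check: find card numbers where they should not be. The following is an added example, not code from the post, of a PAN discovery and redaction pass a merchant can run over application logs, support-ticket exports or a staging database dump. It combines a 13-19 digit pattern with a Luhn check so that order ids, tracking numbers and timestamps are not reported, and masks anything it finds to first-six/last-four before it is written to a finding. The log lines are constructed; the card numbers in them are the publicly documented test PANs, not real cards.

```python
"""Find and redact primary account numbers that leaked into logs or tickets.

Added example for the 'Storing PAN unintentionally' and 'Email and chat with
CHD' pitfalls in the post above. The log lines and card numbers below are
constructed (the numbers are the well-known test PANs), not real data.
"""
import re

# A candidate PAN is a run of 13-19 digits, optionally separated by single
# spaces or dashes, not glued to other word characters (so 'tok_...' style
# tokens and longer numeric ids are not split into partial matches).
PAN_CANDIDATE = re.compile(r"(?<!\w)(?:\d[ -]?){12,18}\d(?!\w)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; every card brand's PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the most PCI DSS 3.4.1 allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Yield (matched_text, digits) for each Luhn-valid candidate in text."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn plus a trivial-repetition filter removes most order ids and
        # epoch timestamps; treat anything left as CHD until proven otherwise.
        if luhn_ok(digits) and len(set(digits)) > 1:
            yield m.group(0), digits


def scan_log(lines) -> list:
    """Return one finding per PAN found, keeping only the masked value."""
    findings = []
    for n, line in enumerate(lines, 1):
        for _raw, digits in find_pans(line):
            findings.append({"line": n, "masked": mask_pan(digits)})
    return findings


def redact(text: str) -> str:
    """Replace every PAN in text with its masked form (ticket/email cleanup)."""
    for raw, digits in find_pans(text):
        text = text.replace(raw, mask_pan(digits))
    return text


# Constructed log lines: a correct token-based charge, a debug line that logged
# a raw form post, a support note, and a shipment id that is not a card number.
SAMPLE_LOG = [
    '2026-03-24T10:15:22Z INFO charge order=A-1001 token=tok_9f3c2d1e amount=4900',
    '2026-03-24T10:15:23Z DEBUG form_post body={"card":"4111 1111 1111 1111","exp":"12/28"}',
    '2026-03-24T10:16:02Z INFO ticket#5512 note="customer read 378282246310005 over the phone"',
    '2026-03-24T10:16:40Z INFO shipment tracking=1000000000000002 carrier=UPS',
]


def demo() -> list:
    """Scan the constructed log; only lines 2 and 3 contain real PANs."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f['line']}: PAN {f['masked']}")
    print(redact(SAMPLE_LOG[2]))
```

The first line shows what a correct integration leaves behind: a processor token and an amount, nothing that passes the Luhn test. The second line is the classic scope-creep failure the post warns about, a debug logger that captured a raw form post; once that line exists the log store, its backups and anyone with read access to them are in scope. A Luhn match is a strong signal but not proof, so a finding should trigger a human look at the source system and, if confirmed, secure deletion plus a fix to the logging path, not merely redaction of the copy you scanned.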