What Is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards developed by the Payment Card Industry Security Standards Council (PCI SSC), a body formed by Visa, Mastercard, American Express, Discover, and JCB. The standards apply globally, including in Canada.
If your business stores, processes, or transmits cardholder data (credit or debit card information), you must comply with PCI DSS. This applies to virtually every business that accepts card payments in Canada.
PCI Compliance Levels
Your compliance requirements depend on how many card transactions you process annually:
| Level | Annual Transactions | Requirements |
|---|---|---|
| Level 1 | Over 6 million/year | Annual on-site audit by a QSA + quarterly network scans |
| Level 2 | 1–6 million/year | Annual Self-Assessment Questionnaire (SAQ) + quarterly scans |
| Level 3 | 20,000–1 million e-commerce | Annual SAQ + quarterly scans |
| Level 4 | Under 20,000 e-commerce / under 1M other | Annual SAQ (may not require scans) |
The vast majority of Canadian small and medium businesses are Level 4 merchants. This is the simplest compliance tier.
The 12 PCI DSS Requirements
PCI DSS version 4.0 (current as of 2026) has 12 core requirements:
1. Install and maintain a firewall to protect cardholder data
2. Don't use vendor-supplied defaults for system passwords and security parameters
3. Protect stored cardholder data: encrypt, truncate, or don't store it at all
4. Encrypt transmission of cardholder data across open networks
5. Use and update antivirus software on all systems
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data on a need-to-know basis
8. Assign unique IDs to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a security policy that addresses information security for all personnel
How Modern Payment Processors Simplify PCI Compliance
The good news: if you use a modern payment processor properly, the hardest parts of PCI compliance are handled for you.
Tokenization
When you use Stripe, Helcim, Square, or Shopify Payments through their hosted card fields or checkout (rather than collecting card numbers in your own form and forwarding them), your customers' card data never touches your servers. The card number is tokenized, that is, replaced with a random identifier, before it reaches you. This means you never store cardholder data, dramatically reducing your PCI scope.
Hosted Payment Pages
Using a hosted payment page (Stripe Checkout, Helcim's hosted page) means your website never sees card numbers at all. The customer enters their card on the processor's secure page, and you receive only a token.
P2PE (Point-to-Point Encryption)
Certified P2PE terminals encrypt card data immediately at the card reader, before it ever reaches your POS software. Square's hardware and Helcim's terminals are P2PE certified, meaning your in-person card data is also never exposed on your local network.
PCI SAQ Types: Which Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in several versions:
- SAQ A: For merchants using hosted payment pages (the easiest, with just 22 questions). This covers most Shopify, Stripe Checkout, and Helcim hosted-page users.
- SAQ B: For merchants using imprint machines or standalone terminals (not connected to the internet). Rare today.
- SAQ C-VT: For merchants using a virtual terminal on a computer.
- SAQ D: For merchants storing card data or using complex payment environments (the hardest, with 329 questions).
Most small Canadian businesses using modern processors will complete SAQ A. It takes 15–20 minutes.
PCI Fees: What Processors Charge
| Processor | PCI Compliance Fee |
|---|---|
| Helcim | $0 (included) |
| Stripe | $0 (included) |
| Square | $0 (included) |
| Moneris | ~$9.95/month if not self-compliant |
| Clover | Varies; check contract |
| Older bank merchant services | $9.95–$19.95/month common |
Some older payment processors charge a "PCI non-compliance fee" of $10–$30/month if you haven't submitted your annual SAQ. This is a revenue grab; complete your SAQ to avoid it.
Steps to Achieve PCI Compliance as a Canadian Small Business
- Choose a compliant processor: Stripe, Helcim, Square, and Shopify Payments all make this easy.
- Use a hosted payment page or P2PE terminal: This minimizes your scope.
- Complete your SAQ annually: Log into your processor's dashboard; most provide an SAQ wizard.
- Never store card numbers: Don't write down card numbers, don't store them in spreadsheets. Use tokens only.
- Secure your network: Use a firewall, change default passwords, and use WPA2 or WPA3 encryption on your Wi-Fi.
- Keep software updated: POS software, operating systems, and antivirus must be current.
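Requirement 3 ("protect stored cardholder data") and the "never store card numbers" step above both come down to one check: that raw card numbers (PANs) are not sitting in your own order logs, databases, or spreadsheet exports. The scanner below is an added illustration, not code from the original article or from any processor; it finds Luhn-valid card numbers in text and reports them only in the truncated form PCI DSS permits (at most the first six and last four digits). The log lines are constructed, and 4111 1111 1111 1111 is a standard test card number, not a real card.

```python
import re

# Constructed sample of a small merchant's order log. Line 2 leaks a full PAN;
# line 3 holds only a processor token and a truncated PAN, which is what PCI DSS expects.
SAMPLE_LOG = [
    "2026-01-05 order=1042 token=tok_1AbCdEf amount=49.99 status=ok",
    "2026-01-05 order=1043 card=4111 1111 1111 1111 exp=12/28 status=ok",
    "2026-01-05 order=1044 token=tok_2GhIjKl card=411111******1111 status=ok",
    "2026-01-05 order=1045 phone=604-555-0199 ref=12345678901234 status=ok",
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; weeds out order numbers, phone numbers, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtracting 9 if it exceeds 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in text that look like PANs and pass the Luhn check."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits only, the form PCI DSS allows for display or storage."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Report (line number, truncated PAN) for each raw PAN found; the report never holds a full PAN."""
    return [(n, truncate_pan(pan)) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: raw card number found; the most you may keep is {masked}")
```

Run it against an export of your order database or POS logs; any hit means card data is being stored outside the processor and your SAQ A answers no longer hold.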
Bottom Line
PCI compliance sounds intimidating but is manageable for most Canadian small businesses. Use a modern processor (Stripe, Helcim, Square), use their hosted checkout or P2PE terminal, complete your annual SAQ A (15 minutes), and you're done. The businesses that get into trouble are those that try to store card data themselves or use outdated payment systems.