Do I need PCI DSS compliance if I use Stripe or PayPal?

Yes. Even if you never directly handle card numbers, you still need to comply with PCI DSS. Using a third-party processor like Stripe or PayPal reduces your scope significantly — you likely qualify for SAQ A, the simplest self-assessment — but you must still complete that questionnaire annually, maintain a secure website, and ensure no cardholder data leaks through your pages. The responsibility for compliance always sits with the merchant, not the payment provider.

What is the difference between PCI DSS v3.2.1 and v4.0.1?

PCI DSS v4.0.1 (effective 2025) introduces a customized approach for meeting requirements, stronger authentication rules including mandatory multi-factor authentication for all access to the cardholder data environment, enhanced client-side security requirements like script integrity monitoring (Requirement 6.4.3), and continuous security monitoring instead of point-in-time checks. The older v3.2.1 was officially retired on March 31, 2024, so all assessments must now use v4.0.1.

How much does PCI DSS compliance cost for a small e-commerce store?

For a small merchant (Level 4, fewer than 20,000 e-commerce transactions per year) using a hosted payment page, costs can be quite modest: $200–$500 per year for a Self-Assessment Questionnaire (SAQ) if your acquiring bank requires a QSA review, plus the cost of any security tools like WAF, SSL certificates, and vulnerability scanning ($50–$300/month). The real cost is the time and expertise needed to implement and maintain the controls. Partnering with a knowledgeable agency can save both time and money in the long run.

PCI DSS Compliance for E-Commerce Sites: Complete 2025 Guide

Why PCI DSS Compliance Matters More Than Ever in 2025

If you run an online store that accepts credit or debit card payments — and virtually every e-commerce site does — PCI DSS compliance isn’t optional. It’s a contractual obligation enforced by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through your acquiring bank.

Here’s the critical timeline: PCI DSS v4.0.1 is now the only valid standard. The previous version (v3.2.1) was retired on March 31, 2024, and the future-dated requirements of v4.0 became mandatory on March 31, 2025. If your compliance program is still based on the old standard, you’re already behind.

The stakes are high. According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach in the retail sector reached $3.48 million. Beyond breach costs, non-compliant merchants face:

Fines of $5,000 to $100,000 per month from card brands
Increased transaction fees or loss of card processing privileges
Legal liability for fraudulent transactions using stolen data
Reputational damage that can destroy customer trust overnight

Let’s break down exactly what you need to know and do.

What Is PCI DSS? A Quick Refresher

PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

The standard is managed by the PCI Security Standards Council (PCI SSC), founded by the five major card brands. It applies to every entity in the payment chain — from massive payment processors down to a small Prestashop boutique selling handmade candles.

PCI DSS v4.0.1 organizes its requirements into 12 core requirements grouped under 6 goals:

Goal	Requirements
Build and Maintain a Secure Network and Systems	1. Install and maintain network security controls
	2. Apply secure configurations to all system components
Protect Account Data	3. Protect stored account data
	4. Protect cardholder data with strong cryptography during transmission
Maintain a Vulnerability Management Program	5. Protect all systems and networks from malicious software
	6. Develop and maintain secure systems and software
Implement Strong Access Control Measures	7. Restrict access to system components by business need-to-know
	8. Identify users and authenticate access to system components
	9. Restrict physical access to cardholder data
Monitor and Test Networks	10. Log and monitor all access to system components and cardholder data
	11. Test security of systems and networks regularly
Maintain an Information Security Policy	12. Support information security with organizational policies and programs

PCI DSS Merchant Levels: Where Do You Fit?

Not every merchant faces the same validation requirements. Card brands classify merchants into four levels based on annual transaction volume:

Level 1: Over 6 million card transactions per year — requires an annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV).
Level 2: 1 to 6 million transactions per year — annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans.
Level 3: 20,000 to 1 million e-commerce transactions per year — annual SAQ and quarterly ASV scans.
Level 4: Fewer than 20,000 e-commerce transactions or up to 1 million non-e-commerce transactions per year — annual SAQ; ASV scans as determined by acquirer.

Most small and mid-size online stores fall into Level 3 or Level 4. But don’t let that lull you into complacency — a breach at any level triggers the same consequences.

Understanding SAQ Types for E-Commerce

The Self-Assessment Questionnaire isn’t one-size-fits-all. Which SAQ you complete depends on how you handle cardholder data:

SAQ A — Fully Outsourced Payment Page

This is the simplest questionnaire (26 requirements in v4.0.1). It applies if:

Your entire payment page is hosted by a PCI DSS-compliant third party (e.g., Stripe Checkout, PayPal hosted buttons, Shopify Payments)
Your website never touches, processes, or stores cardholder data
You confirm your third-party provider is PCI DSS compliant

New in v4.0.1: Even SAQ A merchants must now confirm they have controls to prevent scripts on their payment pages from being tampered with (Requirement 6.4.3 and 11.6.1). This is a major change.

SAQ A-EP — Partially Outsourced with Redirect or iFrame

This is more extensive (139 requirements). It applies when your website controls the payment page that redirects to or includes an iframe from a third-party processor. If you use a JavaScript-based integration (like Stripe Elements embedded on your own page), you likely fall here.

SAQ D — The Full Questionnaire

With over 300 requirements, SAQ D applies to merchants who directly handle cardholder data on their own servers. This is increasingly rare for e-commerce — and for good reason. Unless you have a dedicated security team, you should architect your payment flow to avoid SAQ D.

Key PCI DSS v4.0.1 Changes Every E-Commerce Merchant Must Know

The 2025 enforcement of all v4.0.1 requirements introduces several changes that directly impact online stores:

1. Client-Side Script Security (Requirements 6.4.3 and 11.6.1)

This is arguably the biggest change for e-commerce. You must now:

Maintain an inventory of all JavaScript loaded on your payment pages
Ensure each script is authorized and justified
Implement a method to detect unauthorized modifications to scripts

This directly addresses Magecart-style attacks — where malicious JavaScript is injected into checkout pages to skim credit card data. These attacks affected major brands like British Airways (fined £20 million) and Ticketmaster.

Here’s an example of implementing a Content Security Policy (CSP) header to control which scripts can execute on your payment page:

# Nginx configuration for Content Security Policy on payment pages
location /checkout {
    add_header Content-Security-Policy
        "default-src 'self'; 
         script-src 'self' https://js.stripe.com https://www.googletagmanager.com; 
         frame-src https://js.stripe.com https://hooks.stripe.com; 
         connect-src 'self' https://api.stripe.com; 
         style-src 'self' 'unsafe-inline'; 
         img-src 'self' data: https://*.stripe.com; 
         font-src 'self'; 
         object-src 'none'; 
         base-uri 'self';"
        always;

    # Subresource Integrity (SRI) should also be used for all third-party scripts
    # Report-only mode first for testing:
    # add_header Content-Security-Policy-Report-Only "..." always;
}

You should also consider using Subresource Integrity (SRI) hashes on script tags and deploying a real-time monitoring solution that alerts you when scripts change unexpectedly.

2. Multi-Factor Authentication (Requirement 8.4.2)

MFA is now required for all access to the Cardholder Data Environment (CDE) — not just remote access. For e-commerce, this means:

Admin panels (WordPress, Prestashop, Magento back offices)
Server SSH/RDP access
Database management tools
Any cloud console (AWS, hosting control panels)

3. Authenticated Vulnerability Scanning (Requirement 11.3.1.2)

Internal vulnerability scans must now use authenticated scanning (i.e., scanning with valid credentials to get deeper visibility into system vulnerabilities). This catches far more issues than unauthenticated scans.

4. Targeted Risk Analysis (Requirement 12.3.1)

Where the standard allows flexibility in frequency of certain activities (like log reviews or script monitoring), you must perform a documented, targeted risk analysis to justify your chosen frequency. “We check quarterly because we always have” is no longer sufficient.

A Practical PCI DSS Compliance Checklist for 2025

Here’s a condensed, actionable checklist for a typical e-commerce merchant (Level 3–4, using a hosted or iframe-based payment integration):

Network and System Security

Firewall (or cloud security group) rules reviewed and documented
No default passwords on any system component
TLS 1.2 or higher enforced on all pages (not just checkout)
Unnecessary services, ports, and protocols disabled
Web Application Firewall (WAF) deployed in front of your store

Payment Page Security

Payment processing fully outsourced to a PCI DSS-compliant provider
Content Security Policy headers implemented on checkout pages
Inventory of all scripts on payment pages maintained and reviewed
Script integrity monitoring in place (SRI hashes or monitoring tool)
HTTP security headers configured (X-Frame-Options, X-Content-Type-Options, etc.)

Access Control

MFA enabled on all admin and CDE access points
Unique user accounts for every individual (no shared “admin” accounts)
Role-based access control with least-privilege principle
Access reviews conducted at least every six months
Password policy enforced: minimum 12 characters (v4.0.1 increase from 7)

Monitoring and Testing

Quarterly external vulnerability scans by an ASV
Internal authenticated vulnerability scans at least quarterly
Penetration test at least annually (or after significant changes)
Audit logs enabled and retained for at least 12 months
Log monitoring process defined and operational

Policies and Documentation

Information security policy documented and approved by management
Incident response plan documented and tested
Targeted risk analyses performed where required
Security awareness training for all staff annually
Third-party service providers’ PCI compliance validated annually

Common PCI DSS Mistakes E-Commerce Merchants Make

After over 20 years of building and securing e-commerce sites, the team at Lueur Externe has seen these recurring mistakes:

Mistake 1: Assuming “Outsourced = Not My Problem”

Using Stripe, Adyen, or PayPal doesn’t eliminate your PCI obligations. You still control the web page where customers decide to pay. If that page is compromised, a skimmer can capture card data before it reaches the payment processor.

Mistake 2: Ignoring the Admin Panel

Many merchants lock down their storefront but leave their CMS admin panel exposed with weak passwords, no MFA, and no IP restrictions. Your Prestashop /admin-xyz/ or WordPress /wp-admin/ is a prime target.

Mistake 3: Forgetting About Third-Party Scripts

The average e-commerce checkout page loads scripts from 7 to 15 different third-party domains — analytics, chat widgets, A/B testing tools, retargeting pixels. Each one is a potential vector for a Magecart attack. Under v4.0.1, you must inventory and monitor every single one.

Mistake 4: Treating Compliance as a One-Time Event

PCI DSS v4.0.1 explicitly moves toward continuous security rather than annual point-in-time checks. Compliance is a daily operational practice, not a checkbox exercise.

PCI DSS Compliance for Popular E-Commerce Platforms

Prestashop

Prestashop is a self-hosted open-source platform, which means you are responsible for the full server environment. This includes OS patching, PHP updates, database security, and TLS configuration. As a certified Prestashop expert agency, Lueur Externe regularly audits and hardens Prestashop installations to meet PCI DSS requirements — from configuring CSP headers to implementing proper admin access controls and ensuring payment modules use compliant integration methods.

Key actions for Prestashop merchants:

Use only PCI DSS-compliant payment modules (Stripe, PayPal, Adyen official modules)
Keep Prestashop core and all modules updated
Restrict admin access by IP and enforce MFA
Deploy the store on a properly hardened server (Lueur Externe’s AWS-based hosting solutions handle this by design)

WordPress + WooCommerce

WooCommerce follows a similar model. The Stripe for WooCommerce plugin, for example, uses Stripe Elements — which means your checkout page embeds an iframe for card entry but is hosted on your domain. This typically puts you in SAQ A-EP territory.

Critical steps:

Minimize plugins — each one increases your attack surface
Use a reputable managed hosting provider with WAF and intrusion detection
Monitor all scripts loaded on /checkout/ pages
Implement strict Content Security Policy headers

Hosted Platforms (Shopify, BigCommerce)

If you use a fully hosted solution like Shopify, the platform handles most PCI requirements on your behalf. You’ll typically qualify for SAQ A. However, you’re still responsible for:

Your Shopify admin account security (strong passwords, MFA)
Vetting any third-party apps you install
Ensuring your custom theme code doesn’t introduce vulnerabilities

The Cost of Non-Compliance vs. the Cost of Compliance

Let’s put this in perspective with real numbers:

Scenario	Estimated Cost
Annual SAQ completion + ASV scans (Level 4 merchant)	$500 – $2,000/year
Security hardening and monitoring tools	$1,200 – $6,000/year
Professional compliance audit + remediation by an agency	$3,000 – $15,000 (one-time + annual review)
Total proactive compliance budget	$4,700 – $23,000/year
Monthly non-compliance fine (from card brands)	$5,000 – $100,000/month
Average cost of a data breach (retail, IBM 2024)	$3,480,000
Forensic investigation after a breach	$20,000 – $100,000
Customer notification + credit monitoring	$150 – $300 per affected individual
PCI penalty after a breach (Level 4 merchant)	$50,000 – $500,000

The math is simple. Investing a few thousand dollars in proactive compliance is a fraction of the cost of a single incident.

How Lueur Externe Helps E-Commerce Businesses Achieve PCI DSS Compliance

Since 2003, Lueur Externe has been building, hosting, and securing e-commerce websites for businesses across France and internationally. Based in the Alpes-Maritimes (06), the agency combines deep expertise in Prestashop development, WordPress/WooCommerce, AWS infrastructure (Solutions Architect certified), and SEO with a strong focus on security and compliance.

Here’s what a typical PCI DSS compliance engagement looks like:

Gap analysis — We assess your current setup against PCI DSS v4.0.1 requirements and identify gaps.
Architecture review — We ensure your payment integration minimizes your compliance scope (SAQ A whenever possible).
Server hardening — For self-hosted platforms, we configure firewalls, TLS, access controls, logging, and monitoring on AWS or your preferred infrastructure.
Client-side security — We implement CSP headers, script inventories, SRI, and monitoring to meet Requirements 6.4.3 and 11.6.1.
Documentation support — We help you complete your SAQ and prepare the supporting evidence.
Ongoing monitoring — We provide continuous vulnerability scanning, patching, and incident response readiness.

Conclusion: Don’t Wait for a Breach to Take PCI DSS Seriously

PCI DSS compliance in 2025 isn’t the same as it was five years ago. Version 4.0.1 raises the bar significantly, especially for e-commerce merchants who must now actively monitor and secure the client-side scripts on their payment pages.

Whether you’re running a Prestashop store processing 500 orders a month or a multi-brand WooCommerce operation handling tens of thousands of transactions, the requirements apply to you — and the penalties for ignoring them are severe.

The good news? With the right architecture, the right tools, and the right partner, compliance is absolutely achievable without disrupting your business.

Ready to secure your e-commerce site and achieve PCI DSS compliance? Contact Lueur Externe for a free initial assessment. With over two decades of e-commerce and infrastructure expertise, we’ll help you build a security posture that protects your customers, your revenue, and your reputation.