PCI DSS for E-commerce: Complete Compliance Guide
Quick Answer
E-commerce merchants must comply with PCI DSS if they accept online card payments. Most can qualify for SAQ A by using a hosted payment page or a processor-hosted iframe, so that card data never touches a page they control. Integrations that render card fields into your own page's DOM (direct-post or JavaScript forms) fall under the much longer SAQ A-EP. Key concerns are securing the checkout page itself, managing third-party scripts on it, and detecting web-skimming (Magecart-style) tampering.
PCI DSS Compliance for Online Stores
If you run an online store that accepts credit or debit card payments, PCI DSS applies to you. The good news: e-commerce merchants have some of the best options for minimizing their compliance scope by outsourcing payment handling to third-party processors. The challenge: even with outsourced payments, your website still plays a role in the transaction chain.
Key Takeaways
- Most e-commerce merchants can qualify for SAQ A (22 questions in v3.2.1, 31 in v4.0) with a fully hosted payment page or a processor-hosted iframe
- Integrations that render card fields into your own page (direct-post or JavaScript forms) require SAQ A-EP (191 questions in v3.2.1); check how your processor's library works before assuming, since iframe-based libraries such as Stripe Elements are documented by the processor as SAQ A-eligible
- PCI DSS 4.0 adds requirements 6.4.3 and 11.6.1 for inventorying, authorizing and tamper-monitoring scripts on payment pages, mandatory since 31 March 2025
- Web skimming attacks (Magecart-style) are the top threat to e-commerce card data
- Tokenization removes stored card data from your environment, dramatically reducing scope; how the card number is captured still determines your SAQ
Payment Integration Options and SAQ Impact
| Integration Type | How It Works | SAQ Type | Questions (v3.2.1) |
|---|---|---|---|
| Hosted payment page (redirect) | Customer leaves your site to enter card details on the processor's page | SAQ A | 22 |
| Hosted iframe | Processor's payment form (or individual card fields) embedded in your page via iframes served from the processor's domain | SAQ A | 22 |
| JavaScript / direct-post integration | Processor's JS library renders card fields directly into your page's DOM and posts them to the processor; card data transits your page but not your server | SAQ A-EP | 191 |
| Direct API integration | Your server collects card data and sends it to the processor's API | SAQ D (merchant) | 329 |
| Custom checkout page | You build and host the entire payment form and handle card data yourself | SAQ D (merchant) | 329 |
✅ The best choice for most e-commerce sites
Use a hosted payment page (such as Stripe Checkout) or a processor-hosted iframe to qualify for SAQ A. The question counts above are from the PCI DSS v3.2.1 SAQs (SAQ A grew to 31 questions in v4.0), but the relative order is unchanged: SAQ A removes the bulk of the server-side requirements. It does not make your site irrelevant. The page that serves the redirect link or embeds the iframe is still the attacker's target, because a script injected there can swap the iframe for a look-alike form or capture keystrokes before they reach it, which is why the 4.0 payment-page requirements below apply even to hosted integrations. Confirm the SAQ with your acquirer rather than assuming.
New PCI DSS 4.0 Requirements for E-commerce
PCI DSS 4.0 introduced several requirements that specifically impact e-commerce merchants, particularly around payment page security and third-party script management.
- Requirement 6.4.3: Every script loaded and executed in the consumer's browser on a payment page must be authorized, have its integrity assured, and appear in an inventory with a written business justification
- Requirement 11.6.1: Deploy a change- and tamper-detection mechanism that alerts on unauthorized modification (including additions, deletions and indicators of compromise) to the HTTP headers and the content of payment pages as received by the consumer's browser, evaluated at least every seven days or at a frequency justified by a targeted risk analysis
- Requirement 12.3.1: The targeted risk analysis that documents and justifies any 11.6.1 check frequency less often than weekly
- Both 6.4.3 and 11.6.1 were future-dated best practices until 31 March 2025, when they became mandatory
- These requirements specifically target Magecart-style web skimming
- Content Security Policy (CSP) headers and Subresource Integrity (SRI) are common building blocks, but neither is sufficient on its own: SRI cannot pin a third-party script the vendor updates in place (most processor libraries), and CSP does not detect a compromised script served from an allowed origin, so a monitoring mechanism is still needed for 11.6.1
Protecting Against Web Skimming
Web skimming (also called Magecart attacks or e-skimming) is the injection of malicious JavaScript into e-commerce checkout pages to steal card data as customers enter it. This is the number one threat to e-commerce payment security and the primary driver behind PCI DSS 4.0's new script management requirements.
Anti-Skimming Defense Strategy
Inventory all scripts on payment pages
Document every JavaScript file, inline script, and third-party resource loaded on your checkout pages, with the origin, the owner, and the business justification for each. Remove any that are not strictly necessary; every script that remains can read the DOM of the payment page.
Implement Content Security Policy
Deploy CSP headers whose script-src allowlists only approved origins, and permit inline scripts by hash or nonce rather than 'unsafe-inline'. This blocks scripts injected from arbitrary hosts, but not a malicious change to a script served from an origin you already allow. Roll it out in Content-Security-Policy-Report-Only first and review the violation reports before enforcing.
Use Subresource Integrity (SRI)
Add integrity attributes to script tags so browsers verify the file's hash before executing it. SRI works for scripts whose content you control or pin to a fixed version; it cannot be used for processor libraries that are updated in place (their hash changes on every release), so those must be covered by monitoring instead.
Deploy real-time monitoring
Use a client-side monitoring agent or a synthetic-browser service that periodically loads your checkout page and compares the scripts, DOM and HTTP headers it receives against the approved baseline, alerting on new scripts, modified inline code, or requests to unknown destinations. A WAF alone does not see what the consumer's browser executes, because a skimmer loaded from a third-party CDN never passes through your origin.
Regularly audit third-party scripts
Review all third-party analytics, marketing, and chat scripts that load on your site, and keep them off the payment page wherever possible. Each one is a potential attack vector if the vendor is compromised, and the 6.4.3 inventory is only useful if it is re-verified when these scripts change.
E-commerce Platform Considerations
Your e-commerce platform choice significantly impacts your PCI DSS compliance posture:
SaaS vs Self-Hosted E-commerce Platforms
| Feature | SaaS (Shopify, BigCommerce) | Self-Hosted (WooCommerce, Magento) |
|---|---|---|
| PCI compliance responsibility | Platform handles most PCI requirements | You are responsible for all server-side controls |
| Typical SAQ | SAQ A (hosted checkout) | SAQ A-EP or SAQ D (depending on integration) |
| Server management | None required | Full server hardening required |
| Payment page security | Managed by platform | You must manage script security |
| Typical cost | $29-$299/month + PCI compliance costs of $500-$2,000/year | $50-$500/month hosting + $5,000-$50,000/year PCI compliance |
Does Shopify make me PCI compliant?
Shopify is validated as a PCI DSS Level 1 service provider and handles card entry through its hosted checkout, so you do not operate the payment page yourself. You still need to complete SAQ A annually (or whatever your acquirer requires) and keep your own practices compliant, for example never recording card numbers in order notes, support tickets, or spreadsheets, and keeping third-party apps and scripts out of the checkout flow. Shopify reduces your burden significantly but does not eliminate it.
Do I need PCI DSS if I only use PayPal?
If PayPal is your only payment method and customers are always redirected to PayPal's site to pay, your PCI scope is minimal and SAQ A is the usual outcome. If you also take card numbers on your own pages through one of PayPal's card-processing products (hosted fields or a direct API), PCI DSS applies in full and your SAQ is set by that integration (A-EP or D), not by the PayPal brand.
How do subscription billing services affect PCI DSS scope?
Subscription billing services that tokenize card data (like Stripe Billing or Recurly) store the actual card numbers in their own PCI-validated vault and give you a token that you cannot reverse to a PAN. Tokens are out of PCI scope, so recurring charges no longer require you to store or transmit card data. This removes stored card data from your environment; your SAQ level is still determined by how the card number is captured the first time (hosted page or iframe for SAQ A, your own form for A-EP or D).
What about mobile commerce and in-app payments?
Mobile commerce follows similar rules to web e-commerce. Using Apple Pay, Google Pay, or processor SDKs that handle card data reduces your PCI scope. If your mobile app directly collects card numbers through your own UI, you need SAQ D-level compliance.
Find E-commerce PCI DSS Solutions
Compare payment gateways, WAF providers, and client-side security tools for e-commerce PCI DSS compliance.