PCI-DSS Compliance Basics for Digital Spiritual Businesses: 2026 Guide
PCI-DSS 4.0 is live. Most solo practitioners are Level 4. SAQ A, the 12 requirements, and what your hosted checkout handles vs. what you must do.
PCI-DSS 4.0 became mandatory on March 31, 2025, replacing version 3.2.1. The standard applies to every merchant that accepts, processes, stores, or transmits credit or debit card data - regardless of business size or transaction volume. A solo astrologer accepting card payments for readings is subject to the same framework as a large e-commerce retailer; the practical requirements are just proportionally scaled.
The most important practical fact for most spiritual practitioners: if you use a hosted checkout (Dodo Payments, Payhip, or a similar hosted page where buyers enter card details on the processor's infrastructure), you qualify for the simplest compliance path. Your card data never touches your servers. Your annual compliance obligation is a 13-question form.
What PCI-DSS Is and Who It Applies To
The Payment Card Industry Data Security Standard (PCI-DSS) is administered by the PCI Security Standards Council, a consortium of card networks (Visa, Mastercard, Amex, Discover, JCB). It is not a government law - it is a contractual requirement enforced through your relationship with your merchant acquirer (the bank or processor that clears your card transactions).
PCI-DSS applies when a merchant accepts card payments. It does not apply to:
- Businesses accepting only cryptocurrency (via NowPayments, for instance) with no card component
- Cash-only businesses
If you accept even one card transaction, PCI-DSS applies.
Source: pcisecuritystandards.org (official PCI SSC); trio.so "PCI-DSS Compliance for Small Business: Complete 2026 Guide"; venn.com "Ultimate Guide to PCI DSS Compliance 2026".
Merchant Levels: Where Solo Practitioners Fall
PCI-DSS compliance requirements scale by merchant level, determined by annual transaction volume:
| Level | Transaction volume | Compliance requirement |
|---|---|---|
| Level 1 | Over 6 million card transactions/year | On-site QSA audit + quarterly network scans |
| Level 2 | 1-6 million transactions/year | Annual self-assessment (SAQ) + quarterly scans |
| Level 3 | 20,000-1 million e-commerce transactions/year | Annual SAQ + quarterly scans |
| Level 4 | Fewer than 20,000 e-commerce OR fewer than 1 million total transactions/year | Annual SAQ (no audit required); scans may be required by acquiring bank |
Virtually all solo spiritual practitioners fall into Level 4. There is no on-site audit, no qualified security assessor (QSA), and no expensive certification process. The compliance path is a self-assessment questionnaire completed annually.
Source: securetrust.com "The Complete PCI DSS Compliance Checklist for Small Businesses"; securityjourney.com "PCI DSS for Small Businesses 2026".
PCI-DSS 4.0 Changes That Affect Solo Practitioners
Version 4.0 introduced several changes relevant even at Level 4:
Password requirements upgraded: Minimum password length is now 12 characters (alphanumeric mix required). The previous minimum was 7 characters. If your hosting control panel, payment dashboard, or business account passwords are shorter than 12 characters, this is a specific remediation step.
Multi-factor authentication expanded: MFA is now required for all access to the cardholder data environment (CDE) - not only for remote access. For most practitioners using hosted checkout (SAQ A), the CDE is the processor's infrastructure, not yours. You still need MFA on your payment dashboard login and any admin account that touches payment settings.
Risk-based compliance model: 4.0 allows merchants to tailor security controls to their specific environment with documented justification. For a solo practitioner using a fully hosted checkout, many requirements can be addressed with a brief written justification that card data never touches practitioner-controlled infrastructure.
Source: beaconpayments.com "How PCI DSS 4.0 Will Affect Your Business in 2026"; petronellatech.com "PCI DSS Compliance Checklist 2026: All 12 Requirements".
The 12 PCI-DSS Requirements: Simplified for Solo Practitioners
| # | Requirement | Solo practitioner reality |
|---|---|---|
| 1 | Firewall configuration for systems touching card data | If no card data on your systems: document that; no firewall config needed on your laptop |
| 2 | No vendor-supplied default passwords | Change default passwords on your router, hosting panel, and all admin accounts |
| 3 | Protect stored cardholder data | Best practice: store nothing. Never save card numbers. Your processor stores them on your behalf |
| 4 | Encrypt card data transmission over public networks | Your processor handles encryption on their checkout page; your VPN covers your admin access |
| 5 | Anti-virus / anti-malware software | Install and maintain on every device you use for business |
| 6 | Secure systems and applications | Keep OS and software updated; do not use unsupported software versions |
| 7 | Restrict card data access on need-to-know basis | Solo practitioner: only you access payment data |
| 8 | Unique ID for each person with computer access | Solo: you have your own login; do not share credentials |
| 9 | Restrict physical access to card data | If you store no card data: document it |
| 10 | Track and monitor access to card data | Processor's dashboard logs handle this; review payment logs periodically |
| 11 | Regularly test security systems | Basic: run vulnerability scan if required by acquirer; otherwise document your testing approach |
| 12 | Maintain a security policy | A one-page written policy describing your security practices satisfies this requirement |
Source: pcisecuritystandards.org; uschamber.com "PCI Compliance Guide for Small Business".
What Your Payment Processor Handles vs. What You Must Do
The most important question for a practitioner evaluating their compliance burden: what does your payment setup look like?
Hosted checkout (Dodo Payments, Payhip hosted checkout, NowPayments card option): The buyer enters card details on the processor's page - not on your website. Card data never touches your server. The processor handles Requirements 3 (storage), 4 (encryption in transit), and 6 (secure applications) for the card data layer.
YOU still must:
- Use strong passwords (12+ characters, MFA) on your payment dashboard and business accounts (Requirements 2 and 8)
- Run anti-virus on your devices (Requirement 5)
- Never embed a raw card input form directly on your own website - use the processor's iframe or redirect (not doing this is the most common SAQ A disqualifier)
- Complete an annual SAQ and maintain a written security policy (Requirement 12)
Do not build your own card input form. This is the line that moves a practitioner from the simple SAQ A path to the complex SAQ D path with 220+ questions. An iframe from Dodo Payments embedded on your site keeps card input on the processor's infrastructure. A custom `<input type="text">` field on your own page that submits card numbers to your server is a PCI scope expansion you do not want.
Source: squareup.com "PCI Compliance: Everything You Need to Know"; securityjourney.com "PCI DSS for Small Businesses".
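The distinction above (card entry inside the processor's iframe or redirect versus a raw card field on your own page) can be checked statically before you fill in the SAQ. The script below is an added example for this guide, not code from Dodo Payments, Payhip or the PCI SSC: it parses a page's HTML, flags `<input>` elements that look like card fields (by browser autofill token or by name), records where their enclosing form posts, and lists third-party iframes. The field-name keywords, the processor hostname and both sample pages are constructed for the demonstration; treat the result as a first pass, not a compliance determination.

```python
# Added example (not code from the guide, Dodo Payments, Payhip or the PCI SSC).
# Scans page HTML for raw card-entry fields that would move a merchant off the
# SAQ A path, and records third-party iframes (the hosted-checkout pattern).
# Heuristic only: keyword list, processor hostname and sample pages are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Autofill tokens browsers use for card fields (standard autocomplete values).
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}
# Name/id fragments that usually mean a card field; constructed, extend for your site.
CARD_NAME_HINTS = ("card", "ccnum", "cvv", "cvc")


class CardFieldScanner(HTMLParser):
    """Collect card-looking <input> elements (with their form action) and iframe sources."""

    def __init__(self):
        super().__init__()
        self.card_inputs = []    # list of (form_action, field_name)
        self.iframe_srcs = []    # list of iframe src values
        self._form_actions = []  # stack of open <form action="..."> values

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        if tag == "form":
            self._form_actions.append(a.get("action", ""))
        elif tag == "input" and self._looks_like_card_field(a):
            action = self._form_actions[-1] if self._form_actions else ""
            self.card_inputs.append((action, a.get("name") or a.get("id") or "<unnamed>"))
        elif tag == "iframe":
            self.iframe_srcs.append(a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_actions:
            self._form_actions.pop()

    @staticmethod
    def _looks_like_card_field(a):
        if a.get("autocomplete", "").lower() in CARD_AUTOCOMPLETE:
            return True
        ident = (a.get("name", "") + " " + a.get("id", "")).lower()
        return any(hint in ident for hint in CARD_NAME_HINTS)


def assess_pci_scope(html, own_host):
    """Return a verdict dict: 'saq_a_candidate' if no raw card field is on the page, else 'scope_expanded'."""
    scanner = CardFieldScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for action, name in scanner.card_inputs:
        host = urlparse(action).hostname
        # A relative action (no host) or your own host means the browser posts card data to your server.
        target = "your server" if host in (None, own_host) else host
        findings.append(f"raw card field '{name}' posts to {target}")
    hosted = [src for src in scanner.iframe_srcs if urlparse(src).hostname not in (None, own_host)]
    verdict = "scope_expanded" if findings else "saq_a_candidate"
    return {"verdict": verdict, "raw_card_fields": findings, "third_party_iframes": hosted}


# Constructed sample: the recommended pattern, card entry inside the processor's iframe.
HOSTED_CHECKOUT_PAGE = """
<form action="/book" method="post">
  <input name="client_name" autocomplete="name">
  <input name="email" type="email">
</form>
<iframe src="https://checkout.example-processor.test/embed/ORDER_PLACEHOLDER"></iframe>
"""

# Constructed sample: the disqualifying pattern, a raw card form posting to your own server.
CUSTOM_CARD_FORM_PAGE = """
<form action="/charge" method="post">
  <input type="text" name="card_number" autocomplete="cc-number">
  <input type="text" name="exp" autocomplete="cc-exp">
  <input type="text" name="cvv">
</form>
"""

if __name__ == "__main__":
    for label, page in (("hosted", HOSTED_CHECKOUT_PAGE), ("custom", CUSTOM_CARD_FORM_PAGE)):
        result = assess_pci_scope(page, "www.example-practitioner.test")
        print(label, result["verdict"], result["raw_card_fields"], result["third_party_iframes"])
```

Run it against the saved HTML of your own booking or checkout page with your real hostname as `own_host`. Any entry under `raw_card_fields` is a page that needs to be rebuilt around the processor's iframe or redirect before SAQ A can honestly be claimed; an empty list plus a third-party iframe is the hosted pattern the guide describes.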
SAQ A: The Right Form for Most Spiritual Practitioners
Self-Assessment Questionnaire A (SAQ A) applies to merchants who:
- Accept card payments only through a fully outsourced payment processor
- Use an iframe or redirect for payment (card data never on their own systems)
- Do not store, process, or transmit any cardholder data
SAQ A has approximately 13 questions. It covers basic organizational security practices - written security policy, access controls, and confirming the outsourced setup. For a practitioner using Dodo Payments or Payhip hosted checkout, SAQ A is the correct and simplest form.
SAQ D is the comprehensive form: 220+ questions for merchants who process card data directly. This applies to merchants running their own payment servers or storing card data. A solo digital practitioner using hosted checkout should never need SAQ D.
Annual SAQ completion is required. Some acquiring banks also require a quarterly Approved Scanning Vendor (ASV) scan of publicly accessible IP addresses, even for Level 4 merchants.
Source: securetrust.com "PCI DSS Compliance Checklist"; petronellatech.com "PCI DSS Compliance Checklist 2026".
Penalties for Non-Compliance
PCI-DSS is enforced through card network agreements with acquiring banks, which pass penalties to merchants. The financial consequences:
- Card network fines to acquiring banks: $5,000-$100,000/month for non-compliance, which banks pass to merchants
- Data breach costs: average $2.98 million (IBM Security 2024 report) - a figure that includes notification, legal, remediation, and reputational costs
For a solo practitioner processing a modest number of card transactions, the direct compliance cost is low: time spent completing SAQ A annually, plus the cost of a PO box (a CAN-SPAM address requirement rather than a PCI one, but it comes up in the same setup work). The risk from a data breach, however, is not proportional to business size - even a small breach creates remediation costs and reputation damage.
Source: trio.so "PCI-DSS Compliance for Small Business 2026"; burkecpa.com "What Your Business Needs to Know About PCI Compliance in 2026".
NowPayments and Crypto: PCI-DSS Does Not Apply
If you accept only cryptocurrency payments through NowPayments, PCI-DSS does not apply - no card data is involved. This is a genuine compliance simplification for practitioners who choose crypto-first payment rails. The tradeoff is a smaller potential customer base (not all clients pay in crypto).
Practitioners who accept both card (via a hosted checkout like Dodo Payments or Payhip) and crypto (via NowPayments) are subject to PCI-DSS for the card component and not for the crypto component. The SAQ A path covers the card component.
For the broader payment decision for spiritual businesses, see the accept payments for esoteric business guide and the NowPayments vs BTCPay vs Coinbase Commerce comparison.
Frequently Asked Questions
Do I need to hire a QSA (Qualified Security Assessor) to complete PCI-DSS compliance?
No. Level 4 merchants - which covers virtually all solo spiritual practitioners - complete a self-assessment questionnaire (SAQ A, for hosted checkout users) without a QSA. QSA involvement is required only for Level 1 merchants (over 6 million transactions/year) and for merchants who cannot complete the SAQ accurately without expert help. SAQ A has approximately 13 questions and can be completed in an hour.
What happens if Dodo Payments or Payhip has a data breach on their systems?
If the breach occurs on the processor's infrastructure - not yours - the processor bears the primary PCI liability for that breach. Your SAQ A compliance documentation demonstrates you handled your side of the requirements correctly: you used a compliant hosted checkout, you did not store card data, and you maintained proper access controls on your accounts. This is the primary benefit of using a PCI-compliant hosted checkout: the most catastrophic risk (card data exposure) lives with the processor, not with you.
Does using a VPN satisfy any PCI-DSS requirements?
A VPN satisfies part of Requirement 4 (encrypting transmission of cardholder data over open networks) when you access your payment dashboard over public Wi-Fi. PCI-DSS recommends network security controls for remote access to business systems. For the VPN comparison, see the NordVPN vs Surfshark vs ExpressVPN comparison for spiritual businesses.
If I use Stripe as my underlying processor (via a third-party platform like Stan Store), who is responsible for PCI compliance?
The answer depends on the platform's PCI scope. Stan Store and similar platforms that use Stripe's hosted checkout flow handle card data on Stripe's infrastructure - not yours. In that configuration, you are still a merchant subject to PCI-DSS at Level 4, but SAQ A likely applies because card data does not touch your systems. Verify how your specific platform (Stan Store, or any Stripe-integrated platform) handles PCI scope: confirm with platform support whether they maintain PCI compliance documentation on your behalf or require you to complete an SAQ yourself.
How do I write the one-page security policy required by Requirement 12?
Requirement 12 calls for a documented information security policy. For a solo practitioner using hosted checkout, a one-page document covering the following satisfies it: (1) that you accept card payments only through a compliant hosted checkout and never store card data, (2) your password policy (12+ characters, MFA on all payment and business accounts), (3) your device security practices (anti-virus installed, OS kept current), (4) your access control practice (you are the only person with access; no shared credentials), and (5) your incident response procedure (immediately contact your processor in the event of suspected compromise). Date the document, sign it, and update it annually when you complete your SAQ.
