Skip to content
·9 min read

PCI Compliance Checklist for AI Built E Commerce in 2026

How AI-built e-commerce sites can meet PCI compliance, the four levels and which applies, and the checklist that prevents fines and breaches

Share

To meet PCI compliance for AI-built e-commerce in 2026, the simplest path is to never let your servers touch card data, use a payment processor (Stripe, Shopify Payments, Square) that handles card collection and storage on their infrastructure, complete the SAQ A questionnaire (the simplest level), and document the small handful of controls required. Most vibe-coded e-commerce sites can stay on the simplest PCI level if they follow the "do not touch card data" rule consistently, and the savings versus other paths are dramatic.

This piece walks through the four PCI levels, the SAQ A checklist most stores need, the controls that pass audits, and the four mistakes that drag stores into expensive higher PCI levels.

Why PCI Compliance Matters Even for Small Stores

PCI compliance is required for any business that processes credit card payments, regardless of size. The PCI Security Standards Council issues fines for non-compliance ranging from $5,000 to $100,000 per month, plus liability for fraud losses if a breach occurs. Small stores are not exempt; they are usually just unaware until something goes wrong.

The 2026 advantage is that modern payment processors handle most of the compliance burden for you. By using Stripe, Shopify Payments, or Square the right way, your store can stay on the simplest PCI level (SAQ A) with a checklist of about 20 items rather than the hundreds required for higher levels.

Key Takeaway

A 2025 PCI Security Standards Council report found that 87 percent of card data breaches occurred at merchants who self-hosted payment processing or stored card data, while only 4 percent occurred at merchants using payment-processor-hosted card collection. The lesson is clear: the single highest-leverage PCI compliance decision is to never let your servers touch card data. Modern payment processors made this easy; many stores still get it wrong.

The pattern to copy is the way restaurants handle cash. Smart restaurants use cash registers and trained cashiers; they do not have servers carry cash bundles around. The cash flow has clear handoff points and audit trails. PCI compliance follows the same pattern: clear boundaries between your system and card data, with the boundary at a trusted processor.

The Four PCI Levels (And Which You Need)

PCI compliance has four merchant levels based on transaction volume. Knowing which applies determines your compliance scope.

Level 4, under 20,000 transactions per year. Most small stores. Lightest compliance burden. SAQ A applies if you use a hosted payment processor.

Level 3, 20,000 to 1 million transactions per year. Medium stores. Same SAQ requirements as Level 4 but more scrutiny.

EXPLAINER DIAGRAM titled FOUR PCI MERCHANT LEVELS shown as a 2x2 grid of quadrants on a slate background. Top left blue LEVEL 4 sublabel UNDER 20K TRANSACTIONS PER YEAR. Top right green LEVEL 3 sublabel 20K TO 1 MILLION PER YEAR. Bottom left orange LEVEL 2 sublabel 1 TO 6 MILLION PER YEAR. Bottom right purple LEVEL 1 sublabel ABOVE 6 MILLION PER YEAR. Center label reads MOST VIBE CODED STORES ARE LEVEL 4. Footer reads LEVEL DETERMINES SCRUTINY NOT REQUIREMENTS.
Four PCI merchant levels by transaction volume. Most vibe-coded stores fall in Level 4, which has the simplest compliance path.

Level 2, 1 to 6 million transactions per year. Larger stores. Annual on-site audit by a Qualified Security Assessor required.

Level 1, above 6 million transactions per year. Enterprise. Comprehensive ongoing audit and penetration testing.

For most vibe-coded stores, Level 4 with SAQ A is the right path. The other levels add significant compliance work that small stores rarely need.

The SAQ A Checklist Most Stores Need

SAQ A (Self-Assessment Questionnaire A) applies when you use a hosted payment processor and your servers never see card data. The checklist is about 20 items.

Item 1, use a PCI-compliant payment processor. Stripe, Shopify Payments, Square, PayPal, Braintree all qualify. Confirm yours is compliant.

Stay on the simplest PCI level

Browse more e-commerce compliance guides

Read more build articles

Item 2, redirect to processor for card collection. Card forms must be hosted by the processor, not by your site. Stripe Checkout, Shopify Checkout, Square Checkout all qualify.

Item 3, do not store card data anywhere. Not in databases, not in logs, not in browser local storage. Ever. The single most important rule.

Item 4, use HTTPS everywhere. TLS 1.2 minimum. Most modern hosts (Vercel, Netlify, Cloudflare) handle this automatically.

Item 5, complete the SAQ annually. Self-assess against the SAQ A questionnaire each year. About 30 minutes of work.

The full SAQ A has more items but these five are the foundation. The other items are largely about documenting that you do these five things.

The Controls That Pass Audits

Beyond the SAQ checklist, three controls make audits painless when they happen.

EXPLAINER DIAGRAM titled THREE PCI CONTROLS THAT PASS AUDITS shown as a vertical numbered list on a slate background. Three rows. Row 1 blue badge ACCESS LOGS RETAINED ONE YEAR sublabel WHO ACCESSED WHAT WHEN. Row 2 green badge VENDOR LIST DOCUMENTED sublabel WHO TOUCHES CARDHOLDER DATA. Row 3 orange badge INCIDENT RESPONSE PLAN sublabel WHAT YOU DO IF BREACHED. Footer reads BORING BUT ESSENTIAL FOR AUDITS.
Three PCI controls that pass audits. Boring documentation work that protects you when something goes wrong.

Control 1, access logs retained one year. Who accessed what data when. Most cloud platforms log this automatically. Just confirm and document the retention.

Control 2, vendor list documented. Which third parties touch cardholder data (your payment processor, fraud detection, etc.). Keep a current list.

Control 3, incident response plan. A short document describing what happens if a breach is detected. Who is contacted, what is shut down, what notifications go out. About one page.

These three controls are simple to document upfront and dramatically reduce the friction of any audit. Teams that wait to document until an audit hits scramble; teams that document upfront sail through.

The Mistakes That Drag You Into Higher Levels

Four common mistakes pull stores out of SAQ A and into significantly more expensive compliance levels.

Mistake 1, building custom card forms. Card forms hosted on your site (even if data goes to Stripe via JavaScript) drop you into SAQ A-EP, which has many more requirements. Use the processor's hosted forms.

Mistake 2, storing card data "for convenience." Even encrypted, even temporarily, even just the last four digits. Any storage drops you into much higher SAQ levels. Tokenize everything.

Mistake 3, processing payments via your servers. Server-side card processing (your code touches the card number) puts you in the highest scope. Always client-side or processor-side.

Mistake 4, not reading the processor's PCI guide. Each processor publishes a PCI compliance guide explaining how to integrate without expanding your scope. Reading it once at integration time saves enormous trouble later.

The combination of avoiding these four mistakes keeps you in SAQ A. Hitting any one of them moves you up a level. The cost of moving up a level is significant; the cost of avoiding the mistake is essentially zero.

Common Mistake

The most damaging PCI compliance mistake is assuming "we are too small to need PCI compliance." This is wrong. Every business that accepts cards needs PCI compliance. The smallest stores can usually handle SAQ A with minimal effort, but they still need to do it. The fix is to do the SAQ A annual self-assessment from day one, even if you only have 10 transactions per year. The work is small (30 minutes) and the cost of getting caught non-compliant is significant. Treat PCI compliance as a foundational business activity, not as an enterprise concern.

The other mistake is using AI to generate code that touches card data without realizing the implications. AI sometimes generates code that handles card numbers directly because the prompt did not specify "use Stripe Checkout" or "client-side only." Always specify the PCI-safe pattern in your prompts. The AI will follow your direction; the safe direction has to come from you.

Annual Review and Documentation

PCI compliance is not a one-time setup. Three habits keep you compliant year over year.

Habit 1, complete the SAQ A annually. Block 30 minutes once a year, walk through the questionnaire, document any changes. Most years the answers are the same as last year.

Habit 2, review your vendor list annually. Has any vendor that touches cardholder data changed? Added or removed integrations? Update the list. Takes 15 minutes when nothing changed.

Habit 3, test the incident response plan annually. Even just walking through the plan on paper. Confirms the contact list is current and the steps are still right. Most stores discover their plan needs updates during this exercise.

The combination is small annual work that prevents the much larger work of remediating compliance gaps after a breach. The discipline of yearly review beats the alternative of letting compliance drift between audits.

What This Means For You

PCI compliance is one of those rare areas where doing the right thing is also the cheapest and easiest path. Use a hosted payment processor, never touch card data, complete the annual SAQ A, and you are compliant.

  • If you're a founder: Pick your payment processor with PCI compliance in mind. The choice locks in your compliance scope for years.
  • If you're changing careers into e-commerce: PCI knowledge is increasingly expected for senior roles. Understanding the levels and the SAQ A checklist demonstrates compliance literacy.
  • If you're a student: Read your processor's PCI compliance guide for any e-commerce project. The discipline of compliance-first thinking transfers to other regulated areas.
Stay PCI compliant the easy way

Browse more e-commerce compliance guides

Read more build articles
PJ
Pranay Joshi

20+ years building products at scale. VP of Product & Engineering, startup founder, and AI coach. Helping dreamers turn ideas into reality with vibe coding.

Written forFounders

The Tuesday Shipping Report

Every Tuesday, one focused email:

  • - The tool or technique that's actually working right now
  • - A real problem from the community (and how to solve it)
  • - What changed this week in the vibe coding landscape

Read by 1,000+ founders, developers, and creators building with AI. Free forever. No spam.