Skip to content

Resource · Guide

PCI Compliance for High-Risk Merchants

Reviewed by GivePayments compliance teamLast updated 7 min read

PCI compliance, adhering to the PCI DSS, applies to every merchant that accepts cards, including high-risk ones; there's no high-risk exemption. What differs for high-risk merchants is the scrutiny and the fraud exposure, which raise the stakes. The most effective compliance strategy is to minimize the cardholder data you touch by using a PCI Level 1 gateway with tokenization and hosted pages, which shrinks your scope to the simplest assessment.

PCI isn't different for high-risk merchants, the stakes are

Let's clear up the first confusion immediately: there is no separate, lighter, or harsher version of PCI DSS for high-risk businesses. The Payment Card Industry Data Security Standard applies to every merchant that stores, processes, or transmits cardholder data, full stop. A supplement brand, a coaching business, and a corner store are all bound by the same twelve requirements.

What changes when you're high-risk isn't the rulebook, it's the consequences of getting it wrong. High-risk verticals are more frequently targeted by fraudsters, more closely watched by acquirers, and more likely to feel the impact of a breach in the form of held funds or a terminated account. So for a high-risk merchant, PCI compliance is two things at once: a baseline requirement you can't skip, and a practical line of defense against exactly the fraud and chargeback problems that already make your account fragile. This guide walks the requirements in that context, explains the levels and SAQs, and shows what the right gateway takes off your plate.

The 12 requirements, in a high-risk context

PCI DSS organizes into twelve requirements across six goals. Here's the practical version, with the emphasis a high-risk merchant should actually care about.

#Requirement (plain version)Why it bites harder for high-risk
1–2Install firewalls; don't use vendor default passwordsBasic hygiene attackers probe first; high-risk sites get probed more
3Protect stored cardholder dataThe biggest scope-driver, storing card data is the riskiest thing you can do
4Encrypt cardholder data in transitCard-not-present, e-commerce-heavy models live or die on this
5–6Anti-malware; build and maintain secure systemsUnpatched carts and plugins are the common breach vector
7–8Restrict access by need-to-know; authenticate every userLimits blast radius if a credential is stolen
9Restrict physical access to dataMatters even for CNP if you keep any records
10Log and monitor all access to data and networksThe evidence trail acquirers and forensics rely on
11Regularly test security systems (scans, pen tests)Quarterly network scans are a hard requirement for most
12Maintain an information-security policyThe governance acquirers expect a high-risk merchant to have

The throughline across all twelve: every requirement gets easier the less cardholder data your own systems handle. Requirement 3, protecting stored card data, is the single largest source of PCI scope and breach risk, and the smartest high-risk strategy is to not store it at all. More on that below.

PCI levels, which one are you?

Your PCI level is set by your annual card transaction volume, and it determines how you validate compliance.

  • Level 1, the largest merchants (generally 6M+ transactions/year per brand) and any merchant that's suffered a breach. Requires an annual onsite assessment by a Qualified Security Assessor (QSA) and quarterly scans.
  • Level 2, roughly 1M–6M transactions/year. Typically an annual SAQ plus required scans, sometimes with additional validation.
  • Level 3, roughly 20,000–1M e-commerce transactions/year. SAQ plus scans.
  • Level 4, under 20,000 e-commerce transactions/year (or up to 1M total). SAQ plus scans.

Most small and mid-size high-risk merchants are Level 3 or 4 and validate with a Self-Assessment Questionnaire rather than a full audit. Your processor or acquirer confirms your level, and it's worth knowing that a breach can push any merchant up to Level 1 validation regardless of volume, which is one more reason the data-minimization approach pays off.

SAQ types, and why the right setup gets you the shortest one

The SAQ (Self-Assessment Questionnaire) is the form merchants below Level 1 use to attest to compliance, and there are several versions matched to how you accept payments. The key insight: the SAQ you qualify for is a direct function of how much cardholder data your systems touch.

The smallest is SAQ A, for e-commerce merchants who fully outsource card capture and storage to a PCI-compliant third party, the customer's card details never hit your servers. Merchants who key in or transmit card data through their own systems face longer questionnaires (SAQ A-EP, SAQ D, and others) with far more controls to attest to. The difference between SAQ A and SAQ D is the difference between a short annual form and a substantial compliance project.

So the practical lever is clear: arrange your payments so card data is captured and stored by a compliant processor, not by you, and you collapse your assessment to the simplest tier.

What a PCI Level 1 gateway offloads for you

This is where the right processor does real work. GivePayments runs on PCI DSS Level 1 compliant infrastructure, the highest validation level, and the point of that isn't a badge; it's that we can take cardholder data off your hands. Two mechanisms do it:

Tokenization replaces the actual card number with a meaningless token in your systems. You can still bill, refund, and run recurring charges using the token, but the real card data lives in our validated environment, not yours, so even if your systems were breached, there's no card data to steal.

Hosted payment pages capture the card on our page rather than yours, so the sensitive details never transit your servers at all. Combined with tokenization, this is what moves an e-commerce merchant to the minimal SAQ A and removes Requirement 3's storage burden almost entirely.

For a high-risk merchant, that's the highest-leverage compliance decision available: instead of hardening your own environment to safely store card data, you stop storing it. The compliance scope shrinks, the breach surface shrinks, and the riskiest requirement largely moves to a processor built to handle it. Our payment gateway and developer tools are built around exactly this, tokenization and hosted pages first, and the security posture is detailed on our security page.

The bottom line for high-risk merchants

PCI compliance is mandatory whether you're high-risk or not, but how heavy it feels is largely your choice. Touch a lot of cardholder data and you take on the full weight of the standard plus the elevated breach risk that comes with a high-risk profile. Minimize the data you touch, through a PCI Level 1 gateway with tokenization and hosted pages, and you collapse your scope to the simplest assessment while removing the most dangerous part of compliance from your environment entirely.

If you want high-risk processing on PCI Level 1 infrastructure that keeps cardholder data off your systems, get approved, or read how we screen and decide in how our underwriting works.

FAQ

PCI compliance FAQ

What is PCI compliance and does it apply to high-risk merchants?

PCI compliance means adhering to the PCI DSS (Payment Card Industry Data Security Standard), the card brands' security rules for any business that stores, processes, or transmits cardholder data. It applies to every merchant that accepts cards, high-risk or not, there's no exemption for being high-risk. What changes for high-risk merchants is the stakes: they're more likely to be targeted for fraud and more scrutinized by acquirers, so getting PCI right is both a requirement and a practical defense.

What PCI level am I as a merchant?

PCI levels are set by annual card transaction volume. Level 1 is the largest (generally over 6 million transactions a year per card brand, or any merchant that's had a breach), down to Level 4 for the smallest (under 20,000 e-commerce transactions). Most small and mid-size merchants are Level 3 or 4 and validate with a Self-Assessment Questionnaire; Level 1 merchants require an annual onsite audit by a Qualified Security Assessor. Your acquirer or processor confirms your level.

How do high-risk merchants stay PCI compliant?

The most effective move is to minimize the cardholder data you touch. By using a PCI-compliant gateway with tokenization and hosted payment pages, card data is captured and stored by the processor's validated systems rather than yours, which dramatically shrinks your PCI scope and the SAQ you have to complete. Beyond that, staying compliant means completing the right SAQ or audit annually, running required network scans, and maintaining the security controls in the 12 requirements year-round, not just at assessment time.

Is GivePayments a Level 1 PCI compliant processor?

Yes, GivePayments operates on PCI DSS Level 1 compliant infrastructure, the highest level of validation, which is what lets us handle cardholder data on your behalf and reduce your compliance burden. When card data is captured and tokenized on our Level 1 systems through a hosted page or our gateway, the sensitive data stays out of your environment, which both shrinks your scope and removes the riskiest part of compliance from your plate.

What is an SAQ and which one do I need?

An SAQ (Self-Assessment Questionnaire) is the form most merchants below Level 1 use to validate PCI compliance. There are several types matched to how you accept payments, for example, SAQ A for e-commerce merchants who fully outsource card handling to a compliant third party (the smallest questionnaire), and more extensive ones for merchants who touch card data directly. The less cardholder data your systems handle, the shorter your SAQ; a hosted, tokenized gateway is what gets most e-commerce merchants to the simplest SAQ A.

Want processing on PCI Level 1 infrastructure?

Tokenization and hosted pages keep cardholder data off your systems and collapse your PCI scope to the simplest assessment.