Retail / E-Commerce Compliance

Regulations That Apply

Regulation	What It Covers
PCI DSS v4.0.1	Required for all merchants that accept, process, store, or transmit card data
State Breach Laws	All 50 states — vary by trigger and timing
CCPA / CPRA	If meeting California revenue or data volume thresholds
Other State Privacy Laws	VA, CO, CT, UT, TX, OR, MT and others — thresholds vary
FTC Act §5	Unfair and deceptive practices — covers privacy promises
PA 73 Pa. Stat. §2301	PA Breach Notification Act — applies if PA residents are affected

What You Need In Place

• PCI scope minimization (P2PE, tokenization)
• Network segmentation around the cardholder data environment
• Quarterly vulnerability scans
• Annual penetration testing (PCI Req 11.4)
• Self-Assessment Questionnaire (SAQ) completion
• Multi-factor authentication on admin access
• File integrity monitoring
• Privacy notice and consumer rights workflows

Common Threats In This Sector

Retailers and e-commerce operators face both card-data theft (subject to PCI DSS) and customer-data exposure (subject to a growing patchwork of state privacy laws). The threat profile shifted toward web-based attacks as card-present skimming declined.

• Web skimming (Magecart-style attacks) inserting card-stealing JavaScript on checkout pages
• Card fraud testing — attackers using stolen cards against your site to validate them before larger fraud
• Customer account takeover attempts using credentials from other breaches
• Phishing for admin credentials on e-commerce platforms (Shopify, WooCommerce, BigCommerce, Magento)
• Inventory or pricing manipulation via compromised admin access
• ADA website accessibility lawsuits (separate from cyber but a real legal exposure)

Documentation You’ll Be Asked For

PCI DSS v4.0.1 became the active standard in 2024, with future-dated controls phasing in over 2024–2025. State privacy laws (CCPA/CPRA in California, plus VCDPA, CTDPA, CPA, UCPA, and others) add separate documentation requirements for consumer data.

• PCI DSS v4.0.1 Self-Assessment Questionnaire (SAQ) appropriate to the payment flow — A, A-EP, B, B-IP, C, C-VT, or D
• Attestation of Compliance (AoC) signed annually
• State privacy law mapping for any state where customers reside (notice, consumer rights workflows)
• Vendor management documentation for payment processor and any third-party scripts on checkout
• Incident response plan with state data-breach notification timelines
• ADA Title III compliance assessment against WCAG 2.2 Level AA
• Quarterly external vulnerability scan results from an Approved Scanning Vendor (ASV) for SAQ A-EP, B-IP, C, or D

Where Most Small Retailers Fall Short

Acquirers, payment processors, and class-action plaintiffs all surface the same recurring gaps. The PCI DSS v4.0.1 transition added new controls that small merchants are still working through.

• Wrong SAQ chosen — commonly using SAQ A when the site truly requires SAQ A-EP because of third-party scripts
• No state privacy law mapping — assuming CCPA is the only one that matters
• Unauthorized scripts and pixels on checkout pages that violate PCI DSS v4 script-management requirements
• No regular vulnerability scanning even when SAQ requires it
• Admin MFA missing on the e-commerce platform and payment dashboards
• No accessibility statement or WCAG audit; the legal exposure from ADA suits often exceeds the cyber risk