PCI Compliance · 29 May 2026 · 20 min read

PCI Compliance for Small Business — A Realistic US Guide

PCI compliance for small business in the US — merchant levels, the SAQ to aim for, what it costs in 2026, and scope moves that cut the bill 90%.


TL;DR

PCI compliance for small business isn't optional, but it doesn't have to drain your bank account either. Most US SMBs sit at Level 4 (under 20,000 e-commerce transactions a year) and can self-attest using SAQ A or SAQ B-IP for around $500–$2,500 a year — but only if you keep card data out of your environment. Take it in-house and you'll quickly hit five-figure costs.

Last updated: 29 May 2026

If you run a small business in the US and you take card payments, you're on the hook for PCI DSS. Doesn't matter if you process ten cards a month or ten thousand a year — the standard applies the moment a customer hands over a PAN. The good news is the 2026 version of PCI DSS (v4.0.1) is actually friendlier to small merchants than v3.2.1 was, provided you set up the right way from day one. The bad news is that most SMBs we speak to have set up the wrong way without realizing it, and they're carrying scope they don't need to carry.

We're a PCI DSS Level 1 service provider — that's the heaviest tier, the one with the annual on-site audit and the Report on Compliance. We sit at that level so our small-business customers don't have to. This guide walks through what PCI compliance actually means for a US small business in 2026, what it costs, the SAQ you should be aiming for, and the three or four practical moves that drop the bill by 70-90% compared with the path most CPAs and IT consultants will quote you.


What does PCI compliance for small business actually mean?

PCI DSS — the Payment Card Industry Data Security Standard — is the rulebook the card brands (Visa, Mastercard, Amex, Discover, JCB) wrote to protect cardholder data. It applies to anyone who stores, processes, or transmits card data, full stop. There's no small-business carve-out. What changes with size is the validation path: how you prove you're compliant, not whether you have to be.

For a US small business in 2026, that means three things. First, you need to know your merchant level — for almost all SMBs that's Level 4. Second, you need to fill in the right Self-Assessment Questionnaire (SAQ) once a year, and have your card payment setup actually match what you've checked. Third, you need quarterly external network scans by an Approved Scanning Vendor (ASV) if any of your systems are internet-facing and in scope.

The thing most small businesses get wrong is treating PCI as paperwork. It isn't. The SAQ asks specific technical questions — "Is cardholder data encrypted in transit?", "Do you maintain a firewall configuration?", "Are administrative accounts protected with MFA?" — and checking yes when the answer is no isn't compliance, it's a fraud claim waiting to happen. If a breach gets traced back to a control you said you had but didn't, your acquirer's indemnity clauses kick in and you pay the forensic investigation, the card brand fines, and the customer notification costs personally. The FTC also takes a dim view of misrepresenting your security posture — they've brought enforcement actions against small merchants under Section 5 of the FTC Act for exactly this.

Merchant levels: where US small businesses actually sit

The card brands split merchants into four levels based on annual transaction volume. The exact thresholds vary slightly by brand, but Visa USA's framework is the one most US acquirers use, and it looks like this:

Level 1 is more than 6 million Visa transactions a year — full Report on Compliance, on-site QSA audit, the works. Level 2 is 1 to 6 million — SAQ D plus a quarterly scan and, for some acquirers, an annual on-site review. Level 3 is 20,000 to 1 million e-commerce transactions — SAQ A or SAQ A-EP depending on setup. Level 4 is everything else: under 20,000 e-commerce transactions or under 1 million across all channels.

If you're a US small business, you're almost certainly Level 4. That's the level where you self-attest. Your acquirer doesn't send anyone round to inspect your office. You fill in the SAQ, sign the Attestation of Compliance, send it to the acquirer (or upload it to their portal — Chase Paymentech, Worldpay from FIS, Elavon, Global Payments all run merchant portals for this), and you're done for the year. The annual cost can be as low as $500 if your setup is clean. We've broken down the full cost by merchant level in our cost of PCI compliance guide, the pillar piece — worth reading if you want the comparison.

Picking the right SAQ — the single biggest cost lever

The Self-Assessment Questionnaire you fill in dictates pretty much everything else. There are nine SAQs in PCI DSS v4.0.1, but only four of them realistically apply to a small business:

SAQ A is the shortest — 22 questions. It applies if you outsource all your card processing to a PCI-compliant third party and your website never touches card data (you redirect to a hosted payment page, or you take phone payments through a channel-separated provider). This is the goal. If you can get to SAQ A, you've cut your audit scope by about 95%.

SAQ A-EP is for e-commerce merchants who use an iframe or JavaScript on their own pages to render the payment form, even if the actual card capture happens on the provider's infrastructure. It's around 150 questions because your web server is technically in scope for script-integrity rules. The cost difference between SAQ A and SAQ A-EP is usually 4–5x — it's worth getting this distinction right before you sign anything.

SAQ B-IP covers card-present merchants using IP-connected PIN entry devices (PEDs). It's around 80 questions. Most small retailers, restaurants, and service businesses with a modern card terminal fall here.

SAQ D-Merchant is the heavy one — about 300 questions covering everything in the standard. You end up here if you store card data, process card data through systems you control, or your setup doesn't fit any of the simpler SAQs. Cost-wise, you're looking at $4,000-$20,000 a year for a small business doing SAQ D properly, plus quarterly scans and remediation work. Most US SMBs we see sitting on SAQ D could be on SAQ A with a one-time payment platform change.

What PCI compliance for small business actually costs in 2026

Here's the honest cost breakdown for a Level 4 US small business, by scenario:

Best case (SAQ A, outsourced): $500-$1,500 a year. That's the ASV scan (around $25-$75 a month, often bundled with your payment provider), your time to complete the SAQ (around 4-8 hours once a year), and a basic security awareness training program. If you use Paytia for phone payments and a tokenizing gateway like Stripe Checkout or Authorize.Net hosted forms for online, you sit here. No QSA, no penetration testing, no on-site audit.

Card-present SMB (SAQ B-IP): $800-$2,500 a year. Same ASV scan plus more time on the SAQ — call it a couple of days a year — plus terminal management and a documented incident response plan. Most small retailers and restaurants with a Square, Clover, or Toast terminal land here.

SAQ A-EP: $2,500-$8,000 a year. Now you're paying for vulnerability scans of your web server, content security policy work to satisfy the script-integrity rules in Requirements 6.4.3 and 11.6.1, and usually some external help to navigate the questions. A lot of US e-commerce SMBs end up here without realizing it because their developer dropped a Stripe Elements form into their checkout instead of redirecting to Stripe's hosted page.

SAQ D-Merchant: $6,000-$30,000 a year. This is the one to avoid. You're paying for quarterly internal and external scans, an annual penetration test, a documented information security policy, formal change management, log monitoring infrastructure, file integrity monitoring, MFA for all admin access, plus probably a fractional QSA or vCISO to keep the wheels on. We've seen small businesses with $700K revenue spend $22K a year here because nobody told them they didn't have to.

If you're working with an SBA-backed lender or seeking SBA financing, watch for PCI compliance attestation requirements in your loan covenants — some lenders now ask for proof of current SAQ submission as a condition of the facility. Our cost of PCI compliance guide goes through the moves to drop one SAQ category at a time — it's the cheapest hour you'll spend this quarter.

The phone-payments trap most US SMBs walk into

This one catches small businesses out constantly. Roughly a third of US SMBs take some card payments by phone — a contractor taking final settlement after a job, a B&B confirming a booking, a small wholesaler taking a top-up order, a dental office taking a deposit. The instinct is to type the card number into the same web checkout you use online, or write it on a sticky note while you process it on a card terminal.

Both of those approaches put you straight into SAQ D-Merchant territory. The moment a cardholder reads their PAN aloud over a phone line into your environment — your headset, your call recording, your CRM, the screen of the laptop the agent is using — every piece of equipment in that chain is in PCI scope. Your call recordings are in scope. Your computer is in scope. The router on your desk is in scope. The Wi-Fi network at home if you're working from there is in scope. And if you're in a healthcare practice taking payments by phone, you're also dragging HIPAA scope across the same equipment — the OCR has been clear that voice recordings containing PHI plus payment data are double-regulated.

The fix is channel separation. The customer keys their card details into their phone keypad as DTMF tones, those tones get masked from the agent and the call recording, and the digits travel down a separate path direct to the payment processor. The agent never hears the card number. Nothing in your environment ever stores or transmits cardholder data. You drop out of SAQ D and back to SAQ A, which is the SAQ A you'd be on anyway if you only took online payments. We cover the mechanics in our DTMF masking glossary entry, and the solution itself is described on our take card payments over the phone page.


Practical PCI checklist for a US small business in 2026

Here's the practical work, in the order we'd do it if we were starting from scratch with a small business client.

First, get your transaction volumes and merchant level confirmed in writing from your acquirer. Don't guess. If you're a Level 4 merchant, ask them which SAQ they expect from you — different US acquirers default to different ones, and some will accept SAQ A where others insist on SAQ A-EP for the same setup. Get it in writing because it dictates everything else.

Second, map every place cardholder data touches your business. Online checkout, phone calls, paper forms, email (please, never email — PCI explicitly forbids unencrypted PAN over email), web chat, recurring billing, refunds. For each channel, you want to be able to say in one sentence: "the PAN goes from the customer directly into our payment provider's environment without ever entering ours." If you can't say that, fix the channel before you fill in the SAQ.

Third, set up MFA on every administrative login that touches anything in scope. Your acquirer portal. Your gateway's merchant dashboard. Your CRM if it ever holds customer data. PCI DSS v4.0.1 made MFA mandatory for non-console admin access — there's no exemption for small business and "we're tiny" isn't a defense at SAQ time. Use an authenticator app, not SMS. (NIST has been telling people to stop using SMS for second-factor for years; PCI v4.0.1 finally caught up.)

Fourth, write a one-page incident response plan. Who calls the acquirer, what number, what forensic firm you'd use, how you'd notify customers, and how you'd meet your state's breach notification deadline. All 50 states plus DC, Puerto Rico, and the Virgin Islands have data breach notification laws now — and most run a clock measured in days, not weeks. The SAQ asks if you have one. "Yes" requires that the document exists. It doesn't need to be a 40-page corporate document — a one-pager that everyone in the business has seen is fine and arguably better.

Fifth, schedule the ASV scan. If you have any internet-facing infrastructure in scope — and you probably do, even if it's just a router with port 443 open — you need quarterly external vulnerability scans by an Approved Scanning Vendor. Most payment providers bundle this for around $30-$75 a month. Don't try to DIY this; the SAQ requires an ASV's signed report, not a raw Nessus output.

Sixth, train your staff annually. Doesn't matter if there are two of you or twenty. PCI Requirement 12.6 mandates security awareness training for everyone who handles cardholder data. A 20-minute online module, signed off, in a folder. Done.

Seventh, fill in the SAQ. Check the questions honestly. If something's not in place, fix it before you sign — not after. The Attestation of Compliance is a sworn statement to your acquirer. Lying on it isn't a paperwork crime, it's contractual fraud and it voids your card processing agreement. It also opens the door to FTC enforcement under the unfair-or-deceptive-practices test in Section 5.

The v4.0.1 changes that matter for US small business

PCI DSS v4.0.1 became mandatory in March 2025, replacing v3.2.1. For a US small business in 2026, four changes matter more than the rest.

MFA for any admin access into the cardholder data environment. We've covered this above, but the small-business angle is that it now applies to your acquirer portal and gateway dashboard, not just to anything you self-host.

Script-integrity rules in Requirements 6.4.3 and 11.6.1. If you embed any JavaScript on your payment page — Google Tag Manager, analytics, a chat widget — you have to maintain an inventory of those scripts, justify each one, and detect unauthorized changes. This is a big deal for SAQ A-EP merchants. The simplest small-business fix is to redirect to a hosted payment page (SAQ A) so the script-integrity rules don't apply to your site at all.

Targeted risk analysis. PCI v4.0.1 introduces a "customized approach" alongside the prescriptive controls. For a small business, you probably won't use it — the customized approach requires a written risk analysis for each control, and that's more work than just following the defined approach. But if your QSA or acquirer ever pushes you onto a customized path, push back. Defined approach is usually cheaper.

Password length and complexity. PCI v4.0.1 requires a minimum of 12 characters for user passwords (up from 7 in v3.2.1) with appropriate complexity. Check your CRM, your acquirer portal password, your gateway password — anywhere in scope. Small businesses miss this because their password policies haven't been touched since 2019.

Compliance ≠ security: where US small businesses go wrong

This is the part that bites people. PCI compliance is a minimum bar, not a security strategy. We see small businesses pass their SAQ and then suffer a breach because they assumed compliance was enough. It isn't.

PCI doesn't cover business email compromise — and BEC is now the single biggest cause of payment fraud against US small businesses, according to the FBI's IC3 2024 report (BEC losses topped $2.9 billion). PCI doesn't cover invoice redirection scams, where a supplier's email gets spoofed and your accounts team wires money to a fraudster. PCI doesn't cover deepfake voice calls from "your CEO" asking for an urgent ACH transfer. None of that is in the standard.

The minimum-viable security stack for a US small business in 2026 is: PCI compliance plus DMARC/DKIM/SPF properly configured on your email domain (CISA has been pushing this hard since the 2024 federal mandate), plus MFA on every business-critical account (not just the in-scope ones), plus a paid backup solution with offline copies, plus an annual phishing simulation if you have more than five employees. None of that is expensive — call it $2,500-$5,000 a year on top of PCI. It's the difference between passing your SAQ and not getting cleaned out.

When a US small business should hire a QSA

Almost never. The whole point of Level 4 is that you self-attest. Hiring a QSA (Qualified Security Assessor) for a Level 4 SAQ is like hiring a CPA to fill in your Form 1040-EZ when you've got one W-2 and a savings account. They'll do it, you'll get a tidy report, and you'll have spent $4,000-$10,000 on something you could have done in a day.

The genuine exceptions: you're transitioning between SAQs and want a sense-check before you sign; you've had a near-miss and want a second pair of eyes; you're being acquired and the buyer wants formal sign-off. In any of those cases, a QSA-led gap analysis for $2,000-$4,500 is sensible. Just don't engage them for a full ROC when you're a Level 4 merchant.

SMB compliance partners vs platform-first

There's a growing US market of "PCI compliance for small business" subscription services — typically $50-$200 a month for a portal that walks you through the SAQ, runs your ASV scans, and stores your policy documents. They're fine. They genuinely save time. But they don't change what SAQ you're on; they just help you fill it in.

The bigger lever is platform-first compliance: pick payment infrastructure that takes cardholder data completely out of your environment, so the only SAQ left to fill is SAQ A. That's $500 a year of self-attestation work, not $200 a month of subscription. We're biased here — that's literally what Paytia does for phone payments — but the math is the math. Reducing scope beats managing scope every time. The in-house vs outsourced comparison is in our PCI cost in-house vs outsourced piece.

The cost of getting it wrong

A US small business with a single card breach is looking at: forensic investigation ($10,000-$35,000), card brand fines ($5,000-$100,000 depending on volume and severity), customer notification costs ($3-$10 per affected customer factoring in state notification rules), monthly fines from your acquirer if you can't remediate quickly ($5,000-$15,000/month), state attorney general response costs (varies wildly — California, New York, Massachusetts, and Illinois all have aggressive AG offices), and reputational damage that's hard to quantify but real. Total realistic exposure for an SMB with a meaningful breach is $40,000-$350,000.

The forensic investigation alone often kills small businesses, because it has to be done by an approved PFI (PCI Forensic Investigator) at $300-$500/hour, and you have no negotiating power once you're a breached merchant notifying customers. We've covered the full picture in hidden costs of PCI non-compliance. The headline is that the cheapest PCI work you'll ever do is the work you do before the breach.

Industry-specific notes for US small business PCI

Some SMB sectors have wrinkles worth flagging. They don't change the underlying PCI rules, but they affect which channels you're using and where scope creeps in.

Contractors and home services: the classic trap. Plumbers, electricians, HVAC techs, painters, cleaners taking final payment by phone after a job. You're standing in someone's house with their card details on a sticky note. That single workflow drags every device you own — phone, truck laptop, home Wi-Fi router — into scope. Either send a payment link from your invoicing software (QuickBooks Online, FreshBooks, Jobber all do this), or use a channel-separated phone payment service. Don't read card numbers off sticky notes.

B&Bs, vacation rentals, and small accommodation: booking-confirmation calls where you take a card to guarantee a no-show fee. Same fix — payment link or channel separation. The added wrinkle is that PMS systems (property management systems) often store card-on-file for incidentals. Check that the storage is happening in the PMS provider's tokenized vault, not in a local database on your back-office laptop. If you can see a card number anywhere in the PMS, it's in your scope and needs to come out. Watch for state-specific resort tax handling at the same time — Florida, Hawaii, and Nevada in particular have rules about what gets disclosed on the receipt.

Nonprofits: PCI applies to you exactly the same as a commercial business. Donation pages, phone donations, monthly giving sign-ups by phone — all card data, all in scope. Your 501(c)(3) status doesn't change anything; tax-exempt status doesn't grant PCI exemption, because the card brands don't care who you are. Our piece on payment infrastructure for non-profits covers this.

Healthcare practitioners: independent dentists, physical therapists, chiropractors, optometrists, mental health practitioners taking copays or deposits over the phone or final settlement after a session. Watch for any cardholder data in your practice management system — and watch for PHI sitting alongside it. HIPAA Security Rule applies to the PHI; PCI DSS applies to the card data; OCR will fine you for the first and your acquirer will fine you for the second. Many SaaS PMS platforms tokenize properly; some legacy ones store PANs in clear and have done since 2008. If you're running an old on-premise system, audit it before SAQ time. The OCR's HHS breach portal will publish your name if you have a reportable breach affecting 500+ patients, so the reputational stakes are real.

Insurance brokers and independent agents: taking premium payments by phone is the default and absolutely needs channel separation. Your E&O carrier will also want to see documented compliance — most US E&O policies for independent agents now exclude losses arising from inadequate payment security. See our insurance payments piece for sector context.

Choosing payment providers as a US small business

The provider you pick has more impact on your PCI bill than any other decision. Three things to check before you sign:

Does the provider offer a hosted payment page or full redirect for online, not just embedded fields? Stripe Elements, Authorize.Net Accept.js, NMI iframe — these are all in scope for SAQ A-EP, not SAQ A. Check whether the provider also offers a hosted-redirect option (most do, but it's often buried in the docs). Stripe Checkout and Authorize.Net Accept Hosted are the SAQ A versions.

Does the provider handle phone payments natively, or do they expect you to bolt a third-party tool on? Most big US acquirers don't offer channel-separated phone capture themselves. They'll point you at a specialist (us, or one of the legacy contact-center compliance vendors). The cost of the specialist is usually $40-$250/month for a small business and pays back the first year against the scope reduction.

Does the provider issue you the SAQ paperwork and ASV scanning, or do you arrange those separately? Bundled is cheaper and the paperwork's tidier. Chase Paymentech's Safetech, Stripe's Radar/compliance bundle, Authorize.Net's PCI Manager (via Trustwave), NMI's compliance bundle — all package ASV scanning into the monthly fee for Level 4 merchants. Worth $30-$75/month not to think about it.

How to actually fill in SAQ A — a walk-through

SAQ A is 22 yes/no questions across four control objectives. Here's the honest read on what each section asks for and what counts as a passing answer for a US small business.

Build and maintain a secure network (Requirement 2): the questions are about default passwords on any system component you operate that's in scope. For SAQ A merchants, this is usually "no in-scope systems" — but you still answer the question. If you have a router or POS device in scope, the answer is "we change defaults, document the change, and review annually."

Protect cardholder data (Requirements 3 and 4): SAQ A says you don't store, process, or transmit cardholder data. The questions confirm that. Honest answer: "we redirect all card capture to <provider name>, who is PCI DSS Level 1 compliant (attestation on file). No PAN ever enters our environment." Attach the provider's Attestation of Compliance — they all provide it on request.

Maintain a vulnerability management program (Requirements 6 and 8): patching, access control, MFA. The answers are "yes" if you actually do those things. The MFA question is the one most SMBs fail. Turn on MFA for your gateway dashboard, your acquirer portal, your hosting account, and your email before you answer this section.

Implement strong access control (Requirements 9 and 12): physical security for in-scope locations, security awareness training, incident response plan. "Yes, training is delivered annually via <provider> with sign-off" and "yes, our IR plan is at <document location> and was last reviewed on <date>" are the answers you want to be able to give.

Sign the Attestation of Compliance, upload it to your acquirer's portal, schedule the next year's review for around eleven months from now. Done.

Common SMB mistakes that fail audits

From years of seeing small business PCI work, the same handful of mistakes account for most failed SAQs and post-breach forensic findings.

Reusing the same password across multiple in-scope systems. PCI v4.0.1 requires unique passwords for unique accounts. SMBs share a single "office" login between everyone — that's a fail.

Taking card details by email "just this once." PCI explicitly prohibits transmission of unencrypted PAN over messaging technologies including email and SMS. There's no "emergency override." If you get an email with a card number in it, delete it (don't reply, don't forward, don't archive) and ask the customer to use your payment link instead.

Storing the CVV after authorization. Sensitive Authentication Data (the CVV/CVC2 and full track data) cannot be stored post-auth under any circumstances. Some legacy POS systems still cache CVVs in transaction logs — that's an immediate breach finding. See our SAD glossary entry for the full rule.

Not maintaining the SAQ in between renewals. The SAQ describes a state of the world. If your infrastructure changes — new website, new gateway, new phone system — the SAQ you signed three months ago is no longer accurate. Update it, re-sign it, send it to your acquirer.

Putting the SAQ on a shelf and forgetting about it. PCI is annual. Your acquirer expects a fresh SAQ every twelve months. Missing the deadline triggers automated non-compliance fees, typically $20-$80/month, until you submit. Diary the renewal date.

What changes between now and 2027

Two things on the horizon worth knowing about. PCI DSS v4.0.2 is expected sometime in late 2026 or early 2027 — a maintenance release rather than a major version. Expect minor clarifications around the script-integrity rules and possibly some tightening on the customized-approach evidence requirements. Nothing that materially changes which SAQ a small business sits on.

The bigger shift is on the card brand side. Visa USA and Mastercard are both pushing for tokenization-by-default on card-on-file scenarios — meaning that even if you store a token (which is fine), the underlying card data must be in a tokenization vault rather than brand-issued network tokens. This affects subscription businesses, recurring billing, anyone with a card-on-file model. The detail is in our SAQ glossary entry on the changes, but for a small business the practical impact is: ask your provider whether they're using their own tokenization or brand network tokens, and check the cost difference.

Beyond that, the regulatory direction is towards stronger authentication everywhere. The CFPB and state regulators are watching authentication fraud closely, and the FTC's Safeguards Rule (which now covers many non-bank financial-service SMBs after the 2023 updates) overlaps with PCI in messy ways. For small business, the safe play is to be on payment infrastructure that already supports 3DS2 and step-up authentication out of the box. All the tier-1 US providers do; check yours.

The one-page small business PCI plan

If you read nothing else, this is the minimum-viable plan for a US SMB taking card payments in 2026:

1. Confirm Level 4 with your acquirer in writing.
2. Confirm which SAQ they want from you. Aim for SAQ A.
3. If you take phone payments, move to a channel-separated provider before the next SAQ.
4. If you take online payments, switch from embedded checkout to hosted redirect.
5. Turn on MFA on every in-scope login.
6. Write a one-page incident response plan that covers your state's breach notification timeline.
7. Pay $30-$75/month for bundled ASV scanning if you have any in-scope IPs.
8. Train your staff annually (20-minute module, signed off).
9. Complete and submit the SAQ before your acquirer's deadline.
10. Diary next year's review.

Total time investment after the initial setup: roughly two days a year. Total cost after the initial infrastructure work: $500-$1,800/year all in. Total risk reduction versus a non-compliant SAQ D setup: enormous. That's PCI compliance for small business done properly.

What good looks like for a US small business in 2026

Here's the setup we'd recommend for almost any US small business taking card payments today. Online: Stripe / Authorize.Net / NMI / Chase Paymentech with a redirect or hosted payment page (not Elements, not a custom checkout). Phone: a channel-separated DTMF capture provider so card numbers never enter your call. Card-present: a modern PED from a tier-1 acquirer (the SAQ B-IP terminals). Email: never, for cardholder data. Web chat: payment link only, never typed card details.

With that setup, you're SAQ A or SAQ A and SAQ B-IP combined. Your annual PCI cost lands around $700-$2,000. Your audit time is around eight hours a year. Your scope is essentially zero. You can scale from $250K revenue to $6M revenue without changing anything. And if you ever do have a breach, your forensic investigator will spend half an hour, conclude there was no cardholder data in your environment, and you'll be looking at notification costs instead of forensic costs.

That's what "PCI compliance for small business" actually means in 2026: pick the right infrastructure, file the SAQ once a year, sleep at night. The companies struggling with PCI are the ones who tried to keep cardholder data in-house and discovered, two years in, that they're spending $18K a year defending controls they never needed in the first place.

How this fits in the cluster

This piece sits inside our broader cost of PCI compliance guide — the pillar piece that maps every PCI cost line across merchant levels and SAQs, with the math behind each scenario. If you've read this and you want to drill into the audit-line costs specifically, that's where to go next.

Next steps

If you're a US small business taking card payments and you're not sure which SAQ you're on, or you've got a feeling you're sitting in SAQ D when you don't need to be, we'll walk through it with you. Get in touch for a 20-minute scoping call — no pitch, just an honest read on where your scope sits and what it'd take to drop a category. Or watch a live Paytia demo if you want to see channel-separated phone capture working before you commit to anything.
