Yes. All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. Inherent in having a merchant account is the ability to handle cardholder data. Small businesses are often the targets of hacking activities as frequently as the large retail stores consistently in the news for breaches.