PCI compliance on each platform?

BigCommerce: PCI DSS Level 1 certified at the platform level. As a merchant on BC, you generally complete SAQ-A (the lightest self-assessment) because cardholder data never touches your servers. Easy.

Magento self-hosted: depends on your checkout. Use a hosted payment gateway (Stripe Checkout, PayPal, Braintree hosted-fields) and you’re SAQ-A or SAQ-A-EP. Use server-side card capture (rare in 2026, not recommended) and you’re SAQ-D — full PCI scope, audits, quarterly scans, expensive.

Adobe Commerce: similar to Magento Open Source; the official Adobe Commerce + hosted-gateway setup is SAQ-A or SAQ-A-EP.

For 95% of merchants on either platform, PCI is SAQ-A, so the burden is equivalent. For high-volume merchants who need cardholder data residency for fraud/chargeback workflows, the comparison gets more nuanced.
