PrestaShop PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire and you’re feeling overwhelmed, take a deep breath. For most PrestaShop store owners, PCI compliance is actually simpler than it sounds. You’re likely looking at a straightforward self-assessment questionnaire (SAQ) that takes an hour or two to complete, not the complex audit you might be imagining. Here’s what you actually need to know to get compliant and stay that way.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to anyone who stores, processes or transmits cardholder data, which in practice means anyone who accepts card payments. Think of it as the minimum security baseline for protecting your customers’ card data. It’s not itself a law, but it might as well be: accepting cards is conditional on agreeing to it in your merchant contract.

The major card brands (Visa, Mastercard, American Express, Discover and JCB) created these standards through the PCI Security Standards Council. But here’s who you’ll actually hear from: your payment processor or acquiring bank, the company that handles your card transactions. They’re the ones who sent you that compliance questionnaire, and they’re the ones who can fine you or even terminate your merchant account if you don’t comply.

The consequences of non-compliance are real but manageable. Your processor can impose monthly fines (typically $20-100 for small merchants), you can be held liable for fraud losses, forensic investigation and card-reissue costs if there’s a breach, and in extreme cases you could lose the ability to accept cards. But here’s the good news: most small businesses, including PrestaShop stores, qualify for the simplest compliance requirements.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you process one transaction a year or thousands daily. Using PrestaShop with any payment module means you need to comply.

Your merchant level determines how much documentation you need to provide. Levels are set by transaction volume per card brand; most PrestaShop stores are Level 4 merchants (fewer than 20,000 e-commerce transactions a year, and under 1 million transactions overall). At this level you complete a self-assessment questionnaire rather than hiring an assessor.

Your payment processor expects you to:

  • Complete the right SAQ for your payment setup
  • Pass quarterly vulnerability scans if required
  • Submit an Attestation of Compliance (AOC) annually
  • Fix any security issues that come up

That questionnaire they sent? It’s their way of ensuring you’re meeting these requirements. They need it for their own compliance — they have to prove all their merchants are following the rules.

Which SAQ Do You Need?

The Self-Assessment Questionnaire you need depends entirely on how card data flows through, or around, your store. Here’s the decision tree in plain language:

Your payment setup                                                    | SAQ type  | Questions (approx.) | Complexity
Redirect to the payment provider’s page (PayPal, Stripe Checkout)     | SAQ A     | 22                  | Easiest
Card form on your own page, posted to the processor by your code      | SAQ A-EP  | 139                 | Moderate
Standalone terminal separate from PrestaShop                          | SAQ B     | 41                  | Easy
IP-connected terminal on the same network as PrestaShop               | SAQ B-IP  | 82                  | Moderate
Phone orders keyed into a web-based virtual terminal                  | SAQ C-VT  | 86                  | Moderate
Card numbers stored in PrestaShop                                     | SAQ D     | 329                 | Complex

The question counts are approximate and change between PCI DSS versions: v4.0 replaced v3.2.1 in 2024, revised every SAQ, and pays much more attention to the scripts loaded on e-commerce payment pages. Use the current SAQ documents from the PCI Security Standards Council, and the eligibility criteria printed at the front of each one, as the final word on which SAQ you qualify for.

For PrestaShop stores specifically:

  • Using PayPal Express Checkout or Stripe Checkout, where the customer is redirected to the provider’s page? That’s SAQ A
  • Using provider-hosted card fields embedded in an iframe (Stripe Elements and similar)? Generally still SAQ A, because the card fields are served by the provider rather than by your page; confirm the eligibility criteria with your provider and your acquirer
  • Rendering the card fields yourself and posting them to the processor with your own JavaScript? That’s SAQ A-EP
  • Taking phone orders and keying them into a web-based virtual terminal on a dedicated computer? That’s SAQ C-VT. Card numbers arriving by email sit in your mailbox and backups, which puts that data in scope; avoid that channel
  • Storing card numbers in your database? Please stop doing that, but until you do, it’s SAQ D

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your setup and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Your SAQ is a series of questions, each asking whether a particular security control is in place. “Yes” means you have the control the question describes, not that you have the weakness it guards against. For example, “Is a firewall in place?” is a question you want to answer “yes” to. The other possible answers are “Yes with a compensating control”, “No”, and “Not applicable” (which requires a short written justification).

Here’s what to expect:

  • SAQ A: About 30 minutes, mostly confirming you don’t touch card data
  • SAQ A-EP: 1-2 hours, includes questions about your website security
  • Other SAQs: 2-4 hours depending on complexity

Documentation you’ll need:

  • Your payment processor agreements
  • Network diagram (even a simple one)
  • Security policies (we provide templates)
  • Scan reports from your ASV (if required)

The quarterly ASV scan is part of SAQ A-EP, B-IP, C and D; SAQ A, B and C-VT don’t include it, though your processor may still ask for one. An Approved Scanning Vendor runs automated external scans of your PrestaShop store’s internet-facing hosts to check for known vulnerabilities, and you need a passing scan each quarter plus a rescan after significant changes. It’s not as scary as it sounds: the scan runs automatically and most findings are routine (outdated software versions, weak TLS configuration).

Once complete, you’ll submit:
1. Your completed SAQ
2. The Attestation of Compliance (AOC) — a formal declaration that you’re compliant
3. Your passing ASV scan report (if required)
4. Any other documents your processor requests

What It Costs

Let’s talk real numbers for PrestaShop PCI compliance:

Compliance platforms and tools: $50-300 annually for small merchants. This typically includes:

  • SAQ questionnaire platform
  • Compliance tracking
  • Policy templates
  • Basic support

ASV scanning: $200-500 annually for quarterly scans. Some compliance platforms include this.

If you need a QSA: a Qualified Security Assessor and a full Report on Compliance are only required for Level 1 merchants (over 6 million transactions a year) or if your processor specifically demands it. Budget $10,000-50,000 for a formal assessment. (You probably don’t need this.)

The cost of NON-compliance:

  • Monthly non-compliance fees: $20-100
  • If you have a breach: $5,000-50,000 in fines
  • Lost ability to process cards: priceless

Honest assessment? For most PrestaShop merchants, annual compliance costs less than what you’d pay in non-compliance fees over just a few months.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your compliance expires annually, and you’ll need to:

  • Complete your SAQ again each year
  • Run quarterly vulnerability scans (if required)
  • Update your assessment if you change payment methods
  • Fix any vulnerabilities your scans find

Set calendar reminders for:

  • Annual SAQ due date (usually your anniversary date)
  • Quarterly scan windows
  • Policy review dates

Changes that trigger a new assessment:

  • Switching payment providers
  • Adding new payment methods
  • Changing how you handle card data
  • Major PrestaShop upgrades that affect payment processing

PCICompliance.com’s compliance dashboard tracks all these dates and sends automatic reminders. You’ll never miss a deadline or wonder about your compliance status.

FAQ

I’m just a small PrestaShop store. Do I really need to do this?

Yes, but it’s probably simpler than you think. If you’re using standard payment modules like PayPal or Stripe with provider-hosted payment pages, you’re likely looking at SAQ A, a short questionnaire that mostly confirms you’re not handling or storing card data yourself. The whole process takes about 30 minutes once a year.

What happens if I ignore the compliance questionnaire?

Your payment processor will start charging monthly non-compliance fees (usually $20-100). Eventually, they may increase your transaction rates or even terminate your merchant account. It’s much easier to just complete the questionnaire.

Do I need to hire a security consultant?

For most PrestaShop stores, no. The self-assessment questionnaires are designed for business owners to complete themselves. If you’re SAQ A or A-EP (the most common for e-commerce), the questions are straightforward and relate to basic security practices.

My payment provider says they’re PCI compliant. Doesn’t that cover me?

No, their compliance covers their systems, not yours. You’re still responsible for your PrestaShop store’s security and how you integrate with their services. Think of it this way: they secure the highway, but you still need to secure your own car.

How do I know if I’m storing credit card data?

Check your PrestaShop database for any tables containing card numbers. Look in order history, customer records, customer messages and order notes, any custom or third-party payment modules, and also in database backups, exports and application logs, which are where stray card numbers usually end up. If you see full card numbers anywhere (even if encrypted), you’re storing card data; a truncated value such as the first six and last four digits is fine, and the CVV/CVC must never be stored after authorization, encrypted or not. The safest approach? Use tokenization or hosted payment forms so card data never touches your servers.
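One way to carry out that check is to scan free-text columns for digit runs that pass the Luhn check, which filters out most order references, tracking numbers and invoice numbers that merely look like card numbers. The script below is an added example, not PrestaShop code or PCICompliance.com tooling; it runs over constructed sample rows that stand in for columns you would pull from tables such as ps_message or ps_orders (ps_ is PrestaShop’s default table prefix), and it reports hits in masked form so the report itself doesn’t become stored card data.

```python
"""Find stored primary account numbers (PANs) in free-text database columns.

Added example (not PrestaShop or PCICompliance.com code). Technique:
  1. regex for 13-19 digit runs with optional space/dash separators,
     skipping values that are already masked with asterisks;
  2. Luhn check to drop invoice and tracking numbers;
  3. report only masked values (first 6 / last 4), never the full PAN.
The SAMPLE_ROWS below are constructed; in practice feed this the output of
SELECT statements over your own tables (and your backups and logs).
"""
import re

# 13-19 digits, optional single space or dash between digits, not adjacent
# to another digit or an asterisk (so "4242********4242" is left alone).
CANDIDATE_RE = re.compile(r"(?<![\d*])(?:\d[ -]?){12,18}\d(?![\d*])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid 13-19 digit candidates found in text (unmasked)."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # Repeated single digits (e.g. 16 nines) pass Luhn but are never real PANs.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """First six and last four digits, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample rows: (table, column, primary key, value).
# Card numbers used are the published Visa and Amex test numbers.
SAMPLE_ROWS = [
    ("ps_message", "message", 101,
     "Customer called; card 4242 4242 4242 4242 exp 12/26 cvv 123"),
    ("ps_customer_message", "message", 102,
     "Order ref XKBXQ-12345, tracking 1Z9999999999999999"),
    ("ps_orders", "payment", 103,
     "Card ending in 4242 (4242********4242)"),
    ("ps_orders", "reference", 104,
     "Phone order; invoice 2024-0001234567"),
    ("ps_message", "message", 105,
     "AMEX 3782 822463 10005, customer asked us to keep it on file"),
]


def scan_rows(rows) -> list[dict]:
    """Scan (table, column, id, value) rows and return masked findings."""
    findings = []
    for table, column, row_id, value in rows:
        for pan in find_pans(str(value)):
            findings.append({"table": table, "column": column,
                             "id": row_id, "masked": mask(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['table']}.{f['column']} id={f['id']}: {f['masked']}")
```

Rows 102, 103 and 104 are deliberate near-misses: a run of identical digits, an already-masked value, and an invoice number that fails Luhn. Any real hit means you are storing card data and are in SAQ D territory until the data is securely deleted and the module or process that wrote it is fixed.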

What if my vulnerability scan fails?

Don’t panic: most failures are for routine issues like SSL or early TLS (anything below TLS 1.2) still enabled, or outdated software versions. Your ASV provides a report showing exactly what needs fixing. Common findings include old TLS versions and weak cipher suites, unnecessary services exposed to the internet, and outdated PrestaShop releases or modules. Fix the issues and request a rescan; the scan only needs to pass within the quarter.

Can I just say “yes” to everything on the SAQ?

Absolutely not. A false attestation is treated as fraud and can result in serious penalties. Answer honestly: if you can’t answer “yes” to a requirement, you need to either implement the control, document a compensating control, or, where the requirement genuinely doesn’t apply to your setup, mark it not applicable with a written justification.

How often do I need to complete this?

Your SAQ and AOC are due annually. Vulnerability scans (if required) run quarterly. Your payment processor will send reminders, but it’s your responsibility to track these dates. Missing a deadline usually means non-compliance fees from your processor until you submit.

Conclusion

PrestaShop PCI compliance doesn’t have to be overwhelming. For most merchants, it’s a straightforward annual process that protects both your business and your customers. The key is understanding which SAQ applies to your specific setup and staying on top of the annual requirements.

Start by identifying your SAQ type — PCICompliance.com’s free SAQ Wizard makes this simple. From there, you’ll need the right tools to complete your assessment and maintain compliance year-round. Our platform provides everything in one place: the questionnaire platform, ASV scanning service for your quarterly scans, remediation guidance when issues arise, and a compliance dashboard that tracks all your deadlines.

Whether you’re completing your first SAQ or renewing your annual compliance, having the right support makes all the difference. Start with our free SAQ Wizard to identify exactly what you need, or reach out to our compliance team for personalized guidance on your PrestaShop setup.
