Facebook Shops PCI Compliance

You just got an email from your payment processor with a “PCI DSS Compliance Questionnaire” attached. Your heart sinks. What is this? Do you need a security team? Is this going to cost thousands of dollars?

Here’s the truth: Facebook Shops PCI compliance is probably much simpler than you think. If you’re selling through Facebook Shops with Facebook Pay handling all the card processing, you’re in the easiest compliance category. This guide will walk you through exactly what you need to do — in plain English, without the jargon that makes PCI sound more complicated than it actually is.

What Is PCI Compliance (In Plain English)

PCI compliance isn’t some mysterious technical requirement — it’s simply a set of security standards designed to protect credit card data. If you accept credit cards in any way (even through Facebook Shops), these standards apply to you.

The Payment Card Industry Data Security Standard (PCI DSS) was created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through something called the PCI Security Standards Council. Think of it as the card brands getting together and saying, “Anyone who touches credit card data needs to follow these security rules.”

Your payment processor or acquiring bank enforces these standards. That’s who sent you the compliance questionnaire, and that’s who will follow up if you don’t complete it.

What happens if you ignore PCI compliance? Your processor can fine you (typically $5,000 to $100,000 per month for non-compliance), you’ll be liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards entirely. The good news? For most small businesses — especially those using platforms like Facebook Shops — compliance is straightforward and inexpensive.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:

  • Physical stores with card terminals
  • E-commerce websites
  • Phone or mail orders
  • Mobile payment apps
  • Facebook Shops, Instagram Shopping, or any social commerce platform

Your merchant level determines how much documentation you need. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete a self-assessment questionnaire rather than hiring an outside assessor.

When your payment processor sent you that compliance questionnaire, they weren’t trying to make your life difficult. They’re required by the card brands to ensure all their merchants maintain compliance. Think of it like a health inspection for restaurants — the standards exist to protect everyone, and your processor needs to verify you’re following them.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Here’s the decision tree in plain language:

How You Accept Payments | SAQ Type | Complexity | Time to Complete
Facebook Shops only (Facebook Pay handles everything) | SAQ A | Simplest (20 questions) | About 30 minutes
E-commerce with redirect to payment page (PayPal, Stripe Checkout) | SAQ A | Simplest (20 questions) | About 30 minutes
E-commerce with payment fields on your site | SAQ A-EP | Simple (190 questions) | 2-4 hours
Physical terminal only (Square, Clover) | SAQ B or B-IP | Simple (40 questions) | 1-2 hours
Take cards over the phone | SAQ C-VT | Moderate (80 questions) | 2-3 hours
Store card numbers anywhere | SAQ D | Complex (340+ questions) | Requires IT team

For Facebook Shops merchants, you’re almost certainly SAQ A — the simplest type. Facebook Pay handles all the actual card processing, so you never touch the card data. You’re essentially just telling Facebook what to charge.

Not sure which SAQ applies to you? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need. No guessing, no reading through complex flowcharts.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. For SAQ A (which most Facebook Shops merchants use), you’ll answer questions like:

  • “Do you have a written security policy?”
  • “Do you use unique passwords for admin accounts?”
  • “Do you install security updates?”

When the question asks if you do something, “yes” means you actually do it — not that you plan to or think you should. Be honest. If you answer “no” to a question, you’ll need to either implement that control or explain why it doesn’t apply to your business.

Documentation you’ll need:

  • Your vendor list (who provides your e-commerce platform, hosting, etc.)
  • Your security policies (even simple one-page documents count)
  • Evidence of security updates and patches

For most SAQ types, you’ll also need quarterly ASV scans. An Approved Scanning Vendor runs automated security scans of your website to check for vulnerabilities. It’s like a safety inspection for your online systems — the scan runs automatically and emails you a report. If it finds issues, you fix them and rescan.

Once you’ve completed your questionnaire and passed your scan, you’ll submit:
1. Your completed SAQ
2. The Attestation of Compliance (AOC) — a form stating you’ve met all requirements
3. Your passing ASV scan report (if required)

Your payment processor will tell you exactly where to submit these. Many now have online portals where you upload everything.

What It Costs

Let’s be honest about costs — PCI compliance isn’t free, but it’s probably less expensive than you fear:

Compliance platform and tools: $100-300/year for small merchants

  • Includes SAQ wizard, compliance tracking, and basic support
  • Some payment processors include this with your merchant account

Quarterly ASV scanning: $40-100/quarter ($160-400/year)

  • Required for most online merchants
  • Some compliance platforms include this in their annual fee

If you need a QSA: $5,000-50,000+ (but you probably don’t)

  • Only required for Level 1 merchants or those with complex environments
  • Most Facebook Shops merchants never need this

The cost of NON-compliance:

  • Monthly fines: $5,000-100,000 from your processor
  • Breach liability: Average small business breach costs $150,000+
  • Lost ability to process cards: Priceless (in the worst way)

For most small merchants, annual compliance costs less than a single month’s non-compliance fine. Think of it as insurance — except it’s required insurance that actually makes your business more secure.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your compliance expires annually, and you’ll need to:

  • Complete your SAQ questionnaire each year
  • Run quarterly ASV scans (if required for your SAQ type)
  • Update your assessment if your payment methods change

Set up these reminders now:

  • Annual SAQ due date (usually the anniversary of your last submission)
  • Quarterly scan dates (every 90 days)
  • Security update check (monthly is good practice)

Major changes trigger a new assessment:

  • Adding a new payment channel (like opening a physical store)
  • Changing payment providers
  • Starting to store card numbers (please don’t)
  • Significant changes to your website or payment flow

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and shows your compliance status at a glance. You’ll never wonder “When was my last scan?” or “Is my compliance current?”

FAQ

Do Facebook Shops handle PCI compliance for me?

Facebook Pay handles the actual card processing, which is why you qualify for SAQ A. However, you still need to complete your annual self-assessment and maintain basic security practices for any systems that connect to your Facebook Shops account.

What if I only sell occasionally through Facebook?

Volume doesn’t matter — if you accept even one credit card payment, PCI DSS applies. The good news is that low-volume merchants are Level 4, which means self-assessment rather than external audits.

Can I just ignore the compliance questionnaire?

Your payment processor will start with reminder emails, then monthly fines (typically $25-100 for small merchants), escalating to thousands per month. Eventually, they can terminate your ability to accept cards. It’s much easier to just complete the questionnaire.

How long does the SAQ take to complete?

For Facebook Shops merchants using SAQ A, expect 30-60 minutes for your first assessment. Future years are faster since you’re just confirming that your practices haven’t changed. The key is having your documentation ready.

Do I need to hire a security consultant?

Most Facebook Shops merchants don’t need outside help. The questions in SAQ A are straightforward — things like “Do you use unique passwords?” If you’re comfortable with basic computer security, you can handle it yourself.

What’s the difference between SAQ A and SAQ A-EP?

SAQ A is for merchants who fully outsource payment processing (like Facebook Shops with Facebook Pay). SAQ A-EP is for e-commerce merchants whose customers enter card data on the merchant’s website, even if it goes directly to a processor.

What if I fail my ASV scan?

ASV scans often find minor issues like outdated software versions. You get a detailed report, fix the issues (usually by installing updates), and rescan. Most merchants pass within 1-2 attempts. You’re not “failing” — you’re identifying and fixing vulnerabilities.

My processor says I need PCI compliance but I don’t store card numbers. Why?

PCI DSS applies to anyone who accepts, processes, stores, or transmits card data — not just storage. Even if Facebook handles everything, you’re still part of the payment chain and need to maintain basic security standards.

Conclusion

PCI compliance for Facebook Shops doesn’t have to be overwhelming. For most merchants, it’s a simple annual questionnaire that takes less than an hour to complete. Yes, there are requirements to meet and scans to run, but the process is manageable — especially with the right tools.

The key is to start now. That compliance questionnaire from your processor isn’t going away, and the longer you wait, the more stressful it becomes. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team.

Your Facebook Shops business is already set up for the simplest path to compliance. Now you just need to document it, scan it, and submit it. You’ve got this — and we’re here to help every step of the way.
