Salesforce Commerce Cloud PCI Compliance: What You Need to Know

Here’s the bottom line: If you just received a PCI compliance questionnaire from your payment processor and you’re using Salesforce Commerce Cloud, take a deep breath. For most businesses, achieving PCI compliance is simpler than you think. You’re likely looking at completing a straightforward self-assessment questionnaire (SAQ) that takes a few hours, not the complex audit you might be imagining. This guide will walk you through exactly what you need to do.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit card payments. If you process, store, or transmit credit card data — even if it’s just through your Salesforce Commerce Cloud store — you need to be PCI compliant.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through the PCI Security Standards Council. But here’s who actually enforces it: your acquiring bank or payment processor — the company that handles your credit card transactions. That’s who sent you the compliance questionnaire, and that’s who you’ll submit your completed assessment to.

What happens if you’re not compliant? Your payment processor can fine you (typically $5,000-$100,000 per month), you’ll be liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards entirely. The good news? Most small and mid-size businesses qualify for the simplest compliance paths, which means answering a shorter questionnaire and implementing basic security measures you probably already have in place.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes. It doesn’t matter if you only process ten transactions a month or if Salesforce Commerce Cloud handles everything for you. If credit card numbers touch your business in any way, PCI compliance applies to you.

Your merchant level determines how you demonstrate compliance. Most businesses are Level 4 merchants (fewer than 20,000 Visa e-commerce transactions annually, or up to 1 million Visa transactions through other channels). Level 4 merchants typically complete a self-assessment questionnaire rather than hiring an external auditor. Here’s what each level means:

  • Level 1: Over 6 million transactions annually (requires annual on-site assessment by a QSA)
  • Level 2: 1-6 million transactions annually (annual self-assessment, quarterly network scans)
  • Level 3: 20,000-1 million transactions annually (annual self-assessment, quarterly network scans)
  • Level 4: Under 20,000 e-commerce or up to 1 million other transactions annually (annual self-assessment, quarterly network scans may be required)

That compliance questionnaire your payment processor sent? They’re required to verify your compliance annually. They need you to complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC). Think of the SAQ as a checklist of security practices, and the AOC as your signature saying “yes, we did this.”

Which SAQ Do You Need?

The type of SAQ you complete depends on how you handle credit card data. With Salesforce Commerce Cloud, your SAQ type typically depends on your payment integration method. Here’s how to determine which one applies to you:

Payment scenario                                                       SAQ type   Questions*   Complexity
Fully hosted payment page (customer redirected to the processor)       SAQ A      22           Simplest
Payment iframe served entirely by a compliant processor
  (iframe-based fields such as Stripe Elements)                        SAQ A      22           Simplest
Card fields on your own page, sent straight to the processor
  by JavaScript or a direct-post form                                  SAQ A-EP   191          Moderate
Physical card terminals, no electronic storage                         SAQ B      41           Simple
Standalone physical terminals with an IP connection                    SAQ B-IP   82           Simple
Phone/mail orders keyed manually into a virtual terminal, no storage   SAQ C-VT   84           Moderate
Card data stored, processed or transmitted by your own systems,
  or any setup not covered above                                       SAQ D      329+         Complex

* Question counts are from the PCI DSS v3.2.1 questionnaires; the v4.x SAQs have different counts, so expect the version your processor sends you to differ.

For Salesforce Commerce Cloud users, you’re most likely looking at:

  • SAQ A if your checkout redirects customers to the processor’s hosted page, or embeds an iframe that the processor serves entirely, so that no element of the payment page originates from your storefront
  • SAQ A-EP if card fields sit on a page your storefront serves and JavaScript or a direct-post form sends the data straight to the processor. Card data never reaches your servers, but because you deliver part of the payment page you are responsible for protecting it from tampering
  • SAQ D if card data is stored, processed or transmitted by your own systems, for example if you’ve customized the platform to accept card numbers in your own form or to store them (please reconsider this approach)
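The distinction above comes down to two questions: where do the elements of the payment page originate, and where is the card data sent? The script below is an added example written for this article, not Salesforce or PCICompliance.com code. It parses the HTML your storefront serves at the payment step and applies that logic as a triage. The merchant host, processor hosts and page fragments are constructed for illustration; substitute your own. Treat its output as a starting point: the eligibility criteria printed at the front of each SAQ are what actually decide.

```python
"""Triage which e-commerce SAQ a checkout page points towards.

Parses the HTML your storefront serves at the payment step and applies the
SAQ A / A-EP / D logic: where the payment-page elements originate, and where
the card data is sent. Host names and page fragments below are constructed
for illustration (hypothetical merchant and processor domains).
"""
from html.parser import HTMLParser
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Attribute fragments that mark an <input> as a card field: common names plus
# the HTML autocomplete tokens cc-number / cc-exp / cc-csc.
CARD_FIELD_HINTS = ("card", "pan", "cvv", "cvc", "csc", "cc-", "expir")

MERCHANT_HOST = "shop.example.com"                       # hypothetical storefront
PROCESSOR_HOSTS = {"pay.example-processor.com",          # hypothetical processor hosts
                   "js.example-processor.com"}


class CheckoutInspector(HTMLParser):
    """Collects card inputs (with their enclosing form's action), every form
    action, and the hosts that iframes and scripts are loaded from."""

    def __init__(self) -> None:
        super().__init__()
        self.form_actions: List[str] = []        # every <form action> on the page
        self.card_form_actions: List[str] = []   # actions of forms containing card fields
        self.iframe_hosts: Set[str] = set()
        self.script_hosts: Set[str] = set()
        self._open_form: Optional[str] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._open_form = a.get("action", "")
            self.form_actions.append(self._open_form)
        elif tag == "input":
            ident = " ".join([a.get("name", ""), a.get("id", ""), a.get("autocomplete", "")]).lower()
            if any(hint in ident for hint in CARD_FIELD_HINTS):
                self.card_form_actions.append(self._open_form or "")
        elif tag == "iframe" and a.get("src"):
            self.iframe_hosts.add(urlsplit(a["src"]).hostname or "")
        elif tag == "script" and a.get("src"):
            self.script_hosts.add(urlsplit(a["src"]).hostname or "")

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._open_form = None


def _hosts(actions: Iterable[str], merchant_host: str) -> Set[str]:
    """Relative or empty form actions post back to the merchant's own host."""
    return {urlsplit(act).hostname or merchant_host for act in actions}


def classify_checkout(html: str, merchant_host: str, processor_hosts: Iterable[str]) -> Tuple[str, str]:
    """Return (SAQ candidate, reason) for one served checkout page."""
    processors = set(processor_hosts)
    insp = CheckoutInspector()
    insp.feed(html)

    if not insp.card_form_actions:
        # Your page carries no card fields, so card data never enters the browser
        # through anything you serve: a redirect to, or an iframe from, the processor.
        if insp.iframe_hosts & processors or _hosts(insp.form_actions, merchant_host) & processors:
            return ("SAQ A", "no card fields served by you; payment elements originate from the processor")
        return ("undetermined", "no card fields and no processor redirect or iframe; check how the customer reaches payment")

    card_targets = _hosts(insp.card_form_actions, merchant_host)
    if card_targets and card_targets <= processors:
        return ("SAQ A-EP", "card fields on your page post directly to the processor (direct post)")
    if insp.script_hosts & processors:
        return ("SAQ A-EP or SAQ D", "card fields on your page plus a processor script: A-EP only if that "
                                     "script tokenises before submit; confirm with a network capture")
    return ("SAQ D", "card fields on your page post to your own server, so card data transits your environment")


# Constructed checkout fragments, one per integration style.
SAMPLE_PAGES = {
    "redirect": '<form action="https://pay.example-processor.com/session/abc"><button>Pay now</button></form>',
    "iframe": '<iframe src="https://pay.example-processor.com/fields?s=abc"></iframe>'
              '<form action="/checkout/confirm"><button>Pay</button></form>',
    "direct_post": '<form action="https://pay.example-processor.com/directpost">'
                   '<input name="cardNumber"><input name="cvv"><input name="expiry"></form>',
    "js_tokenize": '<script src="https://js.example-processor.com/v1/tokenize.js"></script>'
                   '<form action="/checkout/pay"><input autocomplete="cc-number" name="number"><input name="cvc"></form>',
    "own_form": '<form action="/checkout/pay" method="post"><input name="card_number"><input name="card_cvv"></form>',
}

if __name__ == "__main__":
    for style, page in SAMPLE_PAGES.items():
        saq, why = classify_checkout(page, MERCHANT_HOST, PROCESSOR_HOSTS)
        print(f"{style:12} -> {saq}: {why}")
```

The "js_tokenize" case is the one that needs a human: a processor script that swaps the card number for a token before the form submits keeps you at SAQ A-EP, but if the form posts the raw number to your server first and only then tokenises, card data transited your environment and you are in SAQ D territory. Watch the actual request in the browser's network panel rather than trusting the integration's marketing.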

Not sure which applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need — no guesswork required.

How to Complete Your SAQ

Your SAQ is a questionnaire with yes/no questions about your security practices. “Yes” means you have that security control in place and working. “No” means you need to implement it or explain why it doesn’t apply to you. Here’s what to expect:

The Process:
1. Download the correct SAQ from the PCI Security Standards Council or use PCICompliance.com’s guided questionnaire
2. Answer each question honestly — the questions are straightforward, like “Do you change default passwords?” and “Is your payment page encrypted with HTTPS?”
3. Gather supporting documentation — you’ll need your network diagram (even a simple one), security policies, and vendor agreements
4. Complete your quarterly ASV scan if required — this is an automated security scan of your public-facing systems
5. Submit your SAQ and AOC to your payment processor

Quarterly ASV Scans:
If you’re processing online, you may need quarterly vulnerability scans by an Approved Scanning Vendor (ASV). These automated scans check your public-facing systems for known vulnerabilities. SAQ A-EP and SAQ D require them; whether your SAQ A does depends on the SAQ version your processor requires, so check the Requirement 11 section of the questionnaire you were sent. Scans typically take 24-48 hours to complete and cost $200-500 per year for all four quarterly scans. PCICompliance.com includes ASV scanning in our compliance packages.

Timeline:
For most merchants, completing your first SAQ takes 2-8 hours spread over a few days. Subsequent years are faster since you’re just updating your previous answers.

What It Costs

Let’s talk real numbers for PCI compliance:

Compliance Tools and Support:

  • SAQ completion platform: $200-1,500/year depending on features
  • Quarterly ASV scanning: $200-500/year for all four scans
  • Compliance management dashboard: Often included with SAQ tools
  • Expert support: $500-2,000 if you need help completing your first assessment

If You Need a QSA:
Only Level 1 merchants must have an on-site assessment by a Qualified Security Assessor (QSA); some card brands (Mastercard, for example) also require Level 2 merchants to use a QSA unless the self-assessment is signed off by staff holding the PCI Internal Security Assessor (ISA) qualification. Service providers have their own levels and requirements. If you do need one, expect:

  • QSA assessment: $15,000-50,000+ depending on scope
  • Penetration testing: $5,000-25,000 if required

The Cost of Non-Compliance:

  • Monthly non-compliance fees: $5,000-100,000 from your processor
  • Breach liability: Average small business breach costs $120,000+
  • Lost business: Losing the ability to accept cards can be catastrophic

For most small merchants using Salesforce Commerce Cloud, annual compliance costs less than $1,000 — far less than a single month of non-compliance fines.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly milestones. Here’s how to stay on track:

Annual Requirements:

  • Complete and submit your SAQ every 12 months
  • Review and update security policies
  • Train staff on security procedures
  • Test your incident response plan

Quarterly Requirements:

  • Run ASV scans if you process online
  • Review user access and remove unnecessary accounts
  • Check that security patches are up to date
  • Monitor for any changes that might affect your SAQ type

What Triggers a New Assessment:

  • Changing payment processors or methods
  • Adding new payment channels (like adding phone orders to your online store)
  • Significant changes to your Salesforce Commerce Cloud configuration
  • Starting to store card data (don’t do this without talking to a QSA)

PCICompliance.com’s compliance dashboard sends automatic reminders for all these milestones and tracks your progress throughout the year. No more scrambling when your processor sends their annual reminder.

FAQ

Q: I only process a few transactions a month. Do I really need to comply?

A: Yes, PCI compliance applies regardless of transaction volume. The good news is that low-volume merchants typically qualify for the simplest SAQ types, making compliance straightforward and affordable.

Q: Doesn’t Salesforce Commerce Cloud handle PCI compliance for me?

A: Salesforce validates Commerce Cloud as a PCI DSS service provider and can provide its Attestation of Compliance, which you list in the third-party service provider section of your SAQ. That covers the platform, not your implementation: you remain responsible for your checkout configuration, payment integration, custom code, logging, and who has access to the environment. You still need to complete an SAQ that covers how you’ve set up and use the platform.

Q: How long does PCI compliance last?

A: PCI compliance is valid for one year from your assessment date. You’ll need to complete a new SAQ annually and perform quarterly ASV scans if required by your SAQ type.

Q: What if I fail my ASV scan?

A: Failed scans are common on the first attempt — they identify vulnerabilities that need fixing. You have time to remediate issues and rescan. PCICompliance.com provides remediation guidance and unlimited rescans.

Q: Can I just ignore the compliance request from my processor?

A: Ignoring PCI requirements leads to monthly non-compliance fines, increased liability if there’s a breach, and potentially losing your ability to accept credit cards. The fines alone far exceed the cost of compliance.

Q: Do I need to hire a security consultant?

A: Most small businesses don’t need external consultants for PCI compliance. Guided SAQ tools and basic support are sufficient for Level 3 and 4 merchants using standard payment setups.

Q: What’s the difference between PCI compliance and SOC 2 or ISO 27001?

A: PCI DSS specifically covers credit card data security and is required for card acceptance. SOC 2 and ISO 27001 are broader security frameworks that may complement but don’t replace PCI requirements.

Q: How do I know if I’m storing credit card data?

A: Search everywhere your environment writes data: custom objects and database exports, order and customer attributes, custom log files and debug output (developers often log the full gateway request), job exports, and backups. Look for 13-19 digit sequences that pass the Luhn check, not just exact 16-digit matches, because card numbers are often written with spaces or dashes. Payment tokens and truncated numbers (first six and last four digits) are not cardholder data; full card numbers are, and CVV/CVC values must never be stored after authorization under any SAQ. If you can see full card numbers anywhere after a transaction, you’re storing them: remove them, fix the code path that wrote them, and expect to complete SAQ D until you can show they no longer exist.
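Grepping for exact 16-digit numbers misses spaced or dashed card numbers and drowns you in order IDs. The scanner below is an added example written for this article, not Salesforce or PCICompliance.com code: it finds 13-19 digit runs that pass the Luhn check, guesses the brand from the leading digits, and reports each hit masked to the first six and last four digits so the report itself does not become a new store of card numbers. The log lines are constructed and use the card brands’ public test numbers; in practice you would run scan_file over exported Commerce Cloud logs, custom object exports and database dumps.

```python
"""Cardholder-data discovery over exported log and data files.

Finds 13-19 digit runs (optionally separated by spaces or dashes) that pass
the Luhn check and reports them masked, so the report never contains a full
PAN. Sample input below is constructed; the numbers are public test cards.
"""
import re
from typing import List, NamedTuple

# 13-19 digits, each optionally followed by one space or dash, with no digit
# immediately before or after. Runs of 20+ digits never match, which is fine:
# no card number is that long.
PAN_PATTERN = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed log lines, not real Commerce Cloud output.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO  order=00012345 total=49.99 status=AUTHORIZED
2024-05-01T10:00:02Z DEBUG gateway-request cardNumber=4111111111111111 exp=12/26
2024-05-01T10:00:03Z DEBUG gateway-request pan=5555 5555 5555 4444 cvv=***
2024-05-01T10:00:04Z INFO  token=tok_1234567890123456 customer=c_778899
2024-05-01T10:00:05Z DEBUG amex 3782-822463-10005 declined
2024-05-01T10:00:06Z INFO  session=9876543210987654321 ok
"""


class Finding(NamedTuple):
    line_no: int
    masked_pan: str
    brand: str


def luhn_valid(digits: str) -> bool:
    """Mod-10 check; rejects most order IDs, tokens and session identifiers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def guess_brand(digits: str) -> str:
    """Coarse issuer guess from the leading digits (simplified IIN ranges)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "Mastercard"
    if digits.startswith("6011") or digits[:2] == "65":
        return "Discover"
    return "unknown"


def mask(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid candidate, never the full number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask(digits), guess_brand(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan an exported log, CSV or dump; undecodable bytes are replaced, not fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} {f.masked_pan}")
```

Roughly one in ten random digit strings passes Luhn, so treat hits as leads and look at the field name beside each one. A hit next to a name like cvv or cvc is the more serious finding, since the security code must never be stored after authorization at all.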

Conclusion

PCI compliance for Salesforce Commerce Cloud doesn’t have to be overwhelming. For most businesses, it means completing a straightforward self-assessment questionnaire once a year and running quarterly security scans. The entire process typically takes a few hours and costs less than your monthly coffee budget.

The key is identifying which SAQ type applies to your specific payment setup and staying organized with annual requirements. PCICompliance.com makes this simple — our free SAQ Wizard determines exactly which questionnaire you need based on your Salesforce Commerce Cloud configuration, our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard keeps you on track year-round. Whether you’re completing your first assessment or maintaining ongoing compliance, we provide the tools and support to make PCI compliance manageable. Start with our free SAQ Wizard to identify your requirements, or talk to our compliance team for guidance specific to your Salesforce Commerce Cloud setup.
