CyberSource PCI Compliance
Bottom Line Up Front
If you just received a PCI compliance questionnaire from CyberSource (or any payment processor) and you’re feeling overwhelmed — take a breath. For most small businesses, PCI compliance is simpler than you think. You probably qualify for one of the shorter questionnaires that takes about an hour to complete, and the entire process is less complicated than doing your business taxes.
Here’s what matters right now: Yes, you need to complete this. No, it’s not as scary as it looks. And yes, we’ll walk you through exactly what CyberSource PCI compliance means for your business.
What Is PCI Compliance (In Plain English)
PCI compliance means following security rules that protect credit card information. Think of it like the health code for restaurants, but for businesses that accept card payments. Just as restaurants follow food safety rules to protect customers, you follow PCI rules to protect their payment information.
The PCI DSS (Payment Card Industry Data Security Standard) was created by the major card brands — Visa, Mastercard, Discover, American Express, and JCB — through an organization called the PCI Security Standards Council. But here’s the key: they don’t enforce it directly. Your payment processor (like CyberSource) does. That’s why you received that questionnaire.
What Happens If You Don’t Comply?
Your payment processor can:
- Fine you (typically $5,000 to $100,000 per month of non-compliance)
- Hold you liable for fraud losses if card data gets stolen
- Terminate your merchant account (you lose the ability to accept cards)
But here’s the good news: most small businesses qualify for the simplest compliance options. You’re not facing the same requirements as Amazon or Target.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes.
It doesn’t matter if you:
- Only process five transactions a month
- Use a simple card reader
- Never see the actual card numbers
- Only accept payments online
If you take credit cards, you need to be PCI compliant.
Your Merchant Level
Most small businesses are Level 4 merchants (processing fewer than 20,000 Visa transactions annually). This is good news — Level 4 has the simplest requirements:
- Complete an annual SAQ (Self-Assessment Questionnaire)
- Run quarterly vulnerability scans if you have an e-commerce site
- Keep your Attestation of Compliance (AOC) on file
CyberSource sent you that questionnaire because they’re required to verify your compliance annually. It’s not personal — every merchant gets one.
Which SAQ Do You Need?
The SAQ is your compliance questionnaire, and there are different versions based on how you accept payments. Think of it like tax forms — there’s a 1040EZ for simple situations and longer forms for complex ones.
Here’s how to figure out which one you need:
| How You Accept Payments | Your SAQ Type | Number of Questions |
|---|---|---|
| Outsourced completely (PayPal, Square online) | SAQ A | 22 questions |
| E-commerce with hosted payment page (Stripe Checkout, Authorize.net) | SAQ A-EP | 139 questions |
| Standalone terminals only (Square Reader, Clover) | SAQ B | 41 questions |
| Terminals + internet connection (most modern terminals) | SAQ B-IP | 82 questions |
| Call center / phone orders (manual entry) | SAQ C-VT | 85 questions |
| Old-school / complex setup (storing cards, custom software) | SAQ D | 329 questions |
Most small businesses fall into the first four categories. If you’re not sure which applies, PCICompliance.com’s SAQ Wizard asks you a few simple questions and tells you exactly which form you need — no guessing required.
Common Examples
- Coffee shop with a Square terminal: SAQ B or B-IP
- Shopify store: SAQ A (if using Shopify Payments)
- Restaurant taking phone orders: SAQ C-VT
- Dental office with practice management software: Often SAQ C or D (depends on the software)
How to Complete Your SAQ
Once you know which SAQ you need, here’s what to expect:
What the Questions Look Like
The questions are yes/no format: “Do you have a firewall protecting your payment systems?”
“Yes” means: You have it, it’s configured correctly, and you can prove it if asked.
Don’t overthink this. For many questions, especially on simpler SAQs, the answer is “Not Applicable” because your payment provider handles it for you.
Documentation You’ll Need
Gather these before you start:
- Network diagram (can be hand-drawn for small setups)
- List of who has access to payment systems
- Vendor agreements with your payment providers
- Security policies (even informal ones count)
The Quarterly Scan Requirement
If you have an e-commerce website, you need quarterly ASV (Approved Scanning Vendor) scans. These are automated external security scans that check your website for known vulnerabilities. Here’s the process:
1. Sign up with an Approved Scanning Vendor (PCICompliance.com is one)
2. Enter your website URL
3. The scan runs automatically (takes about 20 minutes)
4. Fix any critical issues found
5. Get your passing scan report
The scans happen every 90 days. Most issues found are minor — outdated software versions or unnecessary services running.
Submitting Your Compliance
After completing your SAQ:
1. Generate your Attestation of Compliance (AOC)
2. Upload both documents (your completed SAQ and the AOC) to CyberSource’s merchant portal
3. Include your passing scan reports if required
4. Keep copies for your records
That’s it. You’re compliant for the year (remember those quarterly scans though).
What It Costs
Let’s talk real numbers:
Typical Costs for Small Merchants
- SAQ completion platform: $200-500/year
- Quarterly ASV scanning: $200-400/year (often bundled)
- Total annual cost: $300-900 for most small businesses
When Costs Go Up
You might pay more if you:
- Need help completing the questionnaire (consultant fees)
- Have failing scans that need remediation
- Require a QSA assessment (only for Level 1 merchants or by special request)
The Cost of NON-Compliance
- Monthly fines: $5,000-100,000
- Breach liability: Average of $150 per compromised card
- Lost business: Can’t accept cards anymore
- Reputation damage: Customers lose trust
Put simply: annual compliance costs less than a single month’s non-compliance fine.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Here’s your annual cycle:
Annual Requirements
- Complete your SAQ
- Submit your AOC
- Update any changed information
Quarterly Requirements
- Run ASV scans (if applicable)
- Review and fix any findings
- Keep passing reports on file
What Triggers a New Assessment
You’ll need to reassess if you:
- Change how you accept payments (add e-commerce, new terminals)
- Switch payment processors
- Start storing card data (please don’t)
- Have a security incident
PCICompliance.com’s compliance dashboard tracks all these dates and sends reminders. No more sticky notes or calendar alerts.
FAQ
Q: I only process 10 transactions a month. Do I really need to do this?
A: Yes. PCI compliance applies to any business that accepts credit cards, regardless of volume. The good news is you likely qualify for the simplest SAQ type.
Q: What if I just ignore this questionnaire?
A: CyberSource will send reminders, then warnings, then fines. Eventually, they’ll terminate your merchant account. It’s much easier to spend an hour completing the questionnaire.
Q: Can I just check “yes” to everything?
A: That’s fraud, and you’ll be liable if there’s a breach. Answer honestly — many questions won’t apply to your business anyway. “Not Applicable” is a valid answer.
Q: I use Square for everything. Why do I need to worry about this?
A: Even with Square handling the technical security, you still have responsibilities. You need to complete SAQ B or B-IP annually. Square doesn’t do this for you.
Q: How do I know if I’m storing credit card numbers?
A: Check your business software, spreadsheets, email, and paper files. If you can see full card numbers anywhere after the transaction, you’re storing them. This puts you in SAQ D territory — consider stopping this practice.
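The "look through your software, spreadsheets and email" check in this answer can be partly automated. The following Python script is an added example, not part of the original article or of PCICompliance.com's tooling: it scans text for digit runs that look like card numbers (13 to 19 digits, optionally separated by spaces or dashes), keeps only those that pass the Luhn check digit test so order ids and tracking numbers drop out, guesses the brand from public IIN prefixes, and reports each hit with the number masked to first six and last four digits. The sample files are constructed inline and use the publicly documented brand test numbers; a real sweep would walk your exports, mailbox dumps and document folders instead of a dictionary.

```python
"""Locate unmasked card numbers (PANs) in text so stored card data can be found.

Added example for the 'am I storing card numbers?' question; not the article's
own code. The sample 'files' below are constructed, not real business data.
"""
import re
from dataclasses import dataclass

# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (tracking numbers, invoice ids).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_hint(pan: str) -> str:
    """Best-effort brand guess from well-known public IIN prefixes."""
    two, three, four = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4":
        return "Visa"
    if two in (34, 37):
        return "American Express"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "Mastercard"
    if pan.startswith("6011") or two == 65 or 644 <= three <= 649:
        return "Discover"
    if 3528 <= four <= 3589:
        return "JCB"
    return "unknown"


def mask(pan: str) -> str:
    """Show first six and last four digits only; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    source: str    # file or record the hit came from
    line_no: int   # 1-based line within that source
    brand: str
    masked: str


def scan_text(source: str, text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid candidate PAN found in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, brand_hint(digits), mask(digits)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of name -> contents (stand-in for walking real files)."""
    results = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample data. The card numbers are the publicly documented brand
# test numbers, not real accounts. The 16-digit order ids fail Luhn and the
# 22-digit tracking number exceeds the length bound, so neither is reported.
SAMPLE_FILES = {
    "orders_export.csv": (
        "order_id,customer,card,amount\n"
        "1234567890123456,J. Doe,4111 1111 1111 1111,42.50\n"
        "1234567890123457,A. Smith,************4444,18.00\n"
        "1234567890123458,B. Lee,5555-5555-5555-4444,99.99\n"
    ),
    "inbox/refund_request.txt": (
        "Hi, please refund my order. Card used: 378282246310005, exp 09/27.\n"
        "Phone: 555-0100\n"
    ),
    "notes.txt": "Tracking number 9400110200881234567890 arrived.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no}  {f.brand:<16} {f.masked}")
```

Any hit is a sign that full card numbers live somewhere after the transaction, which is exactly the situation the answer above warns about. The masked-row "************4444" is not reported, which is the state you want your records to be in.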
Q: What’s the difference between PCI compliance and being secure?
A: PCI compliance is the minimum security standard for handling card data. Being secure means going beyond the minimum. Compliance gets you started, but real security is an ongoing practice.
Q: My web developer says my site is PCI compliant. Is that enough?
A: Your site might be secure, but you still need to complete and submit your SAQ. Technical compliance and administrative compliance both matter. Your developer handled one part — you need to handle the other.
Q: How long does the SAQ take to complete?
A: For most small merchants: SAQ A takes 30-45 minutes, SAQ B takes about an hour, SAQ A-EP or C takes 2-3 hours. SAQ D is a multi-day project and might require professional help.
Conclusion
CyberSource PCI compliance doesn’t have to be overwhelming. For most businesses, it’s a straightforward annual process: identify your SAQ type, answer the questions honestly, run your scans if needed, and submit your paperwork. The whole thing takes less time than preparing your business tax returns.
The key is getting started. Once you know which SAQ applies to your business, the path forward is clear. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You can start with the free SAQ Wizard to get immediate clarity on your requirements, or talk to our compliance team if you need guidance. Either way, you’ll move from confused to compliant faster than you might expect.
Remember: every business that accepts cards deals with this. You’re not alone, it’s not as hard as it seems, and there’s help available when you need it.