Heartbleed Vulnerability PCI Fix

Don’t Panic — Your PCI Compliance Journey Starts Here

You just opened an email from your payment processor with “PCI Compliance Required” in the subject line. Maybe it included a questionnaire with dozens of technical-sounding questions about firewalls and encryption. Your first thought: “What is this, and do I really need to deal with it?”

Here’s the bottom line: Yes, you need to be PCI compliant if you accept credit cards — but for most small businesses, it’s much simpler than that intimidating questionnaire makes it seem. Many merchants complete their compliance requirements in under an hour once they understand which path to take.

Let me walk you through exactly what PCI compliance means for your business, which questionnaire you actually need (hint: it’s probably not the long one), and how to get it done without hiring a team of security consultants.

What Is PCI Compliance (In Plain English)

PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules created by the major card brands (Visa, Mastercard, American Express, and Discover) to protect credit card data. If you accept any of these cards — whether swiped, dipped, tapped, or typed online — these rules apply to you.

The card brands formed the PCI Security Standards Council (PCI SSC) to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) enforces PCI compliance. That’s who sent you that questionnaire.

Why Should You Care?

Beyond the “it’s required” answer, there are real consequences for non-compliance:

  • Monthly fines from your payment processor (typically $50-$500 per month for small merchants)
  • Liability for fraud losses if card data is compromised at your business
  • Loss of card processing privileges — yes, they can shut off your ability to accept cards
  • Breach costs that can reach tens of thousands of dollars, even for small businesses

The good news? Most small merchants qualify for the simplest compliance paths. You’re not held to the same standards as Target or Amazon.

Your Merchant Level Matters

PCI groups merchants into four levels based on annual transaction volume:

  • Level 4: Under 20,000 e-commerce transactions OR under 1 million total transactions annually (that’s you)
  • Level 3: 20,000 to 1 million e-commerce transactions annually
  • Level 2: 1 to 6 million transactions annually
  • Level 1: Over 6 million transactions annually

As a Level 4 merchant, you complete a Self-Assessment Questionnaire (SAQ) rather than hiring an outside assessor. This is excellent news for your compliance costs and complexity.

Do You Need to Be PCI Compliant?

Simple answer: If you accept, process, store, or transmit credit card data in any way, you need to be PCI compliant.

This includes:

  • Running cards through a terminal at your store
  • Taking orders over the phone
  • Processing payments through your website
  • Storing customer card numbers for recurring billing (please reconsider this)
  • Any of the above, even if you only process one card per month

Your payment processor expects you to:
1. Complete the appropriate SAQ annually
2. Run quarterly vulnerability scans if you have any internet-facing systems
3. Submit your Attestation of Compliance (AOC) to prove you’ve done the work
4. Fix any security issues the scans find

That compliance questionnaire they sent? It’s their way of making sure you’re meeting these requirements. Ignore it, and those monthly non-compliance fees start adding up fast.

Which SAQ Do You Need?

Here’s where most merchants get overwhelmed. There are nine different SAQ types, but most small businesses only need to worry about four. Let me break down which one applies to you:

Your Payment Scenario                                                            | Your SAQ Type | Number of Questions | Difficulty Level
--------------------------------------------------------------------------------|---------------|---------------------|------------------
Payment page fully hosted by processor (PayPal, Square Online, Stripe Checkout)  | SAQ A         | 22                  | Easiest
E-commerce site that touches card data (even briefly)                           | SAQ A-EP      | 191                 | Moderate
Standalone terminal with dial-up or Ethernet                                    | SAQ B         | 41                  | Easy
Terminal connected to your computer/network                                     | SAQ B-IP      | 82                  | Easy-Moderate
Taking payments over the phone                                                  | SAQ C-VT      | 84                  | Moderate
Paper forms, storing card data, or custom payment systems                       | SAQ D         | 329                 | Call a QSA

Common Scenarios Made Simple

“I use Square/Clover/Similar Terminal”

  • Standalone terminal with dial-up or cellular: SAQ B
  • Terminal connected to your POS system: SAQ B-IP

“I have an online store”

  • Customers redirected to PayPal/Stripe to pay: SAQ A
  • Payment form on your site (even if data goes straight to processor): SAQ A-EP
  • You see or store full card numbers: SAQ D (and please stop)

“I take orders over the phone”

  • Using virtual terminal from processor: SAQ C-VT
  • Writing down card numbers: SAQ D (seriously, stop this)

“I run a professional office (doctor, lawyer, accountant)”

  • Payment terminal at front desk: SAQ B or B-IP
  • Billing software that stores cards: SAQ D (consider switching to tokens)

Not sure which one fits? PCICompliance.com’s free SAQ Wizard asks you a few simple questions about how you take payments and tells you exactly which SAQ you need — no technical knowledge required.

How to Complete Your SAQ

Once you know which SAQ applies, the process is straightforward:

What You’re Actually Doing

The SAQ is a series of yes/no questions about your security practices. For example:

  • “Are default passwords changed on all systems?”
  • “Is antivirus software installed and current?”
  • “Do you have a firewall?”

“Yes” means you’re doing it. “No” means you need to fix it before you can be compliant. There’s no partial credit in PCI compliance.

Documentation You’ll Need

For most small merchant SAQs, you’ll need:

  • Network diagram (can be hand-drawn showing how your payment devices connect)
  • List of who has access to payment systems
  • Copies of your security policies (templates are fine for small businesses)
  • ASV scan results (if required for your SAQ type)

The Quarterly ASV Scan

If your payment systems connect to the internet (including cloud-based POS systems), you need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan checks for security holes in your internet-facing systems.

What it’s checking:

  • Open ports that shouldn’t be
  • Outdated software with known vulnerabilities (like Heartbleed)
  • Weak encryption settings
  • Missing security patches

Most scans take 15-30 minutes to run and cost $50-150 per quarter. You need four passing scans (one per quarter) to be compliant.

Submitting Your Compliance

After completing your SAQ and getting passing scans:
1. Sign the Attestation of Compliance (AOC) — your declaration that everything is accurate
2. Submit to your payment processor through their portal
3. Save copies for your records
4. Set reminders for next year

Total time investment for most Level 4 merchants: 2-4 hours annually, plus 15 minutes per quarterly scan.

What It Costs

Let’s talk real numbers for small business PCI compliance:

Compliance Tools & Platforms

  • SAQ completion platform: $100-300 annually
  • Many processors include this in their merchant services

ASV Scanning Service

  • Quarterly scans: $50-150 per scan ($200-600 annually)
  • Required for SAQ A-EP, B-IP, C, C-VT, and D

If You Need Professional Help

  • Consultant assistance: $500-2,000 for SAQ help
  • Full QSA assessment: $10,000+ (only for Level 1 merchants or complex situations)

The Cost of NON-Compliance

  • Monthly non-compliance fees: $50-500
  • Breach liability: $10,000-100,000+
  • Lost ability to process cards: Devastating

Bottom line: Annual compliance for most small merchants costs less than two months of non-compliance fees. It’s not a profit center for processors — they genuinely want you compliant to reduce everyone’s fraud risk.

Staying Compliant Year-Round

PCI compliance isn’t a “set it and forget it” achievement. Your compliance resets annually, and certain changes require immediate attention:

Annual Requirements

  • Complete your SAQ questionnaire
  • Run four quarterly ASV scans (if required)
  • Update your AOC attestation
  • Review and update security policies

What Triggers a Reassessment

  • Changing payment processors or methods
  • Adding new payment channels (like adding e-commerce to a retail store)
  • Major network changes that affect payment systems
  • A security breach (even a small one)

Making It Easy

Set calendar reminders for:

  • Quarterly ASV scans (every 90 days)
  • Annual SAQ renewal (30 days before expiration)
  • Policy review (annually)
  • Employee security training (annually)

PCICompliance.com’s compliance dashboard tracks all these dates for you, sending automatic reminders and keeping your compliance documentation organized in one place.

FAQ

I’m just a small business. Do I really need to do all this?

Yes, but “all this” is probably much less than you think. If you use modern payment terminals or hosted checkout pages, you likely qualify for SAQ A or B — the simplest questionnaires with under 50 questions. Most small merchants complete their annual compliance in under two hours.

What happens if I ignore that compliance questionnaire?

Your processor will start charging monthly non-compliance fees (typically $50-500) until you complete it. Worse, if card data gets compromised at your business, you’re liable for all fraud losses and forensic investigation costs. Some processors will eventually terminate merchants who remain non-compliant.

Can I just say “yes” to everything on the questionnaire?

That’s fraud, and it won’t protect you. If there’s a breach and the investigation reveals you lied on your SAQ, you’re facing significant liability. Plus, most SAQs require you to provide evidence like ASV scans that can’t be faked. Answer honestly — it’s better to fix issues than lie about them.

Do I need to hire a security consultant?

Probably not. Most Level 4 merchants can complete their SAQ using online tools and guidance. You might need help if you’re SAQ D (storing card data) or have unusual payment setups. But for standard retail or e-commerce scenarios, a good compliance platform provides all the guidance you need.

How do I know if I’m storing credit card data?

Search your systems for 16-digit numbers starting with 4 (Visa), 5 (Mastercard), 3 (Amex), or 6 (Discover). Check databases, spreadsheets, email, and paper files. If you find full card numbers anywhere except active transaction logs, you’re storing card data and need to either stop or complete SAQ D.
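The search described above can be automated. The following script is an added example written for this article, not a tool from PCICompliance.com or any other vendor: it scans a text export (a spreadsheet dump, a mailbox export, a log file) for candidate card numbers, keeps only those whose first digit matches one of the four brands named above and that pass the Luhn check digit test every real card number satisfies, and reports them masked to the last four digits so the report itself does not become a new copy of card data. It goes beyond the answer's "16-digit numbers" in two ways: it accepts lengths from 13 to 19 digits (American Express numbers are 15 digits) and it tolerates spaces or hyphens between digit groups. The sample text and every number in it are constructed for the example; the ones that get flagged are publicly known test-card patterns, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input standing in for a spreadsheet export or mailbox dump.
# Every number is synthetic; the flagged ones are well-known test-card patterns.
SAMPLE_TEXT = """\
Order 10422 paid by visa ending 1111 (card: 4111 1111 1111 1111)
Order 10423 invoice ref 4111111111111112
Customer Amex on file: 3782-822463-10005
Phone 512-555-0134, tracking 1Z999AA10123456784
Recurring billing: 5555555555554444 exp 09/27
discover 6011111111111117
"""

# Brand by leading digit, as listed in the FAQ answer above.
BRAND_BY_FIRST_DIGIT = {
    "4": "Visa",
    "5": "Mastercard",
    "3": "American Express",
    "6": "Discover",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits (which rules out most tracking ids).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 from
    any result above 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_for(digits: str) -> Optional[str]:
    return BRAND_BY_FIRST_DIGIT.get(digits[0])


def mask(digits: str) -> str:
    """Keep only the last four digits so the findings report holds no full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    brand: str
    masked: str
    length: int


def find_card_numbers(text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid, brand-prefixed number in the text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            brand = brand_for(digits)
            if brand is None or not luhn_ok(digits):
                continue  # wrong prefix or fails the check digit: not a card
            findings.append(Finding(line_no, brand, mask(digits), len(digits)))
    return findings


if __name__ == "__main__":
    for f in find_card_numbers(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.brand} {f.masked} ({f.length} digits)")
```

Run it against the sample and it reports the Visa, American Express, Mastercard and Discover numbers on lines 1, 3, 5 and 6, while the invoice reference on line 2 is dropped because its check digit is wrong and the phone and tracking numbers never match the length rule. A number that passes both tests is still only a candidate: order numbers occasionally satisfy Luhn by chance, so review each hit by hand before deciding that a system holds card data.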

My processor says I need something called an ASV scan. What is that?

An Approved Scanning Vendor (ASV) scan is an automated security check of your internet-facing systems. It looks for vulnerabilities like missing patches, weak passwords, and outdated software. Think of it like an automated security checkup that runs quarterly. Most scans take 15-30 minutes and cost under $150.

What’s this about Heartbleed? Do I need to worry about old vulnerabilities?

ASV scans check for all known vulnerabilities, including older ones like Heartbleed. You don’t need to track every security issue — that’s what the quarterly scans handle. If your scan fails due to Heartbleed or any other vulnerability, the report tells you exactly what to fix. Most hosting providers and IT vendors patched Heartbleed years ago.

Can I just use SAQ A for everything since it’s easiest?

Only if you truly qualify for it. Using the wrong SAQ is considered non-compliance and won’t protect you in case of a breach. Be honest about how you handle payments — the right SAQ for your actual setup is always easier than dealing with breach liability later.

Your Next Steps to PCI Compliance

PCI compliance sounds overwhelming when you first encounter it, but for most small businesses, it’s a manageable annual task that protects both you and your customers. The key is identifying which SAQ applies to your specific payment setup and using the right tools to complete it efficiently.

Start by understanding how you actually process payments — not how you think you do it, but what really happens when a customer pays you. Use that information to select the right SAQ type. Then work through the questionnaire methodically, fixing any gaps you find. Schedule your quarterly ASV scans if required, submit your attestation, and you’re done until next year.

PCICompliance.com streamlines this entire process. Our free SAQ Wizard eliminates the guesswork by asking simple questions about your payment methods and identifying exactly which questionnaire you need. Our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard tracks your progress year-round, sending reminders when it’s time to renew. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and guidance to make PCI compliance as painless as possible. Start with our free SAQ Wizard to identify your requirements, or contact our compliance team for personalized guidance on your path to PCI compliance.
