France PCI Compliance

Don’t Panic — It’s Simpler Than You Think

So your payment processor just sent you a PCI compliance questionnaire. Maybe it’s sitting in your inbox right now, filled with acronyms and technical jargon that makes your head spin. Take a deep breath — for most small businesses, France PCI compliance is much simpler than it first appears.

Here’s what you actually need to know: if you accept credit cards in your French business, you need to complete a simple self-assessment questionnaire once a year and possibly run some basic security scans. That’s it. For most small merchants, the whole process takes an afternoon, not weeks of technical work.

What Is PCI Compliance (In Plain English)

PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — to protect credit card data. These companies formed the PCI Security Standards Council (PCI SSC) to manage these standards globally, including for businesses operating in France.

Here’s the key point: if you accept credit cards in any form, PCI compliance applies to you. It doesn’t matter if you’re a boutique in Paris, an online shop in Lyon, or a restaurant in Marseille. Accept cards? You need to be PCI compliant.

Your payment processor or acquiring bank enforces these requirements. They’re the ones who sent you that compliance questionnaire, and they’re required by the card brands to ensure all their merchants maintain compliance. Think of it as a chain of responsibility — the card brands require the banks, the banks require the processors, and the processors require you.

The consequences of non-compliance are real but manageable. Your processor can impose fines (typically €20-100 per month for small merchants), you face liability if there’s a breach, and in extreme cases, you could lose the ability to accept card payments. But here’s the good news: most small businesses qualify for the simplest compliance requirements, and achieving compliance is straightforward once you understand what’s needed.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards, yes. It doesn’t matter how you accept them — in person, online, over the phone, or through a mobile app. Even if you only process a handful of transactions per month, PCI compliance requirements still apply.

Most small businesses fall into Merchant Level 4 — processing fewer than 20,000 e-commerce transactions or up to 1 million total Visa transactions annually. This is good news because Level 4 merchants have the simplest compliance requirements. You complete a self-assessment questionnaire (SAQ) rather than hiring an external auditor.

Your payment processor expects three things from you:
1. Complete the appropriate SAQ annually
2. Run quarterly vulnerability scans if you have any internet-facing systems
3. Submit your attestation of compliance (AOC) to prove you’ve done it

That compliance questionnaire they sent? It’s their way of collecting this information. They need it to satisfy their own compliance requirements with the card brands. Ignore it, and those monthly non-compliance fees start adding up quickly.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept and process payments. Here’s a plain-language guide to figure out which one applies to you:

| How You Accept Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect customers to payment provider (PayPal, Stripe Checkout) | SAQ A | 22 | Easiest |
| E-commerce with payment fields on your site (Stripe Elements, payment iframe) | SAQ A-EP | 139 | Moderate |
| Physical terminal only, dial-up or ethernet connected | SAQ B | 41 | Easy |
| Physical terminal with IP connection | SAQ B-IP | 82 | Easy-Moderate |
| Virtual terminal or phone orders (no card storage) | SAQ C-VT | 79 | Moderate |
| You store card numbers (please reconsider) | SAQ D | 329 | Complex |

Let’s break this down with real examples:

If you use a payment terminal like Square, SumUp, or a traditional bank terminal, you’re likely SAQ B or B-IP. The difference? If your terminal connects via an old phone line, it’s SAQ B. If it connects via internet/ethernet, it’s SAQ B-IP.

If you have an e-commerce site with hosted checkout where customers are redirected to pay (think Shopify payments, PayPal, or Stripe Checkout), you’re likely SAQ A — the simplest one with only 22 questions.

If you take payments over the phone using a virtual terminal or web-based system, you’re probably SAQ C-VT. This applies to hotels, mail-order businesses, or any merchant manually entering card numbers into a system.

If you store card numbers in any form — spreadsheets, customer database, paper files — you’re stuck with SAQ D, the full questionnaire with 329 requirements. Seriously, consider alternatives like tokenization instead.

Not sure which applies? PCICompliance.com’s SAQ Wizard walks you through a few simple questions about your payment setup and tells you exactly which SAQ you need. It takes less than 5 minutes and removes all the guesswork.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your payment security practices. Don’t let the technical language intimidate you — most questions for small merchants are straightforward. Here’s what “yes” actually means:

  • “Do you restrict access to cardholder data?” → Yes means only people who need card data to do their job can see it
  • “Do you use unique usernames?” → Yes means no shared logins like “admin/admin”
  • “Do you have a firewall?” → Yes means your internet router has its firewall turned on

For most small merchants, completing the SAQ takes 1-3 hours. You’ll need to gather some basic information:

  • A simple network diagram (even a hand-drawn sketch works)
  • List of who has access to payment systems
  • Your incident response procedures (can be one page)
  • Evidence of your quarterly scans (if required)

Speaking of scans, the quarterly ASV scan trips up many merchants. If you have any internet-facing systems (website, email server, etc.), you need an Approved Scanning Vendor to run external vulnerability scans every three months. It’s automated — you provide your IP addresses, schedule the scan, and fix any critical issues found. Most small businesses pass on the first try.

Once complete, you’ll generate an Attestation of Compliance (AOC) — basically a formal declaration that you’ve completed the requirements. Submit this to your payment processor through their compliance portal, and you’re done for the year.

What It Costs

Let’s talk real numbers. For most small merchants in France, annual PCI compliance costs break down like this:

Compliance platform and SAQ tools: €100-500 per year depending on features. Some payment processors include basic tools for free. Comprehensive platforms like PCICompliance.com that include scanning, guidance, and support typically run €200-400 annually for small merchants.

Quarterly ASV scanning: €100-300 per year for basic external scanning. Many compliance platforms bundle this with their annual fee. You need four passing scans per year, one each quarter.

If you need a QSA: Only required for Level 1 merchants (processing over 6 million transactions annually). QSA assessments run €10,000-50,000 depending on complexity. If you’re reading this guide, you probably don’t need one.

Now consider the cost of non-compliance:

  • Monthly fines from your processor: €20-100
  • Breach liability: €50-500 per compromised card
  • Forensic investigation costs: €20,000-100,000
  • Lost ability to process cards: priceless

Do the math — for most small merchants, annual compliance costs less than just a few months of non-compliance fines, and far less than even a small breach. It’s not just about avoiding fines; it’s about protecting your business and your customers.

Staying Compliant Year-Round

PCI compliance isn’t a “set it and forget it” activity. Your compliance resets annually, and you’ll need to:

  • Complete your SAQ again (annually)
  • Run ASV scans (quarterly if required)
  • Update your assessment if payment methods change
  • Maintain the security practices you attested to

Set calendar reminders for these key dates:

  • Annual SAQ due date (usually the anniversary of your last submission)
  • Quarterly scan windows (every 90 days)
  • Payment processor compliance deadline (they’ll remind you, but why wait for the warning letters?)

Major changes trigger a reassessment. Adding a new payment channel, changing processors, or significantly modifying your payment environment means updating your compliance status. When in doubt, it’s better to reassess than risk non-compliance.

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sends reminders before deadlines, and maintains your compliance history. No more scrambling when your processor asks for last quarter’s scan report — it’s all in one place.

FAQ

Q: I only process a few transactions per month. Do I really need to comply?

A: Yes, PCI compliance applies to any business that accepts credit cards, regardless of volume. The good news is that small-volume merchants qualify for the simplest SAQ types, making compliance straightforward and affordable.

Q: What happens if I just ignore the compliance questionnaire?

A: Your payment processor will start charging monthly non-compliance fees (typically €20-100). More seriously, if a breach occurs, you’re fully liable for all costs and could lose your ability to accept cards.

Q: Can I just say “yes” to everything on the SAQ?

A: The SAQ is a legal attestation — falsifying it is fraud. Answer honestly, fix any “no” answers where possible, or implement compensating controls. Your processor can help with guidance on acceptable alternatives.

Q: Do I need to hire a security consultant?

A: Most small merchants don’t need outside help. The SAQ is designed for business owners to complete themselves. If you’re confused by a requirement, your payment processor or a compliance platform can provide guidance.

Q: My payment processor says I need quarterly scans, but I don’t have a website. Why?

A: ASV scans check any internet-facing systems, not just websites. This includes email servers, remote access points, or any service accessible from the internet. If you truly have no internet-facing systems, you may not need scans.

Q: I use a third-party processor like PayPal exclusively. Am I still responsible for compliance?

A: Yes, but your requirements are minimal. You’ll likely complete SAQ A with just 22 questions since the payment processing happens entirely on PayPal’s systems. It’s the easiest path to compliance.

Q: What’s the difference between PCI compliance and GDPR?

A: PCI DSS specifically protects payment card data, while GDPR covers all personal data for EU residents. You need to comply with both, but they’re separate requirements with different rules and regulators.

Q: How often do the PCI requirements change?

A: The PCI Security Standards Council updates the standards periodically to address new threats. Major updates happen every 3-4 years with transition periods. Your compliance platform should guide you through any changes.

Take Control of Your Compliance

PCI compliance might seem overwhelming at first glance, but for most businesses accepting cards in France, it’s a manageable process that protects both you and your customers. The key is understanding which requirements actually apply to your business and having the right tools to guide you through the process.

Start by identifying your SAQ type — that alone will show you that compliance is likely simpler than you feared. Complete your assessment honestly, fix any gaps you find, and maintain your compliance throughout the year. It’s not just about checking boxes for your payment processor; it’s about building customer trust and protecting your business from very real financial risks.

PCICompliance.com makes this entire process straightforward. Our free SAQ Wizard identifies exactly which questionnaire you need — no more guessing or wading through technical documentation. Our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard tracks your progress year-round, sending reminders before important deadlines. Whether you’re completing your first SAQ or maintaining ongoing compliance, we provide the tools, guidance, and support to keep you compliant without the complexity. Start with our free SAQ Wizard to see just how simple France PCI compliance can be, or talk to our compliance team for personalized guidance on your specific situation.
