UAE PCI Compliance

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. UAE PCI compliance might sound intimidating, but for most small businesses, it’s far simpler than you think. This guide will walk you through exactly what you need to know and do — in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. If your business accepts credit or debit card payments — whether in person, online, or over the phone — these requirements apply to you.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through the PCI Security Standards Council. But here’s what matters to you: your payment processor or acquiring bank is the one who enforces it. They’re the ones who sent you that compliance questionnaire, and they’re the ones who need to see proof that you’re protecting cardholder data.

What Happens If You’re Not Compliant?

The consequences range from annoying to business-ending:

  • Monthly fines from your processor (typically AED 200-2,000 per month)
  • Full liability if there’s a data breach involving your customers’ cards
  • Increased transaction fees
  • Potential loss of your ability to accept card payments

But here’s the good news: most small businesses qualify for the simplest types of compliance questionnaires. You’re not facing the same requirements as major retailers or payment processors. Your compliance process might take just a few hours per year.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. This includes:

  • Physical card readers or terminals
  • Online payments through your website
  • Phone orders where customers give you their card number
  • Mobile payment apps
  • Even if you only process one card payment per year

Your Merchant Level

Your merchant level determines how complex your compliance requirements are. Most small businesses are Level 4, which means:

  • You process fewer than 20,000 e-commerce transactions per year, OR
  • You process fewer than 1 million total transactions per year
  • You complete a self-assessment questionnaire (SAQ) instead of hiring an external assessor
  • You need quarterly vulnerability scans if you have any internet-facing systems

What Your Payment Processor Expects

That questionnaire they sent you? It’s their way of verifying that you’re following the security requirements for your type of card processing. They need:
1. A completed Self-Assessment Questionnaire (SAQ) — there are different types based on how you accept payments
2. An Attestation of Compliance (AOC) — basically your signature saying the information is accurate
3. Quarterly ASV scans if you have any systems connected to the internet
4. Evidence that you’ve fixed any vulnerabilities found

Which SAQ Do You Need?

The biggest confusion in PCI compliance is figuring out which questionnaire applies to your business. Here’s the decision tree in plain language:

If You Use a Payment Terminal

Do you swipe, dip, or tap cards on a standalone terminal like Square, SumUp, or a traditional bank terminal? You likely need SAQ B (if the terminal connects via phone line) or SAQ B-IP (if it connects via internet).

If You Have an E-commerce Website

Does your website redirect customers to a third-party checkout page (like PayPal or a bank’s payment gateway)? You probably need SAQ A.

Do customers enter their card details on your website, but the payment fields are provided by your payment processor (like Stripe Elements)? That’s likely SAQ A-EP.

If You Take Payments Over the Phone

Do customers call and give you their card number? You need SAQ C-VT if you don’t store the card data electronically.

If You Store Card Numbers

Are you saving card numbers in your computer, database, or filing cabinet? You need SAQ D — and you should seriously consider stopping this practice.

Payment Scenario              SAQ Type    Complexity   Questions to Answer
Standalone terminal only      B or B-IP   Simple       ~30 questions
Redirect to payment gateway   A           Simplest     ~20 questions
Payment fields on your site   A-EP        Moderate     ~130 questions
Phone orders, no storage      C-VT        Moderate     ~80 questions
Any card data storage         D           Complex      ~330 questions

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Once you know which SAQ type you need, the actual completion process is straightforward:

What the Questionnaire Looks Like

Your SAQ is a series of yes/no questions about your security practices. For example:

  • “Do you have a firewall configured to protect cardholder data?”
  • “Do you change vendor-supplied defaults for passwords?”
  • “Do you have an incident response plan?”

What ‘Yes’ Really Means

When you answer “yes” to a question, you’re confirming that you’ve implemented that security control. This doesn’t mean perfection — it means you have a reasonable practice in place. For instance, “Do you restrict access to cardholder data?” doesn’t require biometric scanners. It might just mean you keep your payment terminal in a locked office.

Documentation You’ll Need

Gather these before you start:

  • Your network diagram (even a simple sketch works for small businesses)
  • List of who has access to payment systems
  • Your information security policies (many templates available)
  • Results from your quarterly ASV scans

The Quarterly ASV Scan

If you have any internet-facing systems (like a website or cloud-based point-of-sale), you need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan checks for security holes in your systems. It typically takes 24-48 hours to complete and costs AED 400-800 per scan.

Submitting Your Compliance

Once you’ve completed your SAQ and passed your ASV scan (if required), you’ll submit:
1. The completed SAQ
2. The Attestation of Compliance (AOC) — your signature page
3. Your passing ASV scan reports
4. Any remediation evidence requested

Submit these through your processor’s compliance portal or to the compliance email they provided.

What It Costs

Let’s talk real numbers for UAE PCI compliance costs:

Compliance Platform and Tools

  • Basic SAQ completion tools: Free to AED 500/year
  • Full compliance platforms with guidance: AED 1,000-3,000/year
  • Includes SAQ wizard, policy templates, and compliance tracking

Quarterly ASV Scanning

  • Per scan: AED 400-800
  • Annual cost: AED 1,600-3,200
  • Some compliance platforms include this in their annual fee

If You Need a QSA

Most Level 4 merchants don’t need a Qualified Security Assessor (QSA). But if you do:

  • Full assessment: AED 20,000-100,000+ depending on scope
  • Only required for Level 1 merchants or when your acquirer specifically demands it

The Cost of Non-Compliance

This is where it gets expensive:

  • Monthly non-compliance fees: AED 500-2,000
  • Data breach costs: AED 200-1,000 per compromised card
  • Forensic investigation: AED 40,000-200,000
  • Loss of card processing ability: Priceless (and business-ending)

Honest assessment: For most small merchants in the UAE, annual compliance costs less than two months of non-compliance fines. It’s not just about avoiding penalties — it’s about protecting your business and customers.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done activity. Your compliance status resets annually, and you need quarterly scans throughout the year.

Annual Requirements

  • Complete your SAQ questionnaire every year
  • Update it if your payment processes change
  • Renew your Attestation of Compliance

Quarterly Requirements

  • Run ASV scans every 90 days (if applicable)
  • Fix any failing vulnerabilities within 30 days
  • Keep scan reports for your records

What Triggers a New Assessment

You’ll need to reassess your SAQ type if you:

  • Add a new payment channel (like starting e-commerce)
  • Change payment processors or terminals
  • Start storing cardholder data
  • Significantly change your network architecture

Tracking and Reminders

Set calendar reminders for:

  • Annual SAQ due date (usually your anniversary date with your processor)
  • Quarterly scan windows
  • Policy review dates
  • Security update schedules

PCICompliance.com’s compliance dashboard tracks all these dates automatically and sends you reminders before deadlines.

FAQ

Do I really need PCI compliance for my small business in the UAE?

Yes, if you accept credit or debit cards in any way. The requirements apply regardless of business size or location within the UAE.

What if I only process a few cards per month?

Volume doesn’t matter for compliance requirements — only for determining your merchant level. Even one transaction requires PCI compliance.

My payment processor handles everything. Am I still responsible?

Yes, you’re always responsible for your portion of the payment process. Even with fully outsourced processing, you need to complete SAQ A and manage physical security of any payment terminals.

How long does the SAQ take to complete?

For simple SAQ types (A, B), expect 2-4 hours including documentation gathering. More complex types can take days or weeks, especially the first time.

What’s the difference between PCI compliance and other security standards?

PCI DSS specifically protects payment card data. Other standards like ISO 27001 or NIST cover broader information security but don’t replace PCI requirements for card processing.

Can I just pay the non-compliance fee instead of doing all this?

Technically yes, but you’re still liable for any breach. Non-compliance fees add up quickly, and you risk losing your ability to accept cards entirely.

Do I need special software to complete my SAQ?

No, you can complete it manually. However, compliance platforms make it much easier with guided questions, requirement explanations, and automatic validation.

What if I fail my ASV scan?

You have 30 days to fix the vulnerabilities and rescan. Most failures are due to outdated software or weak passwords — relatively simple fixes.

Conclusion

UAE PCI compliance might seem overwhelming when that first questionnaire arrives, but it’s manageable once you understand what’s actually required. Most small businesses need only the simplest SAQ types, a few hours per year, and basic security practices you should have anyway.

The key is identifying your correct SAQ type and staying organized with quarterly scans and annual assessments. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team to get your UAE business compliant quickly and keep it that way.
