NetSuite PCI Compliance: A Business Owner’s Guide to Payment Security

The Bottom Line Up Front

Just received a PCI compliance questionnaire from your payment processor? Take a deep breath — for most NetSuite businesses, PCI compliance is simpler than you think. If you’re using NetSuite SuiteCommerce with a hosted payment page or integrated payment processor, you’re already on the easier side of compliance. Here’s what you actually need to know to check this box and keep accepting credit cards.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) exists to protect credit card data — and yes, it applies to you if you accept card payments through your NetSuite store. Think of it as the security rulebook for anyone who touches credit card information.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council (PCI SSC). But here’s who actually enforces it: your acquirer (the bank that processes your credit card transactions) or payment processor. They’re the ones who sent you that compliance questionnaire.

The Consequences Matter

Non-compliance isn’t just paperwork trouble. Your payment processor can:

  • Fine you monthly (typically $25-100 for small merchants, but it can escalate)
  • Hold you liable for fraud losses if there’s a breach
  • Suspend your ability to accept credit cards entirely

The Good News

Most small and mid-size NetSuite businesses qualify for the simplest SAQ (Self-Assessment Questionnaire) types. If you’re using SuiteCommerce with properly configured payment methods, you’re likely looking at a straightforward compliance process — not the complex audits that larger retailers face.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. This includes:

  • Online through your NetSuite SuiteCommerce site
  • Over the phone using NetSuite’s order management
  • Through integrated point-of-sale systems
  • Via email or fax (please stop doing this)

Your Merchant Level

Most businesses fall into Merchant Level 4 — processing fewer than 1 million transactions annually. This means:

  • You complete an annual self-assessment (SAQ)
  • You run quarterly network scans if you have e-commerce
  • No on-site audit required

Your payment processor determines your level based on transaction volume. The compliance questionnaire they sent indicates which level they’ve assigned you.

What Your Payment Processor Expects

When your acquirer sends that annual compliance questionnaire, they want:
1. A completed SAQ appropriate to how you accept payments
2. Quarterly ASV (Approved Scanning Vendor) scan results if required
3. An AOC (Attestation of Compliance) — basically your signature saying it’s all true
4. Evidence that you’re maintaining security year-round

Which SAQ Do You Need?

The type of SAQ you complete depends on how credit card data flows through your NetSuite environment. Here’s the decision tree in plain language:

Payment setup → SAQ type → complexity:

  • SuiteCommerce with fully hosted checkout (customer redirected to payment page): SAQ A – Simplest (~22 questions)
  • SuiteCommerce with payment fields on your site (using iframes or JavaScript): SAQ A-EP – Simple (~139 questions)
  • Standalone terminals not connected to NetSuite: SAQ B – Simple (~41 questions)
  • NetSuite integrated with payment terminals: SAQ B-IP – Moderate (~82 questions)
  • Taking orders by phone through NetSuite: SAQ C-VT – Moderate (~84 questions)
  • Storing card numbers in NetSuite (custom fields, notes, etc.): SAQ D – Complex (300+ questions)

Common NetSuite Scenarios

If you use NetSuite with Stripe, PayPal, or Authorize.net in redirect mode: You’re likely SAQ A eligible. The customer enters payment data on the processor’s page, not yours.

If you use NetSuite’s native payment processing with SuiteCommerce: You’re probably SAQ A-EP. Payment fields appear on your site but card data goes directly to the processor.

If customer service takes orders over the phone: Add SAQ C-VT to your compliance scope, even if online payments are SAQ A.

Not sure which one fits? PCICompliance.com’s SAQ Wizard asks a few questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Here’s what to expect:

What “Yes” Really Means

When you answer “yes” to a question like “Are systems protected with anti-virus software?”, you’re stating:

  • The control is implemented
  • You can prove it if asked
  • It’s maintained consistently

Documentation You’ll Need

Gather these before starting:

  • Network diagram showing how payments flow
  • Policy documents (even simple ones count)
  • Vendor compliance certificates from your payment processor
  • ASV scan results (if required for your SAQ type)

The Quarterly ASV Scan

If you accept payments online through NetSuite, you need quarterly vulnerability scans from an Approved Scanning Vendor. This automated scan:

  • Checks your public-facing systems for vulnerabilities
  • Runs in minutes without disrupting your site
  • Produces a report showing pass/fail status
  • Must show a clean “passing” scan each quarter

Submitting Your Compliance Package

Once complete, submit to your acquirer:
1. Your completed SAQ
2. The AOC (pre-filled based on your SAQ answers)
3. Passing ASV scan reports (if applicable)
4. Any additional documents your processor requires

Most processors accept uploads through their merchant portal. Keep copies — you’ll need them next year.

What It Costs

Let’s talk real numbers for NetSuite PCI compliance:

Compliance Platform and Tools

  • SAQ completion software: $200-500 annually for small merchants
  • Compliance management platforms: $500-2,000 annually
  • NetSuite-specific compliance tools: $1,000-3,000 annually

Quarterly ASV Scanning

  • Basic ASV scans: $100-200 per quarter
  • ASV with remediation support: $200-400 per quarter
  • Unlimited scanning packages: $1,000-2,000 annually

If You Need Professional Help

  • QSA consultation (SAQ D merchants): $5,000-15,000
  • Compliance project management: $2,000-5,000
  • NetSuite security configuration: $3,000-10,000

The Cost of NON-Compliance

  • Monthly processor fines: $25-100 (escalating over time)
  • Breach liability: $50-90 per compromised card
  • Forensic investigation: $10,000-100,000+
  • Lost ability to process cards: Devastating

Honest assessment: For most NetSuite merchants, annual compliance costs less than a single month of non-compliance fines. It’s not just about checking boxes — it’s protecting your business.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done exercise. Your processor expects:

Annual Requirements

  • Complete your SAQ each year (same time annually)
  • Update your network documentation
  • Review and update security policies
  • Train staff on payment security

Quarterly Requirements

  • Run ASV scans (for e-commerce)
  • Review scan results and fix any failures
  • Document remediation efforts

What Triggers a New Assessment

  • Changing payment processors
  • Adding new payment channels
  • Modifying your NetSuite payment configuration
  • Experiencing a security incident
  • Significantly increasing transaction volume

Making It Manageable

Set up a compliance calendar:

  • Monthly: Review who has access to payment data in NetSuite
  • Quarterly: Run ASV scans, review results
  • Annually: Complete SAQ, update policies, conduct training

PCICompliance.com’s compliance dashboard tracks all these deadlines, sends reminders, and maintains your compliance history — turning a complex process into a simple checklist.

FAQ

Q: I only process a few hundred transactions per month. Do I really need to comply?

Yes, PCI DSS applies to any business that accepts credit cards, regardless of volume. The good news? Smaller volume means simpler compliance requirements. You’re likely eligible for an easier SAQ type and won’t need an on-site assessment.

Q: Can’t I just let NetSuite handle all the security?

NetSuite provides a secure platform, but PCI compliance is a shared responsibility. While NetSuite secures their infrastructure, you’re responsible for how you’ve configured it, who has access, and how your business processes card data. Think of it like renting a secure building — the landlord provides locks, but you still need to use them properly.

Q: What happens if I ignore the compliance questionnaire?

Your payment processor will start with reminder notices, then move to monthly fines (starting around $25-100). Eventually, they can suspend your merchant account, meaning you lose the ability to accept credit cards. Some processors also increase your transaction rates for non-compliant merchants.

Q: How do I know if I’m storing card numbers in NetSuite?

Check custom fields, customer notes, and any PDF attachments in NetSuite. Run searches for patterns that look like credit card numbers (16 digits, starting with 4, 5, or 6). If you find any, stop storing them immediately and work on becoming compliant with SAQ D requirements — or better yet, remove the data and qualify for an easier SAQ.
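One way to run that search, as an added example that is not from the original page or from NetSuite: a Python scan over an exported set of NetSuite free-text fields that flags candidate card numbers and uses the Luhn check to discard order or tracking numbers that merely happen to have 16 digits. It goes slightly beyond the page's rule of thumb (16 digits starting with 4, 5 or 6) by accepting 13-19 digits so 15-digit Amex numbers are also caught; the field names and records are constructed, and matches are masked so the scan report itself never holds a full card number.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# (Assumption: broader than the page's 16-digit filter so 15-digit Amex numbers are caught.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check filters out order/tracking numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first 6 / last 4 only, so the scan report itself never holds a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_records(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (record id, field name, masked PAN) for every Luhn-valid card number found
    in exported free-text fields (custom fields, memos, notes)."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "id":
                continue
            for m in PAN_CANDIDATE.finditer(text):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_valid(digits):
                    findings.append((rec["id"], field, mask(digits)))
    return findings

# Constructed sample export resembling NetSuite customer/order records (not real data).
SAMPLE_RECORDS = [
    {"id": "CUST-1001", "memo": "Customer asked us to keep card 4111 1111 1111 1111 on file"},
    {"id": "SO-2002", "custbody_notes": "Tracking 1234567890123456 shipped Monday"},
    {"id": "CUST-1003", "comments": "Amex 3782-822463-10005 exp 12/27, call before charging"},
    {"id": "SO-2004", "memo": "Paid via hosted checkout, no card details taken"},
]

if __name__ == "__main__":
    for rec_id, field, masked in scan_records(SAMPLE_RECORDS):
        print(f"{rec_id} / {field}: {masked}")
```

Anything the scan flags is a record to clean up and a field that should be locked down or removed from your payment workflow, since every stored PAN pushes you toward SAQ D.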

Q: Is PCI compliance the same as being secure?

PCI compliance is a baseline — it ensures you’re following fundamental security practices. True security goes beyond compliance to include regular security awareness training, incident response planning, and staying current with threats. Consider PCI your security foundation, not your ceiling.

Q: Do I need to hire a QSA?

Most NetSuite merchants don’t need a QSA. You only need one if you’re processing more than 1 million transactions annually (Merchant Level 1-3) or if your acquirer specifically requires it. Level 4 merchants complete self-assessment questionnaires without QSA involvement.

Q: How long does the SAQ take to complete?

For SAQ A (simplest): 1-2 hours with documentation ready. For SAQ A-EP or C-VT: 4-8 hours including gathering evidence. For SAQ D: Plan for several weeks and consider professional help.

Q: Can I just click “yes” to everything and submit it?

Technically yes, but it’s a terrible idea. False attestation is fraud, and if there’s a breach, investigators will verify your answers. Non-compliant merchants face unlimited liability for fraud losses — the few hours saved aren’t worth the risk.

Conclusion

NetSuite PCI compliance doesn’t have to be overwhelming. Most businesses using SuiteCommerce with modern payment processors qualify for straightforward SAQ types that take just a few hours annually. The key is understanding which SAQ fits your payment setup and staying organized with quarterly scans and annual updates.

Remember, PCI compliance protects your business as much as it protects your customers. Those monthly non-compliance fees add up quickly, and the liability from a breach can devastate a small business. A few hours of compliance work each year is a small price for keeping your payment processing active and your business protected.

Ready to check PCI compliance off your list? PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Whether you’re facing your first compliance deadline or looking to streamline your annual process, start with our free SAQ Wizard to get personalized guidance for your NetSuite configuration. Or talk to our compliance team — we’ve helped thousands of businesses navigate PCI requirements, and we speak both NetSuite and compliance fluently.
