2Checkout PCI Compliance

The Bottom Line (You Can Relax)

If you just received a PCI compliance questionnaire from 2Checkout and you’re feeling overwhelmed, take a deep breath. For most small businesses, PCI compliance is simpler than you think. You probably don’t need to hire expensive consultants or completely overhaul your payment systems. In many cases, you can complete your requirements in an afternoon with the right guidance.

Here’s what you actually need to know: PCI compliance is required for anyone who accepts credit cards (yes, that includes you), but the level of complexity depends entirely on how you handle card payments. If you’re using 2Checkout’s hosted checkout pages — where customers enter their card details directly on 2Checkout’s secure servers — you qualify for the simplest compliance path available. Let’s break down exactly what this means for your business.

What Is PCI Compliance (In Plain English)

PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules created by the major card brands (Visa, Mastercard, American Express, Discover, JCB) to protect credit card information. These rules apply to every business that accepts, processes, stores, or transmits credit card data, from the corner coffee shop to Amazon.

The card brands created the PCI Security Standards Council (PCI SSC) to publish and maintain the standard, but the Council does not enforce it. Enforcement flows from the card brands through acquiring banks and payment processors, which are contractually required to make sure their merchants validate compliance. 2Checkout sits in that chain for you, and that is why the questionnaire came from them.

What happens if you ignore it? Three things, none of them good:

  • Your payment processor can fine you (typically $25-$100 per month for non-compliance)
  • If there’s a data breach, you’re liable for the costs — which can reach hundreds of thousands of dollars
  • In extreme cases, you could lose the ability to accept credit cards entirely

But here’s the good news: most small businesses using modern payment services like 2Checkout qualify for the simplest compliance requirements. You’re not being asked to implement the same security measures as a major retailer storing millions of card numbers.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes. It doesn’t matter if you process one payment per month or one thousand — PCI compliance is mandatory for all merchants.

Your merchant level determines how you prove compliance. Most small businesses fall into Level 4: fewer than 20,000 e-commerce transactions a year, or up to 1 million transactions a year across all channels (the exact thresholds are set per card brand, with Visa's being the ones usually quoted). Level 4 merchants self-assess with a questionnaire rather than hiring an auditor.

When 2Checkout sent you that compliance questionnaire, they’re fulfilling their obligation to the card brands. They need to verify that every merchant using their platform maintains appropriate security measures. For you, this typically means:

  • Completing an annual Self-Assessment Questionnaire (SAQ)
  • Having an Approved Scanning Vendor (ASV) run quarterly external vulnerability scans against your internet-facing systems, where your SAQ type calls for it
  • Keeping documentation that proves your compliance

The questionnaire they sent is your starting point. Think of it as a checklist rather than an exam: every "No" you answer is a gap to close before you sign the attestation, not a failing grade.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you handle card data. Here’s the decision tree in plain language:

Your payment scenario, the SAQ it maps to, and roughly what each takes:

  • 2Checkout hosted checkout (customers never enter card data on your site): SAQ A. The shortest questionnaire, a few dozen questions; about 2 hours.
  • 2Checkout JavaScript on your site (card data passes through your page): SAQ A-EP. Considerably longer, well over a hundred questions; about 4-6 hours.
  • API integration where you collect card data yourself: SAQ D. The full requirement set, over two hundred questions; multiple days plus ASV scanning.
  • Phone orders keyed into 2Checkout's virtual terminal: SAQ C-VT. Moderate length; about 3-4 hours.

Exact question counts change with the PCI DSS version your questionnaire is issued under (v4.0 replaced v3.2.1, which was retired at the end of March 2024), so compare the SAQ type, not the count, when reading older guides.

Most 2Checkout merchants qualify for SAQ A — the simplest possible questionnaire. This applies when:

  • Customers click a “Pay Now” button on your site
  • They’re redirected to 2Checkout’s secure checkout page
  • They enter all card details on 2Checkout’s site, not yours
  • You never see, touch, or store the card numbers

If you're using an embedded checkout where the payment form appears inside your page, look at how it is embedded. If the form is an iframe served entirely by 2Checkout, card data still never enters your page's DOM and SAQ A can still apply. If 2Checkout's JavaScript builds the card fields inside your own page and posts them to 2Checkout, you'll likely need SAQ A-EP. While more comprehensive than SAQ A, it's still manageable for most businesses.
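To make the decision tree concrete, here is an added example (a triage script written for this article, not 2Checkout's code and not part of any SAQ document) that parses a checkout page and reports which SAQ its structure points to. The provider and merchant hostnames and the five sample pages are constructed placeholders, not real 2Checkout endpoints. The result is a starting point for the eligibility criteria in the SAQ itself, not a substitute for them: a page that loads the provider's JavaScript and also has a form posting card fields to your own origin cannot be decided from HTML alone, so the script tells you to confirm in the browser's network tab where the card number actually goes.

```python
"""Heuristic SAQ triage: where does the card number get typed, and where
is it sent?  Added example; hostnames and sample pages are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Normalised substrings that mark a PAN or CVV input.  Hyphens and
# underscores are stripped before matching, so "cc-number" and
# "card_number" become "ccnumber" and "cardnumber".
CARD_FIELD_HINTS = ("ccnumber", "cardnumber", "cccsc", "cvv", "cvc", "securitycode")


def _norm(*values):
    joined = " ".join(v for v in values if v).lower()
    return "".join(c for c in joined if c.isalnum() or c == " ")


def _host(url):
    return urlparse(url).netloc.lower()


class CheckoutScan(HTMLParser):
    """Collect the few facts the SAQ decision turns on."""

    def __init__(self):
        super().__init__()
        self.card_fields = []    # (normalised field name, enclosing form action or None)
        self.form_actions = []   # action attribute of every <form>
        self.iframes = []        # src of every <iframe>
        self.scripts = []        # src of every external <script>
        self._form_action = None
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
            self._form_action = a.get("action") or ""   # "" or relative => merchant's own origin
            self.form_actions.append(self._form_action)
        elif tag == "input":
            ident = _norm(a.get("name"), a.get("id"), a.get("autocomplete"))
            if any(h in ident for h in CARD_FIELD_HINTS):
                self.card_fields.append((ident, self._form_action if self._in_form else None))
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False
            self._form_action = None


def classify(html, provider_hosts, merchant_host):
    """Return (likely SAQ, reason).  The SAQ eligibility criteria decide;
    this only shows whether card fields live in your DOM and where they post."""
    scan = CheckoutScan()
    scan.feed(html)
    provider = {h.lower() for h in provider_hosts}

    def is_provider(url):
        return _host(url) in provider

    def is_merchant(url):
        return _host(url) in ("", merchant_host.lower())

    if not scan.card_fields:
        if any(is_provider(u) for u in scan.iframes):
            return "SAQ A", "no card fields in your DOM; the card form is an iframe served by the provider"
        if any(is_provider(u) for u in scan.form_actions):
            return "SAQ A", "no card fields in your DOM; the page hands the customer off to the provider's hosted checkout"
        return "unknown", "no card fields and no hand-off found; check for forms built at runtime by JavaScript"

    targets = {action for _, action in scan.card_fields}
    if any(action is None or is_merchant(action) for action in targets):
        if any(is_provider(u) for u in scan.scripts):
            return "SAQ A-EP (verify)", ("card fields sit in your DOM beside the provider's JavaScript; confirm in the "
                                         "browser network tab that the PAN is posted only to the provider, else SAQ D")
        return "SAQ D", "card fields in your DOM submit to your own server; cardholder data transits your systems"
    if all(is_provider(action) for action in targets):
        return "SAQ A-EP", "card fields in your DOM post directly to the provider (direct post)"
    return "SAQ D", "card fields post to a host that is neither you nor the provider; treat it as in scope"


# Placeholder hostnames and constructed sample pages (not 2Checkout's real endpoints).
PROVIDER_HOSTS = {"pay.example-provider.test", "js.example-provider.test"}
MERCHANT_HOST = "shop.example.test"

SAMPLES = {
    "hosted redirect": """<form action="https://pay.example-provider.test/hosted" method="post">
  <input type="hidden" name="order_id" value="1001"><button type="submit">Pay Now</button></form>""",
    "provider iframe": """<h1>Checkout</h1>
<iframe src="https://pay.example-provider.test/embed?session=abc" title="card form"></iframe>""",
    "direct post": """<form action="https://pay.example-provider.test/direct" method="post">
  <input name="card_number" autocomplete="cc-number"><input name="cvv" autocomplete="cc-csc"></form>""",
    "provider js": """<script src="https://js.example-provider.test/v1/payments.js"></script>
<form id="card-form" action="/checkout/complete" method="post">
  <input name="cardholder" autocomplete="cc-name"><input name="card-number" autocomplete="cc-number"></form>""",
    "server side": """<form action="https://shop.example.test/api/charge" method="post">
  <input name="card_number"><input name="cvv"></form>""",
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        saq, why = classify(page, PROVIDER_HOSTS, MERCHANT_HOST)
        print(f"{label:16} -> {saq}: {why}")
```

Run it against your own checkout page's saved HTML with your real provider hostnames; a "verify" result means the page can go either way and the browser's network tab, not the markup, is the evidence.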

Not sure which one applies? PCICompliance.com’s free SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no technical knowledge required.

How to Complete Your SAQ

Once you know which SAQ applies, completing it is straightforward. The questionnaire contains yes/no questions about your security practices. Here’s what the process looks like:

1. Gather your information

  • Your 2Checkout account details
  • Any contracts with IT vendors who might access your systems
  • Documentation of your security policies (even informal ones count)

2. Answer the questions honestly
When a question doesn't apply to how you operate, the honest answer is "Not Applicable", not a forced "Yes". For SAQ A merchants that is common, since you hold no card data to protect; just note that each N/A needs a one-line explanation in the questionnaire's Not Applicable appendix, and the SAQ's own guidance tells you when the option is allowed.

3. Run your vulnerability scan (if required)
If your SAQ type requires it, you'll need quarterly scans by an Approved Scanning Vendor (ASV), a company certified by the PCI SSC to run them. The scan is an automated external test of your internet-facing hosts (your web server and any public IP addresses in scope) for known vulnerabilities and misconfigurations; it passes only when nothing with a CVSS base score of 4.0 or higher remains. Setup usually takes 15-30 minutes, after which the scans run on schedule. Most ASV services cost between $100-$300 per year for all four quarterly scans. Don't assume hosted checkout exempts you: under PCI DSS v4.0 the SAQ A questionnaire itself includes an external scan requirement (11.3.2), so check the requirement list in the version you were sent.

4. Complete your Attestation of Compliance (AOC)
This is a formal declaration that you’ve completed the SAQ accurately. Think of it as signing your tax return — you’re attesting that the information is correct to the best of your knowledge.

5. Submit to 2Checkout
Upload your completed SAQ and AOC through 2Checkout’s compliance portal. They’ll review it and confirm your compliance status.

Timeline: For SAQ A merchants, the entire process typically takes 2-3 hours spread over a few days. More complex SAQ types require additional time for implementing any missing controls.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you handle it yourself or need help:

Basic Compliance Costs:

  • SAQ completion platform: $150-$500/year (many include ASV scanning)
  • Quarterly ASV scanning: $100-$300/year if purchased separately
  • Compliance management tools: $200-$600/year for automated tracking and reminders

If You Need Professional Help:

  • Consultant assistance: $500-$2,000 for SAQ completion guidance
  • Full QSA assessment: $10,000-$50,000 (only required for Level 1 merchants)

The Cost of NON-Compliance:

  • Monthly non-compliance fees: $25-$100 from your processor
  • Breach liability: $50-$90 per compromised card number
  • Forensic investigation: $10,000-$100,000 if you’re breached
  • Card brand fines: Up to $500,000 for serious violations
  • Loss of processing privileges: Priceless — you can’t run a business without accepting cards

For most small merchants using 2Checkout, annual compliance costs less than $500, a fraction of the forensic fees and per-card penalties that follow even a small breach.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an ongoing commitment. Here’s how to stay on track without it becoming a burden:

Annual Requirements:

  • Complete your SAQ (anniversary of your last submission)
  • Review and update your security policies
  • Train any staff who handle payments

Quarterly Requirements:

  • Run ASV scans if required by your SAQ type
  • Review scan results and fix any failures
  • Keep documentation of remediation efforts

When to Reassess:

  • You change how you accept payments
  • You switch payment processors or add new ones
  • You start storing card data (please don’t)
  • Your transaction volume significantly increases

Setting up a simple tracking system prevents last-minute scrambles. Set calendar reminders for:

  • Quarterly scan dates (every 90 days)
  • Annual SAQ renewal (30 days before due date)
  • Policy review dates
  • Staff training refreshers

PCICompliance.com’s compliance dashboard automates this tracking, sending you reminders before each deadline and maintaining a complete compliance history for your records.

FAQ

Q: I only process a few transactions per month. Do I really need to be PCI compliant?

A: Yes, PCI compliance is required regardless of transaction volume. Even one transaction per year makes you subject to PCI DSS requirements. The good news is that low-volume merchants typically qualify for the simplest compliance methods.

Q: What’s the difference between 2Checkout’s compliance requirements and PCI compliance?

A: 2Checkout’s requirements ARE PCI compliance requirements. As your payment processor, 2Checkout is obligated by the card brands to ensure all their merchants maintain PCI compliance. The questionnaire they sent is the standard PCI DSS Self-Assessment Questionnaire.

Q: Can I just say “yes” to all the questions to pass?

A: Absolutely not. Providing false information on your SAQ is considered fraud and can result in immediate termination of your merchant account, substantial fines, and potential legal action. Answer honestly — many questions may be “not applicable” to your business, which is perfectly acceptable.

Q: Do I need to hire a QSA to help with compliance?

A: Most small businesses using 2Checkout don't need a QSA. SAQ A and A-EP can typically be completed without professional help. A QSA-validated Report on Compliance (ROC) is required only for Level 1 merchants (over 6 million transactions a year). Some Level 2 merchants also face extra rules; Mastercard, for example, expects their SAQ to be completed by a QSA or a certified Internal Security Assessor (ISA).

Q: What happens if I fail my ASV scan?

A: Failing an ASV scan isn't the end of the world; it's actually common on the first attempt. A scan fails when any finding with a CVSS base score of 4.0 or higher remains, and the report lists each one with the affected host and a suggested fix. Once you've addressed them, you can rescan immediately, and a finding you can show is a false positive can be disputed with the ASV rather than "fixed". Most real findings are simple: outdated TLS settings, unpatched web server software, or a service exposed to the internet that shouldn't be.

Q: How does 2Checkout’s hosted checkout reduce my PCI scope?

A: When customers enter card data directly on 2Checkout's servers, that sensitive information never touches your systems. This dramatically reduces your PCI scope because you're not transmitting, processing, or storing any cardholder data, which is why you qualify for SAQ A, the simplest validation. One caveat: the redirect keeps card data off your server, not off your page. JavaScript injected into your site (a compromised plugin, a tampered third-party script) can rewrite the Pay Now link or add a fake card form, which is why PCI DSS v4.0 asks even SAQ A merchants to confirm their site is not exposed to script attacks on the page that hands off to 2Checkout.

Q: Can I use the same SAQ for multiple payment processors?

A: Your security practices are assessed once, but each processor or acquirer may ask for its own copy of your SAQ and AOC, so the documentation is repeated even though the work is not. If the processors give you different payment channels (hosted checkout with one, an API integration with another), the more exposed channel drives your SAQ type; ask your acquirer whether it wants one SAQ per channel or a single SAQ D covering everything.

Q: What’s the difference between PCI compliance and being “PCI certified”?

A: Technically, there’s no such thing as being “PCI certified” — you’re either compliant or non-compliant with the PCI DSS. When people say “certified,” they usually mean they’ve successfully completed their annual validation (SAQ or ROC) and any required scanning.

Moving Forward with Confidence

PCI compliance might seem daunting at first glance, but for most 2Checkout merchants, it’s a manageable process that protects both your business and your customers. By using 2Checkout’s hosted checkout solutions, you’ve already made the smartest choice for minimizing your compliance burden.

Start by identifying which SAQ type applies to your payment setup — this single step eliminates 90% of the confusion. From there, it’s simply a matter of answering questions honestly, implementing any missing controls, and maintaining your compliance year-round.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Whether you’re completing your first SAQ or managing compliance across multiple payment channels, we provide the tools and guidance to make PCI compliance as painless as possible. Start with our free SAQ Wizard to identify your requirements in under five minutes, or talk to our compliance team for personalized guidance on your 2Checkout integration.
