Mollie PCI Compliance (EU)
Bottom Line Up Front
If you just received a PCI compliance questionnaire from Mollie and your heart sank — relax. For most small businesses, PCI compliance is simpler than you think. You probably qualify for one of the easier questionnaire types that takes an hour or two to complete, not the massive audit you’re imagining. This guide will walk you through exactly what Mollie PCI compliance means for your business, which questionnaire you need, and how to complete it without losing your mind.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that applies to any organisation that stores, processes or transmits payment card data, which includes every merchant that accepts card payments. Think of it as basic security hygiene for handling payment cards: like washing your hands before cooking, but for card data.
The major card brands (Visa, Mastercard, American Express, Discover and JCB) maintain the standard through the PCI Security Standards Council. The brands do not check merchants directly; enforcement flows through the acquirer or payment processor that gives you access to the card networks. When Mollie sent you that compliance questionnaire, they were fulfilling their obligation to the card brands to ensure that all their merchants protect cardholder data properly.
Here is what matters: if you are not compliant, Mollie can charge a monthly non-compliance fee (this guide uses roughly €25-100 per month as an indicative figure for small merchants; check your Mollie agreement for the actual amount), you are liable for fraud losses if there is a breach, and in extreme cases you could lose the ability to accept card payments entirely. The good news? Most small businesses can achieve compliance in an afternoon with the right guidance.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit or debit cards through Mollie, yes, you need to be PCI compliant. It doesn’t matter if you process one transaction or thousands — the requirement applies to everyone.
Most small businesses fall into Merchant Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news — Level 4 merchants complete a self-assessment questionnaire rather than hiring an expensive auditor.
Mollie expects you to:
- Complete the appropriate SAQ (Self-Assessment Questionnaire) annually
- Run quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) if your SAQ type requires them (SAQ A-EP, B-IP, C and D do; check Requirement 11 of your SAQ for the others)
- Submit your AOC (Attestation of Compliance) to confirm you’ve done the work
That compliance questionnaire Mollie sent? It’s their way of collecting this information. They’re required to verify that all their merchants maintain compliance, and they’ll keep sending reminders until you complete it.
Which SAQ Do You Need?
The biggest confusion around PCI compliance is figuring out which questionnaire applies to your business. There are nine SAQ types under PCI DSS v3.2.1 and ten under v4.x (A, A-EP, B, B-IP, C, C-VT, D for merchants, D for service providers, P2PE and, in v4.x, SPoC), but most Mollie merchants fall into one of a handful of categories:
| How You Accept Payments | SAQ Type | Complexity | Time to Complete |
|---|---|---|---|
| E-commerce with Mollie Checkout or Components | SAQ A | Easiest | 1-2 hours |
| E-commerce where your own page delivers the card form (direct-post or JavaScript integration) | SAQ A-EP | Easy | 2-3 hours |
| Physical terminal only, standalone dial-out, no e-commerce (IP-connected terminals use SAQ B-IP instead) | SAQ B | Easy | 2-3 hours |
| Taking payments over the phone | SAQ C-VT | Moderate | 3-4 hours |
| Storing card numbers (please don’t) | SAQ D | Complex | Days/weeks |
Let’s break down the most common scenarios for Mollie merchants:
SAQ A – If you redirect customers to Mollie's hosted payment page, or use pre-built checkout components where the card fields live inside iframes served by Mollie, you qualify for the simplest questionnaire. Your website never touches card data, so you only answer a couple of dozen questions. One caveat for PCI DSS v4.x: SAQ A eligibility now asks you to confirm that your checkout page is not exposed to script-based attacks that could tamper with the payment flow, so read the eligibility criteria in the current SAQ A before ticking the box.
SAQ A-EP – If your own web page delivers the payment form (a direct-post or JavaScript integration where your page collects the card data and sends it to Mollie), your site can influence the security of the transaction even though it never stores card numbers, so you need this longer version with well over a hundred questions. Don't panic: most are straightforward yes/no questions about your website security. If the card fields are fully hosted by Mollie in an iframe or via redirect, you are back in SAQ A.
SAQ C-VT – If you take card payments over the phone and key them into Mollie's virtual terminal or dashboard, this questionnaire covers your phone process and the computer you use. To be eligible, that computer should be used for the virtual terminal only, be isolated from other systems, and no card data may be stored electronically after the payment.
SAQ D – If you are storing full card numbers in any form (spreadsheets, customer database, even post-it notes), you need the full questionnaire with several hundred questions. Seriously consider changing your processes to avoid this.
Not sure which one fits? PCICompliance.com’s SAQ Wizard asks a few simple questions about how you accept payments and tells you exactly which questionnaire you need.
How to Complete Your SAQ
Once you know which SAQ applies, the actual completion process is straightforward. Here’s what to expect:
The questionnaire presents a series of yes/no questions about your security practices. For example, SAQ A might ask: “Are all payment pages hosted by a PCI DSS compliant payment processor?” If you use Mollie Checkout, the answer is yes. Simple as that.
“Yes” means you are doing what the question asks. It is not about perfection; it is about meeting the requirement as written. The wording matters, though: if a question asks about password length and you require 12 characters (the PCI DSS v4.x minimum for user passwords, or 8 where a system cannot support 12), you can answer yes. Under the retired v3.2.1 the minimum was 7 characters, so an older policy that still says 7 no longer qualifies.
You’ll need to gather some basic documentation:
- Your Mollie integration details (which payment products you use)
- Network diagrams if you process payments in a physical location
- Security policies if you have them (templates are fine for small businesses)
- Results from your quarterly ASV scan if your SAQ type requires one
About that ASV scan: whether you need one depends on your SAQ type, not on merely having a website. SAQ A-EP, B-IP, C and D require quarterly external vulnerability scans of your internet-facing in-scope systems by an Approved Scanning Vendor (ASV); check Requirement 11 of your own SAQ for the others. It is an automated scan that checks for known security holes. Schedule it, fix anything that causes a fail (any finding rated CVSS 4.0 or higher, i.e. medium severity and above), rescan, and save the passing report.
After answering all questions, you’ll generate an AOC (Attestation of Compliance) — basically your signature confirming the information is accurate. Submit this to Mollie through their compliance portal, and you’re done for the year.
What It Costs
PCI compliance costs vary, but for most small merchants using Mollie, expect:
Compliance Platform/Tools: €10-50/month for SAQ completion software and guidance. Some merchants complete their SAQ manually for free, but platforms like PCICompliance.com save time and reduce errors.
ASV Scanning: €20-40 per quarterly scan (€80-160/year). Required by SAQ A-EP, B-IP, C and D. Many compliance platforms include this.
QSA Assessment: Only required for Level 1 merchants (over 6 million transactions annually). If this is you, budget €10,000-50,000 for a full assessment.
Non-Compliance Costs: This is where it gets expensive. Mollie can charge €25-100/month in non-compliance fees. If you suffer a breach while non-compliant, you’re liable for fraud losses, forensic investigation costs (€20,000+), and potential fines from the card brands (€50,000-500,000).
Honest assessment: for most small merchants, annual compliance costs less than a single month of non-compliance fees, and far less than any breach-related costs.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly obligations. Here’s how to stay on track:
Set up reminders for:
- Annual SAQ completion (usually on your Mollie contract anniversary)
- Quarterly ASV scans (every 90 days)
- Security update patches for your systems
Know what triggers a reassessment. Changed how you accept payments? Added a new location? Started storing card data? You might need a different SAQ type.
Track your compliance status. Whether you use spreadsheets or a compliance platform, know when your next obligations are due. PCICompliance.com’s dashboard shows your compliance status at a glance and sends automatic reminders before deadlines.
Most importantly, integrate security into your daily operations. The easiest way to pass your annual assessment is to actually follow the security practices year-round, not scramble to implement them at questionnaire time.
FAQ
What happens if I ignore Mollie’s PCI compliance requirements?
Mollie will start with reminder emails, then add monthly non-compliance fees to your account (typically €25-100). Eventually, they may suspend your ability to process payments until you comply. The real risk is liability — if you suffer a breach while non-compliant, you’re responsible for all associated costs.
Can I just answer “yes” to everything on the SAQ?
Technically you can, but you’re legally attesting that your answers are accurate. False attestation can result in fines and loss of card processing privileges. Plus, if you’re breached, investigators will check whether you actually implemented what you claimed.
Do I need to hire a QSA to help with compliance?
Most Mollie merchants don't need a QSA: you can complete your SAQ yourself or with help from a compliance platform. Level 1 merchants (over 6 million transactions annually) require an on-site assessment by a QSA. Level 3-4 merchants self-assess; Level 2 merchants generally self-assess too, although some card brands expect a Level 2 SAQ to be completed by staff with PCI SSC training or by a QSA.
What’s the difference between PCI compliance and GDPR?
PCI DSS specifically protects payment card data, while GDPR protects all personal data of EU residents. You need to comply with both, but they’re separate requirements with different rules and penalties. PCI is enforced by your payment processor; GDPR is enforced by data protection authorities.
I only process a few payments per month. Do I still need to comply?
Yes, PCI DSS applies to all merchants regardless of transaction volume. However, your small volume means you’re likely Level 4 with the simplest compliance requirements. You probably qualify for SAQ A or B, which you can complete in a few hours.
How do I know if I’m storing card data?
Check everywhere: databases, spreadsheets, email, paper files, call recordings, application logs, even photos of cards. If you can see full card numbers (the PAN) anywhere in your business after a transaction completes, you are storing card data. A masked number (at most the first six and last four digits) or the payment token Mollie returns is not cardholder data and is fine to keep; the full PAN is in scope, and the CVV/CVC and magnetic-stripe data may never be stored after authorisation, even encrypted. The best practice is to never store the PAN at all; let Mollie handle that complexity.
What if I fail my ASV scan?
First, don't panic; failing initially is common. The scan report shows exactly what failed and why. An ASV scan fails on any finding with a CVSS score of 4.0 or higher (medium severity and above), not just critical and high ones, so fix everything at that level (usually software updates or configuration changes), then rescan. You need one passing scan per quarter, and you can scan as many times as needed to get there; if a finding is a false positive, ask the ASV to review the evidence and mark it as such.
Can Mollie help me with PCI compliance?
Mollie provides the secure payment infrastructure and documentation about their compliance, but you’re responsible for your own PCI compliance. They’ll point you to resources and may recommend compliance partners, but they can’t complete your SAQ for you or give specific advice about your implementation.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives from Mollie, but for most merchants, it’s a manageable process that protects both your business and your customers. Identify which SAQ type fits your payment setup, set aside a few hours to complete it properly, and build simple processes to maintain compliance year-round.
Remember, the requirements exist for good reason — to prevent the devastating costs of a data breach. The few hours you invest in compliance today could save your business from significant financial and reputational damage tomorrow.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team for guidance specific to your Mollie integration. Don’t let compliance anxiety keep you from growing your business — with the right tools and guidance, you can check this box confidently and get back to what you do best.