Elavon PCI Compliance
The Bottom Line (We Know Why You’re Here)
You just received a compliance questionnaire from Elavon asking about your PCI compliance status, and you’re wondering what it all means. Here’s the good news: for most small and medium-sized businesses, PCI compliance is simpler than it sounds. You don’t need a security team or expensive consultants — just a clear understanding of what’s required and the right tools to get it done.
If you accept credit cards through Elavon (or any payment processor), you need to complete an annual self-assessment questionnaire and possibly run quarterly security scans. That’s it for most merchants. This guide will walk you through exactly what Elavon needs from you and how to get compliant without the headaches.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. Think of it as a security checklist designed to protect credit card data from theft.
The card brands created these standards through the PCI Security Standards Council, but it’s your payment processor (in this case, Elavon) who actually enforces them. They’re required to make sure all their merchants follow these security practices.
Here’s what matters to you:
- If you accept credit cards, you must be PCI compliant — no exceptions
- Non-compliance can result in monthly fines from Elavon (typically $20-100/month)
- If there’s a data breach and you’re not compliant, you could be liable for fraud losses and forensic investigation costs
- The good news: most businesses qualify for simplified compliance questionnaires that take 30-60 minutes to complete
Do You Need to Be PCI Compliant?
Simple answer: Yes. If you accept credit card payments in any form — swiped, dipped, tapped, keyed, or online — PCI compliance applies to you.
Your merchant level determines how much documentation Elavon requires:
- Level 4 (under 20,000 transactions/year): Self-assessment questionnaire only — that’s 90% of small businesses
- Level 3 (20,000 – 1 million transactions/year): Self-assessment plus quarterly network scans
- Level 2 (1-6 million transactions/year): Same as Level 3
- Level 1 (over 6 million transactions/year): Annual on-site assessment by a QSA
Most small to medium businesses fall into Level 3 or 4, which means you can handle compliance yourself using Elavon’s questionnaire.
That compliance notice from Elavon is their annual reminder to complete your assessment. They’re required to verify that every merchant maintains compliance, and they’ll keep sending reminders (and eventually fines) until you complete it.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Here’s the decision tree in plain language:
| How You Take Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Outsourced completely (PayPal, Square online) | SAQ A | 22 | Easiest |
| E-commerce with hosted checkout page | SAQ A-EP | 191 | Moderate |
| Standalone terminals only (no connected systems) | SAQ B | 41 | Easy |
| Terminals connected to your network | SAQ B-IP | 82 | Easy-Moderate |
| Call center/phone orders only | SAQ C-VT | 85 | Moderate |
| Multiple payment channels or storing card data | SAQ D | 329 | Complex |
| Card-present only with validated P2PE solution | SAQ P2PE | 35 | Easy |
Real-world examples to help you identify yours:
- Restaurant with a Clover terminal: SAQ B-IP if connected to internet, SAQ B if standalone
- Online store using Shopify Payments: SAQ A (Shopify handles all the card data)
- Doctor’s office taking payments over the phone: SAQ C-VT
- Retail store with integrated POS system: Usually SAQ B-IP or SAQ D
Not sure which one? Our SAQ Wizard at PCICompliance.com asks you a few simple questions about your payment setup and tells you exactly which questionnaire applies — no guessing required.
How to Complete Your SAQ
Once you know which SAQ type you need, here’s what to expect:
The questionnaire format is straightforward — each question asks if you have a specific security control in place. You answer “Yes,” “No,” or “Not Applicable.” For example:
- “Do you change default passwords on all systems?”
- “Is antivirus software installed and regularly updated?”
- “Do you have a firewall protecting your payment systems?”
For each “Yes” answer, you’re confirming that control is in place. Some questions may ask for documentation like security policies or network diagrams, but most don’t require proof unless Elavon requests it.
Time to complete:
- SAQ A: 30 minutes
- SAQ B: 45 minutes
- SAQ A-EP, B-IP, C-VT: 1-2 hours
- SAQ D: 4-8 hours (you might want help with this one)
The quarterly vulnerability scan applies if you have any systems connected to the internet that handle payments (SAQ A-EP, B-IP, C-VT, or D). An Approved Scanning Vendor (ASV) runs automated scans of your public-facing systems looking for vulnerabilities. It’s not invasive — think of it as a security checkup for your internet connection.
After completing your SAQ, you’ll sign an Attestation of Compliance (AOC) — basically a formal declaration that your answers are accurate. Submit both documents through Elavon’s compliance portal, and you’re done for the year.
What It Costs
Let’s talk real numbers for PCI compliance:
Compliance platform fees (if you use a service like PCICompliance.com):
- SAQ completion tools: $100-300/year
- Compliance tracking dashboard: Often included
- Expert support: $50-200/hour if needed
ASV scanning costs (required for most online merchants):
- Quarterly scans: $200-500/year total
- Remediation support: Usually included
- Unlimited rescans: Important for fixing any issues found
If you need a QSA (only for complex environments or Level 1 merchants):
- Assessment fees: $5,000-50,000 depending on scope
- Most small merchants never need this
The cost of NON-compliance:
- Elavon monthly fines: $20-100/month
- Breach liability: $50-500 per compromised card
- Forensic investigation: $10,000-100,000+
- Loss of card processing privileges: Business-ending
Bottom line: Annual compliance for a typical small merchant costs less than $500 — far less than a single month of non-compliance fines or the smallest data breach.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with some ongoing obligations.
Your compliance calendar should include:
- Annual SAQ completion (usually due on your Elavon contract anniversary)
- Quarterly ASV scans (if required) every 90 days
- Security updates and patches as they’re released
- Employee training on payment security basics
What triggers a new assessment:
- Changing how you accept payments (adding e-commerce, for example)
- Switching payment processors or adding new ones
- Major network or system changes
- A security incident or breach
Making it manageable: Set calendar reminders 30 days before each deadline. Better yet, use a compliance management platform that tracks everything automatically and sends alerts when action is needed. PCICompliance.com’s dashboard shows your compliance status at a glance and alerts you before any deadline.
Frequently Asked Questions
What happens if I ignore Elavon’s compliance request?
Elavon will typically send several reminders, then begin charging monthly non-compliance fees (usually $20-100). Eventually, they may increase your processing rates or terminate your merchant account. It’s much easier to just complete the questionnaire.
Do I need to hire a security consultant?
For most small merchants using standard payment setups, no. The SAQ is designed for business owners to complete themselves. If you process millions of transactions or have complex payment systems, then yes, professional help makes sense.
What’s the difference between PCI compliance and EMV compliance?
EMV refers to chip card acceptance — the physical security of the card. PCI compliance covers data security for all payment methods. You need both: EMV terminals to reduce fraud liability and PCI compliance to protect cardholder data.
Can I just say “yes” to all the questions?
Absolutely not. False attestation is fraud and makes you fully liable for any breach losses. The questions are straightforward — if you can’t honestly answer “yes,” you need to implement that security control first.
How do I know if I’m storing credit card data?
Search your systems for spreadsheets, databases, or documents containing card numbers. Check email folders, customer databases, and filing cabinets. If you find any, stop immediately — storing card data dramatically increases your compliance burden and risk.
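As an added example (not part of the original guide, and not an Elavon or PCICompliance.com tool), the search described above can be partly automated. This Python script walks a folder of text-like files, flags digit runs that pass the Luhn checksum used by card numbers, and reports them masked; the file-extension list and the sample data are assumptions constructed for illustration.

```python
import os
import re

# Heuristic: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TEXT_EXTENSIONS = {".csv", ".txt", ".log", ".sql", ".json"}  # assumed list

def luhn_valid(digits: str) -> bool:  # Luhn checksum used by card numbers
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return masked (first 6 / last 4) card-number candidates in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and map each text-like file to its masked findings."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_pans(fh.read())
            except OSError:     # unreadable file: skip, keep scanning
                continue
            if hits:
                findings[path] = hits
    return findings

# Constructed sample data using publicly documented test card numbers.
SAMPLE = """invoice,customer,note
1001,A. Buyer,card 4111 1111 1111 1111 on file
1002,B. Buyer,order ref 1234567890123456
1003,C. Buyer,paid with 5555-5555-5555-4444
"""
if __name__ == "__main__":
    print(find_pans(SAMPLE))
```

Findings are masked so the scan report does not itself become stored card data. Spreadsheets, PDFs, email stores and paper records are outside what this script reads and still need the manual check described above.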
What if my ASV scan fails?
Don’t panic — initial scan failures are common. The ASV provides a report showing what needs fixing (usually software updates or firewall adjustments). Fix the issues, request a rescan, and repeat until you pass. Most issues are simple configuration changes.
Does using Square or PayPal make me automatically compliant?
Not quite. While these services reduce your compliance scope to the simplest SAQ A, you still need to complete and submit the questionnaire annually. The good news is it’s only 22 questions and takes about 30 minutes.
What if I only process a few transactions per year?
PCI compliance applies to any merchant who accepts cards, regardless of volume. However, Elavon may not actively enforce compliance for very low-volume merchants. Check your merchant agreement — compliance is likely still required.
Moving Forward with Confidence
Elavon PCI compliance doesn’t have to be overwhelming. For most merchants, it’s a simple annual questionnaire that takes less time than doing your taxes. The key is understanding which requirements apply to your specific situation and having the right tools to stay on track.
Start by identifying your SAQ type — that determines everything else. If you’re unsure, PCICompliance.com’s free SAQ Wizard walks you through a few simple questions about your payment setup and tells you exactly which questionnaire applies. From there, our platform guides you through each requirement, handles your ASV scanning needs, and keeps your compliance documentation organized year-round. Whether you need help completing your first SAQ or managing compliance across multiple locations, our tools and compliance experts make the process straightforward and stress-free.