Verifone PCI Compliance
Bottom Line Up Front
Just received a PCI compliance questionnaire from your payment processor? Take a breath. For most small businesses using Verifone terminals or payment solutions, PCI compliance is simpler than you think. If you’re like the thousands of merchants we’ve helped, you’re probably eligible for one of the easier compliance paths — often just a short questionnaire and quarterly security scan. This guide explains exactly what you need to do in plain English, no technical jargon required.
What Is PCI Compliance (In Plain English)
PCI compliance means following security standards designed to protect credit card data. If you accept credit cards — whether through a Verifone terminal, online checkout, or over the phone — these standards apply to you.
The Payment Card Industry Data Security Standard (PCI DSS) is published by the PCI Security Standards Council, which the major card brands (Visa, Mastercard, American Express, Discover and JCB) founded and run. Your payment processor or acquiring bank enforces these standards because the card brands hold them responsible if card data is stolen from a merchant they sponsor.
Here’s what happens if you’re not compliant: Your processor can fine you monthly (typically $25-$100 for small merchants), you’re liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards entirely. The good news? Most small businesses qualify for the simplest compliance requirements — often just a self-assessment questionnaire that takes 30-60 minutes to complete annually.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes. This includes:
- Swiping, inserting, or tapping cards on a Verifone terminal
- Taking payments through your website
- Accepting card numbers over the phone
- Processing mail-order payments
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants: fewer than 20,000 Visa e-commerce transactions a year, or up to 1 million total Visa transactions a year across all channels (each card brand publishes its own thresholds, and your processor will tell you which level they have assigned you). Level 4 merchants typically complete a Self-Assessment Questionnaire (SAQ) instead of hiring a Qualified Security Assessor for an on-site audit.
That compliance questionnaire your payment processor sent? It’s their way of verifying you’re following the security standards. They’re required to collect this documentation annually, and they’ll keep sending reminders (and eventually fines) until you complete it.
Which SAQ Do You Need?
The type of SAQ you complete depends on how you accept payments and which of your systems can touch card data. Here's a simple breakdown (question counts are approximate and change between PCI DSS versions):
| How You Accept Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| E-commerce or mail/phone order with everything outsourced: the provider's hosted payment page or iframe collects the card data (PayPal Standard, Shopify, Stripe Checkout) | SAQ A | ~20-30 | Easiest |
| E-commerce where your own website controls how card data is collected, such as a form or script served from your page that posts to the gateway | SAQ A-EP | ~150 | Moderate |
| Standalone dial-out terminals or imprint machines only, not connected to any other system | SAQ B | ~40 | Easy |
| Standalone terminals connected over the internet (IP), not connected to any other system | SAQ B-IP | ~80 | Moderate |
| Keying card numbers into a web-based virtual terminal on an isolated, single-purpose computer | SAQ C-VT | ~80 | Moderate |
| Payment application or POS systems connected to the internet, no electronic storage | SAQ C | ~150 | Complex |
| Validated point-to-point encryption (P2PE) solution, no electronic storage | SAQ P2PE | ~30 | Easy |
| Everything else, including storing card data electronically | SAQ D | 250+ | Most Complex |
For Verifone users specifically:
- Using a standalone Verifone terminal that dials out over a phone line? You're likely SAQ B, even if you also key in phone or mail orders on that terminal
- Verifone terminal connected to your network or POS system? You're likely SAQ B-IP if the terminal is the only system that touches card data, and SAQ C if your POS software processes the card data itself
- Using Verifone's payment gateway for e-commerce? You're likely SAQ A if the gateway's hosted page or iframe collects the card data, and SAQ A-EP if a form or script on your own site collects it before passing it to the gateway
Not sure which one applies? PCICompliance.com’s free SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.
How to Complete Your SAQ
Your SAQ is a questionnaire with yes/no questions about your payment security practices. Here’s what to expect:
What the questions look like: Most are straightforward — “Do you change default passwords on payment terminals?” or “Is your payment terminal in a secure location?” Answer “yes” only if you actually do what the question asks. If you answer “no,” you’ll need to fix that issue or explain your compensating controls.
Time investment: An SAQ B takes most merchants 30-45 minutes. SAQ A can be done in 20 minutes. The more complex ones (C and D) might take several hours and require gathering documentation.
Documentation you’ll need:
- Your merchant account details
- Network diagram (for SAQ B-IP and above)
- Security policies (for SAQ C and D)
- ASV scan results (required for SAQ A-EP, B-IP, C and D; not for standalone dial-out terminals or validated P2PE)
The quarterly ASV scan: If your SAQ calls for it (A-EP, B-IP, C and D), you need a passing vulnerability scan from an Approved Scanning Vendor every 90 days against the internet-facing IP addresses that are in scope for your card processing, such as the internet connection a network-connected terminal sits behind. The scan probes those addresses for known vulnerabilities, outdated software and exposed services. Schedule your first one when you start your SAQ; results usually arrive within 24-48 hours, and a failed scan means fixing the findings and rescanning before you can attest.
Submitting your compliance: Once you complete the SAQ and any required scans pass, you’ll sign an Attestation of Compliance (AOC) and submit it to your processor. Keep copies for your records — you might need them for insurance or business partners.
What It Costs
Let’s talk real numbers for PCI compliance:
Compliance tools and SAQ platforms: Free to $30/month for basic tools, $50-150/month for comprehensive platforms with scanning and support. PCICompliance.com’s pricing starts at $XX/month for everything you need.
Quarterly ASV scanning: Usually $50-100 per scan if purchased separately, but often included in compliance platforms. If your SAQ requires scanning, you need a passing scan every quarter, four per year.
If you need a QSA: A full on-site assessment by a Qualified Security Assessor (or a certified internal assessor) is only required for Level 1 merchants or if your processor specifically demands it. QSA assessments run $10,000-50,000+ depending on complexity. The vast majority of small businesses never need one.
The cost of NON-compliance:
- Monthly fines: $25-100 from your processor
- Breach costs: Average $150,000+ for small merchants
- Lost business: Priceless — you can’t sell if you can’t accept cards
Bottom line: Annual compliance for most small merchants costs less than $1,000 — often under $500. A single month’s non-compliance fine could cover several months of proper compliance tools.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly milestones. Here’s how to stay on track:
Set up your compliance calendar:
- Annual SAQ due date (usually 30-60 days after your processor’s request)
- Quarterly ASV scans (a passing scan every 90 days, if your SAQ requires them)
- Security update reminders for your Verifone terminals
- Password change schedules
What triggers a reassessment:
- Adding new payment channels (like starting e-commerce)
- Changing payment processors or terminals
- Significant network changes
- Storing card data when you didn’t before (please don’t)
Making it manageable: PCICompliance.com’s compliance dashboard tracks all your deadlines, sends automatic reminders, and keeps your documentation organized. You’ll never miss a scan or forget to renew your compliance.
FAQ
I’m just a small business with one Verifone terminal. Do I really need to worry about this?
Yes, but it’s probably simpler than you think. With a single terminal, you likely qualify for SAQ B — about 40 yes/no questions that take 30-45 minutes to complete once a year. Your processor requires it, and the fines for ignoring it add up quickly.
What’s the difference between PCI compliance and EMV compliance?
EMV (chip card) compliance is about accepting chip cards to reduce fraud liability. PCI compliance covers overall card data security, regardless of how you accept payments. You need both — EMV doesn’t replace PCI requirements.
My payment processor says I need an ASV scan. What is that?
An Approved Scanning Vendor scan is an automated external vulnerability scan of the internet-facing systems that are in scope for your card processing. Whether you need one depends on your SAQ: SAQ A-EP, B-IP, C and D require a passing scan every quarter, while a standalone dial-out terminal (SAQ B) or a validated P2PE solution does not. A brochure website that plays no part in taking payments is not what the scan is for. Scans typically cost $50-100 each or come included with compliance platforms.
Can I just ignore this questionnaire from my processor?
You can, but you shouldn’t. Most processors start with reminder emails, then add monthly non-compliance fees ($25-100), and eventually may suspend your ability to accept cards. The questionnaire takes less time than dealing with the consequences of ignoring it.
I use Verifone’s point-to-point encryption (P2PE). Does that change my requirements?
Yes. If you use a validated P2PE solution, the terminal encrypts card data the moment it is read and only the solution provider can decrypt it, so you may qualify for SAQ P2PE, which has only around 30 questions. This is one of the easiest paths to compliance. Check that your specific Verifone solution, including the exact terminal model and the provider you use, is on the PCI Council's list of validated P2PE solutions, and that you follow the provider's P2PE Instruction Manual (for example, inspecting terminals for tampering).
How do I know if I’m storing card data?
Check these places: old spreadsheets, customer databases, email systems, paper files, point-of-sale exports, and backup systems. If you find full card numbers anywhere, you need to securely delete them (including from backups) and, if you cannot stop storing them, move to SAQ D. When in doubt, search your systems for common credit card number patterns and confirm each hit with the Luhn check digit test, which real card numbers pass and most random digit strings fail.
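The pattern search described above, as an added example (not code from this page, Verifone or PCICompliance.com): it looks for 13-19 digit runs, confirms each candidate with the Luhn check, classifies it by a simplified issuer prefix for the four brands named in this guide (the prefix ranges are an assumption for illustration), and reports only masked numbers so the scan report itself does not become a new place where full card numbers are stored. The sample text and the `scan_directory` helper are constructed for the example.

```python
"""PAN discovery scan: find likely card numbers in text files.

Added example for this guide, not Verifone's or PCICompliance.com's code.
Assumptions: plain-text input (exports, CSVs, mail archives), the four
brands named in the guide, and simplified issuer prefix ranges.
"""
import re
from pathlib import Path

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (order ids, timestamps).
PAN_RE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: real PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def brand_of(digits: str):
    """Return the card brand for a digit string, or None (simplified ranges)."""
    n2, n3, n4 = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if (51 <= n2 <= 55 or 2221 <= n4 <= 2720) and len(digits) == 16:
        return "Mastercard"
    if n2 in (34, 37) and len(digits) == 15:
        return "American Express"
    if (n4 == 6011 or n2 == 65 or 644 <= n3 <= 649) and len(digits) == 16:
        return "Discover"
    return None


def mask(digits: str) -> str:
    """Keep the first six and last four digits, which PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (line_number, brand, masked_pan) for each likely PAN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue
            brand = brand_of(digits)
            if brand is None:
                continue
            hits.append((lineno, brand, mask(digits)))
    return hits


def scan_directory(root, suffixes=(".txt", ".csv", ".log", ".eml")):
    """Walk a directory tree and report likely PANs per file (hypothetical helper)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_pans(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample of the kind of "old spreadsheet" export the guide warns about.
# The card numbers are the brands' published test numbers, not real accounts.
SAMPLE_TEXT = """\
Customer : J. Example   Phone: 555-0100-12345
Order    : 1234567890123 (internal order id, 13 digits, not a card)
Visa     : 4111 1111 1111 1111  exp 12/27
MC       : 5555-5555-5555-4444
Amex     : 378282246310005
Discover : 6011111111111117
Typo     : 4111111111111112 (fails Luhn, ignored)
"""

if __name__ == "__main__":
    for lineno, brand, masked in find_pans(SAMPLE_TEXT):
        print(f"line {lineno}: {brand} {masked}")
```

Run it against a directory of exports with `scan_directory("/path/to/exports")`. The Luhn check removes most order numbers and phone numbers, but a 13-19 digit value that happens to pass it will still be flagged, so treat every hit as something to look at, not as proof of stored card data.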
What if I fail my ASV scan?
Don't panic; many merchants fail their first scan. You'll get a report showing what needs fixing (usually missing software updates, weak TLS settings, or unnecessary open ports on the scanned addresses). Fix the issues and rescan; only a passing scan counts for the quarter. PCICompliance.com includes unlimited rescans and remediation guidance.
My business is online-only. Do I still need PCI compliance?
Absolutely. E-commerce merchants often face higher risk than brick-and-mortar stores. Depending on your setup, you'll likely need SAQ A (if your provider's hosted payment page or iframe collects the card data) or SAQ A-EP (if a form or script on your own site collects it). SAQ A-EP requires quarterly ASV scans; for SAQ A, confirm with your processor which PCI DSS version they are using, since newer versions have added requirements for SAQ A merchants.
Conclusion
PCI compliance for Verifone users doesn’t have to be overwhelming. Whether you’re running a single terminal at your retail counter or processing thousands of transactions through Verifone’s gateway, the path to compliance is clear: identify your SAQ type, complete the questionnaire honestly, schedule your quarterly scans, and submit your documentation.
The key is starting now rather than waiting for those non-compliance fines to pile up. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Most merchants complete their initial compliance in under an hour and spend just minutes per quarter maintaining it. Start with the free SAQ Wizard to see exactly what your compliance journey looks like, or talk to our compliance team if you need guidance on your specific Verifone setup.