Ireland PCI Compliance: A Practical Guide for Business Owners
The Bottom Line Up Front
If you accept credit cards at your business in Ireland — whether through a terminal, website, or phone — you need to be PCI compliant. The good news? For most small businesses, Ireland PCI compliance is much simpler than it sounds. You’ll likely need to complete a short questionnaire once a year and run quarterly security scans. This guide walks you through exactly what you need to do, step by step, without the technical jargon.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. They formed the PCI Security Standards Council to manage these standards, but your payment processor or acquiring bank is who actually enforces them.
Think of PCI DSS as basic security hygiene for businesses that handle credit cards. The requirements cover things like:
- Keeping payment systems secure
- Protecting customer card data
- Regularly testing your security
- Having policies in place
Your payment processor requires PCI compliance because they’re on the hook if your business gets breached. If hackers steal card numbers from your system, the processor faces fines from the card brands — and they’ll pass those costs to you.
The consequences of non-compliance include:
- Monthly fines from your processor (typically €50-500/month)
- Liability for fraud losses if you’re breached
- Higher processing fees
- Potential loss of card acceptance privileges
But here’s what most compliance companies won’t tell you: if you’re a small merchant using modern payment tools, achieving compliance often takes just a few hours per year. You’re not building Fort Knox — you’re completing a questionnaire that confirms you’re following basic security practices.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit or debit cards in any form, yes.
This applies whether you:
- Use a card terminal in your shop
- Accept payments through your website
- Take card details over the phone
- Store customer card numbers (please don’t)
- Process payments through a mobile app
Your merchant level determines how much documentation you need. Most small businesses fall into Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete a self-assessment questionnaire — no external auditor required.
That compliance questionnaire your payment processor sent? It’s their annual check to ensure you’re following PCI requirements. They need this documentation to prove to the card brands that their merchants are secure. Ignore it, and you’ll start seeing non-compliance fees on your monthly statements.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Here’s how to determine which one applies to your business:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Redirect to payment provider (PayPal, Stripe Checkout) | SAQ A | 22 | Simplest |
| Website with payment fields (Stripe Elements, Square) | SAQ A-EP | 191 | Moderate |
| Standalone terminal only | SAQ B | 41 | Simple |
| Terminal connected to internet | SAQ B-IP | 82 | Simple |
| Taking payments by phone/mail | SAQ C-VT | 160 | Moderate |
| Storing card numbers | SAQ D | 326+ | Complex |
Common scenarios for Irish businesses:
- Retail shop with Square/Clover terminal: You’re likely SAQ B or SAQ B-IP
- E-commerce on Shopify: You’re SAQ A (Shopify handles everything)
- WooCommerce with Stripe: Probably SAQ A-EP (payment fields on your site)
- Restaurant taking phone orders: You need SAQ C-VT
- Any business storing card numbers: You’re stuck with SAQ D (and should stop storing cards)
Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your security practices. Here’s what the process looks like:
1. Download the correct SAQ from the PCI Security Standards Council website (or use PCICompliance.com’s guided process)
2. Answer each question honestly. “Yes” means you’re doing what the question asks. For example:
   - “Do you restrict physical access to payment terminals?” → Yes means terminals aren’t left unattended where customers could tamper with them
   - “Are default passwords changed on all systems?” → Yes means you’ve changed any vendor-supplied passwords that came pre-set on your equipment
3. Gather required documentation:
   - Network diagram (can be hand-drawn for simple setups)
   - Security policies (templates available)
   - Quarterly ASV scan reports
   - Service provider compliance certificates
4. Complete your quarterly ASV scan. An Approved Scanning Vendor checks your internet-facing systems for vulnerabilities. This is required for most SAQ types and takes about 30 minutes to set up. The scan runs automatically and emails you results.
5. Submit your package:
   - Completed SAQ
   - Attestation of Compliance (AOC) — a form stating you’ve completed the requirements
   - ASV scan results
   Then upload the package to your processor’s compliance portal.
Most merchants complete their initial SAQ in 2-4 hours. Annual recertification typically takes less time since you’re just updating last year’s answers.
What It Costs
PCI compliance costs vary based on your setup and merchant level:
Compliance platform fees:
- Basic SAQ tools: €10-30/month
- Full compliance platforms: €30-100/month
- Enterprise solutions: €200+/month
Quarterly ASV scanning:
- Standalone service: €30-60 per scan
- Bundled with compliance platform: Often included
If you need a QSA (Level 1 merchants or service providers):
- Full assessment: €15,000-50,000
- Most small merchants never need this
The cost of NON-compliance:
- Monthly fees from processor: €50-500
- If breached: €50-500 per compromised card
- Forensic investigation: €20,000+
- Lost ability to accept cards: Priceless
For most Level 4 merchants, total annual compliance costs less than €500 — far less than a single month’s non-compliance fee or the cost of a breach.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly components:
Annual requirements:
- Complete your SAQ
- Submit your AOC
- Review and update security policies
Quarterly requirements:
- Run ASV scans (if applicable)
- Review scan results
- Fix any failing vulnerabilities
Set up these reminders:
- Annual SAQ due date (usually your compliance anniversary)
- Quarterly scan windows
- Policy review dates
Changes that trigger reassessment:
- New payment channels (adding e-commerce to retail)
- Switching payment processors
- Starting to store card data
- Major system changes
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and maintaining your compliance history in one place.
Frequently Asked Questions
What happens if I don’t complete my PCI compliance?
Your payment processor will start charging monthly non-compliance fees (typically €50-500). If you’re breached while non-compliant, you’re liable for all fraud losses and investigation costs. Worst case, processors can terminate your merchant account, leaving you unable to accept cards.
Do I need PCI compliance if I only use PayPal?
If PayPal is your only payment method and customers never enter card details on your site, you may not need PCI compliance. However, if you also accept cards directly through any channel, you need to comply.
How long does the SAQ take to complete?
SAQ A takes about 30 minutes. SAQ B takes 1-2 hours. More complex SAQs like C-VT or A-EP typically require 3-4 hours including documentation gathering.
What’s an ASV scan and do I need one?
An ASV (Approved Scanning Vendor) scan checks your internet-facing systems for security vulnerabilities. Most SAQ types require quarterly ASV scans. The scan runs automatically and takes minutes — you just need to provide your website URL or IP address.
Can I use the same SAQ for multiple locations?
If all locations use identical payment setups and follow the same procedures, you can often use one SAQ. Different payment methods at different locations mean separate assessments. Your acquirer makes the final determination.
What if I fail a question on the SAQ?
You can’t submit the SAQ with “no” answers — you need to fix the issue first. For example, if you haven’t changed default passwords, change them before marking “yes”. Some issues may qualify for compensating controls if they can’t be directly fixed.
Do I need to hire a QSA?
Level 4 merchants (most small businesses) complete self-assessments without QSA involvement. Only Level 1 merchants and service providers typically need QSA assessments. Your processor will tell you if you need one.
How do I know which merchant level I am?
Merchant levels are based on annual transaction volume. Level 4 (smallest) processes fewer than 20,000 e-commerce or up to 1 million total Visa transactions annually. Your payment processor can confirm your level.
Moving Forward with Confidence
PCI compliance might seem overwhelming when that first questionnaire arrives, but for most Irish businesses, it’s a manageable process. Identify your SAQ type, complete the questionnaire honestly, run your quarterly scans, and submit your documentation annually. That’s really all there is to it.
The key is getting started. The sooner you begin, the sooner those non-compliance fees stop and you’re protected from breach liability. PCICompliance.com simplifies the entire process — our free SAQ Wizard identifies exactly which questionnaire you need based on your payment setup, our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard keeps you on track throughout the year. Whether you’re completing your first SAQ or maintaining ongoing compliance, we provide the tools and guidance to make PCI compliance as painless as possible. Start with our free SAQ Wizard to identify your requirements, or reach out to our compliance team for personalized guidance on your path to compliance.