Mexico PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses in Mexico, PCI compliance is far simpler than it sounds. You likely need to complete a short self-assessment questionnaire (SAQ), answer “yes” to some basic security questions, and, if your SAQ type calls for it, have an Approved Scanning Vendor scan your internet-facing systems every quarter. That’s it: no auditors, no massive security overhauls, no technical certifications required.

Here’s what matters: if you accept credit or debit cards in any form — whether through a terminal, online, or over the phone — you need to be PCI compliant. Your payment processor isn’t trying to make your life difficult; they’re required by Visa, Mastercard, and other card brands to ensure everyone who handles card data follows basic security practices. The good news? Most businesses can achieve compliance in a few hours with the right guidance.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist designed to protect credit card data from theft. The standards are managed by the PCI Security Standards Council (PCI SSC), but it’s your payment processor or acquiring bank that actually enforces them.

When you signed up to accept card payments, you agreed to follow these security standards. Your processor sends you compliance questionnaires because they’re required to verify that their merchants are protecting cardholder data. It’s not optional — every business that accepts cards must comply, from the corner taquería using a mobile reader to major e-commerce sites processing thousands of transactions daily.

The consequences of non-compliance are real but manageable. Your payment processor can fine you (typically starting around $25-100 USD per month for small merchants), and if there’s a data breach, you could face significant liability. In extreme cases, you could lose the ability to accept card payments altogether. But here’s the key: achieving compliance is usually much easier than facing these consequences.

The vast majority of small businesses qualify for simplified compliance through the shortest SAQ types. You won’t need a QSA to audit you, and you won’t need to implement complex technical controls. You just need to understand which requirements apply to your business and document that you’re following them.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit or debit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you process one transaction per month or thousands per day. The moment card data touches your business — whether swiped, dipped, tapped, typed, or spoken over the phone — PCI DSS applies.

Your merchant level determines how you demonstrate compliance. Most small and medium businesses fall into Level 4 (under Visa’s definition, fewer than 20,000 Visa e-commerce transactions per year, or up to 1 million Visa transactions per year across all channels; the other brands use similar thresholds). Level 4 merchants typically complete a self-assessment questionnaire rather than undergoing a full assessment by a Qualified Security Assessor (QSA). Think of merchant levels like weight classes in boxing: they determine what rules apply to you, not whether the rules apply at all.

When your payment processor sends you that compliance questionnaire, they’re not being bureaucratic. They’re required by the card brands to verify that every merchant in their portfolio maintains compliance. The questionnaire they sent is likely an SAQ — a checklist where you confirm which security practices you follow. The specific SAQ type depends on how you accept payments, which we’ll cover next.

Your processor expects you to complete this questionnaire annually and submit an Attestation of Compliance (AOC) confirming your status. Many also require quarterly ASV scans if you have any systems connected to the internet. Miss these deadlines, and those monthly non-compliance fees start adding up quickly.

Which SAQ Do You Need?

Choosing the right SAQ is crucial — pick one that’s too simple and you’re not actually compliant; pick one that’s too complex and you’re doing unnecessary work. Here’s how to determine which one applies to your business:

How you accept payments                                                    SAQ type   Questions   Complexity
Fully outsourced: hosted payment page or iframe (Shopify, PayPal,           SAQ A      ~22         Easiest
  Stripe Checkout); your site never handles card data
E-commerce where your own page collects card data and sends it             SAQ A-EP   ~190        Moderate
  straight to the processor (direct post, JavaScript form)
Standalone dial-out terminal or imprint machine, no e-commerce             SAQ B      ~41         Easy
Standalone terminal connected over IP, no e-commerce                       SAQ B-IP   ~82         Easy-Moderate
Web-based virtual terminal or keyed-in phone orders from a single           SAQ C-VT   ~79         Moderate
  dedicated workstation
POS payment application software connected to the internet, no             SAQ C      ~160        Moderate
  electronic storage of card data
Electronic storage of card data, or any setup not covered above            SAQ D      ~330        Hardest

Question counts are approximate and taken from the PCI DSS v3.2.1 questionnaires; the v4 versions are somewhat longer, but the relative sizes are the same.

If you use a payment terminal like Square, Clover, or traditional bank terminals, you’re likely SAQ B (if the terminal connects via phone line) or SAQ B-IP (if it connects via internet). These terminals handle all the card data, so your compliance requirements focus on physical security and basic network protection.

If you have an e-commerce site that hands the customer off to a hosted checkout page or embeds the processor’s iframe (Shopify, Stripe Checkout, PayPal), you probably qualify for SAQ A, the shortest questionnaire at roughly two dozen yes/no questions (the exact count varies by DSS version). Your website never touches actual card numbers, making compliance straightforward. If your own page builds the card form and posts the data directly to the processor, you are in SAQ A-EP instead, which is considerably longer.

If you take payments over the phone or use a web-based virtual terminal to key in card numbers, you’ll need SAQ C-VT. This requires more controls around who can access the system and how you protect any workstations used for payment entry.

If you store card numbers electronically in any form, even in a spreadsheet or an e-mail folder, you’re stuck with SAQ D, the full questionnaire. This is where PCI compliance gets genuinely complex. If you’re in this category, your first project should be figuring out how to stop storing card data. Paper records (a notebook, a stack of order forms) don’t by themselves push you into SAQ D, but they still have to be locked up, access-controlled, and destroyed when no longer needed.

Not sure which SAQ applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need, no guesswork required.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Each “yes” means you’ve implemented that specific control. Don’t be tempted to answer “yes” to everything just to finish quickly — false attestation can lead to significant liability if there’s a breach.

Here’s what to expect:

The questions start simple: “Do you have a firewall?” But they get specific: “Do you change default passwords on all systems?” When the SAQ asks if you do something, it means you do it consistently, not just sometimes. If the question asks about a written policy, that policy needs to actually exist — you might need to show it to your processor or a QSA later.

Documentation you’ll need:

  • Network diagram (even a simple sketch for SAQ B)
  • List of who has access to payment systems
  • Any security policies you’ve created
  • Results from your quarterly ASV scans
  • Evidence of security updates and patches

For quarterly ASV scans, you’ll work with an Approved Scanning Vendor to scan every internet-facing IP address or hostname that is in scope for your card environment. Whether your SAQ type requires these scans depends on the questionnaire (fully outsourced setups have historically been exempt, while any merchant with an internet-connected payment system needs them), so confirm with your processor. The ASV runs automated vulnerability tests and issues a report showing whether you passed; you need a passing scan at least once every three months, and a failed scan must be remediated and rescanned until it passes before you can submit your compliance documentation.

Once complete, you’ll generate an Attestation of Compliance (AOC) — a formal document stating you’ve met all requirements. Submit this to your payment processor along with your passing ASV scan reports. Most processors have online portals where you upload these documents, though some still accept email or paper submission.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you need additional services:

Compliance platforms and SAQ tools typically run $120-500 USD annually for small merchants. These platforms guide you through the questionnaire, store your documentation, and track your compliance status. Some payment processors include basic tools with your merchant account.

Quarterly ASV scanning usually costs $200-400 USD per year for a single IP address or domain. You need four passing scans annually, one each quarter. Many compliance platforms bundle ASV scanning with their SAQ tools for better value.

If you need a QSA (only for Level 1 merchants or complex environments), expect $15,000-50,000 USD for a full Report on Compliance (ROC). But remember — most small businesses never need this level of assessment.

Now consider the cost of non-compliance: Monthly fines from your processor start around $25-100 USD for Level 4 merchants but can escalate quickly. If you suffer a breach while non-compliant, you could face forensic investigation costs ($20,000+), card replacement fees, and potential lawsuits. One breach can cost more than a decade of compliance.

For most small merchants, annual compliance costs less than what you’d pay in non-compliance fines over just a few months. It’s not just about avoiding penalties — it’s about protecting your business and your customers’ trust.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your compliance expires annually, and you’ll need to complete a fresh SAQ every year. ASV scans are required quarterly, not just annually — miss one and you’re technically non-compliant even if everything else is perfect.

Set calendar reminders for:

  • Annual SAQ renewal (usually on your compliance anniversary date)
  • Quarterly ASV scans (every 90 days)
  • Security update reviews (monthly is good practice)
  • Password changes (every 90 days for payment systems)

Certain changes trigger the need for immediate reassessment. If you add a new payment channel (like starting e-commerce), change payment processors, or significantly modify how you handle card data, you might need to complete a different SAQ type. What qualified you for SAQ A last year might require SAQ D this year if you’ve started storing card numbers.

PCICompliance.com’s compliance dashboard tracks all these dates for you, sending reminders before deadlines and alerting you if any scans fail or attestations expire. You can see your compliance status at a glance and know exactly what needs attention before your processor starts charging fees.

FAQ

What happens if I just ignore the PCI questionnaire?

Your payment processor will start charging non-compliance fees, typically $25-100 USD monthly for small merchants. These fees continue until you complete your requirements. Worse, if you suffer a data breach while non-compliant, you’re liable for all associated costs without the protections compliance provides.

Do I need PCI compliance if I only accept cash and bank transfers?

No, PCI DSS only applies when you accept credit or debit cards. However, the moment you add card acceptance — even for a single transaction — PCI requirements kick in immediately.

Can I just use PayPal or Square to avoid PCI compliance?

Using third-party processors like PayPal or Square can significantly reduce your PCI scope, often qualifying you for the simplest SAQ A. However, you still have compliance obligations — you’re just making them much easier to meet. You still need to complete an annual SAQ and protect any systems that connect to these services.

How do I know if I passed my ASV scan?

Your ASV will provide a report showing “Pass” or “Fail” status. The pass/fail rule is set by the PCI SSC’s ASV Program Guide, not by your processor: any vulnerability with a CVSS base score of 4.0 or higher (medium severity and up) fails the scan, and certain finding types, such as SQL injection, cross-site scripting, directory traversal, or unsupported software, fail it regardless of score. Low-severity findings below 4.0 are reported but don’t block a pass. If you fail, the report lists the specific issues to fix before your rescan.
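The two rules above (the CVSS 4.0 threshold with automatic-failure categories, and the need for a passing scan at least every three months from the “Staying Compliant Year-Round” section) are small enough to check yourself against a scan report before you upload it. The script below is an added example, not code from the original page or from any ASV’s product: the finding list, hostnames, and dates are constructed sample data, the field names are our own, and the automatic-failure set is an illustrative subset of the categories in the ASV Program Guide, not the full list.

```python
"""Evaluate ASV scan findings and quarterly scan cadence.

Added example, not from the original page or any ASV tool. Pass/fail
follows the PCI SSC ASV Program Guide: any vulnerability with a CVSS base
score of 4.0 or higher fails the scan, and a few finding types fail it no
matter what score the scanner assigned. Findings and dates below are
constructed sample data; the field and type names are our own.
"""
from dataclasses import dataclass
from datetime import date, timedelta

CVSS_FAIL_THRESHOLD = 4.0

# Illustrative subset of the finding types the ASV Program Guide treats as
# automatic failures regardless of CVSS score (not the guide's full list).
AUTOMATIC_FAIL_TYPES = {
    "sql_injection",
    "cross_site_scripting",
    "directory_traversal",
    "unsupported_software",
    "open_database_access",
}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float
    finding_type: str = "generic"


def finding_fails(f: Finding) -> bool:
    """A finding blocks a pass if its score is >= 4.0 or its type is an
    automatic failure (so a 3.9 XSS still fails the scan)."""
    return f.cvss >= CVSS_FAIL_THRESHOLD or f.finding_type in AUTOMATIC_FAIL_TYPES


def evaluate_scan(findings):
    """Return ('Pass' | 'Fail', blocking findings sorted worst-first).

    Only blocking findings must be remediated before a rescan; low findings
    under the threshold stay in the report but do not affect the result."""
    blocking = [f for f in findings if finding_fails(f)]
    status = "Fail" if blocking else "Pass"
    return status, sorted(blocking, key=lambda f: (-f.cvss, f.host))


def quarterly_coverage_ok(passing_scan_dates, as_of, max_gap_days=90):
    """Check that passing scans (ISO 'YYYY-MM-DD' strings) cover the trailing
    12 months: at least four passes, no two consecutive passes more than
    max_gap_days apart, and the newest pass no older than max_gap_days."""
    as_of = date.fromisoformat(as_of)
    window_start = as_of - timedelta(days=365)
    dates = sorted(d for d in map(date.fromisoformat, passing_scan_dates)
                   if window_start <= d <= as_of)
    if len(dates) < 4:
        return False
    if (as_of - dates[-1]).days > max_gap_days:
        return False
    return all((b - a).days <= max_gap_days for a, b in zip(dates, dates[1:]))


# Constructed sample report for two internet-facing hosts (not real systems).
SAMPLE_FINDINGS = [
    Finding("shop.example.test", "Missing security patch on web server", 5.3),
    Finding("shop.example.test", "Server banner discloses version", 2.6),
    Finding("pos-gw.example.test", "Reflected XSS in search parameter", 3.9,
            "cross_site_scripting"),
    Finding("pos-gw.example.test", "Missing X-Frame-Options header", 1.8),
]

# Constructed dates of four passing scans in one compliance year.
SAMPLE_PASS_DATES = ["2024-01-15", "2024-04-10", "2024-07-05", "2024-10-01"]

if __name__ == "__main__":
    status, blocking = evaluate_scan(SAMPLE_FINDINGS)
    print(f"Scan result: {status}")
    for f in blocking:
        print(f"  fix before rescan: {f.host}: {f.title} (CVSS {f.cvss})")
    print("Quarterly coverage as of 2024-12-20:",
          quarterly_coverage_ok(SAMPLE_PASS_DATES, "2024-12-20"))
```

Running it on the sample data reports a Fail with two blocking findings: the 5.3 patch issue (over the threshold) and the 3.9 reflected XSS (under the threshold but an automatic failure). The two low findings are left alone. Feed it your own report’s CVSS scores and finding categories and you know before your processor does whether the quarter is covered.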

What if my business is too small to afford compliance costs?

Consider the alternatives: monthly non-compliance fees will quickly exceed the annual cost of basic compliance tools. Many processors offer free or discounted compliance programs for their smallest merchants. The real question is whether your business can afford the costs of non-compliance — lost processing ability, breach liability, and customer trust.

Do I need to hire a security consultant?

Most small businesses don’t need external consultants for PCI compliance. SAQ A, B, and B-IP are designed for self-completion. If you’re facing SAQ D or having trouble with technical requirements, a few hours of consultant time might save weeks of confusion, but it’s rarely required.

What’s the difference between PCI compliance and EMV compliance?

EMV (chip cards) is about accepting more secure payment methods and protecting against counterfeit fraud. PCI compliance covers all aspects of card data security, regardless of how cards are read. You need both — EMV protects against card-present fraud, while PCI protects the overall payment environment.

How often do PCI requirements change?

The PCI Security Standards Council updates the DSS periodically to address new threats and technologies. However, they provide substantial notice and transition periods. Your compliance platform or processor will alert you to any changes that affect your SAQ requirements.

Conclusion

PCI compliance might seem daunting when that first questionnaire arrives from your processor, but for most businesses in Mexico, it’s a manageable process that protects both you and your customers. The key is understanding which requirements actually apply to your business and using the right tools to meet them efficiently.

Remember, you’re not alone in this process. Thousands of businesses complete their PCI requirements every day, and with the right guidance, you can too. Start by identifying your SAQ type — that single step eliminates 90% of the confusion around what you actually need to do.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team about building a compliance program that fits your business. With the right tools and guidance, PCI compliance becomes just another part of running a secure, trustworthy business.
