Affiliate Marketing Site PCI
Your Payment Processor Just Sent You a PCI Compliance Questionnaire — Now What?
If you run an affiliate marketing website that processes credit card payments, and you just received a compliance questionnaire from your payment processor, take a deep breath. For most small businesses, PCI compliance is far simpler than it initially appears. You don’t need to become a security expert overnight, and you probably won’t need to hire expensive consultants. This guide will walk you through exactly what you need to know and do.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect credit card data. If your affiliate marketing business accepts card payments — whether through your website, over the phone, or in person — these rules apply to you.
The PCI Security Standards Council (PCI SSC) maintains the standards, but your acquirer (the bank or payment processor that handles your card transactions) enforces them. When they sent you that questionnaire, they’re essentially asking you to prove you’re following these security rules.
Here’s what happens if you ignore it: the card brands levy non-compliance fines that your acquirer passes on to you (commonly quoted at $5,000-100,000 per month), you’ll be liable for fraud losses and forensic costs if there’s a breach, and in severe cases you could lose the ability to accept credit cards entirely. The good news? Most small businesses qualify for the simplest compliance requirements, which you can often complete in an afternoon.
Do You Need to Be PCI Compliant?
The simple answer: If you accept credit cards in any form, yes, you need to be PCI compliant. This includes:
- Taking payments through your affiliate marketing website
- Processing cards over the phone for premium services
- Running physical card transactions at events or meetups
- Storing customer card numbers for recurring subscriptions (you should stop doing this: let your processor tokenize the card and charge the token instead, because holding card numbers yourself pushes you into the longest questionnaire, SAQ D)
Your merchant level determines how much documentation you need to provide. The card brands define four levels by annual transaction volume: Level 1 is over 6 million transactions and requires an on-site assessment by a QSA; Levels 2 and 3 cover the range down to roughly 20,000 e-commerce transactions; Level 4 is everything below that (fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channels). Most small businesses are Level 4, which means you’ll complete a Self-Assessment Questionnaire (SAQ) rather than undergo a full on-site assessment.
That questionnaire your payment processor sent? It’s their way of checking that you’re meeting the security standards. They need this documentation annually to satisfy their own compliance requirements with the card brands.
Which SAQ Do You Need?
The SAQ (Self-Assessment Questionnaire) is your primary compliance document. There are different types based on how you handle card data. Here’s how to determine which one applies to your affiliate marketing business:
| How You Accept Payments | SAQ Type | Complexity | Questions (PCI DSS v3.2.1, approx.) |
|---|---|---|---|
| Redirect to, or processor-hosted iframe from, a compliant payment page (PayPal Standard, Stripe Checkout) | SAQ A | Simple | ~22 |
| Your page loads a script or form that sends card data straight to the processor (Authorize.Net Accept.js, direct post) | SAQ A-EP | Moderate | ~191 |
| Standalone dial-out terminal, not connected to the internet | SAQ B | Simple | ~41 |
| Terminal connected to the internet (IP terminal) | SAQ B-IP | Moderate | ~82 |
| Phone/mail orders keyed into a web-based virtual terminal on an isolated computer | SAQ C-VT | Moderate | ~79 |
| Payment application software on an internet-connected computer | SAQ C | Moderate | ~160 |
| Store card numbers or custom integration | SAQ D | Complex | ~329 |
The question counts above are from PCI DSS v3.2.1. PCI DSS v4.0, which replaced it in 2024, reorganized every SAQ and changed the counts, so use the version of the form your processor actually asks for.
For affiliate marketing sites, you’re most likely SAQ A if the card form is delivered entirely by the processor (a redirect to PayPal or Stripe Checkout, or a processor-hosted iframe; Stripe documents its Elements iframes as SAQ A-eligible, so check your vendor’s own guidance), and SAQ A-EP if your own page loads a script that collects the card number and posts it to the processor. The distinction matters for a security reason, not just paperwork: in both cases your server never sees card data, but with A-EP a compromise of your checkout page (a malicious script injected into it, the pattern behind Magecart-style skimming) still captures every card typed in. That is why PCI DSS v4.0 added requirement 6.4.3 (keep an inventory of every script on the payment page, authorize each one, and assure its integrity) and 11.6.1 (detect unauthorized changes to the payment page’s content and HTTP headers) to SAQ A-EP.
Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.
How to Complete Your SAQ
Your SAQ consists of yes/no questions about your security practices. When you answer “yes,” you’re confirming that you’ve implemented that specific security control. Here’s what the process looks like:
Step 1: Gather Your Information
You’ll need:
- Payment processing statements showing your transaction volume
- List of all payment channels (website, phone, in-person)
- Network diagram if you process payments on-site
- Vendor documentation for your payment gateway
Step 2: Answer the Questions Honestly
Each question asks about a specific security practice. For example, “Do you review security policies at least annually?” A “yes” means you actually have written policies and review them yearly — not just that you think about security sometimes.
Step 3: Schedule Your Quarterly Scan
Not every SAQ requires them. External vulnerability scans by an Approved Scanning Vendor (ASV) apply where you have internet-facing systems in scope: SAQ A-EP, B-IP, C and D require them, SAQ B and C-VT do not, and PCI DSS v4.0 added them for SAQ A e-commerce merchants as well, so check the requirement list on the version of the SAQ you are completing. These automated scans probe your public-facing hosts (web server, DNS, mail, anything in your IP range) for known vulnerabilities and misconfigurations and return a pass or fail. They typically take 24-48 hours and cost $100-300 per quarter.
Step 4: Complete Your Attestation
After finishing the questionnaire, you’ll sign an Attestation of Compliance (AOC) — essentially a declaration that your answers are accurate and you’ll maintain these security practices.
Step 5: Submit to Your Processor
Upload your completed SAQ and AOC to your payment processor’s compliance portal. Keep copies for your records.
The entire process typically takes 2-4 hours for simple SAQ types, or 1-2 days for more complex scenarios.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your setup:
For Most Small Businesses (SAQ A or B):
- Compliance platform/tools: $200-500 annually
- Quarterly ASV scans: $400-1,200 annually
- Total: $600-1,700 per year
For More Complex Setups (SAQ C-VT or D):
- Compliance platform: $500-2,000 annually
- ASV scans: $400-1,200 annually
- Possible penetration testing: $5,000-15,000 annually
- Potential QSA assessment: $15,000-50,000 (generally only Level 1 merchants, or Level 2 merchants whose brand rules require one)
The Cost of Non-Compliance:
- Monthly processor fines: $5,000-100,000
- Breach liability: $50-90 per compromised card
- Forensic investigation: $10,000-100,000
- Loss of card processing privileges: Potentially business-ending
When you compare the numbers, annual compliance typically costs less than a single month’s non-compliance fine.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your annual assessment must be renewed each year, with quarterly ASV scans throughout. Here’s how to stay on track:
Set Up Your Compliance Calendar:
- Annual SAQ renewal (same month each year)
- Quarterly ASV scans (every 90 days)
- Security policy reviews (annually)
- Employee training refreshers (annually)
Know Your Triggers for Reassessment:
- Adding new payment channels
- Changing payment processors
- Implementing new payment software
- Storing card data when you didn’t before
- Significant network changes
Use Compliance Tracking Tools:
PCICompliance.com’s dashboard sends automatic reminders for upcoming scans and assessments. You’ll never miss a deadline or face surprise non-compliance fines.
Keep Your Documentation Ready:
When your processor asks for proof of compliance next year, you’ll need:
- Current year’s SAQ and AOC
- Four passing ASV scan reports
- Evidence of security policy reviews
- Training completion records
FAQ
Q: I only process a few transactions per month. Do I still need to comply?
A: Yes. PCI DSS applies to any business that accepts credit cards, regardless of volume. Even one transaction per year requires compliance.
Q: Can’t I just check “yes” to all the questions and submit?
A: This is fraud and can result in massive fines and personal liability if there’s a breach. Answer honestly — it’s better to implement missing controls than to lie about having them.
Q: My payment gateway says they’re PCI compliant. Doesn’t that cover me?
A: No. Their compliance covers their systems, not yours. You’re still responsible for your own environment and practices, though using a compliant provider does reduce your scope.
Q: What if I fail my ASV scan?
A: You’ll receive a report detailing the vulnerabilities found. An ASV scan fails if it finds any vulnerability with a CVSS base score of 4.0 or higher, or certain automatic failures such as an exposed database or a default password on an internet-facing service. Fix the findings (or, for a false positive, submit evidence to the ASV for review) and request a rescan. You need a passing scan each quarter, not a perfect scan on the first try.
Q: Do I need to hire a QSA?
A: Most small businesses don’t. QSA assessments are typically required only for Level 1 merchants (over 6 million transactions annually) or after a breach.
Q: What’s the difference between PCI compliance and SOC 2 or ISO 27001?
A: PCI DSS is specifically for credit card security. SOC 2 and ISO 27001 are broader security frameworks that may overlap with PCI requirements but serve different purposes.
Q: Can I just stop accepting credit cards to avoid this?
A: While that would eliminate PCI requirements, it would likely hurt your business more than the cost of compliance. Most customers expect card payment options.
Q: What if I only accept payments through PayPal?
A: If customers enter card details only on PayPal’s site (not yours), you likely qualify for SAQ A, the simplest form. You still need to complete it annually and maintain compliance.
Your Next Steps
PCI compliance might seem overwhelming at first glance, but for most affiliate marketing businesses, it’s a manageable process that protects both you and your customers. The key is identifying your correct SAQ type and systematically working through the requirements.
PCICompliance.com simplifies this entire process. Our free SAQ Wizard takes the guesswork out of determining your questionnaire type — just answer a few questions about how you accept payments, and we’ll identify exactly which SAQ applies to your business. From there, our platform guides you through each requirement, handles your quarterly ASV scans automatically, and maintains all your compliance documentation in one secure dashboard. Whether you’re completing your first SAQ or renewing for another year, our compliance experts are available to answer questions and ensure you’re meeting all requirements. Start with our free SAQ Wizard to see how simple compliance can be, or speak with our team to get personalized guidance for your affiliate marketing business’s specific needs.