Ansible for PCI Automation

Your PCI Compliance Journey Starts Here (Don’t Panic)

If you just received a PCI compliance questionnaire from your payment processor and you’re staring at acronyms like SAQ, AOC, and ASV wondering what you’ve gotten yourself into — take a deep breath. For most small businesses, PCI compliance is simpler than it sounds. Yes, you need to complete it (your ability to accept credit cards depends on it), but no, you don’t need a computer science degree to understand it.

This guide will walk you through exactly what PCI compliance means for your business, which forms you need to fill out, and how to get it done without losing your mind or breaking the bank. By the end, you’ll understand why that questionnaire landed in your inbox and how to complete it correctly.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. These companies formed the PCI Security Standards Council (PCI SSC) to write and maintain these standards. Think of it as a security checklist designed to protect credit card data wherever it travels.

Here’s the key point: if your business accepts, processes, stores, or transmits credit card information in any way, these rules apply to you. It doesn’t matter if you’re a Fortune 500 company or a food truck — if you take card payments, you need to be PCI compliant.

Your acquirer (the bank or payment processor that handles your credit card transactions) enforces these rules. They’re the ones who sent you that compliance questionnaire. They have to verify that every merchant in their portfolio follows PCI standards because if there’s a breach, they share the liability.

The consequences of non-compliance are real but manageable:

  • Monthly fines from your processor (typically $5-$100 per month for small merchants)
  • Liability for fraud losses if your business is breached
  • Loss of card processing privileges (worst case scenario)
  • Increased processing fees as a “non-compliant” merchant

The good news? Most small businesses qualify for the simplest compliance paths. You’re not building Fort Knox — you’re following basic security practices that protect both your business and your customers.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes.

It doesn’t matter if you:

  • Use a mobile card reader like Square
  • Have an online store
  • Take payments over the phone
  • Mail in credit card forms (please stop doing this)
  • Let customers save their card on file

If credit card numbers touch your business in any way, PCI compliance applies to you.

Your Merchant Level

PCI groups merchants into four levels based on annual transaction volume:

  • Level 4: Under 20,000 e-commerce transactions OR up to 1 million total transactions annually (most small businesses)
  • Level 3: 20,000 to 1 million e-commerce transactions annually
  • Level 2: 1 to 6 million transactions annually
  • Level 1: Over 6 million transactions annually

As a Level 4 merchant (which includes most readers of this guide), you’ll complete a Self-Assessment Questionnaire (SAQ) rather than undergo a full onsite assessment. This is good news — it means you can handle compliance yourself without hiring an auditor.

What Your Payment Processor Expects

That questionnaire your processor sent? They need it completed annually, along with:
1. The appropriate SAQ based on how you accept payments
2. An Attestation of Compliance (AOC) — basically your signature saying the SAQ is accurate
3. Evidence of quarterly vulnerability scans if you have any internet-facing systems
4. Proof that you’ve fixed any security issues found

Missing these deadlines triggers those monthly non-compliance fees. But complete them on time, and you’ll maintain your good standing (and current processing rates).

Which SAQ Do You Need?

The PCI Security Standards Council offers different SAQs based on how you handle card data. Think of them like tax forms — you pick the one that matches your situation. Here’s the decision tree in plain language:

How You Accept Payments                                      | Your SAQ Type | Complexity | Number of Questions
-------------------------------------------------------------|---------------|------------|--------------------
Redirect to payment gateway (PayPal, Stripe Checkout)        | SAQ A         | Simplest   | 22
Payment page on your website (Stripe Elements, PayPal Pro)   | SAQ A-EP      | Simple     | 139
Standalone terminal only (no connected systems)              | SAQ B         | Simple     | 41
Terminal connected to internet/computer                      | SAQ B-IP      | Moderate   | 82
Phone orders entered into virtual terminal                   | SAQ C-VT      | Moderate   | 80
Any other method OR you store card numbers                   | SAQ D         | Complex    | 329

Let’s break down the common scenarios:

If you use Square, Clover, or similar terminals: You’re likely SAQ B (if the terminal is completely standalone) or SAQ B-IP (if it connects to your network or internet).

If you have an e-commerce site:

  • Using Shopify, WooCommerce with Stripe Checkout, or similar hosted payment pages? That’s SAQ A.
  • Using payment forms that load on your website (even if the data goes directly to the processor)? That’s SAQ A-EP.

If you take orders over the phone: Entering them into a virtual terminal online? You need SAQ C-VT.

If you store card numbers anywhere (spreadsheets, customer database, email): You need SAQ D, and you should strongly consider stopping this practice.

Not sure which one applies? PCICompliance.com’s SAQ Wizard walks you through a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.

How to Complete Your SAQ

Once you know which SAQ applies, the actual completion process is straightforward:

What the Questionnaire Looks Like

SAQs consist of yes/no questions about your security practices. For example:

  • “Are all payment card terminals physically secured?”
  • “Do you have a firewall between your computer and the internet?”
  • “Are passwords changed regularly?”

When you answer “yes,” you’re confirming that control is in place. “No” means you need to implement that control or explain why it doesn’t apply to your environment.

Timeline Expectations

  • SAQ A: 30-45 minutes
  • SAQ B/B-IP: 1-2 hours
  • SAQ A-EP/C-VT: 2-4 hours
  • SAQ D: Multiple days (and you probably need help)

Documentation You’ll Need

Gather these before you start:

  • List of all payment terminals and their locations
  • Your network diagram (for SAQ A-EP and above)
  • Security policies (even basic ones count)
  • Vendor agreements for any third-party payment services
  • Results from your last vulnerability scan

The Quarterly Vulnerability Scan

If your SAQ type requires it (anything except SAQ A and B), you’ll need quarterly ASV scans. An Approved Scanning Vendor runs automated tests against your internet-facing systems looking for security holes.

The scan itself takes minutes to run and costs around $50-150 per quarter. If it finds issues, you fix them and rescan. Once you have a clean scan, you submit it with your SAQ.

Submitting Your Compliance Package

Your processor wants:
1. Completed SAQ with all questions answered
2. Signed AOC (this generates automatically when you finish the SAQ)
3. Passing ASV scan (if required)
4. Evidence of remediation for any previously identified issues

Submit these through your processor’s compliance portal, and you’re done for the year (except for those quarterly scans).

What It Costs

Let’s talk real numbers for PCI compliance:

Compliance Platform/Tools

  • Basic SAQ tools: Free to $30/month
  • Full compliance platforms: $50-200/month
  • PCICompliance.com: Starts at $25/month including SAQ wizard and compliance tracking

ASV Scanning

  • Per scan: $50-150
  • Annual package: $200-500 for all four quarterly scans
  • Many compliance platforms include this

Professional Help

  • QSA consultation: $150-500/hour (rarely needed for small merchants)
  • Full QSA assessment: $15,000-50,000 (only for Level 1 merchants)
  • Compliance coaching: $500-2,000 one-time setup

The Cost of NON-Compliance

  • Monthly processor fines: $5-100 for Level 4 merchants
  • Breach liability: Average $150 per compromised card
  • Forensic investigation: $10,000-100,000 if breached
  • Lost ability to accept cards: Devastating for most businesses

Reality check: Annual compliance for most small merchants costs less than a single month of non-compliance fines. It’s not a profit center for processors — they genuinely want you compliant to reduce everyone’s risk.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done exercise. Your processor will ask for updated documentation every year, and some requirements need attention quarterly or even monthly.

Annual Requirements

  • Complete and submit your SAQ
  • Review and update security policies
  • Train staff on security procedures
  • Test your incident response plan

Quarterly Requirements

  • Run ASV vulnerability scans (if required)
  • Review firewall and router configs
  • Check that security patches are current
  • Verify user access lists are accurate

When You Need a New Assessment

  • Adding new payment channels (starting e-commerce, adding phone orders)
  • Changing payment processors or gateways
  • Significant network or system changes
  • Moving to a system that stores card data

Tracking Your Compliance Status

Set calendar reminders for:

  • Annual SAQ due date (usually 30 days before your anniversary date)
  • Quarterly scan windows
  • Security update schedules
  • Staff training sessions

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and maintains your compliance history in one place. No more scrambling to find last year’s AOC when your processor asks for it.

FAQ

Do I really need to do this if I’m just a small business?

Yes, but it’s simpler than you think. If you accept credit cards, PCI compliance is mandatory regardless of size. The good news is that small merchants get the simplest questionnaires and lowest-cost compliance options. Your SAQ will likely take less than two hours annually.

What happens if I just ignore the compliance questionnaire?

You’ll face monthly fines and increased liability. Most processors charge $5-100 monthly for non-compliance. Worse, if there’s a breach, you’re fully liable for fraud losses and investigation costs. Some processors will eventually terminate your merchant account.

Can I just say “yes” to everything on the SAQ?

Don’t do this — false attestation is fraud. The SAQ is a legal document. If you’re breached and the investigation reveals false answers, you face serious liability. Answer honestly and fix any gaps before submitting.

How do I know if I’m storing credit card data?

Search everywhere card numbers might hide. Check databases, spreadsheets, email, customer notes, and even old paper files. If you find stored card data, securely delete it immediately and consider whether you need SAQ D going forward.

Is PCI compliance the same as being secure?

PCI is a security baseline, not comprehensive protection. Following PCI requirements significantly improves your security posture, but smart merchants go beyond the minimum. Think of PCI as the foundation of your security program.

My payment processor says I need a certificate of compliance. What’s that?

They want your Attestation of Compliance (AOC). This generates automatically when you complete your SAQ. It’s a formal document stating you’ve met all applicable PCI requirements. Download it from your compliance portal and submit it to your processor.

Do I need to hire a QSA to help me?

Probably not if you’re a small merchant. Level 4 merchants can self-assess using SAQs. You only need a QSA for Level 1 assessments or if your acquirer specifically requires one. Most small businesses complete compliance without professional help.

How is PCI compliance different from Ansible PCI compliance automation?

Ansible helps larger organizations automate security controls. If you’re reading this beginner’s guide, you probably don’t need automation tools yet. Focus on understanding your requirements first. Ansible becomes relevant when you’re managing multiple systems and need consistent security configurations.

Your Next Steps

PCI compliance feels overwhelming until you understand what actually applies to your business. For most merchants, it’s an annual questionnaire that takes a few hours, some basic security practices you should be doing anyway, and quarterly scans if you have online systems.

The path forward is clear:
1. Identify which SAQ type matches your payment methods
2. Complete the questionnaire honestly
3. Fix any security gaps you discover
4. Submit your documentation on time
5. Set up reminders for next year

PCICompliance.com makes this entire process manageable. Our free SAQ Wizard identifies exactly which questionnaire you need — just answer a few questions about how you accept payments. Our ASV scanning service handles your quarterly vulnerability scans with automatic scheduling and clear remediation guidance. And our compliance dashboard tracks your progress, stores your documentation, and reminds you when annual updates are due.

You don’t need to become a security expert to achieve PCI compliance. You just need the right tools and a clear understanding of what’s required. Start with our free SAQ Wizard to identify your requirements, or reach out to our compliance team if you need guidance. We’ve helped thousands of merchants navigate their first PCI assessment, and we’re here to help you too.
