Kajabi PCI Compliance

The Bottom Line Up Front

If you just received a PCI compliance questionnaire and your heart sank, take a breath. For most small businesses accepting credit cards, PCI compliance is simpler than you think. You’re probably looking at a straightforward self-assessment questionnaire (SAQ) that takes an hour or two to complete — not the complex audit you might fear. This guide will walk you through exactly what you need to do to achieve Kajabi PCI compliance and keep your payment processor happy.

What Is PCI Compliance (In Plain English)

PCI compliance means following security standards designed to protect credit card data. The Payment Card Industry Data Security Standard (PCI DSS) applies to every business that accepts, processes, stores, or transmits credit card information — from massive retailers to your local coffee shop.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council (PCI SSC). Think of it as the rulebook for handling credit card data safely. Your acquirer (the bank that processes your card payments) or payment processor enforces these rules by requiring you to prove compliance annually.

Here’s what happens if you ignore that compliance questionnaire sitting in your inbox:

  • Your payment processor can fine you (typically $5,000-$100,000 depending on your size)
  • If card data gets stolen from your business, you’re liable for fraud losses and investigation costs
  • Your processor can terminate your ability to accept credit cards
  • You might face lawsuits from customers whose data was compromised

The good news: Most small merchants qualify for the simplest compliance requirements. You don’t need a team of security experts or expensive consultants. You just need to understand which questionnaire applies to your business and answer some straightforward yes/no questions about your payment setup.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form — online, in-person, over the phone — you need to be PCI compliant.

Your merchant level determines how you prove compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete a self-assessment questionnaire rather than undergoing a full audit by a Qualified Security Assessor (QSA).

That compliance questionnaire your payment processor sent? It’s their way of ensuring you’re following the security standards. They’re required by the card brands to verify all their merchants maintain compliance. The questionnaire typically arrives annually, though some processors check quarterly.

Your processor expects you to:

  • Complete the appropriate Self-Assessment Questionnaire (SAQ)
  • Pass quarterly vulnerability scans if you have any internet-facing systems
  • Submit an Attestation of Compliance (AOC) confirming you meet all requirements
  • Fix any security gaps identified during the process

Which SAQ Do You Need?

The PCI DSS includes multiple SAQ types, each designed for different payment acceptance methods. Here’s how to determine which one applies to your business:

| How You Accept Payments | SAQ Type | Complexity | Typical Time |
|---|---|---|---|
| Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A | Simplest (22 questions) | ~20 minutes |
| Embedded payment fields on your site (Stripe Elements) | SAQ A-EP | Simple (139 questions) | ~1-2 hours |
| Standalone terminal with dial-up/cellular | SAQ B | Simple (41 questions) | ~30 minutes |
| Standalone terminal connected to your network | SAQ B-IP | Moderate (82 questions) | ~1 hour |
| Phone orders entered into virtual terminal | SAQ C-VT | Moderate (80 questions) | ~1 hour |
| Card data touches your systems | SAQ D | Complex (329 questions) | Days/weeks |

SAQ A: Your customers never enter card data on your website. Instead, you redirect them to a hosted payment page (like PayPal or Stripe Checkout). The payment processor handles all the card data — you never see it.

SAQ A-EP: You use embedded payment fields (like Stripe Elements or Authorize.net Accept.js) where customers enter card data in fields that connect directly to your payment processor. The card data flows through your website but never touches your servers.

SAQ B: You use standalone payment terminals that connect via phone line or cellular — completely separate from your business network. Think of the wireless credit card machines many small retailers use.

SAQ B-IP: Your payment terminals connect to the internet through your business network. This includes most modern point-of-sale systems.

SAQ C-VT: You manually enter card numbers into a web-based virtual terminal. Common for businesses taking phone orders.

SAQ D: You store, process, or transmit card data through your own systems. This is the most complex SAQ and, frankly, most small businesses should avoid this scenario entirely by using tokenization or hosted payment pages.

Can’t figure out which SAQ applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Once you know which SAQ applies, completing it is straightforward. The questionnaire consists of yes/no questions about your payment security practices. Here’s what to expect:

What “Yes” Really Means: When you answer “yes” to a question like “Do you have a firewall configured to protect cardholder data?”, you’re confirming that control is in place. You don’t need perfection — you need to meet the intent of the requirement.

Documentation You’ll Need:

  • Network diagram (can be hand-drawn for simple setups)
  • List of who has access to payment systems
  • Current software versions for payment applications
  • Security policies (even informal ones count)

The Quarterly ASV Scan: If you have any systems connected to the internet (website, email server, etc.), you need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). The scan checks for security holes hackers could exploit. It runs automatically and usually takes 30 minutes to a few hours. Most businesses pass on the first try, and if you don’t, the ASV provides clear instructions for fixing any issues.

Submitting Your Compliance:
1. Complete all SAQ questions
2. Run and pass your ASV scan (if required)
3. Sign the Attestation of Compliance (AOC)
4. Submit everything to your payment processor

Most merchants can complete the entire process in an afternoon.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you handle it yourself or use a compliance platform:

Compliance Platforms and Tools:

  • Self-service platforms: $150-$500 annually
  • Guided compliance tools: $300-$1,200 annually
  • Full-service managed compliance: $1,000-$5,000 annually

Quarterly ASV Scanning:

  • Basic scanning: $50-$150 per scan ($200-$600 annually)
  • Advanced scanning with remediation support: $100-$300 per scan

If You Need a QSA: Only required for Level 1 merchants or if your acquirer specifically demands it. QSA assessments run $10,000-$50,000+ depending on complexity.

The Cost of Non-Compliance:

  • Monthly non-compliance fees from your processor: $20-$300
  • Initial fines for non-compliance: $5,000-$100,000
  • If card data is breached: $50-$90 per compromised card number
  • Forensic investigation costs: $10,000-$100,000+
  • Loss of ability to process credit cards: priceless (and business-ending)

Bottom line: For most small merchants, annual compliance costs less than a single non-compliance fine. It’s not just about avoiding penalties — it’s about protecting your business from devastating breach costs.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your payment processor requires annual recertification, and the card brands expect you to maintain security controls continuously. Here’s how to stay on track:

Set Up Your Compliance Calendar:

  • Annual SAQ due date (mark it 30 days early)
  • Quarterly ASV scan deadlines
  • Security update schedules
  • Employee security training (yes, even for small teams)

What Triggers a New Assessment:

  • Changing payment processors
  • Adding new payment channels (like starting e-commerce)
  • Significant network changes
  • Moving from redirect to integrated payments
  • Starting to store card data (please reconsider)

Year-Round Best Practices:

  • Keep payment systems updated
  • Change passwords regularly (and use strong ones)
  • Limit access to payment systems to only those who need it
  • Monitor for suspicious activity
  • Document your security procedures

PCICompliance.com’s compliance dashboard tracks all these dates and requirements automatically. You’ll get reminders before scans are due, alerts if your compliance lapses, and a clear record for your payment processor.

FAQ

I’m just a small business. Do I really need to worry about this?

Yes, but it’s not as scary as it sounds. The card brands require all merchants to comply, regardless of size. However, small businesses usually qualify for the simplest SAQ types that take just an hour or two annually.

What happens if I just ignore the compliance questionnaire?

Your payment processor will start charging non-compliance fees (usually $20-$300 monthly). Eventually, they can fine you substantially ($5,000-$100,000) or terminate your merchant account. You’ll also be fully liable if card data gets compromised.

Can I just say “yes” to all the questions?

That’s fraud, and you don’t want to go there. Answer honestly — if you can’t answer “yes” to something, you probably have a simple fix to implement. Lying on your SAQ makes you liable for massive fines and criminal charges if there’s a breach.

I use Kajabi/Shopify/Square. Aren’t they PCI compliant for me?

These platforms are PCI compliant for their part of the payment process, but you still have responsibilities. You need to complete an SAQ (usually SAQ A or A-EP) confirming you’re using their tools correctly and securely. Think of it as a shared responsibility model.

How often do I need to do this?

Annually for your SAQ and AOC. Quarterly for ASV scans if required. Some processors check compliance quarterly but most verify annually. Set calendar reminders and you’ll never miss a deadline.

What’s an ASV scan and do I need one?

An Approved Scanning Vendor scan checks your internet-facing systems for vulnerabilities. You need quarterly scans if you have any systems online — website, email server, remote access, etc. SAQ A merchants sometimes don’t need scans, but most others do.

I failed my ASV scan. Now what?

Don’t panic — it happens to most merchants on their first scan. The ASV report shows exactly what failed and how to fix it. Usually it’s outdated software or unnecessary services. Make the fixes and rescan. Most merchants pass within a week of their first attempt.

Is PCI compliance the same as being secure?

PCI compliance is a solid security baseline, but it’s not comprehensive protection. Think of it as the minimum required to handle card data safely. Smart merchants go beyond compliance with additional security measures like cyber insurance and regular security training.

Conclusion

PCI compliance might seem overwhelming when that first questionnaire lands in your inbox, but for most small businesses, it’s a manageable process that protects both you and your customers. You’re likely looking at a simple SAQ that takes an hour or two annually, plus quarterly scans that run automatically. The cost is minimal compared to the massive liability you’d face in a breach.

The key is identifying which SAQ applies to your payment setup and using the right tools to streamline compliance. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team about your specific payment setup.

Remember: every business that accepts credit cards needs to be PCI compliant. But with the right guidance and tools, it’s just another routine part of running a secure business — not the compliance nightmare you might have feared.
