Webhooks and PCI Compliance

You just opened an email from your payment processor with “PCI Compliance Questionnaire” in the subject line. Your heart sinks. The attached PDF is 40 pages of technical jargon about firewalls, encryption, and security protocols. Before you panic, take a deep breath. For most small businesses, PCI compliance is simpler than that intimidating questionnaire makes it seem. If you’re accepting credit cards through modern payment systems — especially if you’re using webhooks to handle payment notifications — you’re likely already doing most things right. This guide will show you exactly what you need to do, in plain English, without the technical overwhelm.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist designed to protect credit card data from hackers. If you accept credit cards in any form — in person, online, or over the phone — these rules apply to you.

The card brands created an organization called the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) is responsible for making sure you comply. That’s why you received that questionnaire — your acquirer needs proof that you’re protecting card data properly.

Here’s what happens if you don’t comply:

  • Your payment processor can fine you (typically $5,000-$100,000 per month of non-compliance)
  • If there’s a data breach, you’re liable for fraud losses and card replacement costs
  • In extreme cases, you could lose the ability to accept credit cards entirely

The good news: The current standard recognizes that small businesses aren’t handling card data the same way large retailers are. If you’re using modern payment tools like Square, Stripe, or PayPal, you qualify for the simplest compliance requirements. Most small merchants can complete their compliance in under an hour.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes.

It doesn’t matter if you’re a food truck accepting Apple Pay, an online boutique using Shopify, or a consultant who occasionally takes cards over the phone. The moment you accept a credit card payment, PCI DSS applies to you.

Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete a Self-Assessment Questionnaire (SAQ) instead of hiring an expensive auditor.

Here’s what your payment processor expects from you:

  • Complete the appropriate SAQ annually
  • Run quarterly vulnerability scans if you have any internet-facing systems
  • Submit your Attestation of Compliance (AOC) — basically a form saying “yes, we completed the requirements”

That compliance questionnaire they sent? It’s your reminder to complete these steps. They’re not trying to catch you doing something wrong — they’re required by the card brands to verify that every merchant in their portfolio is protecting card data.

Which SAQ Do You Need?

The SAQ (Self-Assessment Questionnaire) comes in different versions based on how you handle card data. Think of it like tax forms — you don’t fill out a 1040 long form if you only need a 1040EZ. Here’s how to figure out which one you need:

How You Accept Payments                      | SAQ Type | Complexity | Number of Questions
---------------------------------------------|----------|------------|--------------------
Fully outsourced (PayPal, Square online)     | SAQ A    | Simple     | 22
E-commerce with payment form on your site    | SAQ A-EP | Moderate   | 139
Standalone terminal (Square reader, Clover)  | SAQ B    | Simple     | 41
Terminal connected to your network           | SAQ B-IP | Moderate   | 82
Taking cards over the phone                  | SAQ C-VT | Moderate   | 160
Storing card numbers (please stop!)          | SAQ D    | Complex    | 329

Let’s break this down with real examples:

If you use a payment terminal like a Square Reader, Clover, or similar device that’s not connected to your computer systems, you’re likely SAQ B. This is one of the simplest forms — just 41 yes/no questions about physical security and basic procedures.

If you have an e-commerce site using hosted checkout (where customers are redirected to Stripe, PayPal, or your payment processor’s page to enter card details), you qualify for SAQ A — the absolute simplest form with just 22 questions.

If you take payments over the phone and enter them into a virtual terminal or payment system, you’ll complete SAQ C-VT. It’s longer but still manageable for most businesses.

If you store card numbers in any form — spreadsheets, customer database, even paper files — you’re stuck with SAQ D, the full questionnaire. This is complex and expensive to maintain. Seriously consider switching to a tokenization service instead.

Not sure which applies? Use PCICompliance.com’s SAQ Wizard — answer a few simple questions about how you accept payments, and we’ll tell you exactly which SAQ you need, no guesswork required.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Here’s what you’re actually signing up for when you answer “yes”:

“Do you restrict physical access to cardholder data?”

  • Translation: Is your payment terminal in a secure location where customers/visitors can’t tamper with it?
  • What “yes” means: You keep terminals behind the counter or in locked areas overnight

“Do you use unique usernames and passwords?”

  • Translation: Does everyone have their own login to your payment systems?
  • What “yes” means: You don’t share the “admin” password with your whole team

Most questions are this straightforward. You’re not implementing enterprise-grade security — you’re following common-sense practices to protect card data.

Documentation you’ll need:

  • List of all systems that handle card payments
  • Your network setup (for SAQ types other than A and B)
  • Security policies (templates are fine for small businesses)
  • Vendor compliance documents (your payment processor should provide these)

The quarterly ASV scan is required if you have any systems connected to the internet (websites, email servers, etc.). An Approved Scanning Vendor runs automated security scans of your external IP addresses looking for vulnerabilities. It’s like having a security expert check your locks four times a year. The scan takes about 15 minutes to set up and runs automatically.

Once everything is complete, you’ll submit:
1. Your completed SAQ
2. The Attestation of Compliance (AOC) — a cover sheet that summarizes your compliance
3. Evidence of passing ASV scans (if required)
4. Any requested documentation

Most payment processors have online portals where you upload these documents. Some even have built-in SAQ tools that guide you through each question.

What It Costs

Let’s talk real numbers. PCI compliance isn’t free, but it’s less expensive than most businesses fear:

Compliance platform and SAQ tools: $100-500 per year for small merchants. This includes access to SAQ questionnaires, policy templates, and compliance tracking. Some payment processors include basic tools for free.

Quarterly ASV scanning: $200-500 per year for four quarterly scans. Some compliance platforms bundle this with their annual fee. You need this if you have any internet-facing systems (even just a basic website).

If you need a QSA: Only required for Level 1 merchants or if you can’t pass the self-assessment. QSA assessments run $10,000-50,000+ depending on complexity. Good news: most small businesses never need one.

The cost of NON-compliance:

  • Monthly fines from your processor: $5,000-100,000
  • Breach liability: Average $150 per compromised card
  • Loss of card processing privileges: Priceless (in the worst way)

Honest assessment: For most small merchants, annual compliance costs less than a single month’s non-compliance fine. Budget $300-700 per year and you’ll have professional tools and scanning covered.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly check-ins. Here’s your compliance calendar:

Annually: Complete your SAQ and submit your AOC. Pick the same month each year (many businesses align with their business license renewal or fiscal year).

Quarterly: Run ASV scans if required. Set calendar reminders for the first week of each quarter. Scans usually complete within 24 hours, but you’ll want buffer time to fix any issues found.

Ongoing: Notify your acquirer if you change how you accept payments. Adding a new e-commerce platform, switching payment processors, or starting to take phone orders could change your SAQ type.

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, stores your documentation, and shows your compliance status at a glance. No more scrambling when your acquirer asks for proof of compliance.

FAQ

Q: I only process a few transactions per month. Do I still need to comply?
A: Yes, PCI DSS applies regardless of transaction volume. The good news is that your low volume means simpler requirements and lower costs.

Q: What if I only use PayPal or Square?
A: You still need to comply, but you qualify for SAQ A — the simplest form with just 22 questions. These providers handle the complex security, so your responsibilities are minimal.

Q: Can I just ignore this questionnaire from my payment processor?
A: Not recommended. Your processor will start with reminder emails, escalate to phone calls, then impose monthly fines. Eventually, they’ll suspend your ability to process cards.

Q: I don’t store any card numbers. Why do I need to comply?
A: PCI DSS covers the entire card payment process, not just storage. Even if cards only pass through your systems for a second during processing, the standard applies.

Q: What’s the difference between PCI compliance and being “PCI certified”?
A: There’s no such thing as “PCI certification” for merchants. You’re either compliant with PCI DSS or you’re not. Vendors can be “PCI certified” for their products, but merchants validate compliance annually.

Q: Do I need to hire a security consultant?
A: Most small businesses don’t. The SAQs are designed for business owners to complete with basic technical knowledge. Compliance platforms provide guidance for each question.

Q: How do I know if I’m using webhooks for payment processing?
A: If your payment system automatically updates your inventory, sends email receipts, or syncs with your accounting software when payments complete, you’re likely using webhooks. Check with your payment processor or web developer.

Q: What happens if I fail my ASV scan?
A: You’ll receive a report showing what needs to be fixed — usually software updates or configuration changes. You have time to fix issues and rescan. Most businesses pass after addressing the findings.

Making PCI Compliance Manageable

That intimidating questionnaire from your payment processor doesn’t have to derail your week. For most small businesses, PCI compliance means answering some straightforward questions about your payment setup, running quarterly security scans if you have a website, and submitting the paperwork once a year. If you’re using modern payment tools and following basic security practices, you’re already doing most of what’s required.

The key is picking the right SAQ type — use PCICompliance.com’s free SAQ Wizard to identify exactly which questionnaire applies to your business. Our platform then walks you through each question in plain English, provides policy templates where needed, and handles your quarterly ASV scans automatically. Instead of wrestling with compliance spreadsheets, you get a simple dashboard showing your status year-round. Whether you need help understanding webhooks and PCI compliance requirements or just want automated reminders when it’s time to recertify, we’ve got you covered. Start with the wizard to see how simple compliance can be, or talk to our team about building a compliance program that fits your business.
