Elasticsearch PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you're staring at it wondering what any of this means, take a deep breath. For most small businesses, PCI compliance is much simpler than it sounds. You probably don't need to hire consultants or spend months implementing complex security controls. In fact, if you're using modern payment terminals or a hosted checkout page, you can often complete your compliance requirements in an afternoon. Here's what you actually need to know.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit card payments. Think of it as a security checklist created by the major card brands — Visa, Mastercard, American Express, and Discover — to protect customer card data.

The card brands formed the PCI Security Standards Council (PCI SSC) to write and maintain these standards. But here’s the important part: they don’t enforce compliance directly. Your acquirer (the bank or payment processor that handles your card transactions) is the one who sends you compliance questionnaires and tracks your status.

Why should you care? Three big reasons:

  • Fines from your processor if you're not compliant. Monthly non-compliance fees start small but escalate the longer you stay out of compliance (see "What It Costs" below).
  • Liability if there's a breach. If customer card data gets stolen and you weren't PCI compliant, you're on the hook for the investigation, card-replacement and fraud costs.
  • Loss of card processing ability. Your processor can terminate your merchant account, meaning you can't accept credit cards at all.

But here’s the good news that compliance companies don’t always tell you: most small businesses qualify for the simplest compliance requirements. If you’re not storing card numbers and you’re using modern payment tools, compliance is straightforward.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. This includes:

  • In-person payments through a terminal
  • Online payments through your website
  • Phone orders where customers read you their card number
  • Mail order forms with card information
  • Mobile payments through an app

Your merchant level determines how extensive your compliance requirements are. Most small businesses are Level 4 merchants: by Visa's definition, fewer than 20,000 e-commerce transactions per year and fewer than 1 million card transactions in total (the other card brands use similar thresholds). Level 4 merchants validate with a Self-Assessment Questionnaire (SAQ) instead of hiring an outside assessor.

Your payment processor expects you to:
1. Complete the appropriate SAQ annually
2. Pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) if your SAQ type requires them
3. Submit an Attestation of Compliance (AOC) confirming you meet the requirements

That compliance questionnaire they sent? It’s their way of tracking that you’ve done these things. They’re required by the card brands to ensure all their merchants maintain compliance.

Which SAQ Do You Need?

The SAQ (Self-Assessment Questionnaire) you need depends entirely on how you accept payments. Think of it as choosing the right tax form — you want the one that matches your actual business situation.

Here’s the decision tree in plain language:

If you use a payment terminal like Square, Clover, or a traditional credit card machine → you likely need SAQ B (a standalone terminal that dials out over a phone line) or SAQ B-IP (a standalone terminal that connects over the internet). Both assume the terminal is not connected to any other system in your business and that you never store card data electronically.

If you have an e-commerce site that hands the entire payment page to a hosted checkout (a full redirect, or an iframe served by Shopify Payments, Stripe Checkout, PayPal and the like) → you likely need SAQ A (the simplest one).

If your own website collects the card details (a payment form on your pages, or JavaScript served from your site that sends the card data straight to the processor) → you likely need SAQ A-EP, which is considerably longer because your web server is now in scope.

If you take payments over the phone and key them one at a time into a web-based virtual terminal on an isolated computer → you likely need SAQ C-VT (virtual terminals).

If you store card numbers in any form (files, databases, even paper) → you need SAQ D (and you should seriously consider stopping this practice).

Payment scenario                                   SAQ type       Questions (approx.)   Complexity
Redirect/iframe to PayPal, Stripe Checkout, etc.   SAQ A          ~20                   Simple
Payment fields on your own site                    SAQ A-EP       ~140                  Moderate
Square/Clover terminal                             SAQ B / B-IP   ~40                   Easy
Phone orders with virtual terminal                 SAQ C-VT       ~80                   Moderate
Store card data                                    SAQ D          ~330                  Complex

(Question counts vary a little between PCI DSS versions; treat them as rough sizes, not exact figures.)

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which SAQ you need — no compliance expertise required.

How to Complete Your SAQ

The questionnaire itself is simpler than you might expect. Each requirement is a yes/no question about your security practices. Here’s what the process looks like:

Understanding the questions: When a requirement asks "Do you have a firewall?" it is asking about basic network protection between the internet and any system that touches card payments; your internet router almost certainly has one built in, but check that it is enabled and that you have changed its default administrator password. When it asks about "strong passwords," the older PCI DSS 3.2.1 baseline is at least 7 characters with a mix of letters and numbers; PCI DSS 4.0 raises that to at least 12 characters (8 where a system cannot support 12), so aim for 12 or more and never leave a vendor default password in place.

Documentation you’ll need:

  • List of all the ways you accept payments
  • Your network setup (for many small businesses, this is just your internet router)
  • Employee list for anyone who handles card payments
  • Any policies you have about payment security (even informal ones count)

The quarterly ASV scan: Whether you need one depends on your SAQ. SAQ A-EP, B-IP, C and D require it; SAQ B and C-VT do not, and SAQ A normally does not (your processor's portal states what it expects for your SAQ). If it applies, an Approved Scanning Vendor scans your internet-facing systems (your public IP addresses and website) every three months. It typically takes 15-30 minutes to set up and then runs automatically. A scan passes only when no finding rated medium or higher remains (CVSS 4.0 and above under the ASV program rules), so an expired certificate or an old TLS version left enabled is enough to fail it.

Submitting your compliance: Once you’ve answered all the questions and passed any required scans, you’ll complete the AOC (Attestation of Compliance). This is basically your signature saying the information is accurate. Submit this to your payment processor through their portal or compliance platform.

Most small merchants can complete their SAQ in 1-3 hours once they have the right information gathered.

What It Costs

Let’s talk real numbers for PCI compliance costs:

Compliance platform and SAQ tools: Free to $30/month for basic platforms, $50-200/month for comprehensive solutions with support. PCICompliance.com starts at $19/month for small merchants.

Quarterly ASV scanning: Usually $30-100 per scan, or $120-400 annually. Many compliance platforms include this in their monthly fee. Watch out for processors that mark up scan costs significantly.

If you need a QSA: Only required for Level 1 merchants or if your processor specifically demands it. QSA assessments typically cost $15,000-50,000+ annually. Good news: most small businesses never need this.

The cost of NON-compliance: This is where it gets expensive. Monthly non-compliance fees from your processor start around $20-100 but can escalate to $5,000+ for continued non-compliance. If there’s a breach and you weren’t compliant, you’re looking at forensic investigation costs ($10,000+), card replacement fees ($3-5 per compromised card), and potential lawsuits.

Honest assessment: For most small merchants, annual compliance costs less than a single month of non-compliance fines. Budget $200-500 per year for a compliance platform with ASV scanning included, and you’re covered.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track:

Annual requirements: Your SAQ must be completed every 12 months. Mark your calendar for 30 days before your anniversary date to avoid any lapse in compliance.

Quarterly scans: If required, ASV scans happen every 90 days. Most platforms handle this automatically once configured, but you need to fix any failures promptly.

Setting up tracking: Use a compliance calendar or platform dashboard. Set reminders for:

  • Annual SAQ due date (with 30-day warning)
  • Quarterly scan windows
  • When to review and update payment processes

Changes that trigger reassessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or equipment
  • Storing card data when you didn’t before
  • Significant network or system changes

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sends reminders before deadlines, and maintains your compliance history in one place.

FAQ

I’m just a small shop with one credit card terminal. Do I really need to do all this?

Yes, but it's simpler than you think. With just one terminal, you likely need SAQ B (or SAQ B-IP if it connects over the internet rather than a phone line): about 40 yes/no questions that mostly confirm your terminal is separate from other systems and that you don't keep card data anywhere else. It typically takes less than an hour to complete.

What happens if I just ignore the compliance questionnaire?

Your payment processor will start charging non-compliance fees (usually $20-100/month initially). These fees escalate over time and can reach thousands per month. Eventually, they can terminate your merchant account.

Can I just say “yes” to everything on the questionnaire?

The AOC you sign is a formal attestation to your acquirer. Answering falsely is misrepresentation and could expose you to fraud claims. More practically, if there's a breach and the forensic investigation shows your answers were untrue, your business bears the full costs and the card brands' fines, with none of the protection the compliance you claimed would have given you.

Do I need to hire a security consultant?

For most small businesses using SAQ A, B, or C-VT — no. These questionnaires are designed for self-completion. Only SAQ D typically requires professional help due to its complexity.

My payment processor offers compliance for $300/year. Should I use them?

Compare what’s included. Some processor programs are just expensive scanning services. Make sure you get: the right SAQ type, ASV scanning if needed, support for questions, and a compliance dashboard.

I use Square for everything. What’s my compliance requirement?

If you only use Square's standard terminal or mobile reader, you're likely SAQ B (or SAQ B-IP if the terminal connects over the internet). Square handles the terminal's security, but you still need to complete your annual questionnaire, and quarterly ASV scans if you end up on SAQ B-IP; plain SAQ B does not require them.

What if I fail my vulnerability scan?

You have time to fix the issues and rescan. Most failures are outdated software, unnecessary open services, expired or self-signed certificates, or old TLS versions still enabled on a public-facing system. The scan report tells you exactly what to fix; any finding rated medium or higher (CVSS 4.0 and above) has to be fixed, or disputed with the ASV as a false positive, before the scan passes. You only fall out of compliance if you can't get a clean scan within your quarterly window.

How do I know if I’m storing card data?

Check: email inboxes, spreadsheets, customer databases, paper files, call recordings and even voicemail systems. If you can see a full card number (the PAN, 13 to 19 digits) anywhere after a transaction completes, you are storing card data. A number truncated to the first six and last four digits, or replaced by a processor token (such as a Stripe or Square customer token), does not count. The three- or four-digit security code (CVV/CVC), a PIN, or full magnetic-stripe data must never be kept after authorization, not even encrypted.
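A practical way to answer that question for electronic files is a card-number discovery script. The one below is an added example written for this page, not a PCICompliance.com tool or anything the page's author provides. It hunts for 13-19 digit runs, drops the ones that fail the Luhn mod-10 check that every real card number satisfies (which removes most phone numbers, order IDs and tracking numbers), and reports hits masked to first six and last four digits, so the report itself does not become a new place where full card numbers are stored. The sample files are constructed for the demonstration and use the well-known Visa and American Express test numbers.

```python
"""PAN discovery: find card numbers that have leaked into files.

Added example for this page (not a PCICompliance.com tool): scans text for
13-19 digit runs, keeps only those that pass the Luhn check, and reports
each hit masked to first six / last four digits so the report itself does
not become another place where full card numbers are stored.
"""
import re
import sys
from pathlib import Path

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (long numeric IDs are skipped on purpose).
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Constructed sample files. The card numbers are the well-known Visa and
# American Express test PANs, not real customer data.
SAMPLE_FILES = {
    "orders.csv": "order_id,card\n10001,4111 1111 1111 1111\n10002,tok_1ABC\n",
    "notes.txt": "Customer phone 555-123-4567, tracking 1234567890123456, "
                 "amex on file 378282246310005\n",
    "ledger.txt": "Invoice 20240101000000000001 paid in full\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text, de-duplicated, in order of appearance."""
    found: list[str] = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        masked = mask_pan(digits)
        if luhn_ok(digits) and masked not in found:
            found.append(masked)
    return found


def scan_texts(files: dict[str, str]) -> dict[str, list[str]]:
    """Map file name -> masked PANs, for the files that contain at least one."""
    results: dict[str, list[str]] = {}
    for name, text in files.items():
        hits = find_pans(text)
        if hits:
            results[name] = hits
    return results


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Scan every file under root; undecodable bytes are ignored, so binary files mostly yield nothing."""
    results: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file():
            hits = find_pans(path.read_text(errors="ignore"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    # With a directory argument, scan real files; otherwise run on the sample data.
    report = scan_directory(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_texts(SAMPLE_FILES)
    for name, hits in report.items():
        print(f"{name}: {', '.join(hits)}")
    # On the sample files this prints:
    #   orders.csv: 411111******1111
    #   notes.txt: 378282*****0005
```

Run it with a directory path to scan real files (for example a shared drive or an exported mailbox); database dumps and mail archives should be exported to text first. Treat every hit as a finding to clean up, not the absence of hits as proof you are clean: the Luhn filter removes most false positives, but card numbers inside PDFs, scanned images or compressed archives will not be found by a plain-text scan.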

Conclusion

PCI compliance sounds intimidating, but for most small businesses, it’s a manageable annual task. Identify your correct SAQ type, complete the questionnaire honestly, schedule your quarterly scans if required, and maintain your compliance year-round. The cost of compliance — both in time and money — is far less than the alternative.

Remember, you’re not alone in this. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You can start with the free SAQ Wizard to identify your requirements in under 5 minutes, or talk to our compliance team if you need guidance. We’ve helped thousands of merchants just like you navigate PCI requirements without the confusion or unnecessary costs.
