TSYS PCI Compliance
Your Payment Processor Sent You a Compliance Questionnaire — Now What?
If you’re here because TSYS (now part of Global Payments) sent you a PCI compliance questionnaire, take a breath. For most small businesses, PCI compliance is simpler than it sounds. You don’t need to become a security expert or hire expensive consultants. You just need to understand what’s actually required for your specific situation — which is probably less than you think.
This guide walks you through everything you need to know about TSYS PCI compliance in plain English. No jargon, no scare tactics, just practical steps to get compliant and stay that way.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit cards. Think of it as basic security hygiene for handling payment data — like locking your doors and keeping customer information safe.
The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, JCB) through the PCI Security Standards Council. But here’s the important part: the card brands don’t deal with you directly. Your acquiring processor (in this case, TSYS/Global Payments) enforces the standard on their behalf, sets the deadlines, and asks you to prove compliance.
What Happens If You’re Not Compliant?
Non-compliance isn’t just a bureaucratic hassle — it has real consequences:
- Monthly fines from your processor (typically $20-100 per month for small merchants)
- Liability for fraud losses if card data is compromised
- Higher processing fees as a non-compliant merchant
- Loss of card acceptance privileges in extreme cases
But here’s the good news: most small businesses qualify for the simplest compliance options. If you’re using modern payment terminals or hosted checkout pages, you’re already doing most of what’s required.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes.
It doesn’t matter if you:
- Only process a few transactions per month
- Use a mobile card reader
- Take orders over the phone
- Have customers fill out paper forms
- Use an online payment gateway
If credit card numbers touch your business in any way, PCI compliance applies to you.
Understanding Your Merchant Level
The card brands define four merchant levels based on annual transaction volume (Visa’s thresholds are the ones most acquirers use), and TSYS assigns you one of them:
- Level 4: Fewer than 20,000 e-commerce transactions AND fewer than 1 million total transactions annually (most small businesses)
- Level 3: 20,000 to 1 million e-commerce transactions annually
- Level 2: 1 million to 6 million total transactions annually
- Level 1: Over 6 million total transactions annually (a merchant that suffers a breach can also be moved up to Level 1 regardless of volume)
As a Level 4 merchant (which most readers are), you’ll complete a Self-Assessment Questionnaire (SAQ) rather than hiring an external assessor. That’s the form TSYS sent you — and it’s simpler than it looks.
What TSYS Expects From You
Your compliance requirements from TSYS typically include:
1. Complete the appropriate SAQ annually
2. Run quarterly external vulnerability scans through an Approved Scanning Vendor (ASV) if your SAQ type includes that requirement (see the ASV section below; it depends on the SAQ, not simply on whether you have a website)
3. Submit your Attestation of Compliance (AOC) — a form saying you completed the SAQ
4. Fix any security issues identified during the process
The questionnaire they sent is your starting point. Let’s figure out which one you actually need.
Which SAQ Do You Need?
The most confusing part of PCI compliance is figuring out which SAQ applies to your business. The PCI Council publishes nine SAQ variants, but the six in the table below cover nearly every small merchant:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Redirect to, or a provider-hosted iframe from, a payment gateway (PayPal, Square Checkout, Stripe Checkout) | SAQ A | 22 | Simplest |
| E-commerce where your own page collects the card data (direct-post form, JavaScript you host) | SAQ A-EP | 191 | Moderate |
| Standalone terminal (Square, Clover, traditional terminal) | SAQ B (dial-out) or B-IP (IP-connected) | 41 or 82 | Simple |
| Manual key entry into a web-based virtual terminal (phone orders, mail order) | SAQ C-VT | 79 | Moderate |
| Store card numbers in any system | SAQ D | 329 | Complex |
The question counts above are those of the PCI DSS v3.2.1 SAQs. The v4.0 SAQs reworked and renumbered the questions, so expect different totals on the version TSYS asks you to complete.
Let’s break down the most common scenarios:
If You Use a Payment Terminal
Examples: Square Stand, Clover Station, traditional credit card terminal
You likely need SAQ B (standalone terminals that dial out over a phone line, or manual imprint machines) or SAQ B-IP (standalone PTS-approved terminals connected to the processor over IP, with no connection to any other system in your environment). These are relatively simple, mostly asking about physical security of the terminals, who can access them, and basic network protections. If a terminal is plugged into the same network as your back-office PCs or a POS application that sees card data, you are outside B-IP and should look at SAQ C or D.
If You Have an E-commerce Site
Examples: Shopify, WooCommerce with Stripe, BigCommerce
If customers are redirected to a hosted payment page (they see PayPal’s or Stripe’s URL when entering card details), or the card fields are an iframe served entirely by the payment provider (Stripe Checkout, Stripe Elements’ iframe-based fields, PayPal), you generally qualify for SAQ A, the simplest questionnaire. The provider, not your server, receives the card number.
If your own page collects the card number and sends it onward (a direct-post form, or JavaScript you host that handles the card data before it reaches the provider), you need SAQ A-EP. It is more complex but still manageable. One caveat: under PCI DSS v4.x the SAQ A eligibility criteria also cover the page that embeds or redirects to the payment form, so read the current SAQ A eligibility section rather than assuming a redirect alone qualifies you.
If You Take Card Payments Over the Phone
Examples: Call center, phone orders, consultations
You need SAQ C-VT if you key each transaction one at a time into a web-based virtual terminal provided by TSYS or another PCI-compliant service, from a workstation that is not connected to other systems in your environment and has no software that stores card data. Card numbers that arrive electronically (email, chat, web forms) or sit in call recordings disqualify you from C-VT, because that is storage. C-VT requires more security controls around the workstation and employee access than the terminal SAQs do.
If You Store Card Numbers
Please stop doing this if possible
If you store card numbers anywhere, in files, databases, spreadsheets, email, call recordings, application logs, or even paper, you need SAQ D, the full questionnaire. This is complex and expensive to maintain. Storing the card verification code (CVV/CVC) after authorization is never permitted under any SAQ. Consider switching to tokenization, where the processor stores the card and gives you a token for repeat charges, or avoid storage entirely.
Not sure which applies? Use PCICompliance.com’s SAQ Wizard — answer a few simple questions about how you accept payments, and we’ll tell you exactly which SAQ you need.
How to Complete Your SAQ
Once you know which SAQ applies, completing it is straightforward. Here’s what to expect:
What the Questionnaire Looks Like
Each SAQ contains yes/no questions about your security practices. For example:
- “Is the payment application vendor’s remote-access to customer systems disabled by default?”
- “Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission?”
Don’t panic at the technical language. For each question, you’re basically confirming whether you follow that security practice or explaining why it doesn’t apply to you.
What ‘Yes’ Actually Means
When you answer “yes” to a question, you’re saying:
- You have that control in place
- You can prove it if asked
- You’ll maintain it going forward
For Level 4 merchants, TSYS typically doesn’t require you to submit documentation — but you should be able to provide evidence if there’s ever an incident.
Documentation You’ll Need
Gather these items before starting your SAQ:
- Network diagram (even a simple one)
- List of all systems that handle card data
- Security policies (password requirements, access controls)
- Vendor agreements for any payment services
- Scan reports from your ASV if applicable
The Quarterly ASV Scan
Whether you need scans is decided by your SAQ type rather than by whether you have a website. Under the PCI DSS v3.2.1 SAQs, types A-EP, B-IP, C and D include quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), while A, B and C-VT do not; the v4.0 SAQ A added the scan requirement, so check the requirements list inside the SAQ version you are completing. The scan is an automated test of every internet-facing IP address and domain that is part of, or connected to, the systems that handle card data. A scan passes only when no finding rated CVSS 4.0 or higher remains, and some findings (for example, support for SSL or early TLS) fail the scan automatically.
PCICompliance.com includes ASV scanning with our platform — we’ll run the scans automatically and help you fix any issues found.
Submitting Your Completed SAQ
After answering all questions, you’ll:
1. Generate your Attestation of Compliance (AOC)
2. Sign it (usually electronically)
3. Submit it through TSYS’s compliance portal
4. Keep a copy for your records
The whole process typically takes 1-4 hours for simple SAQ types.
What It Costs
Let’s talk real numbers for PCI compliance costs:
Compliance Platform and Tools
- SAQ completion tools: $100-300 annually
- Full compliance platforms: $300-1,200 annually
- PCICompliance.com: Includes SAQ tools, ASV scanning, and compliance tracking
Quarterly ASV Scanning
- Standalone ASV service: $200-400 per scan
- Annual packages: $600-1,200
- Included with most compliance platforms
If You Need a QSA
- Level 4 merchants: Usually not required
- Complex environments: $5,000-15,000 for assessment
- Ongoing QSA support: $500-2,000 monthly
The Cost of NON-Compliance
- Monthly processor fines: $20-100
- Data breach liability: $50-90 per compromised card
- Forensic investigation: $10,000-100,000
- Lost ability to accept cards: Devastating
For most small merchants, annual compliance costs less than three months of non-compliance fines. It’s not just about avoiding penalties — it’s about protecting your business and customers.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox — it’s an ongoing requirement. Here’s how to stay on track:
Annual Requirements
- Recertify annually by completing your SAQ again
- Update for changes in how you accept payments
- Review security practices to ensure they still apply
Quarterly Requirements
- ASV scans must run at least once every three months, and each quarter needs a passing report, not just a completed one
- Review scan results and fix any critical issues
- Keep passing scan reports for your records
Setting Up Your Compliance Calendar
Create reminders for:
- Annual SAQ due date (usually your anniversary date with TSYS)
- Quarterly scan windows
- Security update schedules
- Employee training refreshers
What Triggers a New Assessment
You’ll need to reassess if you:
- Change payment methods (add e-commerce, phone orders)
- Switch payment processors
- Store card data when you didn’t before
- Experience a security incident
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sends reminders before deadlines, and maintains your compliance history — so you’re never caught off-guard by a TSYS compliance request.
Frequently Asked Questions
How long does PCI compliance take?
For most small merchants, initial compliance takes 2-4 hours. This includes understanding your requirements, gathering documentation, and completing your SAQ. Annual recertification typically takes less than an hour if nothing has changed.
Can I ignore the TSYS compliance notice?
No. TSYS will begin charging monthly non-compliance fees (typically $20-100; the exact amount is in your merchant agreement) after the deadline. More importantly, you’ll be liable for any fraud losses and could lose your ability to accept cards.
Do I need to hire a security consultant?
Most small merchants don’t need external help. If you’re SAQ A, B, or B-IP eligible, you can complete compliance yourself using the right tools. Only complex environments typically need professional assistance.
What if I fail my vulnerability scan?
Don’t panic. Many merchants fail their first scan. The ASV report lists what needs fixing, usually outdated software, weak TLS configuration, or unnecessary services exposed to the internet. Fix the failing items and rescan until you get a passing report, and make sure the passing scan falls within the same quarterly window. If a finding is a false positive or you have a compensating control, the ASV has a dispute process for documenting that rather than leaving the scan failed.
How does TSYS verify my compliance?
For Level 4 merchants, TSYS typically accepts your self-attestation at face value. However, they may request documentation if there’s an incident or during random audits. Keep your completed SAQ and any scan reports.
What’s the difference between TSYS and PCI requirements?
The security requirements are the same. TSYS enforces the PCI DSS requirements set by the card brands, so when TSYS asks for PCI compliance, they’re requiring you to meet the same standards that apply to all merchants globally. What TSYS controls is its own program: the due dates, the portal you submit through, and the non-compliance fees.
Can I use any compliance provider or must I use TSYS’s?
You can use any legitimate PCI compliance service provider. The key is ensuring they provide the correct SAQ type and ASV scanning if required. TSYS will accept valid AOCs from any provider.
What if my business model doesn’t fit any SAQ type?
This is rare but happens. You might need to complete SAQ D or work with a QSA to document compensating controls. Contact TSYS’s compliance team or a qualified provider for guidance on unusual scenarios.
Your Next Steps
TSYS PCI compliance doesn’t have to be overwhelming. For most merchants, it’s a straightforward process that protects both your business and your customers. The key is understanding which requirements actually apply to you — not trying to tackle everything in the PCI DSS.
Start by identifying your correct SAQ type. If you’re still unsure after reading this guide, PCICompliance.com’s free SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need. From there, our platform guides you through each requirement, provides the quarterly ASV scanning TSYS requires, and keeps your compliance documentation organized year after year.
Whether you complete your SAQ today or schedule a call with our compliance team for guidance, taking action now prevents those monthly fines and gives you peace of mind that your payment processing is secure. Most merchants find that once they understand what’s actually required, compliance is far simpler than they expected.