Paysafe PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses, achieving Paysafe PCI compliance is simpler than it looks. You probably qualify for one of the easier self-assessment questionnaires (SAQs), and the whole process might take you an afternoon. This guide will walk you through exactly what you need to do, in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. If your business accepts credit or debit cards — whether through a terminal, online, or over the phone — these requirements apply to you.

The major card brands (Visa, Mastercard, American Express, Discover and JCB) created these standards through the PCI Security Standards Council. Your payment processor or acquiring bank enforces them by requiring annual compliance validation. Think of it as a safety checklist for handling credit card information, similar to health codes for restaurants.

Non-compliance comes with real consequences: monthly fines from your processor (typically $25-$100 for small merchants), potential liability if customer data gets compromised, and in extreme cases, losing your ability to accept credit cards. The good news? Most small businesses qualify for simplified compliance through the easiest SAQ types, which are straightforward questionnaires you can complete yourself.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:

  • Running card transactions through a terminal
  • Processing payments on your website
  • Taking card numbers over the phone
  • Storing customer card information (though you should avoid this if possible)

Most small businesses fall into Merchant Level 4 (fewer than 20,000 e-commerce transactions a year, or up to 1 million transactions a year across all channels). Your merchant level determines how you validate compliance: Level 4 merchants typically complete a self-assessment questionnaire rather than undergoing an on-site assessment by a QSA.

That compliance questionnaire you received from your payment processor? It’s their way of ensuring you’re meeting PCI requirements. They’re required to verify your compliance annually, and they’ll keep sending reminders (and eventually fines) until you complete it.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Here’s how to determine which one applies to your business:

How you accept payments                                                  SAQ type        Questions   Complexity
Fully outsourced e-commerce: redirect or iframe to a hosted              SAQ A           22          Easiest
  payment page (PayPal, Stripe Checkout, Shopify)
E-commerce where your own site controls how card data reaches the        SAQ A-EP        139         Moderate
  processor (direct post, payment fields scripted into your page)
Standalone terminals only, dial-out or IP-connected                      SAQ B or B-IP   41 or 82    Easy
  (Square Reader, Clover, traditional card machine)
Card numbers keyed into a virtual terminal from phone or mail orders,    SAQ C-VT        160         Moderate
  never stored
Store card numbers or have a complex setup                               SAQ D           329         Complex

Question counts are approximate and change between PCI DSS versions; treat them as a rough gauge of effort rather than an exact figure.

If you use a payment terminal like Square, Clover, or a traditional credit card machine that connects via phone line or internet, you’ll likely complete SAQ B (standalone terminals with dial-out) or SAQ B-IP (standalone terminals with IP connection).

If you have an e-commerce site that hands the whole payment page to your provider, through a redirect or an iframe (Stripe Checkout, PayPal, Shopify), you'll probably use SAQ A. If your own site handles any part of the payment page, for example posting the card fields directly to the provider or loading the provider's payment form through scripts on your page, you'll need SAQ A-EP.

If you take payments over the phone or by mail and key them into a virtual terminal on a single, isolated computer, you'll complete SAQ C-VT (assuming you don't store the card numbers electronically).

If you store card numbers in any electronic format — please reconsider this practice. You’ll need to complete SAQ D, the most comprehensive questionnaire with 329 requirements.

Not sure which SAQ applies? PCICompliance.com's SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Your SAQ consists of yes/no questions about your payment security practices. Here’s what to expect:

The questionnaire format is straightforward. Each question asks whether you’ve implemented a specific security control. For example: “Do you change default passwords on payment terminals?” Answer honestly — “yes” means you actually do this, not that you plan to.

For most small merchants, you’ll need to gather:

  • A list of your payment terminals or software
  • Your network setup (usually just confirming your terminals aren’t on the same network as your computers)
  • Documentation of your security policies (even informal ones count)
  • Results from your quarterly vulnerability scan (if required)

Quarterly ASV scans are external vulnerability scans required by some SAQ types (SAQ A-EP, B-IP, C and D require them; SAQ B and C-VT don't; for SAQ A, check the scan requirement printed in the version of the questionnaire your processor uses). An Approved Scanning Vendor checks your internet-facing systems for security weaknesses. These scans are automated: you provide your website or IP addresses, and the ASV does the rest. A scan only counts if it passes, which means no finding with a CVSS score of 4.0 or higher and no SSL or early TLS (1.0/1.1) still enabled on your servers. Budget about 30 minutes quarterly to review results and address any findings, plus time for a rescan if something fails.

Once you complete your SAQ, you’ll generate an Attestation of Compliance (AOC). This is the official document you submit to your payment processor confirming your compliance status. Most processors have an online portal where you upload this document annually.

What It Costs

PCI compliance costs vary based on your business size and complexity:

Compliance platforms and SAQ tools typically cost $100-300 annually for small businesses. These platforms guide you through the questionnaire, store your documentation, and remind you of upcoming deadlines.

Quarterly ASV scanning runs $50-150 per scan (so $200-600 annually). Some compliance platforms include ASV scanning in their annual fee.

If you need a QSA (Qualified Security Assessor), expect to pay $5,000-50,000+ for a full assessment. This only applies to larger merchants or those with complex payment environments — most small businesses never need a QSA.

The cost of non-compliance hits harder than compliance fees. Payment processors typically charge $25-100 monthly for non-compliant merchants. If you experience a data breach while non-compliant, you could face fines starting at $5,000 plus breach-related costs and liability for fraudulent charges.

For most small merchants, a year of compliance costs about the same as a few months of non-compliance fees, and far less than a single data breach.

Staying Compliant Year-Round

PCI compliance isn't a one-and-done activity. Your payment processor requires annual revalidation, with quarterly vulnerability scans in between if your SAQ calls for them.

Set up reminders for:

  • Annual SAQ completion (usually on your compliance anniversary date)
  • Quarterly ASV scans (at least every 90 days, if your SAQ requires them)
  • Security updates for payment terminals and e-commerce platforms
  • Password changes for payment systems

Certain changes trigger immediate reassessment:

  • Adding new payment channels (like starting to accept online payments)
  • Changing payment processors or terminals
  • Storing card data when you didn’t before
  • Significant changes to your network or payment environment

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and maintaining your compliance history in one place.

FAQ

What happens if I ignore the compliance questionnaire?

Your payment processor will send increasingly urgent notices, then begin charging monthly non-compliance fees (typically $25-100). Eventually, they may increase your transaction rates or terminate your merchant account, leaving you unable to accept credit cards.

Do I need PCI compliance if I only process a few transactions?

Yes. PCI requirements apply to any business that accepts credit cards, regardless of transaction volume. Even one transaction per year means you need to complete an SAQ.

Can I just check ‘yes’ to all the questions?

Only check 'yes' if you actually meet that requirement. False attestation can result in significant fines and liability if a breach occurs. Most SAQs include questions that simply don't apply to a small setup; for those, answer 'Not Applicable' and give the short explanation the form asks for, rather than answering 'yes'. A 'no' answer means you are not compliant on that point and need to fix it before you attest.

What’s the difference between PCI compliance and EMV compliance?

EMV (chip cards) is not a compliance standard; it shifts liability for counterfeit-card fraud onto whichever party (merchant or card issuer) doesn't support chip transactions. PCI compliance covers overall payment data security. In practice you want both: EMV-capable terminals for in-person transactions so you're not left holding counterfeit-fraud losses, and PCI compliance for your entire payment environment.

Do I need quarterly scans if I only use a terminal?

It depends on your SAQ type. SAQ B (dial-out terminals) doesn't require quarterly scans. SAQ B-IP (internet-connected terminals) does, because the terminal is reachable over the network. Check the scan requirement stated in your specific SAQ.

How long does the SAQ take to complete?

For simple setups (SAQ A or B), budget 1-2 hours for your first assessment. SAQ C-VT might take 2-4 hours. SAQ D can take days or weeks, depending on your environment’s complexity. Subsequent years go faster once you understand the questions.

What if I fail my vulnerability scan?

Don't panic. The ASV report shows what failed and why. Common issues include expired or mismatched TLS certificates, servers that still accept TLS 1.0 or 1.1, and outdated software versions the scanner can identify from banners. Fix the identified vulnerabilities and request a rescan; a failed scan doesn't count against you as long as a passing scan is on file before your compliance deadline.
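Two of the failures just described (legacy TLS still accepted, certificate about to expire) are easy to check yourself before paying for the quarterly ASV scan mentioned earlier in this guide. The script below is an added example, not code from PCICompliance.com or from any ASV, and it is not a substitute for the scan itself: it probes one hostname for TLS 1.0/1.1 support and reads the certificate expiry, using only the Python standard library. The hostname shop.example.com is an assumed placeholder, and the 30-day expiry warning is our own threshold, not a PCI figure.

```python
"""Pre-scan self-check for two common ASV findings: legacy TLS (1.0/1.1)
still accepted by the server, and a certificate close to expiry.
Added example (not PCICompliance.com code); standard library only."""
import socket
import ssl
import time

# Protocol versions an ASV treats as an automatic failure ("SSL/early TLS").
LEGACY_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}
EXPIRY_WARN_DAYS = 30  # our own threshold for "renew soon", not a PCI number


def probe_protocol(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to `version`.
    Certificate validation is switched off on purpose here: the only question
    is whether the server still *offers* the protocol."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # OpenSSL 3 refuses to speak TLS 1.0/1.1 at its default security
        # level; lower it so the probe can actually offer the legacy version.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # Handshake refused, connection failed, or the local OpenSSL build
        # cannot offer this version at all: either way, not observed.
        return False


def fetch_not_after(host, port, timeout=5.0):
    """Fetch the leaf certificate's notAfter field with full validation on,
    so an untrusted or mismatched certificate surfaces here as an SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_until_expiry(not_after, now_ts=None):
    """Whole days until the certificate expires (negative if already expired).
    `not_after` is the string from getpeercert()['notAfter'],
    e.g. 'Jan  5 09:34:43 2018 GMT'; `now_ts` is a POSIX timestamp."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return int((expires - now_ts) // 86400)


def assess(legacy_accepted, days_left):
    """Turn raw probe results into a findings list in the spirit of an ASV
    report: anything listed here needs fixing before the real scan."""
    findings = [f"{name} still accepted (automatic ASV failure)"
                for name, accepted in legacy_accepted.items() if accepted]
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return {"pass": not findings, "findings": findings}


def check_host(host, port=443):
    """Run both probes against one hostname and return the assessment."""
    legacy = {name: probe_protocol(host, port, v)
              for name, v in LEGACY_VERSIONS.items()}
    days_left = days_until_expiry(fetch_not_after(host, port))
    return assess(legacy, days_left)


if __name__ == "__main__":
    import json
    import sys
    # shop.example.com is an assumed placeholder; pass your own hostname.
    target = sys.argv[1] if len(sys.argv) > 1 else "shop.example.com"
    print(json.dumps(check_host(target), indent=2))
```

Run it as `python pci_precheck.py shop.example.com` against the hostname you will give the ASV. If it reports TLS 1.0 or 1.1 as accepted, disable those protocols in your web server or load balancer before the scan; if the certificate is close to expiry, renew it. A clean result here does not mean the ASV scan will pass (the ASV checks far more than these two points), but these are the findings most often fixable in an afternoon.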

Can I outsource PCI compliance?

You can outsource the work but not the responsibility. Payment facilitators, tokenization providers, and hosted checkout solutions reduce your compliance scope, but you still need to complete the appropriate SAQ and maintain secure practices for any card data you handle.

Conclusion

PCI compliance might seem daunting when you first receive that questionnaire, but for most small businesses, it’s a manageable process. Identify your SAQ type, set aside a few hours to complete it honestly, schedule your quarterly scans if required, and maintain simple security practices throughout the year. The investment in compliance costs far less than the alternative — monthly fines, increased liability, and potentially losing your ability to accept credit cards.

PCICompliance.com simplifies this entire process with everything you need in one platform. Our free SAQ Wizard helps you identify exactly which questionnaire applies to your business. Our ASV scanning service handles your quarterly vulnerability scans automatically. And our compliance dashboard keeps track of all your deadlines, documentation, and progress throughout the year. Whether you’re completing your first SAQ or maintaining ongoing compliance, we guide you through each step. Start with our free SAQ Wizard to identify your requirements, or talk to our compliance team for personalized guidance on achieving and maintaining your PCI compliance.
