Ingenico PCI Compliance

If you just received a PCI compliance questionnaire from your payment processor and your stomach dropped — take a breath. For most small businesses, Ingenico PCI compliance is much simpler than it sounds. You don’t need a computer science degree or a dedicated security team. You just need to understand which form to fill out (it’s probably the shortest one) and complete a few basic steps each year. This guide walks you through everything in plain English — no jargon, no panic, just the facts you need to protect your business and keep accepting card payments.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to anyone who accepts credit card payments. Think of it as basic hygiene for handling payment cards — like food safety rules for restaurants, but for credit card data.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through an organization called the PCI Security Standards Council. But here’s the important part: the card brands don’t enforce these rules directly. Your payment processor or acquiring bank — the company that handles your card transactions — is the one who sends you compliance questionnaires and tracks whether you’re meeting the standards.

Why should you care? Three reasons that matter to your bottom line:

  • Fines: Your processor can charge monthly non-compliance fees (typically $20-100/month) that add up fast
  • Liability: If card data gets stolen from your business and you’re not compliant, you’re on the hook for the breach costs
  • Card acceptance: In extreme cases, you could lose the ability to accept credit cards entirely

Here’s the good news: most small businesses qualify for the simplest compliance requirements. If you use modern payment terminals or hosted checkout pages, you’re already doing most of the heavy lifting. The compliance process often just means confirming you’re following basic security practices you’re probably already doing.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you’re a food truck with a mobile reader, an online boutique, or a dental office — if customers can pay with plastic, PCI applies to you.

Your merchant level determines how much documentation you need to provide. Most small businesses fall into Level 4 (processing less than 20,000 e-commerce transactions or less than 1 million total transactions annually). Level 4 merchants typically just need to complete a self-assessment questionnaire — no external auditor required.

That questionnaire your payment processor sent? It’s their way of making sure you’re following the rules. They’re required by the card brands to verify your compliance annually. Ignore it, and those monthly non-compliance fees start showing up on your merchant statement. Complete it, and you’re good for another year.

The questionnaire itself is called an SAQ (Self-Assessment Questionnaire), and there are different versions depending on how you accept payments. The next section helps you figure out which one you need.

Which SAQ Do You Need?

The biggest source of confusion in PCI compliance is figuring out which SAQ applies to your business. There are nine different types, but most small merchants only need to worry about four:

| How You Accept Payments                                            | Your SAQ Type | Number of Questions | Difficulty |
|--------------------------------------------------------------------|---------------|---------------------|------------|
| Payment terminal only (Square, Clover, standalone device)          | SAQ B or B-IP | 22-82 questions     | Easy       |
| E-commerce with hosted checkout (Shopify, Stripe Checkout, PayPal) | SAQ A         | 22 questions        | Easiest    |
| Phone orders (no electronic storage)                               | SAQ C-VT      | 80 questions        | Moderate   |
| You store card numbers anywhere                                    | SAQ D         | 329 questions       | Complex    |

Let’s break these down in real-world terms:

SAQ A: You never touch card data. Customers enter their payment info on someone else’s secure page (like when they’re redirected to PayPal or see a Stripe-hosted payment form). This is the golden ticket of PCI compliance — just 22 yes/no questions.

SAQ B: You have a standalone payment terminal that’s not connected to your other systems. Think of a restaurant with a separate credit card machine or a retail store with a Square reader. Still just 22 questions if it’s truly standalone.

SAQ B-IP: Same as SAQ B, but your terminal connects to the payment processor over the internet instead of a phone line. Slightly more questions (82) because internet connections need extra security checks.

SAQ C-VT: You take orders over the phone and key them into a virtual terminal or web-based system. No paper storage of card numbers allowed. This one’s longer (80 questions) because phone payments have more security considerations.

SAQ D: The big one. You’re storing card numbers in your system, processing payments through software on your computers, or have a complex payment environment. Please reconsider — this path leads to 329 questions and significant ongoing work.

Not sure which one fits? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need. No guessing required.

How to Complete Your SAQ

Once you know which SAQ you need, completing it is straightforward. The questionnaire is a series of yes/no questions about your security practices. Here’s what to expect:

What ‘Yes’ Really Means: When a question asks “Do you change default passwords?” answering ‘yes’ means you actually changed them, not that you plan to. Be honest — false answers can create bigger problems than non-compliance.

Documentation You’ll Need:

  • List of all the ways you accept payments
  • Your network setup (for anything beyond SAQ A)
  • Vendor agreements for any third-party payment services
  • Security policies (many SAQs include templates if you don’t have them)

The Quarterly ASV Scan: If you have any internet-facing systems (websites, email servers, etc.), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor. Don’t panic — it’s an automated scan that checks for common security holes. Most ASV services cost $100-300 per year and take minutes to set up.

Submitting Your Package:
1. Complete the SAQ questionnaire (usually takes 30 minutes to 2 hours)
2. Run your ASV scan if required (automated, results in 24-48 hours)
3. Sign the Attestation of Compliance (AOC) — basically saying “yes, I answered truthfully”
4. Submit everything through your processor’s compliance portal

Most payment processors have online portals where you upload these documents. Once submitted and approved, you’re compliant for another year (though ASV scans run quarterly).

What It Costs

Let’s talk real numbers. PCI compliance costs vary, but for most small businesses, it’s less than you’d spend on a year of coffee runs:

Compliance Platform/Tools: $100-500/year for SAQ completion tools and guidance. Some payment processors include basic tools free.

ASV Scanning: $100-300/year for quarterly scans. Required for most merchants except those using only standalone terminals.

QSA Assessment: Only required for Level 1-3 merchants. If you’re Level 4 (most small businesses), you self-assess for free.

The Cost of NON-Compliance:

  • Monthly non-compliance fees: $20-100/month from your processor
  • Breach fines: $5,000-100,000 depending on the scope
  • Forensic investigation: $10,000+ if you have a breach
  • Lost business and reputation damage: Immeasurable

Here’s the bottom line: Annual compliance for a typical small merchant costs less than a single month of non-compliance fees. It’s not a profit center for anyone — it’s insurance against catastrophic losses.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done deal. Your processor will ask you to recertify every year, and certain changes to your business can trigger new requirements:

Set Annual Reminders: Mark your calendar for 30 days before your compliance anniversary. You’ll need time to gather any new documentation and complete your ASV scans.

Quarterly Requirements: If you need ASV scans, they run every 90 days. Most scanning services send automatic reminders, but set your own backup alerts.

Changes That Matter:

  • Adding new payment methods (like accepting payments online when you only took them in-store)
  • Switching payment processors or adding payment software
  • Storing card numbers when you didn’t before (please don’t)
  • Major network or system changes

Tracking Compliance: Manual tracking gets messy fast. PCICompliance.com’s compliance dashboard shows your compliance status, upcoming deadlines, scan results, and documentation all in one place. No more searching through emails for last year’s SAQ or wondering when your next scan is due.

FAQ

What happens if I just ignore the compliance questionnaire?

Your payment processor will start charging monthly non-compliance fees (typically $20-100). Worse, if you have a data breach while non-compliant, you’re fully liable for all costs — forensic investigation, card reissuance, fraud losses, and potential fines. The questionnaire takes an hour or two per year; the alternative risks could bankrupt a small business.

I only process a few cards per month. Do I still need to comply?

Yes. PCI DSS applies from your very first transaction — there’s no minimum volume exemption. The good news is that your low volume means simpler requirements and lower costs.

My payment processor says they handle PCI compliance for me. Am I covered?

Partially. Your processor handles security for the transactions they process, but you’re still responsible for your part — like keeping your terminals secure or not writing down card numbers. You’ll still need to complete an annual SAQ confirming you’re doing your part.

What’s the difference between PCI compliance and EMV?

EMV (chip cards) is about preventing counterfeit fraud. PCI DSS is about protecting cardholder data in all forms. You need both — EMV terminals for card-present transactions and PCI compliance for overall data security.

Can I just use cash to avoid all this?

Technically yes, but you’ll lose significant sales. Studies show businesses that don’t accept cards lose 20-30% of potential revenue. The hour or two per year for PCI compliance is worth keeping those customers.

How often do small businesses actually get fined?

Payment processors regularly charge monthly non-compliance fees — it’s automated and guaranteed if you ignore compliance. Breach-related fines are less common but devastating when they happen. Think of it like driving without insurance — you might get away with it until you don’t.

Is PCI compliance the same for online and physical stores?

The standards are the same, but the requirements differ. Online stores often qualify for simpler SAQs if they use hosted payment pages. Physical stores with standalone terminals also get simpler requirements. The complexity comes when you store cards or have integrated point-of-sale systems.

Do I need to hire a security consultant?

For most small businesses using standard payment solutions, no. The SAQ is designed for self-assessment. If you’re storing card data or have complex systems (SAQ D territory), then yes, get professional help. But if you’re SAQ A through C, you can handle it yourself with basic guidance.

Conclusion

PCI compliance sounds intimidating, but for most small businesses, it’s a manageable annual task that protects both you and your customers. If you’re using modern payment tools — hosted checkout pages, standalone terminals, or major payment platforms — you’re already doing most of what PCI requires. The compliance process just documents what you’re doing and fills any gaps.

The key is knowing which SAQ applies to your specific situation and having the right tools to complete it efficiently. That’s where PCICompliance.com makes the difference — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard keeps track of everything year-round. No more guessing which form to fill out or remembering when scans are due. Start with our free SAQ Wizard to see how simple compliance can be, or talk to our compliance team if you need guidance. In less time than it takes to do your quarterly taxes, you can check PCI compliance off your list for the entire year.
