Poland PCI Compliance

What You Need to Know About Poland PCI Compliance

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small and medium-sized businesses in Poland, PCI compliance is far simpler than it first appears. The questionnaire sitting in your inbox isn’t a test you can fail — it’s a checklist to confirm you’re protecting your customers’ credit card data. And depending on how you accept payments, you might be able to complete it in less than an hour.

Here’s what matters: if you accept credit or debit cards from Visa, Mastercard, American Express, Discover, or JCB — whether in your shop, online, or over the phone — you need to be PCI compliant. The good news? Most businesses qualify for the simplest compliance types, especially if you’re using modern payment terminals or hosted checkout pages.

What Is PCI Compliance (In Plain English)

PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules created by the major card brands to protect credit card information. Every business that accepts, processes, stores, or transmits credit card data must follow these rules — from the corner café in Kraków to major online retailers.

The card brands (Visa, Mastercard, American Express, Discover, and JCB) created these standards through an organization called the PCI Security Standards Council. But they don’t enforce compliance directly. Instead, your acquirer — the bank or payment processor that handles your card transactions — is responsible for making sure you comply. That’s why you received the questionnaire from them.

Why Should You Care?

Non-compliance carries real consequences. Your payment processor can fine you monthly (typically €50-€500 for small merchants). If there’s a data breach and you weren’t compliant, you could face fines up to €100,000 and become liable for fraudulent charges. In extreme cases, you could lose the ability to accept card payments entirely.

But here’s the reassuring part: for most small businesses using modern payment solutions, achieving compliance is straightforward. If you’re using a standalone terminal from a provider like PayU, Przelewy24, or international providers like Square or SumUp, you’re already doing most things right. The compliance process just documents what you’re doing.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit or debit cards in any form — whether chip and PIN, contactless, online, or over the phone — you need to be PCI compliant. This applies whether you’re a physical shop in Warsaw, an e-commerce site serving all of Poland, or a service business taking payments over the phone.

Your Merchant Level

PCI groups merchants into four levels based on annual transaction volume:

  • Level 4: Under 20,000 Visa transactions or under 1 million total card transactions annually (most small businesses)
  • Level 3: 20,000 to 1 million Visa transactions annually
  • Level 2: 1 to 6 million Visa transactions annually
  • Level 1: Over 6 million Visa transactions annually

Most small and medium businesses fall into Level 4, which has the simplest compliance requirements. You complete a Self-Assessment Questionnaire (SAQ) annually and run quarterly vulnerability scans if you have any internet-facing systems.

What Your Payment Processor Expects

Your acquirer or payment processor sent you that questionnaire because the card brands require them to verify your compliance. They need:

  • A completed SAQ (the questionnaire itself)
  • An Attestation of Compliance (AOC) — basically your signature saying the information is accurate
  • Quarterly vulnerability scan results if you process payments online
  • Evidence that you’ve completed these requirements annually

Miss these requirements and your processor will start with warning letters, then monthly non-compliance fees, and potentially increase your transaction rates.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in different versions, from the simple 22-question SAQ A to the comprehensive 329-question SAQ D. Which one you need depends entirely on how you accept and process payments.

Payment Scenarios and SAQ Types

How you accept payments, with the SAQ type, number of questions and complexity for each scenario:

  • E-commerce with fully hosted checkout (customer enters card details on Stripe, PayPal, PayU, Przelewy24): SAQ A, 22 questions, Simple
  • E-commerce with payment fields on your site (using Stripe Elements, PayPal Pro): SAQ A-EP, 191 questions, Moderate
  • Standalone terminal with dial-up/cellular connection (no electronic cardholder data storage): SAQ B, 41 questions, Simple
  • Standalone terminal connected to your network (SumUp, Square Reader): SAQ B-IP, 82 questions, Simple
  • Call center or phone orders using a virtual terminal: SAQ C-VT, 81 questions, Moderate
  • Payment application connected to the internet (not using a P2PE solution): SAQ C, 160 questions, Complex
  • Any electronic storage, processing, or transmission of card data: SAQ D, 329 questions, Complex

Common Scenarios for Polish Businesses

Restaurant or retail shop with standalone terminal: You’re likely SAQ B or B-IP. If your terminal connects via phone line or cellular, it’s SAQ B (41 questions). If it connects through your internet or Wi-Fi, it’s SAQ B-IP (82 questions).

E-commerce using WooCommerce with PayU or Przelewy24: If customers are redirected to pay on PayU’s or Przelewy24’s site, you’re SAQ A (22 questions). If you use an iframe or API where customers stay on your site, you’re SAQ A-EP (191 questions).

Service business taking phone payments: If you type card details into a virtual terminal webpage, you’re SAQ C-VT (81 questions).

Using modern integrated POS: Many cloud-based POS systems like Square, Toast, or Lightspeed qualify for simplified SAQs if they’re validated P2PE solutions.

Not sure which one fits? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire applies.
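The scenario table and the common scenarios above can be written down as a small decision function. This is an added illustration, not PCICompliance.com's SAQ Wizard or any code from this page; the PaymentSetup field names and channel values are assumptions, and the only rule it adds beyond the table is that storing card data electronically overrides every other answer (SAQ D).

```python
from dataclasses import dataclass

# SAQ types exactly as listed on this page: type -> (question count, complexity).
SAQ_TABLE = {
    "A": (22, "Simple"), "A-EP": (191, "Moderate"), "B": (41, "Simple"),
    "B-IP": (82, "Simple"), "C-VT": (81, "Moderate"), "C": (160, "Complex"),
    "D": (329, "Complex"),
}


@dataclass
class PaymentSetup:
    """A merchant's answers about how cards are accepted (field names are assumptions)."""
    channel: str                            # "ecommerce", "terminal", "phone" or "payment_app"
    stores_card_data: bool = False          # any electronic storage of cardholder data
    hosted_checkout: bool = True            # ecommerce: full redirect to PayU/Przelewy24/Stripe
    terminal_connection: str = "cellular"   # terminal: "dialup", "cellular" or "ip"
    internet_facing_systems: bool = False   # website, mail server, IP-connected terminal...


def choose_saq(setup: PaymentSetup) -> str:
    """Apply the page's scenario table; storing card data overrides every other answer."""
    if setup.stores_card_data:
        return "D"
    if setup.channel == "ecommerce":
        # Redirect to the provider's page keeps card fields off your site (A);
        # iframe/API fields rendered on your own site make it A-EP.
        return "A" if setup.hosted_checkout else "A-EP"
    if setup.channel == "terminal":
        # Phone-line or cellular terminal is B; a terminal on your LAN/Wi-Fi is B-IP.
        return "B" if setup.terminal_connection in ("dialup", "cellular") else "B-IP"
    if setup.channel == "phone":
        return "C-VT"   # card details typed into a virtual-terminal web page
    if setup.channel == "payment_app":
        return "C"      # internet-connected payment application without P2PE
    raise ValueError(f"unknown channel: {setup.channel!r}")


def compliance_requirements(setup: PaymentSetup) -> dict:
    """What the acquirer will ask for, following the page's list of expectations."""
    saq = choose_saq(setup)
    questions, complexity = SAQ_TABLE[saq]
    evidence = [f"Completed SAQ {saq}", "Signed Attestation of Compliance (AOC)"]
    if setup.internet_facing_systems:   # quarterly ASV scans only for internet-facing systems
        evidence.append("Quarterly ASV scan reports")
    return {"saq": saq, "questions": questions, "complexity": complexity,
            "asv_scan_required": setup.internet_facing_systems, "evidence": evidence}


if __name__ == "__main__":
    # Constructed example: a café whose cellular terminal is its only card channel.
    print(compliance_requirements(PaymentSetup(channel="terminal")))
```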

How to Complete Your SAQ

Once you know which SAQ type you need, the actual process is straightforward. Each questionnaire contains yes/no questions about your payment security practices. Here’s what to expect:

What the Questions Look Like

Questions range from simple (“Do you have a firewall?”) to more specific (“Are security patches installed within one month of release?”). For each question, you’ll answer:

  • Yes: You have this control in place
  • No: You don’t have this control
  • N/A: This doesn’t apply to your environment

“Yes” doesn’t mean perfection — it means you have a reasonable control in place. For example, “Do you restrict physical access to cardholder data?” If you keep your terminal in a locked office or behind a counter where customers can’t access it, that’s a “yes.”

Documentation You’ll Need

Gather these before starting:

  • Network diagram (even a simple sketch for SAQ B-IP)
  • List of who has access to payment systems
  • Your data retention and disposal policy (can be one page)
  • Evidence of quarterly vulnerability scans (for internet-facing systems)
  • Security policies (templates are fine for small merchants)

The Quarterly ASV Scan

If you have any internet-facing systems (website, email server, etc.), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor. This automated scan checks for security weaknesses in your public-facing systems. It typically takes 15-30 minutes to set up and runs automatically.

Don’t panic if your first scan shows failures — most do. Your ASV will provide a report showing what needs fixing, usually basic items like updating software or closing unnecessary ports.

Submitting Your Compliance

After completing your SAQ:
1. Review your answers and ensure supporting documentation exists
2. Complete the Attestation of Compliance (AOC) — this legally attests your answers are accurate
3. Submit both documents to your acquirer through their portal or email
4. Save copies for your records

Most acquirers have online portals where you upload these documents. You’ll receive confirmation of compliance, which is valid for one year.

What It Costs

PCI compliance costs vary based on your complexity, but for most Level 4 merchants, it’s quite affordable:

Typical Annual Costs

SAQ and Compliance Tools: €100-500 per year

  • Basic compliance platforms: €100-200/year
  • Comprehensive platforms with scanning and support: €300-500/year
  • PCICompliance.com starts at €99/year for small merchants

ASV Scanning (if required): €200-400 per year

  • Usually €50-100 per quarterly scan
  • Many compliance platforms include this
  • Required only if you have internet-facing systems

Professional Help (if needed):

  • QSA consultation: €500-2,000 for guidance
  • Full QSA assessment: €10,000+ (only required for Level 1 merchants)
  • Most small merchants never need a QSA

The Cost of Non-Compliance

Avoiding compliance costs more than completing it:

  • Monthly non-compliance fees: €50-500
  • Data breach fines: €5,000-100,000
  • Forensic investigation costs: €20,000+
  • Lost ability to process cards: priceless

For most small merchants, annual compliance costs less than two months of non-compliance fees. It’s simply good business.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly components. But once you’ve completed it the first time, renewals are much simpler.

Annual Requirements

  • Complete your SAQ and AOC each year
  • Run quarterly ASV scans (if applicable)
  • Update documentation if your payment methods change
  • Train staff on security basics

Setting Up for Success

Create calendar reminders:

  • Annual SAQ due date (usually anniversary of last submission)
  • Quarterly scan dates (every three months)
  • Monthly check of compliance portal for any new requirements
  • Annual staff security training

When Things Change

You’ll need to reassess your compliance if you:

  • Change payment processors or add new payment methods
  • Start storing card data (please don’t)
  • Add e-commerce to your physical store
  • Significantly increase transaction volume

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sends reminders, and alerts you if your payment setup changes might affect your SAQ type.

Frequently Asked Questions

I’m just a small shop in Poland. Do I really need to worry about this?

Yes, but it’s simpler than you think. If you accept credit cards, you need to be compliant regardless of size. However, small merchants typically need only the simplest SAQ types, which take 30-60 minutes to complete annually.

What happens if I ignore the compliance questionnaire?

Your payment processor will start charging non-compliance fees (typically €50-500 monthly) and may eventually terminate your ability to accept cards. It’s much easier and cheaper to spend an hour completing the questionnaire.

Do I need to hire a security consultant or QSA?

Probably not. Level 4 merchants (processing under 1 million transactions annually) can self-assess using the SAQ. Only Level 1 merchants and service providers require a QSA assessment.

I use PayU/Przelewy24 for everything. Am I already compliant?

Not automatically. While these providers handle security for the payment page, you still need to complete your SAQ annually and ensure your overall environment is secure. You’re likely SAQ A, the simplest type.

How do I know if my answers are correct?

Answer honestly based on your actual practices. The questions are designed to be clear. If you’re unsure, err on the side of caution and mark “no” — you can always implement the control and update your answer.

What if I fail my vulnerability scan?

This is normal for first-time scans. Your ASV will provide a detailed report of what needs fixing. Most issues are simple updates or configuration changes. Fix them and rescan — you can scan as many times as needed.

Can I just say “yes” to everything to pass?

No — this constitutes fraud. The AOC is a legal attestation. False statements can result in fines, loss of card processing abilities, and personal liability in case of a breach. Answer honestly.

How long does compliance last?

One year from your submission date. You’ll need to recomplete your SAQ annually and run quarterly ASV scans if applicable. Mark your calendar or use a compliance platform that sends reminders.

Your Path to PCI Compliance

PCI compliance might seem daunting when that first questionnaire arrives, but for most Polish businesses, it’s a manageable process. If you’re using modern payment solutions — whether a standalone terminal in your shop or hosted checkout for your online store — you’re likely already following most requirements. The compliance process simply documents what you’re doing.

Start by identifying which SAQ type applies to your payment setup. For most small merchants, this will be one of the simpler types: SAQ A for e-commerce with hosted checkout, or SAQ B/B-IP for physical terminals. Once you know your type, set aside an hour to complete the questionnaire — answer honestly, gather basic documentation, and submit through your processor’s portal.

PCICompliance.com makes this entire process simpler. Our free SAQ Wizard identifies exactly which questionnaire you need based on your payment setup. Our ASV scanning service handles your quarterly vulnerability scans automatically. And our compliance dashboard tracks everything year-round, sending reminders when it’s time to renew and alerting you if anything changes that might affect your compliance.

Whether you’re completing your first SAQ or managing compliance for multiple locations, we provide the tools and guidance to achieve and maintain PCI compliance efficiently. Start with our free SAQ Wizard to identify your requirements, or contact our compliance team for personalized guidance on your path to PCI compliance.
