Thailand PCI Compliance

Getting That PCI Compliance Questionnaire From Your Payment Processor? Here’s What You Actually Need to Know

Take a breath. That compliance questionnaire your payment processor just sent might look intimidating, but here’s the truth: for most small businesses in Thailand, PCI compliance is simpler than you think. If you’re using modern payment terminals or e-commerce platforms, you’re probably already doing 90% of what’s required — you just need to document it properly.

You’re not alone in feeling overwhelmed. Every business owner accepting credit cards faces this same requirement, from the street food vendor using a mobile terminal to the luxury hotel processing thousands of transactions. The good news? The payment card industry understands that different businesses have different capabilities, which is why there are simplified compliance paths for smaller merchants.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as basic security hygiene for businesses that handle credit card information. The rules exist because criminals want credit card data, and the card brands want to ensure every business in the payment chain does their part to protect it.

The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce compliance directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) does the enforcement. They’re the ones who sent you that questionnaire, and they’re required by the card brands to ensure all their merchants maintain compliance.

Why Should You Care?

Non-compliance has real consequences. Your payment processor can fine you monthly until you comply — typically starting at a few hundred baht and escalating quickly. If your business experiences a data breach while non-compliant, you become liable for fraud losses, forensic investigation costs, and card reissuance fees that can reach millions of baht. In extreme cases, you could lose your ability to accept credit cards entirely.

But here’s what should ease your mind: most small businesses qualify for the simplest compliance requirements. If you’re reading this article, you’re probably not handling the transaction volumes that require complex assessments. The standard recognizes that a small retail shop shouldn’t face the same requirements as a major bank.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form — whether through a physical terminal, online, over the phone, or even on paper — yes, you need to be PCI compliant. This applies whether you process one transaction per month or thousands per day.

Understanding Merchant Levels

The payment card industry divides merchants into four levels based on annual transaction volume:

Merchant Level | Annual Visa Transactions | Compliance Requirements
---------------|--------------------------|-----------------------------------------
Level 1        | Over 6 million           | Annual on-site assessment by QSA
Level 2        | 1-6 million              | Annual self-assessment + quarterly scans
Level 3        | 20,000-1 million         | Annual self-assessment + quarterly scans
Level 4        | Less than 20,000         | Annual self-assessment + quarterly scans

Most small and medium businesses fall into Level 4, which means you can self-assess your compliance using a simplified questionnaire called an SAQ (Self-Assessment Questionnaire).

What Your Payment Processor Expects

That questionnaire your processor sent is their way of verifying your compliance. They need you to:

1. Complete the appropriate SAQ for your business type
2. Run quarterly vulnerability scans if you have any internet-facing systems
3. Submit an Attestation of Compliance (AOC) — basically your signature saying the information is accurate
4. Keep your compliance current with annual updates

They’re not trying to catch you out. Your processor wants you to succeed because non-compliant merchants create risk for everyone in the payment ecosystem.

Which SAQ Do You Need?

The key to simplifying PCI compliance is identifying the right SAQ for your business. There are different versions, each tailored to specific payment scenarios:

How You Accept Payments                    | Your SAQ Type | Questions to Answer | Complexity
-------------------------------------------|---------------|---------------------|-----------
Fully outsourced (PayPal, Stripe Checkout) | SAQ A         | 22 questions        | Simplest
E-commerce with direct post                | SAQ A-EP      | 191 questions       | Moderate
Terminal only (no electronic storage)      | SAQ B         | 41 questions        | Simple
Terminal with IP connection                | SAQ B-IP      | 82 questions        | Simple
Phone/mail orders (no storage)             | SAQ C-VT      | 80 questions        | Moderate
You store card numbers                     | SAQ D         | 329 questions       | Complex

Let’s decode these scenarios:

SAQ A: The Simplest Path

If your e-commerce site redirects to a hosted payment page (like when you click “Pay with PayPal” or use Stripe Checkout), you qualify for SAQ A. Your website never touches the actual card data — it goes directly from the customer to the payment provider.

SAQ B or B-IP: Standalone Terminals

Using a Square reader, Clover terminal, or similar device? If it’s a dial-out terminal with no connection to your other systems, that’s SAQ B. If it connects via your internet (IP), you’ll need SAQ B-IP. Either way, these are still relatively simple.

SAQ C-VT: Phone Orders

Taking orders over the phone? As long as you’re entering them directly into a virtual terminal (web-based payment form) without writing them down or storing them, you qualify for SAQ C-VT.

SAQ D: The Full Assessment

If you store credit card numbers in any form — in your database, in files, even in emails — you’re looking at SAQ D. This is the same questionnaire big retailers complete, with over 300 questions. If you’re in this category, seriously consider whether you need to store card data. Most businesses don’t.

Not Sure Which One?

PCICompliance.com offers a free SAQ Wizard — answer a few simple questions about how you accept payments, and we’ll tell you exactly which questionnaire applies to your business.

How to Complete Your SAQ

Once you know which SAQ applies, the actual completion process is straightforward. The questionnaire consists of yes/no questions about your security practices. Here’s what to expect:

Understanding the Questions

Each question asks whether you’ve implemented a specific security control. “Yes” means you’re doing it consistently, have documentation to prove it, and can show evidence if asked. “No” means you need to implement that control before you can achieve compliance.

For example, a typical SAQ A question might ask: “Are all pages that collect payment card data encrypted using strong cryptography?” If you’re using a hosted checkout page, the answer is yes — your payment provider handles the encryption.

Documentation You’ll Need

Gather these items before starting your SAQ:

  • List of all payment applications and terminals
  • Network diagram (even a simple one) if you process over IP
  • Written policies for handling card data (can be simple for small businesses)
  • Evidence of quarterly ASV scans (if required for your SAQ type)
  • Vendor compliance certificates (like PCI compliance attestations from your payment gateway)

The Quarterly ASV Scan

If you have any systems connected to the internet (including e-commerce websites), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). Don’t let the technical name intimidate you — it’s an automated scan that checks for common security vulnerabilities. Most ASV services cost between 1,500-3,000 baht per quarter and take minutes to set up.

Submitting Your Compliance

After completing your SAQ and passing any required scans:

1. Generate your Attestation of Compliance (AOC)
2. Submit both documents to your payment processor
3. Save copies for your records
4. Set a reminder for next year’s assessment

Most processors have online portals where you upload these documents. Some integrate with compliance platforms to make submission automatic.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your merchant level and SAQ type, but here’s what to budget:

Compliance Platform and Tools

  • SAQ completion tools: 3,000-15,000 baht per year
  • Includes questionnaire wizard, policy templates, and compliance tracking
  • Some payment processors provide basic tools free

Quarterly ASV Scanning

  • Required for most SAQ types: 1,500-3,000 baht per quarter
  • Annual cost: 6,000-12,000 baht
  • Includes vulnerability detection and remediation guidance

If You Need Professional Help

  • QSA consultation: 30,000-60,000 baht for assessment guidance
  • Full Level 1 ROC assessment: 300,000+ baht (only for largest merchants)
  • Most small businesses never need professional assessment

The Cost of Non-Compliance

Your processor’s non-compliance fees typically start at 3,000-6,000 baht per month and can escalate to 30,000+ baht monthly. A data breach while non-compliant could cost millions in fraud liability, forensic investigation, and card reissuance fees. One year of compliance costs less than a single month of non-compliance fines.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual requirement with ongoing obligations. Here’s how to stay on track:

Annual Renewal

Your SAQ expires after 12 months. Set calendar reminders at:

  • 10 months: Start gathering updated documentation
  • 11 months: Complete your new SAQ
  • 12 months: Submit before expiration

Quarterly Obligations

If your SAQ type requires ASV scanning:

  • Schedule scans every 90 days
  • Review and remediate any findings
  • Keep passing scan reports for your records

When Things Change

Certain changes require immediate compliance review:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or applications
  • Starting to store card data (please reconsider)
  • Significant network or system changes

Making It Manageable

PCICompliance.com’s compliance dashboard tracks all these dates and requirements automatically. You’ll get reminders before scans are due, alerts when your SAQ needs renewal, and guidance if your business changes require a different assessment type.

FAQ

Q: What if I only process a few transactions per month?

A: Transaction volume doesn’t exempt you from PCI compliance — even one transaction per year requires compliance. However, lower volumes mean you’re Level 4, qualifying for the simplest self-assessment process. The requirements are proportional to your risk level.

Q: Can I just ignore this questionnaire from my processor?

A: Ignoring it will result in monthly non-compliance fees starting within 60-90 days, typically 3,000-6,000 baht monthly and escalating. Your processor may eventually terminate your ability to accept cards. Completing the questionnaire takes less time than dealing with the consequences of ignoring it.

Q: Do I need to hire a security consultant?

A: Most small businesses don’t need professional help. If you qualify for SAQ A, B, or B-IP, you can complete the assessment yourself using online tools. Only SAQ D or Level 1 merchants typically need QSA involvement. Start with self-assessment tools and only engage consultants if you hit specific technical challenges.

Q: What if I fail my ASV scan?

A: The findings behind a failed scan are typically outdated software or misconfigurations, and your ASV report will explain exactly what needs fixing. Most issues can be resolved by applying updates or adjusting settings. You can rescan immediately after making fixes. PCICompliance.com includes remediation guidance with our ASV service to help you pass quickly.

Q: How do I know if I’m storing card data?

A: Search your systems for 16-digit numbers, check your email for card data, review any spreadsheets or databases. If you’re unsure, assume you are storing data and take steps to remove it. Modern payment systems eliminate the need to store card data — use tokenization or hosted payment pages instead.

Q: Is PCI compliance required by law in Thailand?

A: PCI compliance is a contractual requirement from your payment processor, not a government regulation. However, Thailand’s Personal Data Protection Act (PDPA) has similar data protection requirements. Being PCI compliant helps you meet both obligations and protects you from breach liability.

Q: What’s the difference between PCI compliance and PDPA compliance?

A: PCI DSS specifically protects payment card data, while PDPA covers all personal data. They overlap but aren’t identical — PCI compliance helps with PDPA compliance for payment data, but PDPA has broader requirements. Focus on PCI for card processing and ensure your overall data practices align with PDPA.

Q: Can I just use cash to avoid all this?

A: While cash avoids PCI requirements, you’ll miss significant revenue from customers who prefer cards. Studies show businesses accepting cards see 20-30% higher average transactions. The convenience for customers and increased sales typically far outweigh the compliance costs. Plus, many customers now expect card payment options.

Moving Forward With Confidence

Thailand PCI compliance might seem overwhelming when that first questionnaire arrives, but you’ve just learned it’s manageable for most businesses. Whether you’re running a small online shop or a growing retail operation, there’s an appropriate compliance path for your situation.

Start by identifying your SAQ type — this single step eliminates 90% of the confusion. If you’re like most small merchants using modern payment solutions, you’ll qualify for one of the simpler questionnaires. The actual requirements often align with basic security practices you’re already following.

Remember, your payment processor wants you to succeed. PCI compliance protects their business too, which is why they often provide resources and support. Don’t hesitate to contact them with questions — they’d rather help you comply than process non-compliance fees.

PCICompliance.com simplifies this entire process. Our free SAQ Wizard identifies exactly which questionnaire you need in minutes. Our ASV scanning service handles your quarterly vulnerability scans automatically. Our compliance dashboard tracks every requirement and deadline, sending reminders before anything expires. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and guidance to achieve and maintain PCI compliance efficiently. Start with our free SAQ Wizard to identify your requirements, or contact our compliance team to discuss your specific situation. We’ve helped thousands of businesses navigate PCI compliance successfully — yours can be next.
