Philippines PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a breath. For most small businesses in the Philippines, PCI compliance is much simpler than it sounds. You’re probably looking at a straightforward self-assessment that takes an afternoon to complete, not the complex audit you might be imagining.

Here’s what you actually need to know: If you accept credit or debit cards in any form — whether through a terminal, online, or over the phone — you need to be PCI compliant. Your payment processor sent you that questionnaire because they’re required to verify your compliance annually. The good news? Most small merchants qualify for the simplest questionnaire types, and with the right guidance, you can complete yours today.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. Think of it as basic security hygiene for businesses that handle payment cards. The standard exists because card fraud costs billions annually, and everyone in the payment chain — from giant retailers to tiny shops — plays a role in preventing it.

The major card brands (Visa, Mastercard, American Express, Discover, JCB, and UnionPay) created these standards through an organization called the PCI Security Standards Council. But here’s the important part: the card brands don’t enforce compliance directly. Your acquirer (the bank or payment processor that handles your card transactions) does. When they send you that compliance questionnaire, they’re fulfilling their obligation to the card brands.

What happens if you ignore that questionnaire? Your processor can fine you — typically starting at a few hundred pesos monthly and escalating from there. If your business experiences a data breach while non-compliant, you could face massive fines and lose your ability to accept cards entirely. You’ll also be liable for any fraud that results from the breach.

But don’t panic. For most small businesses, achieving compliance means completing a simple self-assessment questionnaire (SAQ) and running quarterly security scans. You don’t need a team of security experts or expensive consultants. You just need to understand which requirements apply to your business and how to meet them.

Do You Need to Be PCI Compliant?

The simple answer: If you accept credit or debit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you process one transaction per month or thousands per day. The moment you accept card payments, PCI DSS applies to your business.

Your merchant level determines how you demonstrate compliance. Most small and medium businesses fall into Level 4, which means you process fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. Level 4 merchants complete a self-assessment rather than hiring an outside assessor.

Here’s how to determine your merchant level:

| Annual Transaction Volume | Merchant Level | Compliance Method |
| --- | --- | --- |
| Over 6 million | Level 1 | Annual onsite assessment by QSA |
| 1-6 million | Level 2 | Annual SAQ, quarterly scans |
| 20,000-1 million e-commerce | Level 3 | Annual SAQ, quarterly scans |
| Under 20,000 e-commerce or under 1 million total | Level 4 | Annual SAQ, may require quarterly scans |

Your payment processor expects you to complete an annual self-assessment and submit an Attestation of Compliance (AOC). Depending on how you accept payments, you might also need quarterly vulnerability scans performed by an Approved Scanning Vendor (ASV).

That questionnaire they sent you? It’s your annual compliance check-in. They need to verify that you’re following security practices appropriate for how you handle card data. Ignore it, and you’ll likely see non-compliance fees on your next statement.

Which SAQ Do You Need?

The most confusing part of PCI compliance for newcomers is figuring out which SAQ applies. There are nine different SAQ types, each designed for specific payment scenarios. Choose the wrong one, and you’ll either overwhelm yourself with unnecessary requirements or miss critical security controls.

Here’s the decision tree in plain language:

If you use a standalone payment terminal (like those from BDO, BPI, or payment facilitators like PayMaya or GCash for Business), you’re likely SAQ B or SAQ B-IP. SAQ B applies when your terminal connects via dial-up or cellular. SAQ B-IP applies when it connects via your internet connection but is isolated from other systems.

If you have an e-commerce site where customers are redirected to a hosted payment page (like DragonPay, PayPal, or 2C2P), you’re likely SAQ A. This is the simplest SAQ with only 22 requirements. Your website never touches card data — the payment provider handles everything.

If you manually enter card numbers into a virtual terminal or payment gateway website, you’re SAQ C-VT. Many businesses that take orders over the phone fall into this category.

If you store card numbers anywhere — in files, databases, or even paper — you’re looking at SAQ D. This is the most complex SAQ with over 200 requirements. If you’re storing card data, seriously consider whether you need to. Most businesses can redesign their processes to avoid storage entirely.

| Your Payment Scenario | Likely SAQ Type | Number of Requirements | Quarterly Scans Required? |
| --- | --- | --- | --- |
| Standalone terminal only | SAQ B | 41 | No |
| Internet-connected terminal (isolated) | SAQ B-IP | 82 | Yes |
| E-commerce with full redirect | SAQ A | 22 | No |
| E-commerce with payment iframe | SAQ A-EP | 191 | Yes |
| Virtual terminal (web-based) | SAQ C-VT | 83 | No |
| Any card data storage | SAQ D | 200+ | Yes |

Still unsure? PCICompliance.com’s SAQ Wizard asks a few simple questions about how you accept payments and tells you exactly which SAQ applies to your business.

How to Complete Your SAQ

Once you know which SAQ you need, completing it is straightforward. Each SAQ is a questionnaire with yes/no questions about your security practices. For example, SAQ A might ask, “Do you review and verify that your payment page redirect uses only supported, strong cryptography?”

Don’t let the technical language intimidate you. In practice, this means: “When customers click ‘Pay Now,’ does your site send them to a secure payment page (look for ‘https://’ and the padlock icon)?” The answer for most properly configured e-commerce sites is yes.

For each question, you’ll mark yes, no, or N/A (not applicable). Every “no” answer requires an explanation and a plan to fix the issue. Your goal is to answer “yes” or “N/A” to every question. If you can’t, you’ll need to implement the missing security control before you can be compliant.

You’ll need to gather some basic documentation:

  • Your network diagram (even a simple sketch showing how your payment systems connect)
  • List of all systems that handle card data
  • Your security policies (many SAQs include templates you can customize)
  • Recent vulnerability scan reports (if required for your SAQ type)

If your SAQ type requires quarterly ASV scans, you’ll need to schedule these with an approved vendor. These scans check your internet-facing systems for vulnerabilities. They’re automated, typically take a few hours to run, and you’ll receive a report showing any issues that need fixing.

Once you’ve completed your SAQ and addressed any vulnerabilities, you’ll generate an AOC — a formal declaration that you’ve met all applicable requirements. Submit this to your payment processor, and you’re compliant for another year.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your business size and payment methods, but for most Philippine small businesses, you’re looking at modest annual expenses.

Compliance platforms and SAQ tools typically run ₱5,000-₱25,000 annually. These services guide you through your SAQ, track your compliance status, and often include support. Some payment processors include basic compliance tools with your merchant account.

Quarterly ASV scanning, when required, costs ₱2,000-₱8,000 per scan, or ₱8,000-₱32,000 annually. Many compliance platforms bundle scanning with their annual fee. The scans are automated — you provide your IP addresses or URLs, and the ASV does the rest.

If you need a QSA (typically only for Level 1 merchants or complex environments), expect to pay ₱500,000-₱2,000,000+ for a full assessment. But remember, most small businesses never need a QSA. Your self-assessment is sufficient.

Now consider the cost of non-compliance: Monthly fines from your processor start around ₱5,000 and can escalate to ₱50,000 or more. If you experience a breach while non-compliant, fines can reach millions of pesos, plus you’ll cover fraud losses and potentially lose your ability to accept cards.

Put simply: Annual compliance for most small merchants costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — it’s basic business protection.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox. Your processor will send that questionnaire annually, and if you require ASV scans, those happen quarterly. But staying compliant is easier than achieving it the first time.

Set calendar reminders for:

  • Your annual SAQ due date (usually the anniversary of your last submission)
  • Quarterly scan windows (if required)
  • Security update schedules for your payment systems
  • Annual reviews of your security policies

Certain changes trigger a reassessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or gateways
  • Implementing new payment technologies
  • Significantly increasing transaction volume

When these changes occur, revisit your SAQ type. What worked for your retail store might not cover your new online shop. PCICompliance.com’s compliance dashboard tracks all these dates and changes, sending reminders before deadlines and flagging when reassessment might be needed.

FAQ

I’m just a small business. Do I really need to do this?

Yes, if you accept cards, PCI compliance applies regardless of business size. The good news is that small businesses typically qualify for the simplest SAQ types. Your compliance process is much easier than what large retailers face.

What if I only process a few transactions per month?

Transaction volume doesn’t exempt you from PCI requirements, but it does determine your merchant level. Low-volume merchants complete simple self-assessments rather than hiring outside assessors. The requirements scale with your risk.

Can my payment processor handle compliance for me?

Your processor can provide tools and guidance, but ultimately compliance is your responsibility. Some processors offer managed compliance services where they help complete your SAQ, but you still need to implement and maintain the actual security controls.

What happens if I fail my vulnerability scan?

Failing a scan isn’t the end of the world — it’s actually common on the first attempt. You’ll receive a report detailing what needs fixing. Address the vulnerabilities, rescan, and repeat until you pass. Most issues are simple configuration changes.

Do I need to hire a security consultant?

Most small businesses don’t need consultants for PCI compliance. If you’re SAQ A or B, you can likely handle it yourself with good guidance. Consultants become valuable for complex environments or if you’re struggling with technical requirements.

How do I know if I’m storing card data?

Search your systems for 16-digit numbers. Check databases, spreadsheets, order forms, and email. If you find card numbers anywhere, you’re storing card data. The easiest path to compliance is often to stop storing it entirely.
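A quick way to carry out that search on exported files (CSV dumps, order logs, mail archives) is a small scanner that looks for digit runs and keeps only those passing the Luhn checksum, which real card numbers satisfy and most order or phone numbers do not. This is an added example, not part of the original article or PCICompliance.com’s tooling; it goes slightly beyond the text by accepting 13-19 digit runs (the range real PANs use) and the sample text it scans is constructed.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
# Lookarounds stop a longer digit run (e.g. a 20-digit reference) from matching.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show only the first 6 and last 4 digits, the display form PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list[dict]:
    """Return every Luhn-valid candidate in text, with its line number, masked."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append({"line": lineno, "masked": mask(digits), "length": len(digits)})
    return hits

# Constructed sample export: two real-looking test PANs, one phone number, one
# 16-digit reference that fails Luhn and must not be reported.
SAMPLE_TEXT = """\
order_id,customer,note
1001,Maria,paid with 4111 1111 1111 1111 on terminal
1002,Jose,callback 0917 123 4567
1003,Ana,card 371449635398431 keep on file
1004,Ben,ref 1234567890123456 (not a card)
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_TEXT):
        print(f"line {hit['line']}: {hit['masked']} ({hit['length']} digits)")
```

Run it over each exported file; any hit means you are storing card data and that file (and the process that produced it) falls under SAQ D until the numbers are removed.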

Can I just ignore the questionnaire from my processor?

Ignoring compliance requirements leads to monthly fines, increased liability, and potentially losing your merchant account. The fines alone will quickly exceed the cost of compliance. Better to spend an afternoon completing your SAQ than deal with escalating penalties.

What’s the difference between PCI compliance and having a secure website?

PCI compliance is specifically about protecting card data, while website security is broader. You can have a secure website but still fail PCI requirements if you’re not following specific card data protections. Conversely, being PCI compliant doesn’t mean your entire website is secure — just the parts handling card data.

Conclusion

PCI compliance might seem overwhelming when that first questionnaire arrives, but for most Philippine businesses, it’s a manageable process. You’re likely looking at a simple SAQ that takes a few hours to complete, not the complex audit you might have imagined. The key is understanding which requirements apply to your specific payment setup and tackling them systematically.

Remember, PCI compliance protects both your business and your customers. Those security requirements exist because real businesses suffer real losses from payment card fraud every day. By following these standards, you’re joining a global effort to make card payments safer for everyone.

Ready to start? PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team if you need guidance. Most merchants complete their first assessment the same day they start.
