Kenya PCI Compliance

You Just Got a PCI Compliance Questionnaire — Don’t Panic

Your payment processor or bank sent you something about “PCI compliance” and now you’re staring at terms like SAQ, AOC, and ASV wondering what language this is written in. Here’s the good news: if you’re a small business accepting credit cards in Kenya, PCI compliance is probably much simpler than it looks. Most merchants can complete their requirements in an afternoon with the right guidance.

Let me walk you through exactly what you need to do, step by step. No jargon, no confusion — just clear answers about what PCI compliance means for your business.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist designed to protect credit card information from theft.

If you accept, process, store, or transmit credit card payments in any way, these requirements apply to you. It doesn’t matter if you’re a small shop in Nairobi taking payments on a mobile terminal or an e-commerce site serving customers across East Africa — if credit cards touch your business, you need to be PCI compliant.

The card brands set up an organization called the PCI Security Standards Council (PCI SSC) to write and maintain the standard, but the PCI SSC doesn't enforce it. Enforcement comes from the card brands through your acquirer (the bank or payment processor that handles your card transactions), which is responsible for making sure you're following the rules. That questionnaire they sent? That's them doing their job.

What Happens If You’re Not Compliant?

Let’s be clear about the consequences:

  • Monthly non-compliance fees from your payment processor (commonly KES 5,000 to 50,000 per month, depending on the processor)
  • Liability for fraud losses if cardholder data gets stolen
  • Higher transaction fees as a non-compliant merchant
  • Loss of ability to accept credit cards in extreme cases

But here’s the thing — for most small businesses, achieving compliance is straightforward. The horror stories you might have heard usually involve large companies storing millions of card numbers. If you’re using modern payment tools and following basic security practices, you’re probably already doing most of what’s required.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit or debit cards, yes.

It doesn’t matter if you:

  • Only process a few transactions per month
  • Use a mobile payment terminal
  • Accept cards alongside M-PESA (a mobile-money transfer isn't card data, but every card transaction you take is in scope)
  • Have an online store with just a handful of customers
  • Take card details over the phone occasionally

Your merchant level determines how you demonstrate compliance. Levels are set per card brand and confirmed by your acquirer. Under Visa's scheme, Level 4 covers merchants processing fewer than 20,000 Visa e-commerce transactions a year and all other merchants processing up to 1 million Visa transactions a year, which is where most small and medium businesses fall. This is good news: Level 4 merchants typically complete a Self-Assessment Questionnaire (SAQ) rather than undergo a full onsite assessment.

What Your Payment Processor Expects

When your payment processor sends that compliance questionnaire, they’re asking you to:

1. Complete the appropriate Self-Assessment Questionnaire (SAQ) for your business type
2. Run quarterly external vulnerability scans if your payment environment has any internet-facing components (an e-commerce site that serves payment pages, IP-connected terminals, or remote access into your POS network)
3. Submit an Attestation of Compliance (AOC) confirming you’ve met the requirements
4. Keep records showing you’ve maintained compliance throughout the year

That questionnaire isn’t them being difficult — they’re required by the card brands to verify every merchant’s compliance annually.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) is your main compliance document. There are different versions depending on how you accept payments. Here’s a simple breakdown:

How You Accept Payments                              SAQ Type   Questions (approx.)   Complexity
Redirect to payment gateway (PayPal, Pesapal)        SAQ A      22                    Easiest
E-commerce with payment fields on your site          SAQ A-EP   139                   Moderate
Standalone terminals only (no connected systems)     SAQ B      41                    Easy
Terminals connected to your network                  SAQ B-IP   82                    Moderate
Manual card entry (phone/mail orders)                SAQ C-VT   84                    Moderate
Storing card data, or a setup that fits none above   SAQ D      329                   Complex

Question counts change between PCI DSS versions, so go by the count on the SAQ your processor actually gives you. Two further SAQs exist that are less common for small merchants: SAQ C (an internet-connected payment application or integrated POS that does not store card data) and SAQ P2PE (terminals supplied as part of a PCI-listed point-to-point encryption solution).

Common Kenya Scenarios

Retail shop with a standalone terminal: If you're using a wireless terminal from your bank or a solution like Square that connects over a cellular or dial-up link and isn't plugged into your computer systems or LAN, you're likely SAQ B.

Restaurant with networked terminals: If standalone payment terminals reach the acquirer over your LAN or Wi-Fi but your point-of-sale software never sees the card number, you need SAQ B-IP. If the POS application itself handles card data (an integrated POS that reads the card and sends it on), you're outside B-IP and into SAQ C, or SAQ D if anything is stored.

E-commerce using Shopify or WooCommerce: If customers complete payment on a page, or in an iframe, served entirely by a PCI DSS validated provider (like Shopify Payments or Stripe Checkout), you qualify for SAQ A. If the payment fields are part of your own website's page, even with JavaScript that posts them straight to the processor, you need SAQ A-EP.

Taking orders by phone: If you manually enter card details into a virtual terminal or payment portal, you need SAQ C-VT. C-VT's eligibility criteria require that the virtual terminal runs on a single, dedicated computer that isn't used for other purposes and that no card data is stored electronically; if you can't meet that, you fall back to SAQ D.
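The scenarios above are a decision tree, so here is that tree as code. This is an added example for this guide, not PCI SSC or acquirer tooling: the eligibility rules are summarised from the SAQ front pages and should be confirmed against the SAQ version your processor sends you, and SAQ C (payment application connected to the internet, no storage) is included because integrated POS systems land there rather than in B-IP. The `PaymentSetup` fields and the ASV mapping are this example's own assumptions.

```python
"""Added example: a small SAQ selector encoding the channel-to-SAQ mapping
described in the guide. Eligibility rules are summarised (an assumption);
the authoritative criteria are on the front page of each SAQ."""
from dataclasses import dataclass
from enum import IntEnum


class Saq(IntEnum):
    """Ordered roughly by how demanding the questionnaire is."""
    A = 1
    B = 2
    B_IP = 3
    C_VT = 4
    C = 5
    A_EP = 6
    D = 7


@dataclass
class PaymentSetup:
    # E-commerce
    ecommerce: bool = False
    hosted_checkout: bool = True           # redirect or iframe served by a validated third party
    # Card-present terminals
    terminals: bool = False
    terminals_on_ip_network: bool = False  # terminals reach the acquirer over your LAN/Wi-Fi
    pos_app_handles_cards: bool = False    # the POS application itself sees the card number
    # Virtual terminal for phone/mail orders
    virtual_terminal: bool = False
    vt_on_isolated_computer: bool = True   # single dedicated machine, no other use
    # Anything that forces SAQ D
    stores_cardholder_data: bool = False   # electronic storage of account data anywhere


def required_saqs(setup: PaymentSetup) -> set[Saq]:
    """Return the SAQ each described channel needs (possibly several)."""
    if setup.stores_cardholder_data:
        return {Saq.D}
    needed: set[Saq] = set()
    if setup.ecommerce:
        needed.add(Saq.A if setup.hosted_checkout else Saq.A_EP)
    if setup.terminals:
        if setup.pos_app_handles_cards:
            needed.add(Saq.C)          # integrated POS without storage
        elif setup.terminals_on_ip_network:
            needed.add(Saq.B_IP)
        else:
            needed.add(Saq.B)
    if setup.virtual_terminal:
        # C-VT eligibility requires an isolated computer; otherwise it is SAQ D
        needed.add(Saq.C_VT if setup.vt_on_isolated_computer else Saq.D)
    return needed


def most_demanding(saqs: set[Saq]) -> Saq:
    """With several channels an acquirer may accept one SAQ per channel or
    ask for a single more demanding one; this picks the latter."""
    return max(saqs)


# SAQs that carry the external ASV scan requirement (11.3.2 in v4.x, 11.2.2 in v3.2.1).
# Assumption: follows the v3.2.1 SAQs and the 2025 v4.0.1 revision of SAQ A, which
# does not include ASV scans; confirm against the SAQ version you are given.
ASV_SCAN_SAQS = {Saq.A_EP, Saq.B_IP, Saq.C, Saq.D}


def asv_scan_required(saqs: set[Saq]) -> bool:
    return bool(saqs & ASV_SCAN_SAQS)


if __name__ == "__main__":
    # A Nairobi shop with a bank wireless terminal and a hosted Shopify checkout
    shop = PaymentSetup(terminals=True, ecommerce=True)
    saqs = required_saqs(shop)
    print(sorted(s.name for s in saqs), most_demanding(saqs).name, asv_scan_required(saqs))
```

Running the sample prints `['A', 'B'] B False`: two simple questionnaires and no scan obligation, which is the common outcome for a small retailer that keeps its web checkout fully hosted. Flip `hosted_checkout` to `False` and the same shop becomes A-EP with quarterly scans.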

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire to use — no guessing required.

How to Complete Your SAQ

Once you know which SAQ you need, the actual process is straightforward:

1. Download or Access Your SAQ

Your payment processor might provide a link, or you can use PCICompliance.com’s guided questionnaire that walks you through each requirement.

2. Answer Yes/No Questions

Each question asks about a specific security practice. For example:

  • “Do you have a firewall protecting your payment systems?”
  • “Do you change default passwords on payment devices?”
  • “Is antivirus software installed and updated?”

“Yes” means you have that security control in place and can prove it if asked. Don’t just check yes because it sounds good — compliance requires you to actually implement these practices.

3. Gather Supporting Documentation

You’ll need to show:

  • Network diagrams (if applicable)
  • Security policies and procedures
  • Evidence of quarterly vulnerability scans
  • Employee training records (for handling card data)

For most small merchants, this documentation is minimal. An SAQ B might just need your terminal inspection checklist and evidence that you’ve trained staff not to write down card numbers.

4. Complete Quarterly Vulnerability Scans

If your SAQ includes the external scan requirement (it does for SAQ A-EP, B-IP, C and D), you need quarterly scans from an Approved Scanning Vendor (ASV) against the public IP addresses and domains of your payment environment. The scan is automated, runs from the internet the way an attacker would see you, and typically takes 24-48 hours to complete; a scan passes only when no finding scores CVSS 4.0 or higher and none of the ASV program's automatic-failure conditions are present. PCICompliance.com includes ASV scanning with our compliance platform. Schedule it once and we'll remind you every quarter.

5. Submit Your Attestation of Compliance

The AOC is a formal declaration that you've completed the SAQ honestly and are maintaining the required security controls. An executive officer of your business signs it (and a QSA co-signs if one was involved) before it goes to your payment processor.

What It Costs

Let’s talk real numbers for Kenya PCI compliance:

Compliance Platform and Tools

  • Basic SAQ completion tools: Free to KES 5,000 per year
  • Guided compliance platforms: KES 15,000 to 50,000 per year
  • Enterprise solutions with policy templates: KES 100,000+ per year

Quarterly ASV Scanning

  • Standalone scanning service: KES 10,000 to 25,000 per year
  • Often included with compliance platforms
  • Required for any merchant with internet-facing systems

Professional Assistance

  • Compliance consultant for SAQ help: KES 50,000 to 150,000
  • Full QSA assessment (Level 1 merchants only): KES 500,000 to 2,000,000
  • Most Level 4 merchants never need a QSA

The Cost of Non-Compliance

  • Monthly fines: KES 5,000 to 100,000
  • Breach recovery costs: KES 500,000 to 5,000,000+
  • Lost ability to accept cards: Devastating for most businesses

For a typical small merchant, annual compliance costs less than KES 25,000 — often less than a single month’s non-compliance fine.

Staying Compliant Year-Round

PCI compliance isn’t a checkbox you tick once and forget. Your acquirer expects:

  • Annual SAQ submission (usually on your merchant account anniversary)
  • Quarterly vulnerability scans (every 90 days if required)
  • Immediate re-assessment if you change how you accept payments
  • Ongoing maintenance of security controls

Setting Up Your Compliance Calendar

Mark these dates:

  • SAQ due date (check your processor’s requirement)
  • Quarterly scan windows (every 90 days)
  • Security training refreshers (annually)
  • Password change reminders (every 90 days)

Changes That Trigger New Assessments

You’ll need to reassess if you:

  • Add new payment channels (like starting e-commerce)
  • Change payment processors or terminals
  • Start storing cardholder data (please don’t)
  • Integrate payment systems with other business applications

PCICompliance.com’s compliance dashboard tracks all these dates and sends automatic reminders. You’ll never miss a deadline or forget a quarterly scan.

FAQ

Q: I only process a few cards per month. Do I really need to comply?

Yes, PCI DSS applies to any business that accepts credit cards, regardless of volume. The good news is that low-volume merchants usually qualify for the simplest SAQ types, which you can complete in an hour or two.

Q: My payment processor handles everything. Aren’t they responsible for compliance?

Your processor is responsible for their own compliance, but you’re responsible for how you handle cards in your business. If you never touch card data because everything goes directly to the processor, you’ll have an easier questionnaire (likely SAQ A), but you still need to complete it.

Q: What’s this vulnerability scan requirement? My business doesn’t have a website.

Scans cover the external IP addresses and hostnames of systems that handle card data or are connected to systems that do. If you truly have none of those (no e-commerce checkout, no IP-connected payment terminals, no remote access into the systems that touch cards), you don't need scans. A brochure website hosted separately from your payment systems is not in scope on its own, but an e-commerce site, IP-connected terminals, or a POS network reachable from the internet all need quarterly ASV scans.

Q: Can I just pay someone to make me compliant?

Consultants can guide you and help complete paperwork, but true compliance requires you to actually implement and maintain security controls. No one can “make you compliant” without your active participation in securing your payment environment.

Q: How long does the SAQ take to complete?

For SAQ A or B: typically 1-2 hours if you have your documentation ready. For SAQ A-EP or C-VT: plan for 3-4 hours. SAQ D requires significant preparation and often takes multiple days or weeks.

Q: What if I fail a vulnerability scan?

Failing a scan is common on the first attempt. The ASV report lists every finding with a CVSS score; anything at 4.0 or higher, plus a short list of automatic failures such as SQL injection, cross-site scripting, default credentials, unsupported software or outdated TLS, makes the scan fail. Address those items (usually updating software, disabling old protocols, or tightening firewall rules), then request a rescan. If a finding is a genuine false positive, dispute it with the ASV rather than ignoring it. You need a passing scan in each 90-day window, and you should keep both the failed and passing reports as evidence.
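To make the pass/fail logic concrete, here is a small triage of an ASV report. This is an added example for this guide, not any ASV's own code: the findings are constructed, the category names are this example's own, and the rules follow the PCI SSC ASV Program Guide (a finding with CVSS base score 4.0 or higher fails the scan; certain finding types fail automatically regardless of score). The automatic-failure set is a subset of that guide's list.

```python
"""Added example: triage an ASV scan report into what fails the scan and what
to fix first. Findings below are constructed; rules follow the ASV Program Guide."""
from dataclasses import dataclass

# Subset of finding types the ASV Program Guide treats as automatic failures.
AUTOMATIC_FAILURES = {
    "sql_injection", "xss", "directory_traversal", "default_credentials",
    "unsupported_software", "backdoor_or_malware", "cardholder_data_disclosure",
    "insecure_tls",
}
CVSS_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    category: str
    cvss: float                   # CVSS base score as reported by the ASV
    false_positive: bool = False  # set only after the ASV has accepted your dispute


def fails_scan(f: Finding) -> bool:
    """A finding fails the scan unless the ASV has accepted it as a false positive."""
    if f.false_positive:
        return False
    return f.category in AUTOMATIC_FAILURES or f.cvss >= CVSS_FAIL_THRESHOLD


def triage(findings):
    """Split a report into (passed, must_fix, advisory).
    must_fix lists automatic failures first, then by descending CVSS, so the
    top of the list is what to remediate before requesting a rescan."""
    must_fix = sorted(
        (f for f in findings if fails_scan(f)),
        key=lambda f: (f.category in AUTOMATIC_FAILURES, f.cvss),
        reverse=True,
    )
    advisory = [f for f in findings if not fails_scan(f)]
    return (not must_fix, must_fix, advisory)


def after_remediation(findings, fixed_titles):
    """Model the rescan you request once the listed items are fixed."""
    return [f for f in findings if f.title not in fixed_titles]


# Constructed sample report for a small e-commerce shop (not real scan output).
SAMPLE_REPORT = [
    Finding("shop.example", 443, "SQL injection in /search parameter q", "sql_injection", 9.8),
    Finding("shop.example", 22, "OpenSSH version out of date", "outdated_software", 5.3),
    Finding("shop.example", 443, "TLS 1.0 enabled", "insecure_tls", 4.3),
    Finding("shop.example", 443, "Certificate name mismatch on staging alias", "cert_mismatch", 4.3,
            false_positive=True),
    Finding("shop.example", 80, "Server header discloses nginx version", "info_disclosure", 2.6),
    Finding("shop.example", 443, "X-Frame-Options header missing", "missing_header", 2.6),
]


if __name__ == "__main__":
    passed, must_fix, advisory = triage(SAMPLE_REPORT)
    print("PASS" if passed else "FAIL")
    for f in must_fix:
        print(f"  fix: {f.host}:{f.port} {f.title} (CVSS {f.cvss}, {f.category})")
    for f in advisory:
        print(f"  note: {f.host}:{f.port} {f.title} (CVSS {f.cvss})")
```

On the sample report the scan fails on three items, with the SQL injection at the top even though the TLS finding is also an automatic failure, because automatic failures sort ahead of the CVSS-only ones and then by score. The two informational findings below the 4.0 line don't block the quarter but still belong on your to-do list, since they tend to become failures when a new CVE lands. Once the three are fixed, `after_remediation` shows the rescan passing.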

Q: Do I need to hire a QSA?

Level 4 merchants (most small businesses) complete self-assessments without QSA involvement. Only Level 1 merchants or those required by their acquirer need a formal QSA assessment. If you’re reading this guide, you probably don’t need a QSA.

Q: What happens if I get breached while non-compliant?

You become liable for fraud losses, forensic investigation costs, card reissuance fees, and potential fines from the card brands. These costs often reach hundreds of thousands of shillings even for small breaches. Compliance is your insurance policy against this liability.

Your Next Steps

That compliance questionnaire from your payment processor doesn’t have to be intimidating. For most merchants in Kenya, achieving PCI compliance involves completing a straightforward self-assessment, running quarterly scans if you’re online, and maintaining basic security practices you should be doing anyway.

Start by identifying which SAQ applies to your business; PCICompliance.com's free SAQ Wizard makes this simple. Once you know your requirements, our platform guides you through each question, handles your quarterly ASV scanning, and maintains all your compliance documentation in one secure dashboard. Whether you're a small retailer in Westlands or a growing e-commerce business serving all of East Africa, we provide the tools and support to achieve and maintain your PCI compliance without the confusion or complexity. Begin with our SAQ Wizard to see exactly what's required for your business, or contact our compliance team for personalized guidance on your path to PCI compliance.
