Jimdo PCI Compliance

Bottom Line Up Front

If you run a small business on Jimdo and just received a PCI compliance questionnaire from your payment processor, take a breath — you’re almost certainly in the simplest tier of compliance. Jimdo PCI compliance for most merchants means completing a short self-assessment questionnaire (SAQ), possibly running a quarterly scan, and attesting that you’re handling card data responsibly.

Because Jimdo’s built-in store and checkout route card payments through established payment providers (rather than storing card numbers on your own servers), most Jimdo merchants qualify for the least demanding SAQ types. That means less paperwork, fewer technical requirements, and a process you can genuinely complete without a security team. Let’s demystify the whole thing.

What Is PCI Compliance (In Plain English)

PCI DSS — the Payment Card Industry Data Security Standard — is a set of security rules designed to protect credit and debit card data. If you accept card payments in any form, these rules apply to you.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a group called the PCI Security Standards Council (PCI SSC). But here’s the part that trips people up: the Council writes the rules, while your acquirer (your bank or payment processor) is the one who actually enforces them. That’s why the questionnaire landed in your inbox from them.

The standard is organized into 6 control objectives covering 12 requirements — everything from protecting stored card data to controlling who can access your systems. Don’t worry: as a small Jimdo merchant, only a fraction of those requirements will apply to you.

What happens if you ignore it?

Non-compliance isn’t a criminal matter, but it has real teeth:

  • Monthly non-compliance fees from your processor until you attest
  • Financial liability if a breach occurs and you weren’t compliant
  • In serious cases, losing the ability to accept card payments entirely

The good news: most small businesses qualify for the simplest SAQ types, and getting compliant is far more achievable than the acronym soup suggests.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes. Card-present, online, over the phone — it all counts. There’s no “too small to matter” exemption.

Your merchant level

The card brands assign every merchant a level (1 through 4) based on your annual card transaction volume. Your acquirer determines your specific level, so confirm it with them — but the overwhelming majority of small businesses are Level 4, the tier with the lightest validation requirements.

Merchant Level Roughly Who Typical Validation
Level 1 Highest transaction volume Full ROC by a QSA
Levels 2–3 Mid-volume merchants Usually SAQ, sometimes ROC
Level 4 Most small businesses SAQ + AOC

If you’re a small Jimdo shop, you’re almost certainly Level 4 and completing a self-assessment questionnaire (SAQ) — not undergoing a formal audit.

The questionnaire they sent you

That compliance questionnaire is your processor asking you to formally attest that you’re following the applicable PCI rules. It’s a routine, annual request — not a sign you did anything wrong. Completing it keeps you in good standing and avoids non-compliance fees.

Which SAQ Do You Need?

The SAQ you complete depends entirely on how you accept payments. Each type maps to a specific payment setup, and choosing the right one is the single most important decision in your compliance process — it determines how many requirements apply to you.

Here’s the plain-language decision tree for common Jimdo and small-merchant scenarios:

Payment Scenario Likely SAQ Complexity
Online store with fully hosted checkout (customer redirected to payment provider) SAQ A Lowest
Online store where your page partially controls the payment fields SAQ A-EP Moderate
Standalone dial-out terminal, no electronic card storage SAQ B Low
Standalone IP-connected terminal (Square, Clover, etc.) SAQ B-IP Low–Moderate
Card payments keyed into a virtual terminal (e.g., phone orders) SAQ C-VT Moderate
You store card numbers electronically anywhere SAQ D Highest

What this means for a typical Jimdo store

Most Jimdo online stores use a hosted or redirect checkout — when a customer pays, the card details are entered on the payment provider’s secure page, not stored or processed on your Jimdo site. That setup usually points to SAQ A, the shortest and simplest questionnaire.

If your checkout embeds payment fields more directly into your own page, you may land in SAQ A-EP, which carries a few more technical requirements. And if you take orders over the phone and key them into a virtual terminal, you’re likely looking at SAQ C-VT.

One rule that never changes: if you store card numbers yourself, please stop. Storing Sensitive Authentication Data (the CVV, full track data, or PIN) after a transaction is authorized is prohibited under the current standard — always. Storing card numbers pushes you into SAQ D, the most demanding path.

Not sure which one applies? That’s exactly what PCICompliance.com’s free SAQ Wizard is for — answer a few plain-English questions about how you take payments, and it tells you precisely which SAQ you need.

How to Complete Your SAQ

Once you know your SAQ type, the actual completion is more manageable than you’d expect.

What the questionnaire looks like

An SAQ is a list of yes/no questions about your security controls. Simpler SAQs (like SAQ A) contain relatively few questions; SAQ D contains many. For a small merchant on SAQ A, completing it might take an afternoon once you’ve gathered your information.

Each “yes” means you genuinely have that control in place. For example, a question about multi-factor authentication (MFA) requires that you actually use MFA for the relevant accounts — not that you intend to. Answering honestly matters, because your attestation is a formal statement your processor relies on.

Documentation you’ll gather

Depending on your SAQ, you may need to reference:

  • The names of your payment provider(s) and confirmation they’re PCI compliant
  • Basic access control details (who can log into payment-related systems)
  • A simple information security policy (Requirement 12)
  • For some SAQs, a network diagram and evidence of secure configurations

The quarterly ASV scan

If your environment has any external-facing systems — which many e-commerce and IP-connected setups do — you’ll need a quarterly ASV scan. An Approved Scanning Vendor (ASV) runs an external vulnerability scan against your public-facing systems to confirm there are no known exploitable weaknesses.

Fully hosted SAQ A merchants often have minimal or no scanning obligations, but check with your acquirer. PCICompliance.com’s ASV scanning service handles these quarterly scans for you and flags anything that needs fixing.

Submitting your SAQ and AOC

Once your SAQ is complete, you’ll sign an Attestation of Compliance (AOC) — a document stating you’ve met the applicable requirements — and submit both to your acquirer or through their compliance portal. That closes the loop for the year.

What It Costs

PCI compliance costs vary, but for small Jimdo merchants the numbers are modest — especially compared to the alternative.

Item Typical Range Who Needs It
Compliance platform / SAQ tools Low annual cost Most merchants
Quarterly ASV scanning Modest per-quarter cost External-facing systems
QSA-led assessment (ROC) Significant Level 1 / large merchants only

The reassuring part: most small merchants never need a QSA. A Qualified Security Assessor is required for Level 1 merchants and formal ROC assessments — not for a Level 4 shop completing an SAQ.

The cost of non-compliance

Weigh those modest costs against what non-compliance can bring: recurring processor non-compliance fees, potential breach liability, forensic investigation costs, and the risk of losing card acceptance. For nearly every small merchant, a year of compliance costs far less than a single breach-related penalty. That’s the honest math.

Staying Compliant Year-Round

Here’s the concept people most often miss: PCI compliance is not a one-and-done event. It’s validated at least annually, with quarterly ASV scans where required. Compliance is point-in-time — you’re compliant on the day you attest, and you’re responsible for staying that way.

Certain changes should trigger a fresh look at your compliance:

  • Switching payment providers or checkout methods
  • Adding a new way to take payments (e.g., starting phone orders)
  • Changing your website’s checkout integration
  • Any change to how or where card data flows through your business

The easiest way to avoid a lapse is to track your obligations year-round instead of scrambling when the annual questionnaire arrives. PCICompliance.com’s compliance dashboard keeps your SAQ status, scan schedule, and renewal dates in one place, with reminders so nothing slips.

FAQ

I just got a PCI questionnaire and I’m overwhelmed. Where do I start?

Start by identifying how you accept payments, because that determines your SAQ type. The PCICompliance.com SAQ Wizard walks you through a few simple questions and tells you exactly which questionnaire applies — that single step removes most of the confusion.

Does PCI compliance apply to my small Jimdo store?

Yes — if you accept card payments in any form, PCI DSS applies regardless of your size. The upside is that most small Jimdo merchants qualify for the simplest SAQ types, often SAQ A, which involves minimal technical work.

What’s the difference between an SAQ and a full audit?

An SAQ is a self-assessment questionnaire you complete yourself, paired with an AOC. A full ROC (Report on Compliance) is a formal assessment conducted by a QSA and is generally required only for the largest (Level 1) merchants — not small businesses.

Do I need a quarterly scan?

You need a quarterly ASV scan if your environment includes external-facing systems, which is common for e-commerce and IP-connected setups. Fully hosted SAQ A merchants sometimes have no scanning requirement — confirm your specific obligation with your acquirer or QSA.

Can I store customer card numbers to make repeat orders easier?

You should not store card numbers yourself. Storing Sensitive Authentication Data like the CVV after authorization is never permitted, and storing the PAN pushes you into SAQ D with far more requirements — use your payment provider’s tokenization or saved-card features instead.

What happens if I just ignore the questionnaire?

Your processor can charge recurring non-compliance fees, and you’ll carry greater liability if a breach occurs. Persistent non-compliance can ultimately jeopardize your ability to accept cards, so it’s worth handling promptly.

Is being compliant a guarantee I won’t be breached?

No — PCI compliance reduces risk, but no security program eliminates it entirely. Compliance is a point-in-time validation of good practices; staying secure requires maintaining those controls continuously throughout the year.

How long does the whole process take?

For a small merchant on SAQ A, completing the questionnaire can take as little as an afternoon once you’ve gathered your information. More complex SAQs and scanning add time, but a compliance platform streamlines each step.

Conclusion

PCI compliance sounds intimidating, but for the typical small Jimdo merchant it comes down to a few clear steps: identify your SAQ, answer it honestly, run a scan if required, and attest annually. You don’t need a security team or a deep technical background — you need the right guidance and a way to stay on track.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance in one place. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round — the same end-to-end platform trusted by thousands of merchants, from single-location retailers to multi-site enterprises.

Start with the free SAQ Wizard, or talk to our compliance team and turn that intimidating questionnaire into a done-and-dusted checklist.

Leave a Comment

1,650 PCI scans completed this month