Bottom Line Up Front
If you built your store on Zyro and you just got a PCI compliance questionnaire from your payment processor, take a breath — this is almost certainly simpler than it looks. For most small merchants using a hosted website builder like Zyro, Zyro PCI compliance comes down to filling out the right short questionnaire (an SAQ), possibly running a quarterly scan, and keeping a few good habits year-round.
You don’t need to become a security expert. You don’t need to hire a team. You mostly need to understand which category you fall into and follow a clear checklist. Let’s walk through exactly what PCI compliance means for your Zyro-based business, why your processor sent you that questionnaire, and what you actually have to do about it.
What Is PCI Compliance (In Plain English)
PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security rules designed to protect credit card information — your customers’ card numbers, expiration dates, and the like. If you accept card payments in any form, these rules apply to you.
The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a body called the PCI Security Standards Council (PCI SSC). But here’s the important part: the card brands don’t usually contact you directly. Enforcement flows through your acquiring bank (also called your acquirer) or your payment processor. They’re the ones who sent you that questionnaire, and they’re the ones who expect you to attest that you’re compliant.
The standard is organized into 6 control objectives covering 12 requirements — things like protecting stored data, using strong access controls, and monitoring your systems. Don’t worry: most small merchants only have to address a small slice of these.
What happens if you ignore it?
Non-compliance has real consequences. Your processor can charge monthly non-compliance fees until you attest. If you suffer a data breach while non-compliant, you can face significant liability, forensic investigation costs, and card-brand penalties. In the worst case, you can lose the ability to accept cards altogether — which for most businesses is not survivable.
The good news: for the vast majority of small businesses, especially those using hosted platforms like Zyro, compliance is achievable with one of the simplest SAQ types and modest effort.
Do You Need to Be PCI Compliant?
Yes. If you accept credit or debit cards — online, in person, or over the phone — PCI compliance applies to you. There’s no size threshold that exempts you. A one-person shop selling handmade goods through a Zyro store is just as much in scope as a national chain (though the amount of work is very different).
Your merchant level
The card brands sort merchants into levels 1 through 4 based on annual transaction volume and risk. Most small businesses fall into Level 4 — the lowest-volume, lowest-effort category, which typically means you self-assess rather than undergo a formal audit.
Your acquirer assigns your level, so if you’re unsure, ask them directly. Don’t assume a specific transaction threshold from something you read online — those numbers vary by card brand and can change.
Why they sent you the questionnaire
Your processor sends the compliance questionnaire (the SAQ) because they are obligated to ensure the merchants they serve are compliant. When you complete it and submit your AOC (Attestation of Compliance), you’re formally telling them “I’ve reviewed the applicable requirements and I meet them.” It’s an annual expectation — not a one-time hurdle.
Which SAQ Do You Need?
An SAQ (Self-Assessment Questionnaire) is a checklist tailored to how you accept payments. Choosing the right one is the single most important step, because it determines how much you actually have to do. Pick the wrong one and you’ll either do too much work or attest to something that doesn’t fit your setup.
Here’s the plain-language decision tree:
- Zyro store with a hosted or embedded checkout (payments handled entirely by a provider like Stripe or PayPal, where card data never touches your own systems) → likely SAQ A, the shortest and simplest.
- A physical payment terminal (Square, Clover, or similar standalone device) → likely SAQ B or SAQ B-IP.
- Card payments taken over the phone using a virtual terminal → likely SAQ C-VT.
- You store card numbers anywhere (a spreadsheet, a notebook, a CRM field) → SAQ D, the most demanding. Please stop doing this — more on that below.
| Payment scenario | Likely SAQ | Complexity |
|---|---|---|
| Zyro store, fully hosted checkout (Stripe/PayPal redirect) | SAQ A | Low |
| E-commerce page you partly control (embedded fields/iframe) | SAQ A-EP | Medium |
| Standalone dial-out terminal, no electronic storage | SAQ B | Low |
| Standalone IP-connected terminal | SAQ B-IP | Low–Medium |
| Virtual terminal (phone/mail orders) | SAQ C-VT | Medium |
| You store card numbers electronically | SAQ D | High |
Most Zyro merchants who use a standard integrated checkout land in SAQ A territory, because the payment provider handles the card data and it never lives on your systems. If your checkout is more custom — where your page collects card fields directly — you may fall into SAQ A-EP, which carries more requirements.
Not sure which one is yours? That’s exactly what PCICompliance.com’s free SAQ Wizard is for. Answer a few plain questions about how you take payments, and it tells you precisely which SAQ applies — no guesswork.
How to Complete Your SAQ
The SAQ is a series of yes/no questions mapped to the applicable PCI requirements. A simple SAQ A might take an afternoon; a more involved one takes longer. The questions ask whether you have specific controls in place — for example, whether you use unique passwords, whether you’ve confirmed your payment provider is compliant, and whether you have a basic security policy.
When you answer “yes,” you’re confirming the control genuinely exists. If the honest answer is “no,” that’s not a failure — it’s a remediation item. You fix it, then answer yes.
Documentation you’ll want on hand
- A basic network or payment-flow description (how a card payment travels from customer to processor)
- Confirmation your payment provider is PCI compliant (their AOC — usually downloadable from their site)
- Your password and access policies, even if brief
- Records of who has access to any payment-related systems
The quarterly ASV scan
If your environment has internet-facing systems in scope (common for anything beyond the simplest SAQ A), the current standard requires a quarterly ASV scan. An ASV (Approved Scanning Vendor) runs an external vulnerability scan against your public-facing systems and produces a passing report you submit with your compliance paperwork.
Pure SAQ A merchants often don’t need an ASV scan because they control no in-scope external systems — but confirm this against your specific SAQ. PCICompliance.com’s ASV scanning service handles these scans on a quarterly schedule so you don’t have to think about the timing.
Submitting
Once your SAQ is complete and any required scan passes, you sign the AOC and submit both to your acquirer or processor (often through their compliance portal). That’s your annual attestation done.
What It Costs
Let’s be honest and practical about budget. For most small merchants, PCI compliance is an affordable line item — far cheaper than the alternative.
| Item | Typical range | When it applies |
|---|---|---|
| Compliance platform / SAQ tools | Low annual/monthly fee | Most self-assessing merchants |
| Quarterly ASV scanning | Modest per-quarter or bundled cost | When external systems are in scope |
| QSA (Qualified Security Assessor) | Significant — audit-level engagement | Level 1 or complex environments only |
Most Level 4 small businesses never need a QSA. That’s for larger merchants or complex setups that require a formal ROC (Report on Compliance).
Now weigh that against non-compliance: recurring processor fees, potential breach liability, forensic investigation costs, and the possibility of losing card acceptance. For most small merchants, a full year of compliance costs a fraction of a single breach-related penalty. This is one of the rare cases where the responsible path is also the cheaper one.
Staying Compliant Year-Round
Here’s the truth many merchants miss: PCI compliance is not a one-and-done event. Your SAQ is validated at least annually, and required scans run quarterly. Compliance is a point-in-time attestation and an ongoing practice — you can be compliant today and drift out of compliance next month if things change.
What triggers a re-look
- You change how you accept payments (new terminal, new checkout, adding phone orders)
- You switch payment providers or website platforms
- You start storing data you didn’t before (avoid this)
- Your transaction volume rises enough to change your merchant level
Set calendar reminders for your annual SAQ and your quarterly scans so nothing lapses. Better yet, let a tool track it for you. PCICompliance.com’s compliance dashboard keeps your status, scan schedule, and renewal dates in one place year-round, so you’re never surprised by a lapsed attestation.
FAQ
I just got a PCI questionnaire and I’m overwhelmed. Where do I start?
Start by identifying which SAQ applies to how you take payments — that determines everything else. Run PCICompliance.com’s free SAQ Wizard, and the scope of what you actually have to do will shrink dramatically once you know your category.
Does using Zyro make me automatically PCI compliant?
No platform makes you automatically compliant — compliance is about your whole payment process, not just the website builder. However, using a hosted checkout where your provider handles card data means you likely qualify for a simpler SAQ with fewer requirements to meet.
Do I really need a quarterly scan?
Only if your environment includes internet-facing systems in scope. Many simple SAQ A merchants don’t, while more involved setups do — your SAQ will tell you, and an ASV can run the scan if required.
What if I answer “no” to some questions?
A “no” isn’t a failure — it’s a to-do item. Fix the underlying control (remediation), then answer “yes” honestly before you submit.
Can I store customer card numbers to make repeat billing easier?
Please don’t. Storing card data pushes you into the far more demanding SAQ D and dramatically increases your risk and liability. Use your payment provider’s tokenization or saved-card features instead — they store the data securely so you never have to.
Is compliance a one-time thing?
No. You validate at least annually, run any required scans quarterly, and reassess whenever your payment setup changes. Think of it as an ongoing habit, not a single form.
What happens if I just ignore the questionnaire?
Your processor can charge monthly non-compliance fees, and you’ll carry full liability if a breach occurs. Ignoring it is consistently more expensive than completing it.
Do I need to hire a QSA?
Almost certainly not if you’re a small Level 4 merchant — you self-assess with an SAQ. QSAs are for larger merchants and complex environments requiring a formal ROC.
Conclusion
If you’re running a small business on Zyro, PCI compliance is far more navigable than that intimidating questionnaire suggests. Identify your SAQ, meet the handful of requirements that apply, run any required ASV scan, submit your AOC, and keep a few good habits going year-round. That’s genuinely most of it for the typical small merchant — no absolutes, no guarantees, just steady, sensible risk reduction that keeps your customers’ card data safe and your processor satisfied.
PCICompliance.com gives you everything you need to achieve and maintain compliance in one place. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress all year. We serve thousands of merchants and service providers — from single-location shops to multi-site enterprises — with SAQ guidance, scanning, remediation help, and expert support throughout.
Start with the free SAQ Wizard, or talk to our compliance team — and turn that scary questionnaire into a checked box.