API Gateway PCI Compliance
If you just received a PCI compliance questionnaire from your payment processor and you’re wondering what API gateway PCI compliance means for your business — take a deep breath. For most small and medium businesses, PCI compliance is far simpler than the jargon-filled questionnaires make it seem. If you’re using modern payment solutions like API gateways, you’re likely already doing most things right. This guide will walk you through exactly what you need to know and do, without the technical overwhelm.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover — through an organization called the PCI Security Standards Council. Think of it as a security checklist designed to protect credit card data from theft and fraud.
Here’s the key point: if your business accepts credit or debit cards in any form — whether through an API gateway, payment terminal, or online checkout — these requirements apply to you. The card brands created these standards, but your acquiring bank or payment processor (the company that handles your card transactions) enforces them.
The consequences of non-compliance are real but manageable. Your payment processor can impose fines ranging from $5,000 to $100,000 per month for non-compliance. More importantly, if card data gets stolen from your business and you weren’t compliant, you could be liable for the fraud losses. In extreme cases, you could lose your ability to accept card payments entirely.
But here’s the good news that compliance companies don’t always emphasize: most small businesses qualify for the simplest compliance requirements. If you’re using modern payment methods like API gateways with proper tokenization, your compliance burden is minimal. You won’t need to hire consultants or security experts — just answer some questions honestly and run a few security scans.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:
- Physical card readers and terminals
- E-commerce websites
- Phone orders
- Mobile payments
- API-based payment processing
Your merchant level determines how much documentation you need to provide. Most small businesses processing fewer than 6 million transactions annually are Level 4 merchants, which means you can self-assess your compliance using a questionnaire called an SAQ (Self-Assessment Questionnaire) instead of hiring an expensive auditor.
That questionnaire your payment processor sent you? It’s their way of ensuring you’re meeting the security standards required by the card brands. They’re not trying to catch you out — they’re required to verify that every merchant in their portfolio maintains compliance. Complete it once a year, run quarterly security scans if required, and you’re good to go.
Which SAQ Do You Need?
The PCI world includes nine different SAQ types, but don’t panic — most businesses fall into one of the simpler categories. Here’s how to determine which one applies to your API gateway setup:
| How You Accept Payments | SAQ Type | Complexity | Typical Questions |
|---|---|---|---|
| API gateway with tokenization (no card data touches your servers) | SAQ A | Simplest (22 questions) | 12-15 apply |
| API gateway with JavaScript on your site | SAQ A-EP | Simple (139 questions) | 30-40 apply |
| Standalone payment terminal only | SAQ B | Simple (41 questions) | 20-25 apply |
| Terminal + internet connection | SAQ B-IP | Moderate (82 questions) | 40-50 apply |
| Manual card entry (virtual terminal) | SAQ C-VT | Moderate (80 questions) | 40-50 apply |
| Storing card numbers (please don’t) | SAQ D | Complex (329 questions) | Most apply |
If you’re using an API gateway for payment processing, you’ll most likely fall into SAQ A or SAQ A-EP territory. The key differentiator? Whether card data ever touches your servers, even for a millisecond.
SAQ A applies when your API gateway provider handles everything — your customers are redirected to their hosted payment page, or you use a solution where card data goes directly from the customer’s browser to the gateway without passing through your servers. Think Stripe Checkout, PayPal, or Square’s hosted solutions.
SAQ A-EP applies when you use JavaScript-based solutions that collect card data on your website but send it directly to your payment processor. Stripe Elements, Square Web Payments SDK, and similar tools fall into this category.
Not sure which applies? PCICompliance.com offers a free SAQ Wizard — answer a few simple questions about how you accept payments, and we’ll tell you exactly which questionnaire you need.
How to Complete Your SAQ
Your SAQ is essentially a security checklist in yes/no format. Each question asks whether you’ve implemented a specific security control. Here’s what the process looks like:
1. Download the right SAQ from the PCI Security Standards Council website or use your compliance platform’s version. Each SAQ starts with eligibility criteria — read these carefully to confirm you have the right one.
2. Answer each question honestly. When a question asks “Do you review security policies annually?” — answering “yes” means you actually have written policies and can show when they were last reviewed. If you can’t prove it, the answer is “no.”
3. Gather supporting documentation. While Level 4 merchants don’t usually need to submit proof, you should have it ready. Common documents include:
- Your network diagram (even a simple one)
- Security policies and procedures
- Vendor compliance certificates (like your API gateway’s AOC)
- ASV scan reports
4. Complete your quarterly ASV scan if required. SAQ types A-EP, B-IP, C, C-VT, and D require quarterly external vulnerability scans performed by an Approved Scanning Vendor. The scan checks your public-facing systems for security vulnerabilities. Most scans take 15-30 minutes to run and cost $50-200 per quarter.
5. Submit your completed SAQ and AOC to your payment processor. The Attestation of Compliance is a shorter form that summarizes your SAQ results — think of it as your official declaration of compliance.
The entire process typically takes 2-4 hours for SAQ A, or 1-2 days for more complex SAQ types. Set aside uninterrupted time, have your payment processing documentation handy, and work through it methodically.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you handle it yourself or use a compliance platform:
Compliance platforms and tools: $20-100/month for small merchants. These platforms provide the questionnaires, track your progress, and often include ASV scanning. Premium tiers include support from compliance experts when you get stuck.
Quarterly ASV scanning: $50-200 per scan if purchased separately, though many compliance platforms include this. You need four clean scans per year for most SAQ types.
QSA services: Only required for Level 1 merchants or if your acquirer specifically demands it. Full assessments start at $15,000 annually. If you’re reading this guide, you probably don’t need a QSA.
The cost of non-compliance puts these numbers in perspective. Payment processors typically fine non-compliant merchants $25-100 monthly — already more expensive than most compliance solutions. A single data breach can result in fines starting at $5,000 per month, forensic investigation costs of $20,000+, and potential liability for fraudulent charges.
For most small merchants using API gateways, expect to spend $500-1,500 annually on compliance. That’s less than the cost of a single month’s non-compliance fine, and far less than defending against a breach.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track without the stress:
Set calendar reminders for:
- Annual SAQ completion (same month each year)
- Quarterly ASV scans (if required)
- Annual policy reviews
- Security update schedules
Track what triggers reassessment. Significant changes to how you accept payments require a fresh look at your compliance:
- Adding new payment channels
- Changing payment processors or API gateways
- Storing card data when you didn’t before
- Major website or infrastructure changes
Keep your documentation current. When your ASV scan reports arrive, file them. When you update your security policies, date them. When your API gateway sends their compliance certificate, save it. You’ll thank yourself next year.
PCICompliance.com’s compliance dashboard tracks all these dates and documents for you, sending reminders before deadlines and storing your compliance history in one searchable location. No more scrambling to find last year’s attestation or wondering when your next scan is due.
FAQ
Q: My payment processor says I need to be PCI compliant by next month. Is that realistic?
For most small merchants using modern API gateways, absolutely. SAQ A takes 2-4 hours to complete. SAQ A-EP might take a full day including the ASV scan setup. The hardest part is usually figuring out which SAQ you need — which is why we built the SAQ Wizard.
Q: Do I really need quarterly scans if I’m just a small business?
If your SAQ type requires ASV scanning (A-EP, B-IP, C, C-VT, or D), then yes — you need four passing scans per year, no matter your size. The good news is these scans are automated and typically cost less than $100 each. Think of them as a security checkup that also happens to keep you compliant.
Q: What happens if I fail my ASV scan?
First, don’t panic — most initial scans find something. Your ASV provider will give you a report detailing what they found and how to fix it. Common issues include outdated SSL certificates or unnecessary services running on your server. Fix the issues, rescan (usually free within 30 days), and you’re back on track.
Q: Can I just use my API gateway’s PCI compliance?
Your payment gateway’s compliance covers their systems, not yours. However, if you use their hosted payment pages (SAQ A), your compliance requirements are minimal because sensitive card data never touches your systems. You still need to complete your own SAQ, but it’s the simplest one available.
Q: Is PCI compliance the same as being secure?
PCI DSS provides a solid security baseline, but compliance alone doesn’t guarantee security. Think of PCI as the minimum security standards for handling payment cards. Smart merchants use PCI requirements as a starting point and add additional security measures based on their specific risks.
Q: What’s the difference between SAQ A and SAQ A-EP?
SAQ A applies when customers are redirected away from your site to enter card details (like PayPal checkout). SAQ A-EP applies when you collect card details on your site using JavaScript that sends data directly to your payment processor (like Stripe Elements). The technical difference matters — A-EP has more requirements because your website is involved in the payment flow.
Q: Do I need to hire a QSA?
Level 4 merchants (under 6 million transactions annually) can self-assess using SAQs — no QSA required. Level 1 merchants and service providers need annual assessments by a QSA. Some payment processors require QSA assessments regardless of level, but this is rare for small merchants using API gateways.
Q: How do I know if I’m storing card data?
Check your databases, spreadsheets, email systems, and paper files. If you can see full card numbers anywhere in your systems, you’re storing card data. Modern API gateways return tokens (random strings) instead of card numbers specifically to keep you out of data storage territory. When in doubt, search your systems for 16-digit numbers starting with 4, 5, or 6.
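As an added example (not from the original guide or PCICompliance.com), here is a small Python discovery scan of the kind the answer above describes: it searches constructed sample files for 16-digit numbers starting with 4, 5 or 6, and goes beyond the text by also matching 15-digit American Express numbers and applying the Luhn check so order IDs that merely look like card numbers are not reported. The file names, log lines and tokens are constructed, and the well-known industry test numbers stand in for real cards.

```python
import re
from typing import List, NamedTuple

# Candidate PANs as the text describes: 16 digits starting with 4, 5 or 6.
# Added here: 15-digit American Express numbers (start with 34 or 37) and
# optional space/dash separators between digit groups. The look-arounds stop
# matches inside longer digit runs such as timestamps or order IDs.
PAN_RE = re.compile(r"(?<!\d)(?:[456](?:[ -]?\d){15}|3[47](?:[ -]?\d){13})(?!\d)")

BRANDS = {"3": "American Express", "4": "Visa", "5": "Mastercard", "6": "Discover"}

class Finding(NamedTuple):
    source: str
    line_no: int
    masked: str   # first six and last four digits only; never log the full PAN
    brand: str

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: rejects most 16-digit IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(source: str, text: str) -> List[Finding]:
    """Report every Luhn-valid PAN candidate found in text, one entry per hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append(Finding(source, line_no, mask(digits), BRANDS[digits[0]]))
    return hits

# Constructed sample data (industry test numbers, no real cards): an order
# export holding tokens and one stored PAN, a support mailbox, and a debug log.
SAMPLES = {
    "orders.csv": "order_id,customer,card,amount\n"
                  "5000000000000001,Ann,tok_a1b2c3,19.99\n"        # token only; order id fails Luhn
                  "5000000000000002,Bob,4111111111111111,42.00\n",  # full PAN stored
    "support-mail.txt": "Customer says card 5555 5555 5555 4444 was charged twice\n"
                        "Ticket 4444444444444444 is the reference number\n",
    "app.log": "2024-01-05 10:00:01 INFO checkout token=tok_9f8e7d amount=42.00\n"
               "2024-01-05 10:00:02 DEBUG raw_request pan=378282246310005 exp=12/29\n"
               "2024-01-05 10:00:03 DEBUG raw_request pan=6011-1111-1111-1117\n",
}

def scan_samples() -> List[Finding]:
    return [f for name, text in SAMPLES.items() for f in scan_text(name, text)]

if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.source}:{f.line_no} {f.brand} {f.masked}")
```

Any hit outside your payment gateway's own systems means you are storing card data and SAQ A or A-EP no longer fits until that data is removed.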
Making PCI Compliance Manageable
PCI compliance might seem overwhelming when that first questionnaire arrives, but remember — if you’re using a modern API gateway, you’re already most of the way there. These payment solutions are designed with PCI compliance in mind, handling the complex security requirements so you don’t have to.
The key is identifying which SAQ applies to your specific setup and methodically working through the requirements. For most businesses using API gateways, this means completing SAQ A or A-EP once a year, running quarterly security scans if required, and keeping basic documentation up to date.
PCICompliance.com simplifies this entire process. Our free SAQ Wizard eliminates the guesswork by identifying exactly which questionnaire you need based on your payment setup. Our ASV scanning service handles your quarterly vulnerability scans with automated scheduling and remediation guidance. And our compliance dashboard tracks everything in one place — questionnaire progress, scan results, important dates, and compliance certificates — so you’re never scrambling to prove compliance or wondering what’s due next. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and support to make PCI compliance straightforward and stress-free. Start with our free SAQ Wizard to identify your requirements, or talk to our compliance team about a complete solution tailored to your business.