Austria PCI Compliance

You Got a PCI Compliance Questionnaire — Now What?

Take a deep breath. Austria PCI compliance requirements sound intimidating, but here’s the truth: if you’re a small business accepting credit cards, achieving compliance is probably simpler than you think. That questionnaire from your payment processor? It’s not a test designed to trip you up — it’s a checklist to confirm you’re protecting customer card data properly. For most Austrian businesses, you can complete the entire process in an afternoon.

Your payment processor sent you this questionnaire because the major card brands — Visa, Mastercard, American Express, and Discover — require every business that accepts cards to validate their security practices annually. The good news? The vast majority of small and medium businesses qualify for the simplest compliance options. You don’t need a team of security experts or expensive consultants. You just need to understand which form applies to your business and answer some straightforward questions about how you handle payments.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands to protect credit card information. Think of it as basic hygiene for businesses that accept card payments — like health codes for restaurants, but for payment security.

The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce compliance directly. Instead, your acquiring bank or payment processor — the company that handles your card transactions — enforces compliance by requiring you to complete an annual questionnaire and sometimes additional security scans.

Here’s why this matters to you:

  • Non-compliance fines from your processor can range from €50 to €500 per month
  • If there’s a data breach, you could be liable for thousands in forensic investigation costs and card replacement fees
  • Your processor could suspend your ability to accept card payments entirely
  • In Austria, GDPR violations related to payment card data can add additional penalties

The consequences sound severe because they can be — but here’s what the scare tactics don’t tell you: most small businesses can achieve compliance with minimal effort. If you use modern payment terminals or hosted checkout pages, you’re already doing most of what’s required.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit or debit cards in any form, yes. This includes:

  • Physical card readers in your shop
  • Online payments through your website
  • Taking card details over the phone
  • Mobile card readers attached to phones or tablets
  • Even if you only process a handful of transactions per year

Your merchant level determines how you validate compliance:

  • Level 4: Under 20,000 e-commerce transactions OR under 1 million total transactions annually (most small businesses)
  • Level 3: 20,000 to 1 million e-commerce transactions annually
  • Level 2: 1 to 6 million total transactions annually
  • Level 1: Over 6 million transactions annually

As a Level 4 merchant (which includes most Austrian small and medium businesses), you complete a Self-Assessment Questionnaire (SAQ) rather than hiring an external assessor. Your payment processor sends you the compliance questionnaire because they’re required to collect proof of compliance from every merchant in their portfolio.

That questionnaire they sent? It’s asking you to complete your annual PCI validation. They need this on file to satisfy the card brands that all their merchants are following security requirements.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in different versions based on how you accept payments. Here’s the decision tree in plain language:

Quick Reference Table

How You Accept Payments                                  SAQ Type  Number of Questions  Difficulty
-------------------------------------------------------  --------  -------------------  ----------
Redirect to payment processor (PayPal, Stripe Checkout)  SAQ A     22                   Easiest
E-commerce with payment fields on your site              SAQ A-EP  191                  Moderate
Standalone terminals only (no computer connection)       SAQ B     41                   Easy
Terminals connected to internet/computer                 SAQ B-IP  82                   Easy-Moderate
Mail/phone orders entered into virtual terminal          SAQ C-VT  85                   Moderate
Store card data or complex processing                    SAQ D     329                  Complex

Finding Your SAQ Type

If you have a physical location with card terminals:

  • Standalone terminals (Square, SumUp, or bank-provided terminals not connected to your computer) → SAQ B
  • Internet-connected terminals or terminals that communicate with your POS system → SAQ B-IP

If you run an e-commerce site:

  • Customers are redirected to PayPal, Stripe Checkout, or similar for payment → SAQ A
  • Payment fields are embedded on your site (even if data goes directly to processor) → SAQ A-EP
  • You collect card details on your site and pass them to a processor → SAQ D

If you take orders by phone or mail:

  • You enter card details into a virtual terminal web page → SAQ C-VT
  • You enter card details into your own system → SAQ D

Not sure? PCICompliance.com’s free SAQ Wizard asks you 5-6 simple questions about your payment setup and tells you exactly which questionnaire applies. It takes less than two minutes and removes all the guesswork.

How to Complete Your SAQ

Your Self-Assessment Questionnaire is a series of yes/no questions about your payment security practices. Despite the intimidating acronyms, the questions are straightforward:

  • Do you have a firewall? (Your internet router counts)
  • Do you change default passwords? (Yes, you changed your Wi-Fi password)
  • Do you have antivirus software? (Windows Defender counts)

For SAQ A (redirect to hosted checkout):
The 22 questions focus mainly on your policies and the basics of your website security. You’ll spend most of your time understanding the questions rather than implementing new controls.

For SAQ B or B-IP (card terminals):
The 40-80 questions cover physical security of terminals, password practices, and basic network security. If you keep terminals in a locked office and use strong passwords, you’re already doing most of what’s required.

Documentation You’ll Need

Before starting your questionnaire, gather:

  • Your payment processor agreement (shows your merchant ID)
  • List of all payment acceptance methods and devices
  • Your website URL (if applicable)
  • Terminal models and serial numbers
  • Basic network information (your internet provider details)

The Quarterly ASV Scan

If you have any internet-facing systems (including just a website), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor. Don’t panic — this sounds more complex than it is:

1. Sign up with an ASV (PCICompliance.com includes this service)
2. Enter your website URL or IP address
3. The scanner checks for common vulnerabilities
4. You get a report showing pass/fail
5. If anything fails, you fix it and rescan

Most modern websites pass on the first try. The scan takes about 10-20 minutes to run, and you’ll have results within an hour.

Submitting Your Compliance

Once you’ve completed your SAQ and passed your scan (if required):

1. Generate your Attestation of Compliance (AOC) — a formal declaration that you’ve met all requirements
2. Submit both documents to your payment processor through their portal
3. Save copies for your records
4. Set a reminder for next year

What It Costs

Let’s talk real numbers for PCI compliance in Austria:

Basic Compliance Tools:

  • SAQ completion platform: €10-30/month
  • Quarterly ASV scanning: €20-40/quarter (often included with platform)
  • Combined compliance platform: €200-500/year

If You Need Professional Help:

  • Consultant to guide SAQ completion: €500-2,000
  • Full QSA assessment (only for Level 1 merchants): €10,000-50,000

The Cost of NON-Compliance:

  • Monthly non-compliance fees: €50-500
  • Data breach forensic investigation: €20,000-100,000
  • Card replacement costs: €5-25 per compromised card
  • Lost ability to accept cards: Devastating for most businesses

Reality check: For most Austrian small businesses, annual compliance costs less than a single month’s non-compliance fee. It’s not an expense — it’s insurance against catastrophic costs.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done exercise. Your validation is good for one year, but you need to maintain security practices continuously:

Annual Requirements:

  • Complete your SAQ
  • Submit your AOC to your processor
  • Review and update security policies

Quarterly Requirements:

  • Run ASV vulnerability scans (if applicable)
  • Review scan results and fix any failures
  • Keep scan reports for your records

Ongoing Practices:

  • Keep payment software and terminals updated
  • Train staff on security practices when hired
  • Monitor for any changes to your payment environment

What Triggers a New Assessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or equipment
  • Significant changes to your network or systems
  • A security incident or breach

PCICompliance.com’s compliance dashboard tracks all these requirements automatically. You’ll get reminders before quarterly scans are due, alerts if anything needs attention, and a clear compliance status you can check anytime.

Frequently Asked Questions

What happens if I ignore the compliance questionnaire?

Your payment processor will start charging non-compliance fees (typically €50-500 monthly) and may eventually terminate your merchant account. Without a merchant account, you can’t accept card payments — essentially forcing you to be cash-only.

Is PCI compliance required by law in Austria?

PCI compliance isn’t explicitly required by Austrian law, but GDPR requires appropriate security measures for personal data. More importantly, your merchant agreement contractually requires PCI compliance — it’s not optional if you want to accept cards.

Can I just say ‘yes’ to all the questions?

The SAQ is a legal attestation. Falsely claiming compliance when you haven’t implemented the controls is fraud. If a breach occurs, you’ll be liable for all costs plus potential criminal charges.

What if I only process a few transactions per year?

Volume doesn’t matter — even one transaction per year requires compliance. However, very small merchants often qualify for the simplest SAQ types, making compliance relatively painless.

Do I need to hire a QSA?

Only Level 1 merchants (over 6 million transactions annually) require QSA assessments. Level 2-4 merchants complete self-assessments. Most Austrian businesses never need a QSA.

How do I know if my payment processor is PCI compliant?

Ask for their PCI DSS Attestation of Compliance. All legitimate payment service providers must maintain their own compliance and can provide documentation.

What’s the difference between PCI DSS and PA-DSS?

PCI DSS applies to your business as a merchant. PA-DSS applies to the payment software you might use. Your software vendor handles PA-DSS — you just need to worry about PCI DSS.

Can I outsource PCI compliance entirely?

You can outsource much of the technical work through tokenization and hosted payment pages, but you can’t outsource the responsibility. You’ll always have some compliance obligations, even if minimal with SAQ A.

Your Next Steps

PCI compliance for Austrian businesses doesn’t have to be overwhelming. Start by understanding which SAQ applies to your payment setup — that single piece of information tells you exactly what’s required. For most small merchants, you’re looking at 22-82 straightforward questions that confirm you’re following basic security practices you probably already have in place.

PCICompliance.com simplifies the entire process. Our free SAQ Wizard identifies your exact requirements in minutes. Our compliance platform guides you through each question with plain-language explanations. Our ASV scanning service handles your quarterly vulnerability scans automatically. And our compliance dashboard ensures you never miss a deadline or requirement. Whether you’re completing your first SAQ or maintaining year-round compliance, we provide the tools and support to protect your business and your customers’ card data. Start with our free SAQ Wizard to see just how straightforward compliance can be, or contact our team for personalized guidance on your specific situation.
