Brazil PCI Compliance
Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses in Brazil, PCI compliance is simpler than you think. You probably need to complete a short self-assessment questionnaire (SAQ) once a year and run quarterly security scans on your website. That’s it.
Here’s what matters: if you accept credit or debit cards — whether through a terminal, website, or phone — you need to be PCI compliant. The good news? Most small merchants qualify for the simplest compliance requirements. This guide will walk you through exactly what you need to do, step by step.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. Think of it as basic security hygiene for businesses that accept card payments — like locking your doors at night or password-protecting your computer.
The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through an organization called the PCI Security Standards Council. But here’s the important part: your acquirer (the bank or payment processor that handles your card transactions) is the one who enforces these requirements and sends you that compliance questionnaire.
What Happens If You’re Not Compliant?
The consequences of non-compliance are real but manageable:
- Monthly fines from your payment processor (typically R$500-5,000 per month)
- Liability for fraud if card data gets stolen from your business
- In extreme cases, losing the ability to accept card payments
But before you panic — remember that most small businesses can achieve compliance in an afternoon. The horror stories you might have heard usually involve large companies storing millions of card numbers, not small businesses using modern payment systems.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit or debit cards in any form, yes. This includes:
- Card machines or terminals in your store
- Online payments through your website
- Phone orders where customers give you their card number
- Mobile card readers attached to phones or tablets
Understanding Your Merchant Level
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants, which means:
- You process fewer than 20,000 Visa transactions per year (or up to 1 million for other card brands)
- You complete a self-assessment questionnaire (SAQ) instead of hiring an external assessor
- You submit quarterly vulnerability scans if you have a website
Your payment processor’s compliance questionnaire is their way of verifying you meet these requirements. They’re required by the card brands to ensure all their merchants maintain compliance.
Which SAQ Do You Need?
The SAQ (Self-Assessment Questionnaire) you need depends entirely on how you accept payments. Think of it as choosing the right form at the tax office — pick the one that matches your situation.
Here’s the decision tree in plain language:
| How You Accept Payments | SAQ Type | Complexity |
|---|---|---|
| Terminal only (like Square, Cielo, Stone) | SAQ B | Simple (20-30 questions) |
| Terminal with internet connection | SAQ B-IP | Simple (80-90 questions) |
| E-commerce with hosted checkout (Shopify, PagSeguro, Mercado Pago) | SAQ A | Simplest (20 questions) |
| E-commerce with payment form on your site | SAQ A-EP | Moderate (130+ questions) |
| Phone/mail orders only | SAQ C-VT | Moderate (80-90 questions) |
| Multiple channels or storing card data | SAQ D | Complex (300+ questions) |
Common Scenarios for Brazilian Merchants
If you run a retail store with a Cielo or Stone terminal, you’re likely SAQ B or SAQ B-IP. The difference? B-IP is for terminals connected to the internet.
If you have an online store using Shopify, WooCommerce with Mercado Pago, or similar platforms where customers are redirected to pay, you’re likely SAQ A — the simplest one.
If you take orders over the phone and type card numbers into a virtual terminal, you’re SAQ C-VT.
If you’re storing card numbers in a spreadsheet or database (please stop doing this immediately), you’re SAQ D — the most complex questionnaire.
Not sure which one fits? Use PCICompliance.com’s SAQ Wizard — answer a few simple questions about your payment setup, and we’ll tell you exactly which SAQ applies to your business.
How to Complete Your SAQ
Once you know which SAQ you need, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices.
What the Questions Look Like
Each question asks about a specific security control. For example:
- “Do you change default passwords on payment terminals?”
- “Is your payment page secured with HTTPS?”
- “Do you have a firewall protecting your network?”
When you answer “yes,” you’re confirming you have that security measure in place. If you answer “no,” you’ll need to implement it or explain why it doesn’t apply to your business.
Documentation You’ll Need
Gather these items before starting:
- Network diagram (can be hand-drawn) showing how payments flow
- List of payment systems and software you use
- Security policies (even simple ones count)
- Vendor agreements with your payment processor
The Quarterly ASV Scan
If you have any web presence — even just a simple website without payment functionality — you need quarterly ASV scans. An Approved Scanning Vendor checks your website for security vulnerabilities four times per year.
The scan is automated and usually takes 15-30 minutes. You’ll receive a report showing any vulnerabilities found. Fix any critical issues, rescan, and you’re done. Most modern websites pass on the first try.
Submitting Your Compliance
After completing your SAQ and passing your ASV scan (if required), you’ll receive an Attestation of Compliance (AOC). This is the official document you submit to your payment processor proving you’re compliant. Most processors have an online portal where you upload this annually.
What It Costs
Let’s talk real numbers. For most Level 4 merchants, annual PCI compliance costs include:
Compliance Platform and Tools
- Basic SAQ completion tools: R$500-1,500 per year
- Full compliance platforms with guidance: R$1,500-5,000 per year
- PCICompliance.com’s platform: competitive pricing with all features included
ASV Scanning
- Quarterly scans: R$300-1,000 per quarter
- Many compliance platforms include ASV scanning
- Some payment processors provide it free
If You Need a QSA
Most small merchants don’t need a Qualified Security Assessor. But if you do:
- Level 1 merchants must have a QSA assessment
- Costs range from R$50,000-200,000 annually
- Only applies if you process over 6 million transactions per year
The Cost of NON-Compliance
Here’s what you risk by ignoring PCI:
- Monthly non-compliance fees: R$500-5,000
- Breach liability: R$100-500 per compromised card
- Forensic investigation costs: R$50,000-500,000
- Lost ability to accept cards: priceless
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s simply good business.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly touchpoints. Here’s how to stay on track:
Annual Requirements
- Complete your SAQ every 12 months
- Update your network diagram if anything changes
- Review and update security policies
- Ensure your AOC is current and submitted
Quarterly Requirements
- Run ASV scans every 90 days (if applicable)
- Review scan results and fix any issues
- Keep passing scan reports for your records
What Triggers a New Assessment
Certain changes require immediate action:
- Switching payment processors or adding new payment methods
- Moving from SAQ A to accepting phone orders (now SAQ C-VT)
- Starting to store card data (now SAQ D)
- Significant network or system changes
PCICompliance.com’s compliance dashboard tracks all these requirements automatically. You’ll get reminders before scans are due, alerts if compliance lapses, and a clear view of your status year-round.
FAQ
I’m just a small business. Do I really need to worry about this?
Yes, but it’s simpler than you think. If you accept cards, you need to be compliant regardless of business size. The good news? Small businesses typically need only the simplest SAQ types, which take 1-2 hours to complete annually.
What’s the difference between PCI compliance and data protection laws like LGPD?
PCI DSS specifically protects payment card data, while Brazil’s LGPD covers all personal data. You need to comply with both, but they serve different purposes. PCI focuses on card security; LGPD focuses on privacy rights.
My payment processor handles everything. Am I still responsible?
Yes, you’re still responsible for your part. Even if you use fully hosted payment solutions, you need to complete an SAQ confirming you’re not doing anything to compromise security. Think of it as shared responsibility.
How long does the SAQ take to complete?
For most small merchants, 1-2 hours. SAQ A has about 20 questions. SAQ B has 30-40. If you know your payment setup, you can complete these in an afternoon.
What if I fail my ASV scan?
Fix the issues and rescan. Most failures are minor — outdated software, unnecessary services running. Your ASV report tells you exactly what to fix. You can rescan as many times as needed.
Can I just ignore this until my processor complains?
That’s expensive thinking. Non-compliance fees start immediately and compound monthly. Plus, you’re liable for any fraud. The time you spend avoiding compliance costs far more than just doing it.
Do I need to hire a security consultant?
Probably not. Unless you’re processing millions of transactions or handling complex payment scenarios, you can achieve compliance using self-service tools and guides. Save consultants for when you genuinely need expert help.
What if I only accept payments through PayPal or Mercado Pago?
You still need compliance, but it’s minimal. If you redirect all payments to third-party processors and never touch card data, you qualify for SAQ A — just 20 questions confirming you’re not interfering with the secure redirect.
Conclusion
Brazil PCI compliance doesn’t have to be overwhelming. For most businesses, it’s a matter of completing a straightforward questionnaire once a year and running quarterly security scans. The entire process takes less time than you’ve probably already spent worrying about it.
Start by identifying which SAQ type fits your payment methods. Use PCICompliance.com’s free SAQ Wizard to get an instant answer based on your specific setup. Our platform then guides you through every question, handles your ASV scanning requirements, and tracks your compliance status year-round.
Remember: the cost of compliance is minimal compared to the risk of fines and fraud liability. More importantly, these security practices protect your customers’ data and your business reputation. Whether you’re ready to complete your SAQ today or just want to understand your requirements better, PCICompliance.com provides the tools and support to make PCI compliance manageable for businesses of any size.
Don’t wait for non-compliance fees to start accumulating. Take control of your PCI compliance today — your future self (and your customers) will thank you.