Certificate Chain Issues PCI
What You Need to Know Right Away
If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed — take a breath. For most small businesses, PCI compliance is actually much simpler than it sounds. You probably don’t need to worry about complex technical issues like certificate chain validation unless you’re running your own e-commerce servers. This guide will help you understand what PCI compliance really means for your business and how to get through that questionnaire without the technical headaches.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules designed to protect credit card information. If your business accepts credit cards — whether through a terminal, website, or over the phone — these rules apply to you.
The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But here’s the important part: your payment processor or acquiring bank is the one who actually enforces them. That’s why they sent you that compliance questionnaire.
What Happens If You’re Not Compliant?
Non-compliance isn’t just a bureaucratic hassle — it comes with real consequences:
- Monthly fines from your payment processor (typically $5-100 per month)
- If there’s a data breach, you could be liable for fraud losses and investigation costs
- In extreme cases, you could lose the ability to accept credit cards entirely
But here’s the good news: most small businesses qualify for the simplest compliance requirements. You’re not facing the same standards as Target or Home Depot. Your compliance process is likely a straightforward questionnaire that takes 30-60 minutes to complete.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a tiny coffee shop with one Square terminal or an online store processing thousands of transactions — PCI compliance applies to you.
Your Merchant Level
Your merchant level determines how much compliance documentation you need. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news — Level 4 merchants have the simplest compliance requirements.
What Your Payment Processor Expects
Your payment processor sent that questionnaire because they’re required to verify that every merchant in their portfolio maintains PCI compliance. They need:
- A completed Self-Assessment Questionnaire (SAQ)
- An Attestation of Compliance (AOC) — basically your signature saying the information is accurate
- For some SAQ types, proof of quarterly vulnerability scans
Miss the deadline, and they’ll likely start charging non-compliance fees. Complete it on time, and you’re good for another year.
Which SAQ Do You Need?
The Self-Assessment Questionnaire comes in several versions, each designed for different payment scenarios. Here’s how to figure out which one applies to your business:
| How You Accept Payments | Your SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Redirect to payment provider (PayPal, Stripe Checkout) | SAQ A | 22 | Simplest |
| E-commerce with payment fields on your site | SAQ A-EP | 191 | Moderate |
| Standalone terminals only (Square, Clover) | SAQ B | 41 | Simple |
| Terminals connected to your network | SAQ B-IP | 82 | Moderate |
| Taking cards over the phone | SAQ C-VT | 83 | Moderate |
| Storing card numbers (please reconsider!) | SAQ D | 329+ | Complex |
Common Scenarios
If you use Square, Clover, or similar terminals: You’re likely SAQ B if the terminal uses a cellular or dial-up connection, or SAQ B-IP if it connects through your internet.
If you have an e-commerce site: Using a hosted checkout page (where customers are redirected to PayPal or Stripe)? That’s SAQ A. If payment fields appear on your website, you’re looking at SAQ A-EP.
If you take payments over the phone: You’ll need SAQ C-VT for virtual terminal environments.
If you store credit card numbers: You’re in SAQ D territory — the most complex questionnaire with over 300 questions. Consider switching to tokenization or a payment service that handles storage for you.
Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need.
How to Complete Your SAQ
Once you know which SAQ applies, the actual completion process is straightforward. Most questions are yes/no format, asking about your security practices.
What “Yes” Really Means
When the questionnaire asks “Do you restrict physical access to cardholder data?” — they’re not expecting Fort Knox. For a small business, “yes” might mean:
- Your payment terminal is behind the counter, not accessible to customers
- Your office is locked when no one’s there
- You don’t leave credit card receipts lying around
Documentation You’ll Need
Gather these before you start:
- Your network setup (even a simple diagram helps)
- List of who has access to payment systems
- Any security policies you’ve written down
- Password requirements for your systems
The Quarterly Scan Requirement
If your SAQ type requires quarterly ASV scans (SAQ A-EP, B-IP, C, and D), you’ll need to work with an Approved Scanning Vendor. These automated scans check your internet-facing systems for vulnerabilities. Schedule one each quarter, fix any critical issues found, and submit the passing scan report with your compliance documentation.
Submitting Your Compliance Package
Once complete, you’ll submit:
- Your completed SAQ
- The signed Attestation of Compliance (AOC)
- Passing scan reports (if required)
- Any additional documentation your processor requests
Most processors have an online portal where you upload these documents. Some work with compliance platforms like PCICompliance.com that submit directly on your behalf.
What It Costs
Let’s talk real numbers — PCI compliance doesn’t have to break the bank.
Compliance Tools and Platform Costs
- SAQ completion tools: $100-500 annually
- Compliance management platforms: $200-1,000 annually depending on features
- DIY approach: Technically free, but factor in your time
Quarterly Scanning
If you need ASV scans, budget:
- Basic scanning service: $200-500 annually for four quarterly scans
- Scanning with remediation support: $500-1,500 annually
When You Need Professional Help
Most small merchants don’t need a QSA. But if you’re processing high volumes or handling complex payment scenarios:
- QSA consultation: $500-2,000 for guidance
- Full QSA assessment (Level 1 merchants): $10,000-50,000+
The Cost of Non-Compliance
Here’s what motivates most merchants:
- Monthly non-compliance fees: $25-100 from your processor
- Data breach costs: Average $150,000+ for small businesses
- Lost business: Customers don’t trust merchants who mishandle card data
For most small merchants, annual compliance costs less than two months of non-compliance fees — and far less than a single data breach.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly touchpoints.
Setting Up Your Compliance Calendar
Mark these dates:
- Annual SAQ due date (check your processor’s requirements)
- Quarterly scan windows (if applicable)
- Policy review dates (update as your business changes)
What Triggers a New Assessment
Certain changes require updating your compliance:
- Switching payment processors or adding new payment methods
- Moving from retail-only to e-commerce
- Changing how you handle or store card data
- Major network or system changes
Making It Manageable
The easiest approach? Use a compliance management platform that tracks your requirements and sends reminders. PCICompliance.com’s dashboard shows your compliance status at a glance, alerts you before deadlines, and stores all your documentation in one place.
FAQ
Q: What if I only process a few transactions per month?
A: Transaction volume doesn’t exempt you from PCI compliance. Even one transaction means you need to comply. However, low volume typically means you’re a Level 4 merchant with the simplest requirements.
Q: Can I just use PayPal/Square and avoid all this?
A: Using third-party processors definitely simplifies compliance, but doesn’t eliminate it entirely. You’ll likely qualify for SAQ A or B, the simplest questionnaires. Your processor still needs documentation showing you’re protecting any card data you do handle.
Q: What’s the difference between PCI compliance and EMV?
A: EMV (chip cards) is about authentication — making sure the card is legitimate. PCI compliance is about protecting card data throughout your business. You need both, but they serve different purposes.
Q: Do I need to hire a security consultant?
A: Most small businesses don’t need professional help for basic SAQ completion. If you’re processing high volumes, storing card data, or facing complex technical requirements, a consultant can help. Start with your SAQ — you might find it’s simpler than expected.
Q: What if I fail a vulnerability scan?
A: Don’t panic — failing scans are common on the first try. The scan report shows exactly what needs fixing. Most issues are routine updates or configuration changes. Fix the critical findings, rescan, and you’ll likely pass.
Q: How do I know if my compliance is actually complete?
A: You’ll receive confirmation from your processor once they accept your documentation. Most send an email confirmation or update your status in their merchant portal. Keep this confirmation for your records.
Q: Can I complete the SAQ myself or do I need IT help?
A: Many business owners complete SAQ A and B themselves — the questions are straightforward. For technical questionnaires (A-EP, C-VT, D), you might want IT assistance. The questionnaire itself guides you through what’s needed.
Q: What if my business model doesn’t fit any SAQ type perfectly?
A: This happens more than you’d think. Contact your processor or use a tool like PCICompliance.com’s SAQ Wizard for guidance. Sometimes you’ll need to complete the next-higher SAQ type or work with a QSA to document your specific situation.
Conclusion
PCI compliance might seem overwhelming at first glance, but for most small businesses, it’s a manageable annual task. You’re likely looking at a simple questionnaire, maybe some automated scans, and basic documentation — not the complex certificate chain validation issues that large enterprises face.
The key is understanding which requirements actually apply to your business. Once you know your SAQ type, the path forward becomes clear. And remember — this isn’t just about checking boxes for your processor. These security practices genuinely protect your business and your customers from fraud and data breaches.
Ready to tackle that compliance questionnaire? PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team if you need guidance. We’ve helped thousands of merchants navigate PCI compliance, and we’re here to make sure you’re not doing it alone.