Checkout.com PCI Compliance
Bottom Line Up Front
If you just received a PCI compliance questionnaire from Checkout.com and you’re feeling overwhelmed, take a deep breath. For most small businesses using Checkout.com’s payment services, PCI compliance is simpler than you think. You’re likely looking at filling out a short questionnaire once a year and running quarterly security scans — tasks that typically take a few hours total.
Here’s what you actually need to know: Yes, you need to be PCI compliant if you accept credit cards. Yes, Checkout.com requires it as part of their merchant agreement. And yes, we’ll walk you through exactly what to do. Most small businesses using Checkout.com’s hosted payment solutions qualify for the simplest compliance requirements.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. Think of it as a checklist of security practices that anyone handling credit cards must follow — from massive retailers to single-person online shops.
The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, JCB) through an organization called the PCI Security Standards Council (PCI SSC). But here’s the important part: your acquirer or payment processor — in this case, Checkout.com — is the party that actually enforces these requirements and asks you for proof of compliance.
Why Does This Matter to You?
The consequences of non-compliance are real but manageable if you understand what’s expected:
- Fines from your processor: Checkout.com can charge monthly non-compliance fees (typically $25-$100/month for small merchants)
- Liability if there’s a breach: Without compliance, you could be responsible for fraud losses and card replacement costs
- Loss of card processing: In extreme cases, you could lose the ability to accept credit cards entirely
Here’s the good news: most small businesses qualify for the simplest SAQ (Self-Assessment Questionnaire) types, which can be completed in an afternoon. You’re not facing the same requirements as a major retailer — the PCI DSS scales to your business size and how you handle payments.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes. It doesn’t matter if you process one payment a year or thousands daily — PCI compliance applies to every business that touches credit card data.
Your Merchant Level
Most small businesses fall into Merchant Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news — Level 4 merchants have the simplest compliance requirements:
- Complete an annual Self-Assessment Questionnaire (SAQ)
- Run quarterly ASV scans if you have any internet-facing systems
- Submit an Attestation of Compliance (AOC) to Checkout.com
What Checkout.com Expects From You
When Checkout.com sends you that compliance questionnaire, they’re essentially saying: “Show us you’re protecting cardholder data according to PCI standards.” They need this documentation to satisfy their own compliance requirements with the card brands.
That questionnaire probably includes:
- A request to complete a specific SAQ type
- Instructions for setting up quarterly vulnerability scans
- A deadline for submission (usually 30-90 days)
- Links to their compliance portal or partner
Which SAQ Do You Need?
The SAQ is your primary compliance document — a yes/no questionnaire about your security practices. There are different SAQ types based on how you accept and process payments. Here’s how to determine yours:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Checkout.com hosted payment page (customer redirected) | SAQ A | 22 | Simplest |
| Checkout.com Frames or payment fields on your site | SAQ A-EP | 191 | Moderate |
| Physical terminal only (no e-commerce) | SAQ B or B-IP | 41 or 82 | Simple |
| Taking payments over the phone | SAQ C-VT | 160 | Moderate |
| Storing card numbers (please reconsider) | SAQ D | 329 | Complex |
Common Checkout.com Scenarios
Using Checkout.com’s Hosted Payment Page: If customers are redirected to Checkout.com’s servers to enter payment information, you qualify for SAQ A — the simplest questionnaire with just 22 questions.
Using Checkout.com Frames: If you’re embedding Checkout.com’s payment fields directly on your website, you’re looking at SAQ A-EP. While more involved than SAQ A, it’s still manageable for most businesses.
Phone Orders: If you take card details over the phone and enter them into a virtual terminal or your website, that’s SAQ C-VT territory.
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ you need — no guesswork required.
How to Complete Your SAQ
Once you know your SAQ type, the actual completion process is straightforward:
What the Questionnaire Looks Like
Your SAQ consists of yes/no questions about your security practices. For example:
- “Do you have a firewall protecting your payment systems?”
- “Are passwords required to access payment data?”
- “Do you install security patches regularly?”
Important: Answering “yes” means the control is actually in place today, not that you plan to implement it. If you answer “no” to a requirement, you’ll need to implement that security control before you can be compliant.
Documentation You’ll Need
Before starting your SAQ, gather:
- Network diagram (even a simple sketch works for small businesses)
- List of who has access to payment systems
- Security policies (password requirements, acceptable use, etc.)
- Vendor agreements showing PCI compliance (like Checkout.com’s AOC)
The Quarterly ASV Scan
If you have any internet-facing systems (website, email server, etc.), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan checks for security holes in your public-facing systems.
What to expect:
- Schedule your first scan after registering with an ASV
- The scan runs automatically (usually takes 30-60 minutes)
- You’ll receive a report showing any vulnerabilities
- Fix any failing issues and rescan
- Submit passing scan reports quarterly
Submitting Your Compliance
Once you’ve completed your SAQ and have passing ASV scans:
1. Generate your Attestation of Compliance (AOC) — a formal declaration that you’ve met all requirements
2. Submit both documents through Checkout.com’s compliance portal
3. Set reminders for next quarter’s scan and next year’s assessment
What It Costs
Let’s talk real numbers. PCI compliance costs vary, but for most small businesses using Checkout.com:
Compliance Tools and Services
- SAQ completion platform: $200-500/year for guided questionnaire tools
- Quarterly ASV scanning: $200-400/year for four scans
- Combined compliance platforms: $300-800/year for both SAQ and scanning
If You Need Extra Help
- Consultant assistance: $500-2,000 for help completing your first SAQ
- QSA services: $5,000-50,000 (only required for Level 1 merchants or if you have a breach)
The Cost of NON-Compliance
- Monthly non-compliance fees: $25-100/month from Checkout.com
- Breach liability: Average small merchant breach costs $35,000-100,000
- Lost business: Damage to reputation and potential loss of card processing
Honest assessment: For most small merchants, annual compliance costs less than a single non-compliance fine from Checkout.com. It’s insurance you can’t afford to skip.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an ongoing commitment to protecting cardholder data. Here’s how to stay on track:
Annual Requirements
- Complete your SAQ every year (Checkout.com will send reminders)
- Update your documentation if anything changes
- Renew your AOC annually
Quarterly Requirements
- Run ASV scans every 90 days
- Fix any vulnerabilities found
- Keep scan reports for your records
When Things Change
Certain changes trigger a reassessment:
- New payment channels (adding phone orders, mobile payments)
- New payment providers or processors
- Major website changes affecting payment flow
- Business growth crossing merchant level thresholds
Making It Easy
Set calendar reminders for:
- Quarterly scan due dates (every 90 days)
- Annual SAQ renewal (same month each year)
- Policy review dates
- Security update schedules
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and keeping your compliance documentation organized in one place.
FAQ
I’m just a small business. Do I really need to worry about PCI compliance?
Yes, but don’t panic. Size doesn’t exempt you from PCI requirements, but it does determine how simple those requirements are. Most small businesses using Checkout.com qualify for the simplest SAQ types, which can be completed in a few hours annually.
What happens if I ignore Checkout.com’s compliance request?
Checkout.com will likely start charging monthly non-compliance fees ($25-100 typically). More seriously, if there’s a breach, you’ll be liable for fraud losses, investigation costs, and card replacement fees. Eventually, they could terminate your merchant account.
I don’t store any credit card numbers. Do I still need to comply?
Yes. PCI compliance applies to anyone who accepts, processes, stores, or transmits credit card data — even if you never store it. The good news is that not storing data qualifies you for simpler SAQ types.
How often do I need to complete PCI requirements?
Annually for your SAQ and AOC, quarterly for ASV scans (if required). Think of it like business insurance — you renew yearly but check in quarterly to ensure everything’s still secure.
Can I just pay someone to handle this for me?
Absolutely. Many consultants and managed service providers offer PCI compliance services. For small businesses, expect to pay $500-2,000 annually for someone to handle your SAQ, scans, and documentation.
What’s the difference between SAQ A and SAQ A-EP?
SAQ A applies when customers are completely redirected away from your website to enter payment information. SAQ A-EP applies when payment fields appear on your website but card data goes directly to the processor (like with Checkout.com Frames). SAQ A has 22 questions; SAQ A-EP has 191.
Do I need to hire a QSA?
Probably not. Only Level 1 merchants (processing over 6 million transactions annually) require a QSA assessment. Level 4 merchants (most small businesses) can self-assess using the appropriate SAQ.
What if I fail my ASV scan?
Don’t worry — failing initially is common. The scan report will list specific vulnerabilities to fix. Address these issues (usually updating software or adjusting firewall rules), then request a rescan. You need a passing scan once per quarter.
Conclusion
PCI compliance with Checkout.com doesn’t have to be overwhelming. For most small businesses, it’s a matter of completing the right self-assessment questionnaire, running quarterly scans if you have a website, and submitting your documentation annually. Yes, it requires some time and attention, but far less than dealing with a data breach or losing your ability to accept credit cards.
The key is identifying which SAQ applies to your specific setup with Checkout.com and staying organized with your compliance tasks. Whether you’re using their hosted payment page (SAQ A), embedded frames (SAQ A-EP), or another integration method, there’s a clear path to compliance.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team about creating a custom compliance plan for your Checkout.com integration. We’ve helped thousands of merchants navigate PCI requirements, and we’re here to make your compliance journey as simple as possible.