Frequently Asked Questions
Everything you need to know about PCI DSS, scans, SAQs, and how we help you stay compliant — all in plain English.
PCI DSS Basics
Foundational questions about PCI compliance.
What is PCI DSS compliance?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for businesses that store, process, or transmit credit card data. It was created by Visa, Mastercard, American Express, Discover, and JCB to protect cardholder information and reduce fraud. If you accept credit card payments, PCI compliance is required — not optional.
Do I need to be PCI compliant if I use Stripe, PayPal, or Square?
Yes. Even if you never see card data directly, you are still responsible for PCI compliance. Using a PCI-compliant payment processor doesn’t make you compliant — it just simplifies your requirements. Typically, this means completing SAQ A (the simplest form) and ensuring your integrations are secure.
What happens if I’m not PCI compliant?
Non-compliance can result in fines from $5,000 to $100,000 per month from your acquiring bank or payment processor. You may also face higher transaction fees, loss of the ability to accept credit cards, and significant liability if a data breach occurs. Most importantly, your customers’ payment data is at risk.
Who enforces PCI DSS?
PCI DSS is enforced by the payment card brands (Visa, Mastercard, etc.) through your acquiring bank or payment processor. Your acquirer determines your merchant level, receives your attestation documents, and can impose fines for non-compliance.
What are the 12 PCI DSS requirements?
PCI DSS has 12 requirement categories covering areas like firewalls, encryption, access control, vulnerability management, and security policies. Not all requirements apply to every business — your SAQ type determines which ones you must address. See our PCI DSS overview page for a complete breakdown.
Self-Assessment Questionnaires (SAQs)
Understanding which SAQ you need and how to complete it.
What is an SAQ?
A Self-Assessment Questionnaire (SAQ) is a form that businesses use to assess and document their PCI compliance based on how they handle cardholder data. There are multiple SAQ types (A, A-EP, B, B-IP, C, C-VT, P2PE, D) depending on your payment setup. Most small to mid-sized businesses use SAQs rather than full audits.
How do I know which SAQ I need?
Your SAQ type depends on how you accept and process payments. For example, if you use a fully hosted checkout (like Shopify Payments), you likely need SAQ A. If you have a website that hosts payment elements, you may need SAQ A-EP. Our free assessment tool will determine the right SAQ for your business in minutes.
Can you help us fill out the SAQ?
Yes! Our team provides step-by-step assistance tailored to your business type and merchant level. We explain each question in plain English, help you understand what evidence you need, and ensure you answer accurately. Our SAQ wizard makes the process fast and stress-free.
What’s the difference between SAQ A and SAQ A-EP?
SAQ A is for merchants who completely outsource payment processing — customers are redirected to a third-party payment page (like Stripe Checkout). SAQ A-EP applies when your website hosts elements that can impact card security, like JavaScript-based payment forms, even if you don’t store card data. SAQ A-EP has more requirements and needs quarterly ASV scans.
How often do I need to complete the SAQ?
SAQs must be completed annually. You’ll also need to revalidate if you make significant changes to how you process payments. Your attestation of compliance (AOC) is typically valid for one year from the date you complete it.
What is an AOC?
An Attestation of Compliance (AOC) is the formal document that proves you’ve completed your PCI assessment. It’s generated when you finish your SAQ and is submitted to your acquiring bank or payment processor. We automatically generate your AOC when you complete your SAQ through our platform.
Vulnerability Scanning
Questions about ASV scans and quarterly assessments.
What is an ASV scan?
An ASV (Approved Scanning Vendor) scan is an external vulnerability assessment performed by a company certified by the PCI Security Standards Council. The scan checks your public-facing systems for security weaknesses, misconfigurations, and known vulnerabilities that could put cardholder data at risk.
How often do I need to do a PCI scan?
If your SAQ type requires vulnerability scanning, it must be performed by an ASV every 90 days (quarterly). You also need scans after any significant changes to your infrastructure. SAQ A and SAQ B typically don’t require ASV scans; most other SAQ types do.
What happens if I fail a scan?
Don’t panic — it’s common for first scans to identify issues. You’ll receive a detailed report showing what failed and why, with severity ratings and remediation guidance. We help you fix the issues (called remediation) and perform free re-scans until you pass. Most issues can be resolved within days.
How long does a scan take?
Most scans complete in under an hour, depending on the number of IP addresses and services being scanned. Larger environments with many targets may take longer. You’ll receive your results immediately after the scan finishes.
Do I need internal scans too?
Yes, if your SAQ requires them (SAQ C, D, and others). Internal scans check systems inside your network and can be performed by your own team or a third party — they don’t need to be done by an ASV. However, ASV external scans must be performed by a certified vendor.
Will the scan affect my website or systems?
ASV scans are designed to be non-disruptive. They probe your systems for vulnerabilities without exploiting them or affecting performance. You can schedule scans during off-peak hours if you prefer, but most businesses run them during normal operations without any impact.
About Our Service
How PCICompliance.com helps you get and stay compliant.
How long does it take to get compliant?
Most small businesses can become compliant in 1-2 weeks. Simple setups (SAQ A) can often be completed in a few hours. More complex environments may take longer, especially if scan remediation is needed. Our expert guidance streamlines the process for faster results.
What is included in your plans?
All plans include ASV vulnerability scanning, SAQ guidance, compliance support, and expert remediation help. Our Business and Pro plans also include policy templates, priority support, and additional features. Plans start at $149/year. See our pricing page for full details.
Is PCICompliance.com an Approved Scanning Vendor?
We partner with ASV-certified providers to deliver fully compliant vulnerability scans. This ensures your scan reports are accepted by banks and processors. Our platform integrates scanning, SAQ completion, and documentation into one seamless experience.
Do you offer support if I get stuck?
Absolutely! Our team of PCI experts is available to help you through every step. Whether you have questions about your SAQ, need help understanding scan results, or aren’t sure how to fix a vulnerability, we’re here to guide you. Support is included with all plans.
Can you help with Level 1 compliance or ROC assessments?
Yes. While our self-service platform is ideal for Level 2-4 merchants, we also offer gap analysis, penetration testing, and compliance-as-a-service for larger organizations preparing for QSA audits and ROC assessments.
How do I get started?
Simply start your free assessment. Answer a few questions about your business and payment setup, and we’ll determine your SAQ type and compliance requirements. From there, you can complete your SAQ, run scans, and get compliant — all in one platform.
Pricing & Plans
Common questions about costs and billing.
How much does PCI compliance cost?
Our plans start at $149/year, which includes SAQ guidance and quarterly ASV scanning. This is far less than the potential cost of non-compliance fines ($5,000-$100,000/month) or the devastating impact of a data breach.
Are there any hidden fees?
No hidden fees. Our pricing is transparent and all-inclusive. Your plan covers scanning, SAQ completion, documentation, and support. Unlimited rescans are included at no extra cost.
Do you offer monthly billing?
We offer both monthly and annual billing options. Annual plans provide the best value with significant savings compared to monthly billing. All plans include the same features and support.
Your PCI Compliance Questions, Answered
We know PCI DSS compliance can seem complicated — that’s why we’ve compiled answers to the most common questions we hear from merchants, developers, and compliance teams. From understanding what PCI DSS is to navigating SAQ selection and passing your first vulnerability scan, this FAQ covers it all.
Our goal is to make PCI compliance simple, understandable, and achievable for businesses of all sizes. We explain everything in plain English, without the confusing jargon that makes compliance feel overwhelming.
Can’t find the answer you’re looking for? Our expert team is here to help. Reach out anytime and we’ll guide you through whatever questions or challenges you’re facing on your compliance journey.
Still Have Questions?
No problem — our experts are here to help. We’ll guide you every step of the way.
Talk to an Expert
Free assessment • Plain-English guidance • Expert support