Apache Web Server PCI Fixes: A Beginner’s Guide to PCI Compliance
The Truth About PCI Compliance (It’s Not as Scary as You Think)
If your payment processor just sent you a PCI compliance questionnaire and you’re staring at it wondering what on earth PCI DSS means or why they’re asking about Apache vulnerabilities and other PCI issues, take a deep breath. For most small businesses, PCI compliance is far simpler than it first appears. Yes, you need to complete it. No, it doesn’t require an IT degree.
This guide will walk you through everything you need to know about PCI compliance in plain English. By the end, you’ll understand what your payment processor wants, which questionnaire you need to complete, and how to stay compliant without breaking the bank or losing your mind.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover — through an organization called the PCI Security Standards Council. Think of it as a security checklist that helps protect credit card data from hackers.
If you accept credit cards in any form — whether through a terminal, online, or over the phone — these requirements apply to you. The good news? The complexity of what you need to do depends entirely on how you handle card payments.
Your acquirer (the bank or payment processor that handles your card transactions) enforces these requirements. They’re the ones who sent you that compliance questionnaire, and they’re the ones who can fine you if you don’t comply.
What happens if you ignore PCI compliance? Your payment processor can:
- Fine you monthly (typically $5-100 for small merchants)
- Increase your processing rates
- Hold you liable for fraud losses
- Terminate your ability to accept credit cards
But here’s the important part: for most small businesses, achieving compliance takes just a few hours per year. The horror stories you’ve heard about PCI compliance usually involve large companies storing millions of card numbers. If you’re using modern payment tools like Square, Stripe, or PayPal, you’re already 90% of the way there.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards, yes.
It doesn’t matter if you process one transaction or one million. The moment you accept a credit card payment, you’re required to comply with PCI DSS. Even if you only take cards at craft fairs or through invoices, the requirements apply.
Most small businesses fall into Merchant Level 4 — processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. This is good news because Level 4 merchants have the simplest compliance requirements: complete a self-assessment questionnaire (SAQ) annually and run quarterly vulnerability scans if you have any internet-facing systems.
That compliance questionnaire your processor sent? It’s your annual PCI self-assessment. They need it to prove to the card brands that their merchants (you) are following security best practices. Think of it like renewing your business license — annoying but necessary to keep operating.
Which SAQ Do You Need?
The scariest part of PCI compliance for most business owners is figuring out which SAQ (Self-Assessment Questionnaire) applies to them. There are different versions based on how you accept and process payments, but here’s the breakdown in plain English:
Payment Scenarios and SAQ Types
| How You Take Payments | Your SAQ Type | Number of Questions | Difficulty |
|---|---|---|---|
| Redirect to payment provider (PayPal, Stripe Checkout) | SAQ A | 22 | Easy |
| E-commerce with payment fields on your site | SAQ A-EP | 139 | Moderate |
| Standalone terminal only (Square, Clover) | SAQ B | 41 | Easy |
| Terminal connected to internet | SAQ B-IP | 91 | Moderate |
| Mail order/telephone order only | SAQ C-VT | 83 | Moderate |
| You store card numbers (please stop!) | SAQ D | 329 | Very Hard |
Most common scenarios:
- Restaurant with a Square terminal: SAQ B or B-IP
- Online store using Shopify: SAQ A
- Service business taking cards over the phone: SAQ C-VT
- Retail store with a traditional terminal: SAQ B-IP
Not sure which one applies? PCICompliance.com’s free SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need. No technical knowledge required.
How to Complete Your SAQ
Once you know which SAQ you need, completing it is straightforward. The questionnaire contains yes/no questions about your security practices. Here’s what to expect:
The questions look like:
- “Do you change default passwords on payment systems?”
- “Is your payment terminal in a secure location?”
- “Do you have a firewall protecting your network?”
For each question, you need to answer honestly. “Yes” means you currently do this thing, you have documentation to prove it, and you’ll keep doing it. If you answer “no” to any required question, you’ll need to fix that issue before you can be compliant.
Documentation you’ll need:
- Network diagram (can be hand-drawn for small businesses)
- List of who has access to payment systems
- Your data retention policy (how long you keep receipts)
- Firewall configuration (your IT person can provide this)
The quarterly ASV scan sounds technical, but it’s actually automated. An Approved Scanning Vendor runs software that checks your internet-facing systems for vulnerabilities. If you don’t have any systems exposed to the internet (like a simple retail store with just a terminal), you may not need these scans. The scan takes about 30 minutes and costs $50-150 per scan.
Once you’ve answered all questions and passed any required scans, you’ll sign an Attestation of Compliance (AOC) — basically a form saying “yes, we did all this” — and submit it to your payment processor.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your size and complexity:
For most small businesses (SAQ A or B):
- Compliance platform with SAQ tools: $100-300/year
- Quarterly ASV scans (if required): $200-600/year
- Total annual cost: $100-900
If you need professional help:
- Consultant to help with first-time compliance: $500-2,000
- Full QSA assessment (only for Level 1 merchants): $10,000-50,000
Compare this to non-compliance costs:
- Monthly processor fines: $60-1,200/year
- Single data breach: $50,000-500,000 in liability
- Loss of card processing ability: priceless (in the bad way)
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not a profit center for your processor — they’d rather you be compliant than pay fines.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your processor will ask for updated documentation every year, and if you need ASV scans, those happen quarterly.
Set these reminders now:
- Annual SAQ due date (check your processor’s letter)
- Quarterly ASV scan dates (every three months)
- Password change reminders (every 90 days for payment systems)
- Annual review of who has access to payment systems
What triggers a new assessment:
- Changing payment processors
- Adding new payment channels (like starting e-commerce)
- Significant network changes
- Starting to store card numbers (don’t do this)
PCICompliance.com’s compliance dashboard tracks all these dates for you, sends reminders before deadlines, and keeps all your documentation in one place. No more scrambling when your processor asks for last year’s AOC.
Frequently Asked Questions
What if I only process a few transactions per year?
Transaction volume doesn’t matter for compliance requirements — if you accept even one credit card payment annually, you need to comply with PCI DSS. The good news is that low-volume merchants typically qualify for the simplest SAQ types.
Can I just tell my processor I’m compliant without doing the work?
Falsely attesting to compliance is fraud and makes you fully liable for any breach losses. If a breach occurs and you claimed compliance without actually doing the work, you could face hundreds of thousands in fines plus lose your ability to accept cards.
What’s the difference between PCI compliance and EMV?
EMV (chip cards) addresses the fraud liability shift, while PCI compliance addresses data security. You need both — EMV protects against counterfeit cards, while PCI protects against data breaches.
My payment processor says they handle PCI compliance for me. Is that true?
Payment processors can reduce your PCI scope through tokenization or hosted payment pages, but they can’t make you compliant. You still need to complete your applicable SAQ and protect any systems that interact with payment processing.
Do I need to hire an IT consultant to become compliant?
Most small businesses can achieve compliance without external help using compliance platforms and their payment processor’s guidance. Only consider hiring help if you’re storing card data or have complex payment systems.
What if I fail my vulnerability scan?
Failed scans are common on the first attempt — they usually flag outdated software or unnecessary services. Your ASV provides a report showing what to fix, and most issues can be resolved by applying updates or adjusting firewall rules.
How do I know if I’m storing card data?
Check your payment applications, databases, email systems, and paper files. If you can see full card numbers anywhere after the transaction completes, you’re storing card data and need to either stop or move to SAQ D.
Will my cyber insurance cover PCI fines?
Most policies exclude regulatory fines, including PCI non-compliance penalties. Cyber insurance typically covers breach response costs but not fines for failing to meet security standards.
Your Next Steps
PCI compliance might seem overwhelming at first glance, but for most small businesses, it’s a manageable annual task that protects both your business and your customers. The key is determining which SAQ applies to your payment setup and methodically working through the requirements.
Start by identifying your SAQ type using PCICompliance.com’s free SAQ Wizard — it takes five minutes and eliminates the guesswork. Once you know which questionnaire you need, our platform guides you through each requirement with plain-English explanations and tracks your progress. If you need quarterly ASV scans, our automated scanning service handles those too, with clear reports on any issues found and how to fix them.
Don’t let PCI compliance intimidate you. With the right tools and guidance, you can achieve compliance in a few hours and maintain it with minimal effort throughout the year. Your customers trust you with their payment data — PCI compliance helps you honor that trust while protecting your business from fines and liability. Whether you’re completing your first SAQ or renewing your annual compliance, PCICompliance.com provides everything you need in one simple platform. Get started today with our free SAQ Wizard or reach out to our compliance team for personalized guidance.