DNS Security Issues PCI
The Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and you’re wondering about DNS security PCI scan requirements, here’s what you need to know: for most small businesses, PCI compliance is much simpler than it sounds. Yes, you need to be compliant if you accept credit cards. No, it doesn’t have to be overwhelming. And those DNS security warnings from your vulnerability scan? They’re usually straightforward to fix. This guide will walk you through everything in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to every business that accepts, processes, stores, or transmits credit card information. Think of it as basic security hygiene for businesses that handle payment cards.
The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through the PCI Security Standards Council (PCI SSC). But here’s who actually enforces them: your acquirer (the bank that processes your card payments) or your payment processor (companies like Square, Stripe, or PayPal). That’s why you received that compliance questionnaire from them, not from Visa directly.
What happens if you ignore PCI compliance? Your payment processor can fine you (typically $5,000 to $100,000 per month), you become liable for fraud losses if there’s a breach, and in extreme cases, you could lose your ability to accept credit cards entirely. One data breach without proper compliance could cost hundreds of thousands in fines, forensic investigations, and liability.
Here’s the good news: most small businesses qualify for the simplest compliance requirements. If you’re using modern payment systems like Square terminals or Stripe’s hosted checkout, you’re already doing most of what’s required. The compliance process is mostly about documenting what you’re already doing right.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you’re a food truck with a mobile reader, an online boutique, or a dental office — if customers can pay with plastic, PCI DSS applies to you.
Your merchant level determines how much documentation you need:
- Level 4 (under 20,000 e-commerce transactions or under 1 million total transactions annually): Most small businesses fall here — you complete a self-assessment questionnaire
- Level 3 (20,000 to 1 million e-commerce transactions): Still self-assessment, but with quarterly scans
- Level 2 (1 to 6 million transactions): May need an on-site assessment
- Level 1 (over 6 million transactions): Requires annual on-site assessment by a QSA
That compliance questionnaire your payment processor sent? It’s their way of ensuring you’re meeting the requirements for your merchant level. They’re required by the card brands to verify your compliance annually. Ignore it, and you’ll start getting warning letters, then fines, then potentially lose your merchant account.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in different flavors, each designed for specific payment scenarios. Here’s how to figure out which one applies to you:
| Your Payment Scenario | Your SAQ Type | Number of Questions | Difficulty |
|---|---|---|---|
| Fully outsourced (PayPal, Stripe Checkout where customers never enter card data on your site) | SAQ A | 22 | Easy |
| E-commerce with payment form on your site (even if hosted by provider) | SAQ A-EP | 191 | Moderate |
| Physical terminal only, no electronic storage | SAQ B | 41 | Easy |
| Physical terminal with IP connection | SAQ B-IP | 82 | Easy-Moderate |
| Payment application connected to internet | SAQ C | 160 | Moderate |
| Taking payments over the phone/mail | SAQ C-VT | 85 | Moderate |
| Storing card numbers electronically | SAQ D | 329 | Complex |
Quick examples to help you identify yours:
- Using a Square or Clover terminal at your retail counter? You’re likely SAQ B or SAQ B-IP
- Running an online store with Shopify Payments or WooCommerce with Stripe Checkout? Probably SAQ A
- Taking orders over the phone and entering them into a virtual terminal? That’s SAQ C-VT
- Storing customer card numbers in your computer or database? You’re stuck with SAQ D (and should really consider stopping this practice)
Not sure? Use PCICompliance.com’s SAQ Wizard — answer five simple questions about how you accept payments, and we’ll tell you exactly which SAQ applies to your business.
How to Complete Your SAQ
Your SAQ is essentially a yes/no checklist about your payment security practices. Don’t let the technical-sounding questions intimidate you — most are asking about basic security measures you probably already have in place.
What to expect: Questions like “Do you have a firewall?” or “Do you restrict access to cardholder data?” Each question includes guidance on what “yes” means. For example, if you’re using a cloud-based point-of-sale system, their built-in security features often satisfy many requirements automatically.
Documentation you’ll need:
- Network diagram (even a simple sketch for small businesses)
- List of who has access to payment systems
- Your procedures for handling cards (can be a simple one-page document)
- Evidence of quarterly ASV scans if required for your SAQ type
About those ASV scans: An Approved Scanning Vendor runs automated security scans of your internet-facing systems quarterly. Think of it like a safety inspection for your network. Any system that connects to the internet and is part of your payment process needs scanning. The scan looks for vulnerabilities like outdated software, weak passwords, or those DNS security issues that might have brought you here.
Once you’ve answered all questions and gathered documentation, you’ll complete an Attestation of Compliance (AOC) — basically a formal declaration that you’ve met all requirements. Submit both the SAQ and AOC to your payment processor by their deadline, and you’re done for the year (except for those quarterly scans).
What It Costs
Let’s talk real numbers for PCI compliance:
Compliance platform and tools: Most small merchants pay between $200-500 annually for a compliance platform that includes:
- SAQ wizard and questionnaire tools
- Compliance tracking dashboard
- Basic support and guidance
- Document templates
Quarterly ASV scanning: Budget $200-400 per year for required vulnerability scanning. Some compliance platforms include this, others charge separately. You need four passing scans per year, one each quarter.
If you need a QSA: Only required for Level 1 merchants or if your acquirer specifically demands it. QSA assessments run $15,000-50,000+ depending on complexity. The vast majority of small businesses never need this.
The cost of NON-compliance: This is where it gets expensive:
- Monthly non-compliance fees from your processor: $20-500
- Fines for continued non-compliance: $5,000-100,000 per month
- Breach liability without compliance: Average small business breach costs $150,000+
- Lost ability to process cards: Devastating for most businesses
The honest assessment: For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — it’s insurance against catastrophic breach costs.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly elements. Here’s how to stay on track without the stress:
Set up your compliance calendar:
- Annual SAQ due date (usually on your merchant account anniversary)
- Quarterly ASV scan windows (every 90 days)
- Annual review of who has access to payment systems
- Update procedures when you change payment methods
What triggers a reassessment:
- Changing payment processors or methods
- Adding new ways to accept payments (like adding online sales)
- Significant network changes
- Moving to a new e-commerce platform
PCICompliance.com’s compliance dashboard tracks all these dates for you, sends reminders before deadlines, stores your documentation, and shows your compliance status at a glance. No more scrambling when your processor asks for proof of compliance.
FAQ
Q: What if I only process a few credit card transactions per month?
A: Volume doesn’t matter — if you accept even one credit card payment per year, you need to be PCI compliant. The good news is that low-volume merchants usually qualify for the simplest SAQ types.
Q: My payment processor says I need to fix DNS security issues. What does that mean?
A: DNS security warnings typically mean your network’s DNS servers have vulnerabilities or misconfigurations. Common fixes include updating DNS software, restricting zone transfers, or implementing DNSSEC. Your ASV scan report will specify exactly what needs fixing.
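As an added illustration of the "restricting zone transfers" fix mentioned above (not from the original article or from PCICompliance.com), here is a BIND 9 `named.conf` fragment with the open setting an ASV scan flags beside a restricted one. The zone name, addresses, key name and secret are placeholders.

```conf
// BEFORE (flagged by the scan): any host on the internet can request a full
// copy of the zone (AXFR), exposing every hostname and address you publish.
options {
    allow-transfer { any; };
};

// AFTER: transfers are off by default and allowed only to the named secondary,
// which must also sign its request with a shared TSIG key.
// Everything below is a constructed placeholder; substitute your own values.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";   // generate with: tsig-keygen xfer-key
};

options {
    allow-transfer { none; };               // global default: no transfers at all
};

zone "example.com" {
    type master;                            // "primary" on BIND 9.16 and later
    file "zones/db.example.com";
    // Only 192.0.2.53 (the placeholder secondary) may transfer, and only when
    // it presents the key above. Either condition alone is not enough.
    allow-transfer { key "xfer-key"; 192.0.2.53; };
    dnssec-policy default;                  // signs the zone (BIND 9.16+), the
    inline-signing yes;                     // "implementing DNSSEC" step above
};

// On the secondary, tell it to sign transfer requests to this primary:
// server 192.0.2.10 { keys { "xfer-key"; }; };
```

After reloading, a transfer request for your zone from a host outside the allowed list (for example `dig @ns1.example.com example.com AXFR` from your office) should return "Transfer failed." rather than the zone contents; that is the result your rescan needs to see.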
Q: Can I just say “yes” to all the SAQ questions to pass?
A: Don’t do this — false attestation is fraud and makes you fully liable for any breach. If you can’t honestly answer “yes” to a requirement, implement the necessary controls or work with your QSA on compensating controls.
Q: Do I need to be PCI compliant if I only use PayPal or Square?
A: Yes, you still need to complete an SAQ (usually the simple SAQ A). While these providers handle most security, you’re still responsible for your part — like keeping your account credentials secure.
Q: How long does the SAQ take to complete?
A: For SAQ A: 30-60 minutes. For SAQ B: 1-2 hours. For SAQ C or D: Plan for several hours spread across multiple sessions as you gather documentation.
Q: What’s the difference between a vulnerability scan and penetration testing?
A: Vulnerability scans are automated checks for known security issues (required quarterly for most merchants). Penetration testing is when security professionals actively try to break into your systems (only required for service providers and some Level 1 merchants).
Q: Can I do this myself or do I need to hire someone?
A: Most small merchants can complete SAQs A and B themselves with guidance. For SAQs C and D, consider getting help from IT professionals or PCI compliance consultants.
Q: What happens if I fail my ASV scan?
A: You get a report showing what failed and have 30 days to fix issues and rescan. Common failures include outdated SSL certificates, missing security patches, or DNS configuration issues — all fixable with basic IT support.
Conclusion
PCI compliance might seem daunting when that first questionnaire lands in your inbox, but for most small businesses, it’s surprisingly manageable. The key is understanding which requirements actually apply to your specific situation and tackling them systematically. Those DNS security warnings from your scan? Usually just a matter of updating some settings. That 300-question SAQ D you’re worried about? You probably qualify for a much simpler SAQ type.
Remember, the payment card industry created these standards to protect businesses like yours from the devastating costs of a data breach. Every requirement has a purpose, and most are security practices you should be doing anyway. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans with clear remediation guidance for issues like DNS security, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to see how simple your path to compliance really is, or talk to our compliance team if you need guidance getting started.