MySQL Security for PCI

The Bottom Line

Just received a PCI compliance questionnaire from your payment processor? Take a breath. For most small businesses, achieving PCI compliance is simpler than it sounds — especially if you’re using modern payment systems. You don’t need a security degree or an IT department. This guide will walk you through exactly what you need to know about MySQL PCI security and overall compliance, in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover — through an organization called the PCI Security Standards Council. If you accept credit cards in any form, these requirements apply to you.

Think of it as basic security hygiene for businesses that handle credit card data. The standard exists because credit card fraud costs billions annually, and the card brands want to ensure every business in the payment chain does its part to protect cardholder data.

Your acquirer (the bank or payment processor that handles your card transactions) enforces these requirements. They’re the ones who sent you that compliance questionnaire. They need to verify that every merchant they work with meets minimum security standards — it’s part of their agreement with the card brands.

What happens if you ignore it? Your processor can fine you monthly (typically $50-500 for small merchants), you face liability if there’s a breach, and ultimately, they can terminate your ability to accept credit cards. The good news? Most small businesses qualify for the simplest compliance requirements, and completing your assessment takes hours, not weeks.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards, yes. It doesn’t matter if you’re a food truck, an online boutique, or a professional services firm taking payments over the phone. Accept Visa, Mastercard, Discover, or Amex? You need to comply with PCI DSS.

Most small businesses are Merchant Level 4 — processing fewer than 1 million transactions annually. This is good news because Level 4 merchants have the lightest compliance requirements. You’ll complete a Self-Assessment Questionnaire (SAQ) instead of hiring an external assessor.

Your payment processor expects you to:

  • Complete the appropriate SAQ annually
  • Run quarterly vulnerability scans if you have any internet-facing systems
  • Maintain compliance between assessments
  • Report any suspected breaches immediately

That questionnaire they sent? It’s their way of collecting your annual compliance validation. They need it for their own compliance with the card brands.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in different versions based on how you accept payments. Here’s the decision tree in plain language:

How You Accept Payments                                  | SAQ Type       | Questions | Complexity
---------------------------------------------------------+----------------+-----------+-----------
Redirect to payment page (PayPal, Stripe Checkout)       | SAQ A          | ~20       | Simplest
Payment iframe on your site (Stripe Elements, Square)    | SAQ A-EP       | ~130      | Simple
Standalone terminal (Square Reader, Clover)              | SAQ B or B-IP  | ~40       | Simple
Take payments over phone only                            | SAQ C-VT       | ~80       | Moderate
Store card numbers anywhere                              | SAQ D          | ~300+     | Complex

Common scenarios:

  • E-commerce with Shopify Payments → SAQ A (redirect)
  • Restaurant with tableside Square terminals → SAQ B-IP
  • Service business taking phone payments → SAQ C-VT
  • Any business storing card numbers → SAQ D (please stop doing this)

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Each “yes” means you’re following that security requirement. Here’s what to expect:

The questionnaire asks about:

  • How you protect payment systems (passwords, updates, antivirus)
  • Your network security (firewall, WiFi settings)
  • Physical security (who has access to payment terminals)
  • Your policies and procedures (even if informal)

Documentation you’ll need:

  • List of who has access to payment systems
  • Basic network diagram (can be hand-drawn)
  • Any security policies you have (informal is fine)
  • Results from your quarterly ASV scan (if required)

About ASV scans: If you have any internet-facing systems (website, email server, etc.), you need quarterly vulnerability scans from an Approved Scanning Vendor. This automated scan checks for security holes hackers could exploit. It typically takes 30 minutes to set up and runs automatically.

Once complete, you’ll generate an Attestation of Compliance (AOC) — a formal declaration that you’ve met all requirements. Submit both the SAQ and AOC to your payment processor through their compliance portal.

What It Costs

Let’s talk real numbers for MySQL PCI security and overall compliance:

Compliance tools and platforms: $200-500/year for small merchants. This typically includes:

  • SAQ wizard and questionnaire tools
  • Compliance tracking dashboard
  • Remediation guidance
  • Basic support

Quarterly ASV scanning: $200-400/year total (about $50-100 per scan). Some compliance platforms include this in their annual fee.

If you need a QSA: Only required for Level 1-3 merchants or if you’ve had a breach. QSA assessments start at $15,000+ annually. Most small businesses never need this.

The cost of NON-compliance:

  • Monthly fines from your processor: $50-500
  • Breach liability: Average small merchant breach costs $50,000+
  • Lost ability to process cards: Priceless (in a bad way)

Honest assessment: For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s business insurance you can’t afford to skip.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual cycle with quarterly checkpoints.

Mark your calendar:

  • Annual SAQ due on your compliance anniversary date
  • Quarterly ASV scans if required (every 90 days)
  • Review after changes like new payment systems or processors

Common triggers for reassessment:

  • Switching payment processors or gateways
  • Adding new payment channels (like phone orders)
  • Changing e-commerce platforms
  • Starting to store card data (please don’t)

Set up email reminders 30 days before each deadline. Your processor will send reminders too, but they often come with less lead time than you’d like. PCICompliance.com’s compliance dashboard tracks all your deadlines and sends proactive alerts so nothing slips through the cracks.

FAQ

Q: I only process 10 transactions a month. Do I really need to comply?

A: Yes. Transaction volume doesn’t determine whether you need to comply, only which merchant level you fall into. Even one transaction per year requires PCI compliance. The good news is that your low volume means simpler requirements.

Q: What if I only use PayPal or Square?

A: You still need to complete PCI compliance, but you’ll qualify for the simplest SAQ types. Using these services dramatically reduces your compliance burden because they handle the complex security requirements for you.

Q: My web developer says our site is PCI compliant. Is that enough?

A: A secure website is just one piece. You still need to complete and submit your annual SAQ to your payment processor. Your developer’s work makes passing the assessment easier, but doesn’t replace the formal compliance process.

Q: Can’t I just say “yes” to all the questions?

A: Falsifying your SAQ is fraud — you’re attesting under penalty of perjury. More practically, if you have a breach after lying on your SAQ, you face personal liability. Answer honestly and fix any “no” answers.

Q: How long does the SAQ take to complete?

A: For SAQ A: 30-60 minutes. For SAQ B: 1-2 hours. For SAQ C-VT: 2-4 hours. SAQ D can take days or weeks. Most of the time goes to gathering documentation, not answering questions.

Q: What’s the difference between PCI compliance and MySQL PCI security?

A: MySQL PCI security refers to securing any MySQL databases that store or process card data according to PCI requirements. It’s one component of overall PCI compliance. If your payment systems don’t use MySQL, this specific concern doesn’t apply to you.

Q: Do I need cyber insurance too?

A: PCI compliance and cyber insurance serve different purposes. Compliance reduces breach risk, while insurance covers costs if something goes wrong. Many insurers now require proof of PCI compliance for coverage.

Q: What if I just stop taking credit cards?

A: That’s certainly one option, but you’ll likely lose significant revenue. For most businesses, the few hours annually spent on PCI compliance is worth keeping the ability to accept cards. Cash-only businesses lose an average of 20-30% in potential sales.

Get Started Today

PCI compliance sounds intimidating, but for most small businesses, it’s a straightforward process that takes a few hours annually. The requirements exist to protect your business and your customers from fraud — something you want to do anyway.

The key is knowing exactly which requirements apply to your specific situation. That’s where PCICompliance.com makes the difference. Our free SAQ Wizard takes the guesswork out of determining your requirements. Answer a few simple questions about how you accept payments, and we’ll tell you exactly which SAQ you need.

Once you know your SAQ type, our platform guides you through each requirement with plain-English explanations and practical examples. We handle your quarterly ASV scans automatically, track your compliance deadlines, and keep you audit-ready year-round. No more scrambling when your processor sends that annual reminder.

Start with our free SAQ Wizard to identify your requirements, or talk to our compliance team about your specific situation. With the right guidance, achieving PCI compliance is simpler than you think — and far less expensive than the alternative.
