What Is GitLab PCI Compliance (In Plain English)
If you just received a PCI compliance questionnaire from your payment processor and you’re wondering what GitLab PCI compliance means for your business — relax. For most small businesses, PCI compliance is far simpler than it sounds. You don’t need a security degree or an IT team to get this done. You just need to understand what’s actually required for your specific situation, complete the right questionnaire, and set up a few basic security measures. This guide will walk you through exactly what you need to do.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. If you accept credit card payments in any form, these requirements apply to you. The card brands created the PCI Security Standards Council to manage these standards, but it’s your payment processor or acquiring bank that actually enforces them and sends you that annual compliance questionnaire.
Think of PCI compliance like health code requirements for restaurants. The standards exist to protect everyone — in this case, to protect cardholder data from theft. Your payment processor checks that you’re following these standards, just like the health department checks that restaurants follow food safety rules.
Why You Should Care (Beyond Just Checking a Box)
Non-compliance has real consequences. Your payment processor can fine you monthly — typically $25-100 for small merchants, but it can escalate. If there’s a data breach and you weren’t compliant, you could be liable for fraud losses and forensic investigation costs that can reach tens of thousands of dollars. In extreme cases, you could lose your ability to accept credit cards entirely.
The good news? Most small businesses qualify for simplified compliance through something called SAQ A or SAQ B — questionnaires that take 30-60 minutes to complete once you understand what they’re asking. You’re not facing the same requirements as Target or Home Depot. The PCI standards scale to your actual risk level.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards, debit cards, or any payment cards bearing a Visa, Mastercard, American Express, Discover, or JCB logo — yes, you need to be PCI compliant. This includes:
- Running cards through a terminal at your store
- Taking payments through your website
- Accepting card numbers over the phone
- Processing cards through a mobile reader
- Processing even a single card payment per year
Your merchant level determines how you demonstrate compliance. For most small businesses processing fewer than 1 million transactions annually, you’re a Level 4 merchant. This means you complete a Self-Assessment Questionnaire (SAQ) rather than hiring a Qualified Security Assessor (QSA) for a full on-site assessment.
When your payment processor sends that compliance questionnaire, they’re not trying to catch you doing something wrong. They’re required by the card brands to verify that every merchant in their portfolio maintains compliance. That questionnaire is your opportunity to demonstrate you’re protecting cardholder data appropriately for your business type.
Which SAQ Do You Need?
The PCI Security Standards Council provides different SAQ types based on how you accept payments. Here’s the decision tree in plain language:
| How You Accept Payments | Your SAQ Type | Complexity | Time to Complete |
|---|---|---|---|
| E-commerce with fully hosted checkout (PayPal, Stripe Checkout) | SAQ A | Simplest | 30-45 minutes |
| E-commerce with payment fields on your site (Stripe Elements, Square) | SAQ A-EP | Simple | 45-60 minutes |
| Standalone terminal (no connection to other systems) | SAQ B | Simple | 45-60 minutes |
| Terminal connected to your network | SAQ B-IP | Moderate | 60-90 minutes |
| Taking cards over phone/mail (no electronic storage) | SAQ C-VT | Moderate | 60-90 minutes |
| Any electronic card data storage | SAQ D | Complex | Several hours + |
Most small businesses fall into the first three categories. If you’re using modern payment tools like Square, Stripe, or PayPal, you’re likely looking at SAQ A or SAQ A-EP. That corner store with a standalone credit card terminal? They’re probably SAQ B.
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.
How to Complete Your SAQ
Your SAQ consists of yes/no questions about your security practices. Don’t panic when you see questions about firewalls and encryption — many won’t apply to your situation. Here’s what to expect:
Understanding the Questions
Each question asks whether you’ve implemented a specific security control. “Yes” means you’re doing it, “No” means you’re not, and “N/A” means it doesn’t apply to your payment setup. For example, if a question asks about your network firewall but you only use a standalone terminal that’s not connected to any network, that’s N/A.
Documentation You’ll Need
- Your payment processor’s merchant ID
- List of all locations where you accept payments
- Payment types and methods you accept
- Any third-party payment services you use
For most small merchants, you won’t need extensive documentation. The questionnaire mainly confirms you’re following basic security practices like keeping your payment software updated and not writing down card numbers.
The Quarterly ASV Scan
If you have any systems connected to the internet (including e-commerce sites), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan checks for security vulnerabilities in your public-facing systems. It’s not someone hacking your site — it’s a health check that identifies potential security issues before the bad guys do. The scan typically takes a few minutes to run and costs $30-50 per quarter through most providers.
Submitting Your Compliance
Once you’ve completed your SAQ and passed your ASV scans (if required), you’ll sign an Attestation of Compliance (AOC). This is your formal declaration that you’ve met all applicable requirements. Submit this to your payment processor through their compliance portal or however they’ve requested it. Keep copies for your records — you’ll need them next year.
What It Actually Costs
Let’s talk real numbers. PCI compliance for small businesses typically costs:
Compliance Platform/Tools: $150-500 annually
- SAQ wizard and questionnaire tools
- Compliance tracking dashboard
- Technical support when you get stuck
- Document storage and management
Quarterly ASV Scanning: $120-200 annually
- Four quarterly scans at $30-50 each
- Re-scans if you fail initially (usually included)
- Basic remediation guidance
Your Time: 2-4 hours annually
- Initial SAQ completion: 1-2 hours
- Quarterly scan reviews: 15 minutes each
- Annual recertification: 30-60 minutes
Compare that to non-compliance costs:
- Monthly non-compliance fees from your processor: $300-1,200 annually
- If you’re breached while non-compliant: $10,000-100,000+ in fines and forensic fees
- Losing your ability to accept cards: potentially business-ending
For most small merchants, annual compliance costs less than a single month of non-compliance fees. It’s not just about avoiding fines — it’s about protecting your business and your customers.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your payment processor will ask for updated compliance annually, and if you need ASV scans, those happen quarterly. Here’s how to stay on track:
Set Your Reminders
- Annual SAQ due date (usually the anniversary of your last submission)
- Quarterly ASV scan windows (every 90 days)
- Payment software update checks (monthly)
- Security awareness reminders for any staff handling payments
When Things Change
You’ll need to reassess your compliance when you:
- Add new payment channels (like adding e-commerce to your retail store)
- Change payment processors or gateway providers
- Significantly increase your transaction volume
- Start storing card data electronically (please reconsider this)
Making It Manageable
PCICompliance.com’s compliance dashboard tracks all your deadlines, stores your documentation, and sends reminders before anything expires. You can see your compliance status at a glance and know exactly what needs attention. No more scrambling when your processor asks for updated paperwork.
Frequently Asked Questions
Do I really need to do this if I only process a few transactions?
Yes. PCI compliance applies to any business that accepts payment cards, regardless of volume. The good news is that smaller volume means simpler requirements — you’re likely looking at the easiest SAQ types that take under an hour to complete.
What happens if I just ignore the compliance request?
Your payment processor will start charging monthly non-compliance fees, typically $25-100. These add up quickly. More importantly, if you suffer a breach while non-compliant, you’re liable for fraud losses and investigation costs that can bankrupt a small business.
I use Square/PayPal/Stripe — aren’t they handling compliance for me?
They handle security for the payment processing part, but you’re still responsible for your piece. If you redirect customers to their hosted payment page, you’ll complete SAQ A. If you have payment fields on your site, that’s SAQ A-EP. Either way, you need to complete and submit your compliance annually.
How often do I need ASV scans?
If required for your SAQ type, ASV scans happen every 90 days. Missing a quarterly scan window puts you out of compliance. The scans themselves only take minutes to run — it’s remembering to do them that trips people up.
Can I just hire someone to handle this for me?
Absolutely. Many IT providers and security consultants help small businesses with PCI compliance. For most small merchants using simple payment setups, the cost of outsourcing often exceeds the cost of spending an hour or two doing it yourself with the right tools.
What if I fail my ASV scan?
Don’t panic. Failed scans are common on the first attempt. The scan report shows exactly what failed and why. Most issues are simple fixes like updating software or adjusting firewall rules. Fix the issues and run a re-scan — most ASV providers include free re-scans.
Do I need to be compliant at all my locations?
Yes. PCI compliance covers every location and every method you use to accept payments. If you have three retail locations plus an online store, your compliance must cover all of them. The good news: you typically complete one SAQ that covers your entire business.
I take cards over the phone — what special requirements apply?
If you take card-not-present transactions by phone, you’re likely SAQ C-VT. The key requirements: don’t write down full card numbers, don’t store them in your email or on your computer, and train anyone who handles phone payments on these basic security practices.
Your Path Forward
PCI compliance might seem overwhelming when that first questionnaire arrives from your payment processor, but now you understand what’s actually required. For most small businesses, it’s a straightforward process: identify your SAQ type, answer the security questions honestly, schedule your quarterly scans if needed, and submit your attestation. An hour or two of work protects your business from significant fines and liability.
The key is getting started. Use PCICompliance.com’s free SAQ Wizard to identify exactly which questionnaire applies to your payment setup — it takes just a few minutes and removes the guesswork. Our platform then walks you through each requirement in plain language, handles your ASV scanning needs, and tracks your compliance status throughout the year. Whether you’re completing your first SAQ or renewing annual compliance, we provide the tools and guidance to get it done quickly and correctly. Take the first step with our SAQ Wizard, or reach out to our compliance team who can answer your specific questions and get you on the path to compliance today.