Global Payments PCI

The Bottom Line Up Front

If you just received a PCI compliance questionnaire from Global Payments and you’re feeling overwhelmed, take a deep breath. For most small businesses, PCI compliance is simpler than it sounds. You probably qualify for one of the easier self-assessment questionnaires that takes just a few hours to complete, not the complex audits you’ve heard horror stories about. This guide will walk you through exactly what you need to do, step by step, in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to every business that accepts credit card payments. Think of it as basic security hygiene for handling credit card data — the digital equivalent of locking your doors and keeping cash in a safe.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through an organization called the PCI Security Standards Council. But they don’t enforce the rules directly. Instead, your payment processor — in this case, Global Payments — makes sure you’re compliant.

Here’s what happens if you’re not compliant:

  • Monthly fines from Global Payments (typically $25-500/month for small merchants)
  • Liability for fraud losses if card data gets stolen from your business
  • Loss of card processing privileges in extreme cases

But here’s the good news: most small businesses qualify for the simplest compliance paths. You’re not building Fort Knox — you’re following basic security practices that protect both you and your customers.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes.

It doesn’t matter if you’re a food truck with a Square reader, an online boutique using Shopify, or a plumber who takes card numbers over the phone. If you touch credit card data — even for a second — PCI compliance applies to you.

Most small businesses are classified as Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news because Level 4 merchants can self-assess their compliance instead of hiring an expensive auditor.

By sending you that compliance questionnaire, Global Payments is essentially saying: “Hey, we need to verify you’re handling card data safely.” They’re required to collect this documentation from every merchant they serve. It’s not personal; it’s regulatory.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) is your main compliance document. There are several types, and choosing the right one depends on how you accept payments. Think of it like tax forms — you need the right one for your situation.

Here’s a simple decision guide:

| How You Accept Payments | SAQ Type | Complexity | Questions to Answer |
|---|---|---|---|
| Payment terminal only (Square, Clover, standalone terminal) | SAQ B or B-IP | Easy | 30-80 questions |
| E-commerce with hosted checkout (Shopify, PayPal, Stripe Checkout) | SAQ A | Easiest | 20 questions |
| E-commerce with payment fields on your site (WooCommerce with Stripe Elements) | SAQ A-EP | Moderate | 190 questions |
| Phone/mail/fax orders | SAQ C-VT | Moderate | 160 questions |
| Store card numbers (please don’t) | SAQ D | Complex | 340+ questions |

If you’re unsure which SAQ applies to your business, use PCICompliance.com’s SAQ Wizard. Answer a few simple questions about how you accept payments, and we’ll tell you exactly which questionnaire you need.

Most Global Payments merchants fall into these common scenarios:

  • Retail store with a countertop terminal: SAQ B
  • Restaurant with wireless terminals: SAQ B-IP
  • Online store using Shopify: SAQ A
  • Service business taking cards over the phone: SAQ C-VT

How to Complete Your SAQ

Once you know which SAQ you need, the process is straightforward:

1. Download or Access Your SAQ

Global Payments may have sent you a link, or you can get the official forms from PCICompliance.com. The questionnaire is a series of yes/no questions about your security practices.

2. Answer Each Question Honestly

Questions look like: “Do you change default passwords on payment terminals?” If you answer “yes,” you’re stating that you actually do this. If you answer “no,” you’ll need to fix the issue before you can be compliant.

3. Gather Supporting Documentation

You’ll need:

  • Network diagram (for SAQ C and D only — a simple sketch works)
  • Security policies (templates are fine for small businesses)
  • ASV scan results (more on this below)
  • Service provider compliance documents (from your payment gateway, hosting provider, etc.)

4. Complete Your Quarterly ASV Scan

An Approved Scanning Vendor (ASV) scan checks your internet-facing systems for vulnerabilities. If you have any online presence — even just a marketing website — you need quarterly scans. The scan takes about 30 minutes to set up and runs automatically. PCICompliance.com includes ASV scanning with our compliance platform.

5. Submit Your Attestation of Compliance (AOC)

The AOC is your official declaration that you’ve completed the SAQ and meet all requirements. It’s a simple form that summarizes your compliance status for Global Payments.

The entire process typically takes:

  • SAQ A: 1-2 hours
  • SAQ B/B-IP: 2-4 hours
  • SAQ C-VT: 4-6 hours
  • SAQ D: Significantly longer (consider hiring help)

What It Costs

PCI compliance costs vary based on your business type and the tools you choose:

Compliance Platform and Tools

  • Basic SAQ tools: $100-300/year
  • Full compliance platforms (like PCICompliance.com): $200-500/year
  • Enterprise solutions: $1,000+/year

Quarterly ASV Scanning

  • Standalone ASV service: $200-400/year
  • Included with compliance platform: Often bundled at no extra cost

Professional Help (If Needed)

  • QSA for SAQ assistance: $1,000-5,000
  • Full ROC assessment (Level 1 merchants only): $10,000-50,000+

The Cost of NON-Compliance

  • Monthly fines from Global Payments: $25-500/month
  • Breach-related fines: $5,000-100,000+
  • Card brand fines: Up to $500,000
  • Lost ability to accept cards: Priceless (in the worst way)

For most small merchants, annual compliance costs less than two months of non-compliance fines. It’s not just about avoiding penalties — it’s about protecting your business from devastating breach liability.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your compliance expires annually, and you’ll need to:

  • Complete your SAQ annually (Global Payments will remind you)
  • Run ASV scans quarterly (every 90 days)
  • Update your assessment if you change how you accept payments
  • Maintain security practices you attested to in your SAQ

Set calendar reminders for:

  • Annual SAQ due date
  • Quarterly ASV scan dates
  • Security update schedules
  • Password change intervals

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending you reminders before deadlines and keeping your compliance documentation organized in one place.

FAQ

Q: What if I only process a few transactions per month?

A: PCI compliance applies to any business that accepts cards, regardless of volume. The good news is that low-volume merchants usually qualify for the simplest SAQ types and pay the lowest fees.

Q: Can I just tell Global Payments I’m compliant without doing the work?

A: No. Falsely attesting to compliance is fraud and leaves you fully liable for any breach. Plus, if card data gets stolen, investigators will check whether you actually implemented the controls you claimed.

Q: What’s the difference between PCI compliance and EMV?

A: EMV (chip cards) helps prevent counterfeit fraud but doesn’t eliminate PCI requirements. You still need to protect card data in your systems, during transmission, and in any storage.

Q: Do I need PCI compliance if I use Square/PayPal/Stripe?

A: Yes, but your compliance is much simpler. These providers handle most of the security heavy lifting, often qualifying you for SAQ A (just 20 questions).

Q: How often does Global Payments check my compliance?

A: Global Payments requires annual compliance validation and may request updated documentation if your processing volume or methods change significantly. They also monitor for security incidents that might affect your compliance status.

Q: What if I fail my ASV scan?

A: Don’t panic. Failed scans are common on the first attempt. The scan report shows exactly what needs fixing — usually outdated software or unnecessary services. Fix the issues and rescan.

Q: Can I do this myself or do I need an IT person?

A: Most small businesses can complete SAQ A or B themselves. For SAQ C-VT or D, you’ll probably want IT help. PCICompliance.com provides step-by-step guidance for non-technical users.

Conclusion

PCI compliance might seem daunting when that Global Payments questionnaire first arrives, but remember — thousands of businesses just like yours complete this process every year. For most merchants, it’s a matter of answering some straightforward questions, running quarterly scans, and following basic security practices you should be doing anyway.

The key is choosing the right SAQ for your situation and having the right tools to guide you through the process. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll spend less time worrying about compliance and more time running your business.

Start with our free SAQ Wizard to identify your requirements in under 5 minutes, or talk to our compliance team if you need guidance. We’ve helped thousands of Global Payments merchants achieve compliance, and we’re here to help you too.
