GoDaddy Payments PCI Compliance Guide: What You Actually Need to Know
The Bottom Line Up Front
Just received a PCI compliance questionnaire and feeling overwhelmed? Here’s the good news: GoDaddy Payments PCI compliance is simpler than you think for most small businesses. You probably don’t need to hire expensive consultants or implement complex security systems. In most cases, you’ll answer a short questionnaire, arrange a quarterly vulnerability scan if your payment setup requires one, and you’re done. This guide walks you through exactly what you need to do, in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major credit card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as basic security hygiene for businesses that accept credit cards. The goal is simple: protect customer card data from theft.
The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your payment processor or acquiring bank (the company that handles your credit card transactions) enforces compliance. When you signed up to accept credit cards, you agreed to follow these rules.
What happens if you don’t comply? Your payment processor can:
- Pass card-brand fines on to you (commonly cited as $5,000-$100,000 per month of non-compliance)
- Hold you liable for fraud losses if there’s a breach
- Terminate your ability to accept credit cards
But here’s what most compliance companies won’t tell you: the vast majority of small businesses qualify for the simplest compliance requirements. If you’re using modern payment tools like GoDaddy Payments, Square, or Stripe, you’re already doing most of what’s required.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:
- In-person card payments (even if it’s just one transaction per year)
- Online payments through your website
- Phone or mail orders where customers give you their card number
- Recurring billing or subscriptions
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants: fewer than 20,000 e-commerce transactions a year and no more than 1 million total card transactions a year (the thresholds are defined per card brand, so check your acquirer’s definition). Level 4 merchants complete a Self-Assessment Questionnaire (SAQ) instead of hiring an outside assessor.
That compliance questionnaire your payment processor sent? It’s their way of ensuring you’re meeting the minimum security standards. They’re required to collect this documentation annually, and they’ll keep sending reminders until you complete it.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) is your main compliance document. There are different versions based on how you accept payments. Here’s how to determine which one applies to you:
| How You Accept Payments | SAQ Type | Questions (approx.; varies by PCI DSS version) | Complexity |
|---|---|---|---|
| Card-not-present, everything outsourced to a compliant provider; online checkout is a full redirect to, or an iframe served entirely by, that provider (PayPal, Square online) | SAQ A | 22 | Easiest |
| E-commerce where your web server never receives card data but your page delivers the payment form or script that sends it (direct post, JavaScript-generated fields) | SAQ A-EP | 191 | Moderate |
| Imprint machines or standalone dial-out terminals only, no internet connection | SAQ B | 41 | Easy |
| Standalone PTS-approved payment terminals connected to the processor over IP | SAQ B-IP | 82 | Easy-Moderate |
| Card details keyed in one transaction at a time through a web-based virtual terminal on an isolated computer (typical for phone/mail orders) | SAQ C-VT | 85 | Moderate |
| Payment application software (POS software) on an internet-connected system, no electronic card storage | SAQ C | 139 | Moderate |
| You store card data electronically, or nothing above fits your setup | SAQ D | 326 | Complex |
Most GoDaddy Payments users will need either SAQ A (for online payments through a fully hosted checkout) or SAQ B-IP (for in-person payments on a standalone, PTS-approved terminal that connects to the processor over IP). If you use both channels, ask your acquirer how to document them: the SAQ instructions allow either one SAQ per payment channel or a single SAQ D covering everything, and acquirers differ on which they accept.
Not sure which one you need? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire applies — no guesswork required.
How to Complete Your SAQ
Once you know which SAQ you need, the process is straightforward:
1. Access the questionnaire. Your payment processor might provide a portal, or you can use a compliance platform like PCICompliance.com. The questions are yes/no format — you’re confirming that you follow specific security practices.
2. Answer honestly. When a question asks “Do you change default passwords?” a ‘yes’ means you actually changed them, not that you plan to. Most questions for simpler SAQs are about basic practices you’re probably already doing.
3. Gather your documentation. You’ll need:
- The public IP addresses and hostnames that are in scope for scanning (if your SAQ requires an ASV scan)
- Vendor agreements (if using third-party processors)
- Basic security policies (templates are usually provided)
4. Complete your quarterly vulnerability scan, if your SAQ requires one. The external-scan requirement (11.3.2 in PCI DSS v4, 11.2.2 in v3.2.1) appears in SAQ A-EP, B-IP, C and D; the PCI DSS v4 edition of SAQ A also lists it for merchants with an e-commerce site, so confirm against the current copy of your SAQ. SAQ B needs no scan because nothing is internet-facing. An Approved Scanning Vendor (ASV) runs an automated external scan against the public IP addresses and hostnames you declare in scope, at least once every three months and after any significant change to those systems. The scan runs unattended; you provide the in-scope addresses, review the report, and fix anything that fails. It typically costs $50-150 per quarter.
5. Submit your attestation. After completing the SAQ, you’ll sign an Attestation of Compliance (AOC) — essentially a formal declaration that your answers are accurate. Submit this to your payment processor through their portal or via email.
The entire process typically takes 1-4 hours for simpler SAQ types, spread over a few days while you wait for scan results.
What It Costs
PCI compliance costs vary based on your setup and which tools you use:
Compliance platforms and tools:
- Basic SAQ tools: $100-300/year
- Full-service platforms with scanning: $200-600/year
- Enterprise solutions with support: $1,000+/year
Quarterly ASV scanning:
- Standalone scanning service: $50-150 per scan (4x per year)
- Bundled with compliance platform: Often included
QSA assessment (only for the largest merchants):
- Level 1 merchants (and Level 2 under some card-brand rules): $15,000-50,000+ annually
- Most small businesses never need this
The cost of NON-compliance:
- Monthly fines from processor: $5,000-100,000
- Breach liability: Average $150 per compromised card
- Forensic investigation costs: $10,000-100,000+
- Loss of card processing ability: Devastating for most businesses
Put in perspective: annual compliance for a typical small merchant costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — it’s about protecting your business and your customers.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox — it’s an ongoing commitment. Here’s how to stay on track:
Set annual reminders. Your compliance expires 12 months after submission. Set reminders at 10 months to start the renewal process. Most processors send notices, but don’t rely solely on them.
Schedule quarterly scans. If your SAQ requires ASV scans, you need passing scans at least once every three months (keep them no more than 90 days apart), plus a scan after any significant change to your internet-facing systems. A failed scan does not count toward that cadence until you fix the findings and get a passing rescan. Set recurring quarterly reminders or use a platform that schedules them automatically.
Document changes to your payment environment. Adding a new payment channel? Switching e-commerce platforms? These changes might affect your SAQ type. Review your setup annually or whenever you make significant changes.
Keep your compliance dashboard updated. PCICompliance.com’s dashboard tracks your compliance status, upcoming deadlines, and scan history in one place. You’ll never wonder whether you’re current or when your next scan is due.
Frequently Asked Questions
I’m just a small business. Do I really need to worry about this?
Yes, but it’s probably simpler than you think. Your size doesn’t exempt you from PCI requirements, but it does qualify you for the simplest compliance path. Most small businesses can complete their annual requirements in an afternoon.
What if I never store credit card numbers?
Great! That makes compliance much easier. You’ll likely qualify for one of the simpler SAQ types. Never storing card data is the single best thing you can do to reduce your compliance burden.
Can I just ignore these compliance requests?
Technically yes, but it’s a terrible idea. Your processor will eventually fine you, raise your rates, or terminate your account. One breach without compliance could bankrupt a small business.
Is PCI compliance the same as being secure?
PCI compliance is a minimum security standard, not comprehensive protection. Think of it like a driving test — passing means you meet basic requirements, not that you’ll never have an accident. Good security goes beyond compliance.
How do I know if my website needs a vulnerability scan?
Only if your SAQ includes the external vulnerability scan requirement, and that depends on how your site handles payments, not just on whether it is reachable from the internet. A site that merely redirects customers to a fully hosted payment page has historically fallen under SAQ A, which had no scan requirement; the PCI DSS v4 edition of SAQ A lists the scan for merchants with an e-commerce site, so check the current questionnaire. A site that delivers the payment form itself (SAQ A-EP) needs quarterly ASV scans. When in doubt, scan; it’s inexpensive insurance.
What’s the difference between SAQ A and SAQ A-EP?
SAQ A is for merchants who fully outsource payment processing: the customer never enters card data on a page your server delivers, because checkout is a full redirect to, or an iframe served entirely by, a PCI DSS compliant provider. SAQ A-EP is for e-commerce sites where your web server still never receives card data but does deliver the payment form or script that sends it to the processor (a direct-post form or JavaScript-generated card fields), so a compromise of your page could change where the card data goes.
Do I need to hire a QSA?
Only if you’re a Level 1 merchant (over 6 million transactions annually), which means an annual on-site assessment and Report on Compliance by a QSA or a PCI-trained internal assessor, or if your acquirer specifically requires it. Most small and medium businesses self-assess using the appropriate SAQ.
What if I fail my vulnerability scan?
Don’t panic. An ASV scan fails when any finding has a CVSS base score of 4.0 or higher, or hits one of the automatic-failure conditions in the ASV Program Guide (SSL/early TLS, default credentials and the like); lower-scored findings are reported but don’t fail you. The report shows what needs fixing, usually outdated software or basic configuration issues. Fix the failing items, then request a rescan. If a finding is a false positive, dispute it with the ASV; it still counts as a failure until the ASV accepts the dispute and records an exception. Most issues can be resolved by your web hosting provider or IT support.
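Here is an added example (not code from PCICompliance.com, GoDaddy, or any ASV) that puts the scan rules from step 4 and from the Staying Compliant Year-Round section into working form: it triages a scan report using the ASV Program Guide’s pass/fail criteria, treats a disputed finding as still failing until the ASV accepts the dispute, and checks that your passing scans are never more than 90 days apart. The CSV layout, the hostname shop.example.com and the findings are constructed for the example; real ASV exports use their own formats, and the list of automatic-failure markers here is only a subset of the guide’s.

```python
"""Triage an ASV scan report and check the quarterly scan cadence.

Added example, not code from PCICompliance.com, GoDaddy or any ASV.
Rules applied (from the PCI SSC ASV Program Guide):
  - a finding with CVSS base score >= 4.0 fails the scan; lower scores
    are reported but do not fail it;
  - some conditions fail automatically whatever the score (SSL/early TLS,
    default credentials); only a few such markers are listed here;
  - a disputed false positive keeps failing until the ASV accepts it.
Cadence rule: passing scans no more than 90 days apart (the page's guidance).
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

FAIL_THRESHOLD = 4.0               # CVSS base score at or above this fails
SCAN_INTERVAL = timedelta(days=90)  # maximum gap between passing scans
# Subset of the guide's automatic-failure conditions, matched on finding name.
AUTO_FAIL_MARKERS = ("sslv2", "sslv3", "tls 1.0", "default credential", "default password")

# Constructed sample report; not a real ASV export format.
SAMPLE_REPORT = """\
host,port,finding,cvss,status
shop.example.com,443,TLS 1.0 supported,6.5,open
shop.example.com,443,Outdated jQuery 1.12.4,4.3,open
shop.example.com,443,Server header discloses version,2.6,open
shop.example.com,443,Apache version banner (false positive),5.0,exception_accepted
shop.example.com,8443,Self-signed certificate on 8443,4.0,disputed
shop.example.com,80,HTTP redirects to HTTPS,0.0,info
"""


@dataclass
class Finding:
    host: str
    port: int
    name: str
    cvss: float
    status: str  # open | disputed | exception_accepted | info

    def fails(self) -> bool:
        # Only findings the ASV has not accepted as false positives can fail;
        # a dispute that is still pending does not help you yet.
        if self.status not in ("open", "disputed"):
            return False
        if any(m in self.name.lower() for m in AUTO_FAIL_MARKERS):
            return True
        return self.cvss >= FAIL_THRESHOLD


def parse_report(text: str) -> list[Finding]:
    return [
        Finding(r["host"], int(r["port"]), r["finding"], float(r["cvss"]), r["status"])
        for r in csv.DictReader(io.StringIO(text))
    ]


def triage(text: str) -> dict:
    """Return pass/fail plus the lists a merchant has to act on."""
    findings = parse_report(text)
    failing = [f for f in findings if f.fails()]
    return {
        "pass": not failing,
        "fix_before_rescan": [f.name for f in failing if f.status == "open"],
        "pending_asv_decision": [f.name for f in failing if f.status == "disputed"],
        "accepted_exceptions": [f.name for f in findings if f.status == "exception_accepted"],
    }


def cadence_ok(scans: list[tuple[date, bool]], as_of: date) -> tuple[bool, date]:
    """Check that passing scans are never more than SCAN_INTERVAL apart.

    `scans` holds (scan_date, passed). Failed scans do not count.
    Returns (ok, next_due); next_due is the last passing scan + SCAN_INTERVAL.
    """
    passed = sorted(d for d, ok in scans if ok)
    if not passed:
        return False, as_of
    checkpoints = passed + [as_of]
    gaps_ok = all(b - a <= SCAN_INTERVAL for a, b in zip(checkpoints, checkpoints[1:]))
    return gaps_ok, passed[-1] + SCAN_INTERVAL


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
    history = [(date(2024, 1, 15), True), (date(2024, 4, 10), True),
               (date(2024, 7, 5), False), (date(2024, 10, 1), True)]
    print(cadence_ok(history, date(2024, 12, 1)))  # the failed July scan breaks the cadence
```

In the sample, the TLS 1.0 finding fails on the automatic-failure rule and the jQuery finding on its score, the version-disclosure finding scores below 4.0 and is informational only, and the self-signed certificate stays in the failing set because its dispute is still pending. The cadence check shows why a failed scan is not just a nuisance: with the July scan failed, the gap from April to October is far more than 90 days, so the year is not covered even though four scans were run.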
Your Next Steps
PCI compliance might seem daunting at first glance, but for most GoDaddy Payments users, it’s a manageable process that protects both your business and your customers. The key is choosing the right SAQ type and staying organized with your quarterly scans and annual renewals.
Ready to get started? PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll spend less time worrying about compliance and more time growing your business. Start with the free SAQ Wizard to identify your requirements in under two minutes, or talk to our compliance team if you need guidance on your specific situation.