Multiple Websites PCI Compliance: A Straightforward Guide for Merchants
The Bottom Line Up Front
If you manage multiple websites, PCI compliance might sound complicated, but for most small businesses it is simpler than you think. Whether you run two online stores, ten restaurant locations with different websites, or e-commerce sites for multiple brands, the fundamentals are the same: keep card data out of your own systems wherever you can, complete the right self-assessment questionnaire (SAQ), and maintain compliance across all your properties. This guide shows you what to do, without technical jargon or unnecessary complexity.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) exists for one reason: to protect cardholder data from theft. If you accept Visa, Mastercard, American Express, Discover, JCB or UnionPay payments, whether through a website, over the phone, or with a card reader, you need to be PCI compliant. It is not optional.
The major card brands created these standards through the PCI Security Standards Council (PCI SSC), but your acquirer (the bank or payment processor that handles your card transactions) enforces them. When your processor sent you that compliance questionnaire, they weren’t being bureaucratic — they’re required to verify that every merchant in their portfolio follows these security standards.
The consequences of non-compliance are real but manageable. Your payment processor can fine you monthly until you comply. If a breach occurs and you weren’t compliant, you’re liable for the costs — which can include forensic investigation fees, card reissuance costs, and fraud losses. In extreme cases, processors can terminate your ability to accept credit cards entirely.
Here’s the good news: most small businesses with multiple websites qualify for the simplest SAQ types, which most merchants finish in a few hours. You don’t need a computer science degree or a security team. You just need to understand which questionnaire applies to your situation and answer straightforward questions about your payment setup.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, on any of your websites, yes. It doesn’t matter if you process one transaction or one million — PCI compliance applies to you.
Your merchant level determines how much validation you need to provide. Levels are set by each card brand and count that brand’s transactions; under Visa’s definitions, most small businesses are Level 4 (fewer than 20,000 Visa e-commerce transactions a year, or up to 1 million Visa transactions a year across all channels). At this level you complete a self-assessment questionnaire rather than hiring an outside assessor. Even if you have multiple websites, your transaction volume across all sites determines your level, not each site individually.
Your payment processor expects you to complete an annual self-assessment questionnaire (SAQ) and, if your SAQ type calls for them, pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). SAQ A-EP, B-IP, C and D include ASV scans; SAQ A, B and C-VT generally do not, although some acquirers ask for scans regardless. That compliance questionnaire they sent isn’t a suggestion: it’s a requirement for keeping your merchant account.
Which SAQ Do You Need?
Finding the right SAQ for multiple websites starts with understanding how you handle payments on each site. The good news: you often complete the same SAQ type for all your properties, especially if they use similar payment methods.
| Payment Scenario | SAQ Type | Complexity |
|---|---|---|
| All sites use hosted checkout or processor-served iframe card fields (Stripe Checkout, PayPal, Square) | SAQ A | Simplest (22 questions) |
| Card form lives on your page and the browser sends card data straight to the processor | SAQ A-EP | Simple (139 questions) |
| Physical locations with standalone dial-out (B) or IP-connected (B-IP) terminals | SAQ B or B-IP | Moderate (41 or 82 questions) |
| Phone orders keyed into a web-based virtual terminal | SAQ C-VT | Moderate (83 questions) |
| Storing card numbers, card data passing through your own servers, or other complex setups | SAQ D | Complex (329 questions) |
Question counts depend on the PCI DSS version of the questionnaire (the v4.x forms are longer than these figures), so read them as a rough measure of relative effort rather than exact numbers.
If your e-commerce sites use Shopify Payments, WooCommerce with Stripe Checkout, or similar hosted solutions where customers enter card details on the processor’s page, you likely need SAQ A, the shortest questionnaire.
Embedded payment forms need a closer look. If the card fields are iframes served entirely by a PCI DSS validated processor (Stripe Elements works this way), the card data never enters your page and SAQ A can still apply. If your own page’s HTML or JavaScript collects the card fields and sends them from the browser straight to the processor (direct-post and JavaScript tokenization integrations such as Authorize.net Accept.js), you need SAQ A-EP: the card data bypasses your server, but an attacker who tampers with your page can still steal it, so more controls apply.
Running restaurants with tableside payment devices? That’s typically SAQ B-IP. Call centers taking orders? SAQ C-VT. When you have several payment channels, the PCI SSC’s SAQ instructions give you two options: complete one SAQ per channel (each channel has to meet that SAQ’s eligibility criteria), or complete a single SAQ D that covers everything. Ask your acquirer which it will accept.
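The three e-commerce patterns above (processor-served fields, your own form posting straight to the processor, and card data reaching your server) are decided by where the card-number fields live and where the form posts. As an added illustration, not code from this page, PCICompliance.com or the PCI SSC, the following Python script parses constructed sample checkout pages and reports which SAQ each flow points to. The merchant host, processor hosts and page markup are assumptions made up for the samples; the script is a heuristic to help you ask your developer the right question, not a compliance determination, and your acquirer has the final say.

```python
"""Heuristic scope check for e-commerce payment pages (added example).

Rule applied: card fields served entirely by the processor -> SAQ A;
card fields in your own page, sent from the browser straight to the
processor -> SAQ A-EP; card data posted to your own server -> SAQ D.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assumptions for the samples: your storefront host and the hosts of a
# PCI DSS validated processor. Replace both with your real domains.
MERCHANT_HOST = "shop.example"
PROCESSOR_HOSTS = {"checkout.processor.example", "js.processor.example"}

# Substrings that mark an input as a card-number field in your own DOM.
CARD_FIELD_HINTS = ("cc-number", "cardnumber", "card_number", "card-number")


def _host(url: str):
    """Hostname of an absolute URL; None for relative or empty actions."""
    return urlparse(url).hostname


class PaymentPageScanner(HTMLParser):
    """Collects the facts the SAQ decision turns on: card inputs in your DOM,
    iframe and script origins, and where each form posts."""

    def __init__(self):
        super().__init__()
        self.card_inputs = 0
        self.iframe_hosts: List[str] = []
        self.script_hosts: List[str] = []
        self.form_actions: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v is not None}
        if tag == "iframe" and "src" in a:
            self.iframe_hosts.append(_host(a["src"]) or "")
        elif tag == "script" and "src" in a:
            self.script_hosts.append(_host(a["src"]) or "")
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            hint = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).lower()
            if any(h in hint for h in CARD_FIELD_HINTS):
                self.card_inputs += 1


def classify(html: str) -> Tuple[str, str]:
    """Return (SAQ type, one-line reason) for one payment page."""
    s = PaymentPageScanner()
    s.feed(html)
    processor_iframe = any(h in PROCESSOR_HOSTS for h in s.iframe_hosts)
    processor_script = any(h in PROCESSOR_HOSTS for h in s.script_hosts)
    posts_to_processor = any(_host(act) in PROCESSOR_HOSTS for act in s.form_actions)
    # A relative path or your own hostname means the browser posts to your server.
    posts_to_merchant = any(act and _host(act) in (None, MERCHANT_HOST) for act in s.form_actions)

    if s.card_inputs == 0:
        if processor_iframe or posts_to_processor:
            return "SAQ A", "card fields are served by, or the customer is sent to, the processor"
        return "unknown", "no card fields found; check how this page takes payment"
    # Card fields live in your DOM, so SAQ A is off the table.
    if posts_to_processor:
        return "SAQ A-EP", "your page hosts the card form; the browser posts it straight to the processor"
    if posts_to_merchant:
        return "SAQ D", "card data is posted to your own server, putting it in scope"
    if processor_script:
        return "SAQ A-EP", "processor JavaScript tokenizes the fields in your page; confirm the PAN never reaches your server"
    return "SAQ D", "card form with no processor integration visible; assume card data reaches your server"


# Constructed sample pages, one per pattern discussed above.
SAMPLES = {
    "hosted_iframe": """
      <form action="/checkout/confirm" method="post">
        <iframe src="https://checkout.processor.example/fields?session=abc"></iframe>
        <input type="hidden" name="order_id" value="1001">
        <button>Pay</button>
      </form>""",
    "redirect": """
      <form action="https://checkout.processor.example/pay" method="post">
        <input type="hidden" name="amount" value="4999">
        <button>Pay on processor site</button>
      </form>""",
    "direct_post": """
      <form action="https://checkout.processor.example/tokenize" method="post">
        <input name="cardnumber" autocomplete="cc-number">
        <input name="exp"> <input name="cvc">
      </form>""",
    "js_tokenize": """
      <script src="https://js.processor.example/v1/tokenize.js"></script>
      <form id="pay" action="">
        <input id="card-number" autocomplete="cc-number">
      </form>""",
    "self_hosted": """
      <form action="/checkout/charge" method="post">
        <input name="card_number"> <input name="exp"> <input name="cvc">
      </form>""",
}


def scope_report() -> dict:
    """Classify every sample; the same loop works across multiple sites."""
    return {name: classify(page)[0] for name, page in SAMPLES.items()}


if __name__ == "__main__":
    for name, page in SAMPLES.items():
        saq, why = classify(page)
        print(f"{name:14} {saq:9} {why}")
```

Run it against a saved copy of each site’s checkout page (the HTML after any server-side templating, not the raw template) and treat any page that comes back SAQ D or unknown as the one to ask about first. The scanner cannot see what JavaScript does at runtime, which is why the tokenization case carries a "confirm the PAN never reaches your server" note rather than a verdict.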
PCICompliance.com’s SAQ Wizard walks you through these scenarios with simple questions about your payment setup. Answer a few questions about how you accept payments, and we’ll identify exactly which SAQ you need.
How to Complete Your SAQ
The SAQ itself is a list of questions about your security practices; you answer each one along the lines of Yes, Yes with a compensating control, No, or Not Applicable. Answering “yes” confirms that you have implemented that specific control. For example, “Do you restrict access to cardholder data by business need-to-know?” isn’t asking about complex technology: it’s asking whether only the employees who need to process payments can get into your payment systems.
Start by gathering basic documentation:
- Network diagrams (even a simple sketch of how your payment systems connect)
- Vendor agreements with your payment processors
- Any security policies you’ve written down
- List of who has access to payment systems
For multiple websites, you’ll document each site’s payment flow. If they all use the same processor and method, you can often describe them together. The questionnaire takes most small businesses 1-3 hours to complete, depending on the SAQ type.
If your SAQ type requires it, a quarterly ASV scan checks your public-facing systems for known vulnerabilities from the outside. Give the ASV every external IP address and domain name in scope for PCI (any site involved in payment processing, plus anything sharing its server or network). A scan passes only when nothing rated CVSS 4.0 or higher is found, so fix what the report lists and rescan until it is clean; most findings are simple, such as outdated software or a loose server setting.
Once complete, you’ll submit your SAQ and Attestation of Compliance (AOC) to your payment processor. The AOC is essentially your signature confirming the information is accurate. Keep copies for your records — you’ll need them next year.
What It Costs
PCI compliance costs vary based on your setup, but for most small businesses with multiple websites, expect:
Compliance platform and tools: $150-500 annually for SAQ wizard access, compliance tracking, and guidance. Some processors include basic tools with your merchant account.
Quarterly ASV scanning: $200-400 annually for all your websites. Many compliance platforms bundle this with their annual fee. If your SAQ type requires scans, you need four passing scans per year, roughly 90 days apart; a failed scan has to be remediated and rescanned before it counts.
QSA assessment: Only required for Level 1 merchants. If you’re processing over 6 million transactions a year across all sites (the Visa and Mastercard threshold), you need an on-site assessment with a Report on Compliance instead of an SAQ; budget $20,000-50,000 for it.
Non-compliance costs: Monthly fines from your processor typically start at $50-200 per month and increase over time. A data breach while non-compliant can cost $100,000+ in forensic investigation fees, fines, and liability.
For most small merchants, annual compliance costs less than your monthly marketing budget — and far less than a single non-compliance fine or breach incident.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your processor requires annual recertification and quarterly scans. Set calendar reminders for:
- Quarterly ASV scans (every 90 days)
- Annual SAQ renewal (same month each year)
- Security update reviews (monthly)
- Employee access reviews (quarterly)
When you add new websites, payment methods, or significantly change your setup, reassess your SAQ type. Opening a call center to take phone orders? You would add SAQ C-VT for that channel (or fold everything into SAQ D). Adding in-person payment terminals alongside your online store? That could mean completing SAQ B-IP as well. Either way, cover the new channel before it goes live, not at next year’s renewal.
PCICompliance.com’s compliance dashboard tracks all these dates automatically. You’ll see upcoming scan deadlines, SAQ renewal dates, and any action items needed to maintain compliance across all your properties. One dashboard for all your websites simplifies what could otherwise become a complex tracking challenge.
FAQ
I have 5 websites but only one accepts payments. Do all need PCI compliance?
Only websites that store, process, or transmit card data, or that could affect the security of the ones that do, are in scope. If your sites share infrastructure (the same server, network, hosting account, or admin credentials), they can all be in scope, because a compromise of one gives an attacker a path to the payment site. Hosting the non-payment sites separately, or segmenting them on the network, keeps them out. Your ASV scans need to cover any site on the same IP address or server as your payment site.
Can I complete different SAQs for different websites?
Yes, if each channel qualifies for its own SAQ. The PCI SSC’s instructions allow a merchant with several payment channels to complete one SAQ per channel, each meeting that SAQ’s eligibility criteria, or a single SAQ D covering the whole organization. If four sites use hosted checkout (SAQ A) but one passes card data through your own server, that one site needs SAQ D; your acquirer decides whether it accepts SAQ A plus SAQ D or wants one SAQ D for everything.
Do I need separate ASV scans for each website?
You give the ASV every external IP address and domain name in your cardholder data environment, including anything connected to it. If your sites are on different servers or IP addresses, each needs to be scanned. Sites sharing an IP address are scanned as one host, but you still list every domain name so the ASV can test each virtual host.
My sites use different payment processors. Does that change anything?
Each processor needs compliance evidence for the payments it handles. You can cover every payment channel in one SAQ D, or complete one SAQ per channel and send each processor the SAQ and AOC for the channel it processes. Keep one master record of all of them and confirm with each acquirer what form it expects.
How do I track compliance across multiple locations with different websites?
Use a centralized compliance management platform that supports multiple locations and websites. Track each site’s payment methods, scan schedules, and compliance status in one place. Regular reviews ensure nothing falls through the cracks.
What if my websites process wildly different transaction volumes?
Your merchant level is based on total transaction volume across all sites combined, counted per card brand (your Visa volume sets your Visa level, and so on). A site processing 100 transactions and another processing 100,000 still combine for your overall merchant level.
Conclusion
Managing multiple websites’ PCI compliance doesn’t require multiple times the effort — it requires organization and the right tools. Understanding your payment methods, selecting the correct SAQ, and maintaining consistent security practices across all your sites keeps you compliant without overwhelming complexity.
PCICompliance.com simplifies this process with our free SAQ Wizard that identifies exactly which questionnaire you need based on your payment methods across all sites. Our ASV scanning service handles quarterly vulnerability scans for all your domains, while our compliance dashboard tracks progress and deadlines in one centralized location. Whether you’re managing two websites or twenty, we’ll guide you through achieving and maintaining PCI compliance. Start with our free SAQ Wizard to identify your requirements, or talk to our compliance team about managing multiple sites efficiently.