Netherlands PCI Compliance

Here’s What You Actually Need to Know

Let’s start with the reassuring news: if you’re a small business owner in the Netherlands who just received a PCI compliance questionnaire from your payment processor, it’s probably not as complicated as it looks. Most Dutch merchants, especially smaller shops, restaurants, and online businesses, can achieve compliance by answering a questionnaire and, depending on how they take payments, running quarterly external vulnerability scans. No expensive consultants, no months of preparation, just straightforward security practices that protect both you and your customers.

PCI compliance in the Netherlands follows the same global standards as everywhere else, but you’re dealing with Dutch acquirers like ING, Rabobank, or ABN AMRO, or working through payment service providers like Adyen, Mollie, or PayPal. They’re the ones who sent you that compliance request, and they’re required to ensure all their merchants meet these security standards. The good news? They want you to succeed — non-compliant merchants create risk for them too.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. If you accept any of these cards, whether in your Amsterdam shop or through your Dutch e-commerce site, these requirements apply to you.

The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) enforces compliance. When Rabobank or Adyen asks for your compliance documentation, they’re fulfilling their obligation to the card brands.

Why does this matter to you? Three reasons:

Non-compliance can result in fines from your payment processor — typically €5,000 to €25,000 for small merchants, but potentially much higher if there’s a breach. Your processor doesn’t want to fine you, but the card brands fine them if their merchants aren’t compliant, so they pass those costs along.

You could lose the ability to accept cards if you persistently ignore compliance requirements. This is rare for small merchants, but it happens.

You’re liable for fraud losses if criminals steal card data from your business and you weren’t compliant. This is the scary one — a single breach can put a small business under.

But here’s the crucial point: most small businesses can achieve compliance with minimal effort. The PCI Council recognizes that a corner shop in Utrecht has different security needs than Bol.com. That’s why they created different Self-Assessment Questionnaires (SAQs) — simplified compliance paths for different types of businesses.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit or debit cards, yes. This includes:

  • Physical cards in your store or restaurant
  • Online payments through your website
  • Phone or mail orders where customers give you their card number
  • Mobile payments through a card reader attached to your phone or tablet

Your merchant level determines how you demonstrate compliance. Levels are set by each card brand and counted per brand; Visa and Mastercard use the bands below, and Levels 3 and 4 are defined by e-commerce volume:

  • Level 1: Over 6 million transactions annually (you’d know if this was you)
  • Level 2: 1 to 6 million transactions annually
  • Level 3: 20,000 to 1 million e-commerce transactions annually
  • Level 4: Under 20,000 e-commerce transactions annually, or up to 1 million transactions of any other kind

Most Dutch small businesses are Level 4, which means you can self-assess using an SAQ rather than hiring an expensive Qualified Security Assessor (QSA).

What your payment processor expects from you:

  • Complete the appropriate SAQ annually
  • Have an Approved Scanning Vendor (ASV) scan your internet-facing systems quarterly, if your SAQ type requires it
  • Submit your Attestation of Compliance (AOC), the signed form that says you completed the requirements
  • Fix any security issues the scans identify, and rescan until the result is a pass

That compliance questionnaire they sent you? It’s your annual reminder to complete these requirements. Some processors include a deadline and mention potential fines — this gets your attention, but don’t panic. You probably have 30-90 days to comply, and the process is manageable.

Which SAQ Do You Need?

The Self-Assessment Questionnaire you need depends entirely on how you accept payments. Here’s the decision tree in plain language:

If you use a standalone payment terminal:

  • Standalone terminal (from Square, SumUp, Zettle or your bank) that connects to the processor over the internet, whether WiFi, Ethernet or cellular: You likely need SAQ B-IP (about 33 questions)
  • Traditional countertop terminal connected to a phone line: You likely need SAQ B (about 29 questions)
  • Multiple terminals in a restaurant or retail environment: Still SAQ B or B-IP, depending on connection type
  • A small card reader that pairs with an app on your phone or tablet is not a standalone terminal. Ask the provider which SAQ their solution is validated for; a solution on the PCI Security Standards Council’s P2PE list qualifies for the much shorter SAQ P2PE

If you have an e-commerce website:

  • The customer is sent to the processor’s hosted payment page, or the card form is an iframe served by the processor (Shopify Payments, Mollie Checkout, Stripe Checkout and similar): You likely need SAQ A (about 22 questions, the simplest one)
  • Your own page shows the card form, but the browser sends the card data straight to the processor (a direct-post form or the processor’s JavaScript reading your fields), so it never reaches your server: You likely need SAQ A-EP (about 191 questions, significantly more complex)
  • Card data passes through or is stored on your own server, for example for recurring billing: You need SAQ D (over 300 questions). Store the processor’s token instead of the card number and you drop back to the simpler questionnaires

If you take payments over the phone:

  • Typing card details into a virtual terminal or payment portal on a dedicated computer, without writing them down or storing them: You likely need SAQ C-VT (about 81 questions)
  • Using a phone system that records calls: the recordings contain card numbers, and possibly security codes, which may never be kept after authorisation. You likely need SAQ D (the full assessment) unless recording is paused while the card details are read out

Payment scenario                                    SAQ type   Questions   Complexity
Mollie or Stripe hosted checkout                    SAQ A      ~22         Simple
Square or SumUp wireless standalone terminal        SAQ B-IP   ~33         Simple
Traditional phone-line terminal                     SAQ B      ~29         Simple
Virtual terminal for phone orders                   SAQ C-VT   ~81         Moderate
Own checkout page, browser posts card data to PSP   SAQ A-EP   ~191        Complex
Card data on your own server, or stored anywhere    SAQ D      ~300+       Very complex

Question counts are approximate and differ between PCI DSS versions (v3.2.1 and v4.0), so treat them as relative sizes and use the SAQ version your acquirer asks for.
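The decision tree above turns on one fact: where the card data goes when the customer submits the checkout form. The following is an added example, not code from this page or from any payment provider, that reads a checkout page’s HTML and makes that call heuristically. The four pages are constructed samples, and shop.example.nl and pay.example-psp.com are placeholder hostnames.

```python
# Added example (not code from the page or from any payment provider): a static,
# heuristic check of where a checkout page sends card data, which is the fact that
# separates SAQ A from SAQ A-EP and SAQ D. The HTML snippets are constructed samples;
# shop.example.nl and pay.example-psp.com are placeholder hostnames.
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Field names that carry a PAN or security code, compared after stripping separators
# ("cc-number", "card_number" and "cardNumber" all normalise to the same token).
CARD_FIELD_NAMES = {"ccnumber", "cardnumber", "ccnum", "cardno", "pan",
                    "cvv", "cvv2", "cvc", "cvc2", "cccsc", "cardcvc", "cardcvv"}


def _is_card_field(attrs: Dict[str, Optional[str]]) -> bool:
    for key in ("name", "id", "autocomplete"):
        value = attrs.get(key)
        if value and re.sub(r"[^a-z0-9]", "", value.lower()) in CARD_FIELD_NAMES:
            return True
    return False


class _CheckoutParser(HTMLParser):
    """Collects every form (its action and any card fields) and every iframe src."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []
        self.iframes: List[str] = []
        self._form: Optional[dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "card_fields": []}
            self.forms.append(self._form)
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "input" and self._form is not None and _is_card_field(a):
            self._form["card_fields"].append(a.get("name") or a.get("id"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def classify_checkout(html: str, page_url: str) -> Tuple[str, str]:
    """Return (likely SAQ, reason) for one checkout page, judged on where card fields post."""
    parser = _CheckoutParser()
    parser.feed(html)
    own_host = urlparse(page_url).hostname
    card_forms = [f for f in parser.forms if f["card_fields"]]

    if not card_forms:
        third_party = [src for src in parser.iframes
                       if urlparse(urljoin(page_url, src)).hostname != own_host]
        if third_party:
            return ("SAQ A", f"card fields live in a third-party iframe ({third_party[0]})")
        return ("SAQ A", "no card fields on this page; customer is redirected to a hosted page")

    for form in card_forms:
        target = urlparse(urljoin(page_url, form["action"])).hostname
        if target == own_host:  # an empty or relative action posts to your own server
            return ("SAQ D", f"fields {form['card_fields']} post to your own server {target}")
    return ("SAQ A-EP", "browser posts card fields straight to a third party (direct post)")


# Constructed sample pages, all served from the placeholder URL below.
PAGE_URL = "https://shop.example.nl/checkout"
HOSTED_REDIRECT = ('<form action="https://pay.example-psp.com/session/abc123">'
                   '<input name="order" value="10423"><button>Pay</button></form>')
HOSTED_IFRAME = ('<form action="/order/confirm"><input name="order" value="10424"></form>'
                 '<iframe src="https://pay.example-psp.com/embed/abc123"></iframe>')
DIRECT_POST = ('<form action="https://pay.example-psp.com/direct-post" method="post">'
               '<input name="cardNumber"><input name="cvc"><input name="order"></form>')
OWN_SERVER = ('<form action="/checkout/pay" method="post">'
              '<input autocomplete="cc-number" name="number"><input name="cvc"></form>')

if __name__ == "__main__":
    for label, page in [("redirect", HOSTED_REDIRECT), ("iframe", HOSTED_IFRAME),
                        ("direct post", DIRECT_POST), ("own server", OWN_SERVER)]:
        saq, why = classify_checkout(page, PAGE_URL)
        print(f"{label:12} -> {saq:8} {why}")
```

The check is static, so it cannot see fields or iframes that a processor’s JavaScript injects at runtime; fetch the page with a browser and save the rendered DOM before running it. Anything it flags as SAQ D is the case to fix first: swap the form for the processor’s hosted page or iframe and the card data stops touching your server.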

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need — no guessing required.

How to Complete Your SAQ

Once you know which SAQ you need, the process is straightforward:

1. Download or access the questionnaire. Each question asks whether a specific control is in place, and the answer is Yes, Yes with a compensating control, No, or Not Applicable (with a reason). A “yes” answer means you’ve implemented that security control. For example, “Do you change default passwords on payment terminals?” isn’t asking if you know you should, it’s asking if you’ve actually done it.

2. Work through each requirement. For SAQ A (the simplest), you’re confirming things like:

  • You don’t store card numbers anywhere (order logs, e-mail and spreadsheets included)
  • Your website uses HTTPS
  • You’ve configured your payment page to use the processor’s hosted form or iframe, so card data never touches your server; newer versions of SAQ A also ask about the scripts that run on the page embedding that form, so read the version your acquirer sends

For SAQ B or B-IP, you’re confirming:

  • Your terminals are PCI PTS-approved devices (the approved list is published by the PCI Security Standards Council)
  • You’ve changed default passwords
  • Terminals are in locations where customers can’t tamper with them, you keep a list of them (make, model, serial number, location), and you inspect them periodically for tampering or substitution
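The first SAQ A item above, that you don’t store card numbers, is something to verify rather than assume, because order logs and CSV exports pick up card numbers without anyone deciding to store them. The following is an added example, not code from this page, that scans text for Luhn-valid card numbers and for stored security codes and reports them masked. The log lines are constructed, and the card numbers in them are publicly documented test numbers.

```python
# Added example (not code from the page): a scan for stored card numbers, to verify
# the SAQ A item "you don't store card numbers" rather than assume it. Point it at
# log files, CSV exports or database dumps. The log lines below are constructed;
# the card numbers in them are publicly documented test numbers.
import re
from typing import Iterable, List, Tuple

# A run of digits, optionally separated by single spaces or dashes ("4111 1111 1111 1111").
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")
# A labelled security code. Sensitive authentication data must never be kept after
# authorisation, so this is a finding on its own, whatever the SAQ.
_SECURITY_CODE = re.compile(r"\b(?:cvv2?|cvc2?|csc|security[ _-]?code)\b\s*[:=]\s*\d{3,4}", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every PAN of the major card brands passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four only; PCI DSS v4.0 allows the full BIN (up to 8 digits)
    plus last four, but six is the safe choice for a report that gets e-mailed around."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit numbers in text, separators removed.
    A window slides over each digit run so a PAN glued to other digits is still found."""
    found = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        i = 0
        while i <= len(digits) - 13:
            for width in range(min(19, len(digits) - i), 12, -1):
                if luhn_ok(digits[i:i + width]):
                    found.append(digits[i:i + width])
                    i += width
                    break
            else:
                i += 1
    return found


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan lines; each finding is (line_no, 'PAN' or 'SAD', masked evidence)."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((no, "PAN", mask_pan(pan)))
        if _SECURITY_CODE.search(line):
            findings.append((no, "SAD", "security code stored"))
    return findings


# Constructed sample: an order log as a careless web shop might write it.
SAMPLE_LINES = [
    "2024-05-13 10:15:22 order=10423 card=4111 1111 1111 1111 exp=12/26 cvv=123",
    "2024-05-13 10:16:01 order=10424 token=tok_8f3a91c2 last4=4242",
    "2024-05-13 10:17:45 order=10425 pan=5555555555554444 auth=OK",
    "2024-05-13 10:18:09 customer phone=+31 20 1234 5678 iban=NL91ABNA0417164300",
]

if __name__ == "__main__":
    for no, kind, evidence in scan_lines(SAMPLE_LINES):
        print(f"line {no}: {kind} {evidence}")
```

Luhn validity is a filter, not proof: roughly one random 13-19 digit number in ten passes it, so expect a few false positives from timestamps or reference numbers and confirm each hit by hand. Line 2 shows the pattern you want to see in your own logs, a processor token and the last four digits only. Run the scan before signing the SAQ and again whenever a plugin, export or logging setting changes.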

3. Gather supporting documentation. You’ll need:

  • Your payment terminal receipts or agreements
  • Network diagrams (for more complex SAQs)
  • Security policies (templates are fine for small merchants)
  • ASV scan reports (if required for your SAQ type)

4. Schedule your ASV scan if required. An Approved Scanning Vendor runs automated tests from the internet against your externally facing systems (website, mail server, remote-access gateways) looking for vulnerabilities such as outdated software and weak TLS configurations. Scans are required at least every three months, and only a passing scan counts, so a failure means fixing and rescanning. Whether you need them depends on the SAQ: A-EP, B-IP, C and D require them; B, C-VT and P2PE don’t; SAQ A didn’t under v3.2.1, so check the version you were sent. The scan takes minutes to run and costs €50-150 per quarter from most providers.

5. Submit your completed SAQ and AOC to your acquirer. The Attestation of Compliance is a formal declaration that you’ve met all requirements. Both documents go to whoever sent you the compliance request — usually uploaded to their merchant portal or emailed to their compliance team.

Timeline: SAQ A takes most merchants 1-2 hours. SAQ B or B-IP might take 2-4 hours including gathering documentation. More complex SAQs can take days or weeks if you need to implement missing controls.

What It Costs

Let’s talk real numbers for Dutch small businesses:

Compliance platform or SAQ tools: €10-50 per month for small merchants. This includes questionnaire wizards, policy templates, and compliance tracking. Some acquirers provide basic tools for free.

Quarterly ASV scanning: €50-150 per scan, or €200-600 annually. Some compliance platforms include this in their monthly fee. If your SAQ type doesn’t require external scans (SAQ B with dial-up terminals, for example), you don’t need them.

QSA assessment: €5,000-15,000 for Level 4 merchants who voluntarily choose this route. Remember, most small merchants don’t need a QSA — self-assessment is perfectly acceptable.

The cost of non-compliance makes these fees look trivial:

  • Initial non-compliance fines: €5,000-25,000
  • Monthly fines until you comply: €1,000-5,000
  • If you suffer a breach while non-compliant: €50,000+ in fines, plus liability for fraud losses, forensic investigation costs, and potential lawsuits

Bottom line: Annual compliance for a typical Dutch small merchant costs €300-1,000. A single non-compliance fine costs 5-25x more. The math is clear.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track:

Set up your compliance calendar:

  • Annual SAQ due date (usually the anniversary of your last submission)
  • Quarterly ASV scan dates (a passing scan at least every 90 days, so leave time for fixes and rescans)
  • Annual review of security policies and procedures
  • Employee security training (at least annually)

Know what triggers a reassessment:

  • Changing payment processors or adding new ones
  • Adding new payment channels (like starting e-commerce)
  • Significantly changing your payment infrastructure
  • Moving from outsourced to in-house payment processing

Use automation where possible. Compliance platforms like PCICompliance.com track your deadlines, automate ASV scans, and alert you before requirements expire. Your Dutch acquirer might also send reminders, but don’t count on it — they manage thousands of merchants.

Keep evidence of compliance. Save your completed SAQs, AOCs, ASV reports, and any remediation evidence. If your acquirer questions your compliance or if there’s ever an incident, this documentation is your protection.

FAQ

I’m just a small shop in Amsterdam. Do these global standards really apply to me?

Yes, if you accept credit or debit cards. The size of your business determines which simplified SAQ you can use, not whether the standards apply. A single-location shop typically needs just SAQ B or B-IP — about 30 simple questions.

My payment processor (Adyen/Mollie/etc.) handles all the card processing. Am I still responsible?

You’re still responsible for your part of the payment process. If you use their hosted payment page and never touch card data, your responsibility is minimal (SAQ A). But you still need to complete the questionnaire annually and confirm you’re using their tools correctly.

What happens if I just ignore the compliance request?

Your processor will likely start with warnings, then move to fines. Typical progression: reminder letters, then €100-500 monthly “non-compliance fees,” then larger fines (€5,000+), and eventually they may terminate your merchant account. It’s far easier to just complete the SAQ.

How long do I have to complete the requirements?

Check your processor’s letter, but typically 30-90 days. Some processors give you just 30 days, while others are more flexible. Don’t wait until the deadline — ASV scans can reveal issues that take time to fix.

Can I just say “yes” to all the questions to pass?

Don’t. The attestation you sign is a formal declaration to your acquirer, and answering “yes” to controls you haven’t implemented misrepresents your security. If there’s a breach and the forensic investigation shows the answers were false, you lose whatever protection compliance would have given you and carry the fines, fraud losses and investigation costs yourself, with possible legal consequences on top.

I process less than 100 transactions per year. Do I still need to comply?

Yes, there’s no minimum threshold. Even one card transaction per year triggers PCI requirements. However, with such low volume, you’ll use the simplest SAQ type and your processor might not actively enforce compliance — though you’re still technically required to comply.

What if my website fails the ASV scan?

You’ll get a report showing what vulnerabilities were found. Most are simple fixes: updating WordPress plugins, installing security patches, or adjusting server configurations. You typically have 30 days to fix issues and rescan. PCICompliance.com includes remediation guidance with our scanning service.

Do I need to hire a security consultant or QSA?

Probably not. Level 4 merchants (under 20,000 transactions annually) can self-assess using SAQs. Only Level 1 merchants need an annual on-site assessment and Report on Compliance, performed by a QSA or a certified Internal Security Assessor, and Level 2-3 merchants only need a QSA if their acquirer specifically requires it.

Your Next Steps

PCI compliance might seem overwhelming when that first questionnaire arrives, but for most Netherlands merchants, it’s a manageable process. You’re likely a Level 4 merchant who needs one of the simpler SAQs: a few hours of work once a year, plus quarterly scans if your SAQ requires them.

The key is starting now rather than waiting for deadline pressure. Identify which SAQ you need, gather your documentation, and work through the requirements methodically. Most small merchants find they’re already doing 80% of what’s required — they just need to document it and fix a few gaps.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. We’ve helped thousands of merchants navigate PCI requirements, from single-location shops to growing e-commerce businesses. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team if you need guidance. Don’t let PCI compliance become a source of stress or fines when the solution is this straightforward.
