New Website: Do I Need PCI?

So you just launched your new website, or maybe you’re planning to accept credit cards online for the first time. Your payment processor sent you something about “PCI compliance” and now you’re wondering if this applies to you. The quick answer: if you accept credit cards in any form — online, in-person, or over the phone — then yes, PCI compliance requirements apply to your new website. But here’s the good news: for most small businesses, achieving compliance is much simpler than it sounds.

Bottom Line Up Front

Take a deep breath. For most small businesses, PCI compliance means filling out a straightforward questionnaire once a year and running quarterly security scans on your website. If you’re using modern payment tools like Stripe, Square, or PayPal, you’re already 90% of the way there. The whole process might take you a few hours spread over a couple of days — not the weeks-long ordeal you might be imagining.

Your payment processor isn’t trying to make your life difficult. They’re required by the card brands to ensure all their merchants protect card data. That questionnaire they sent? It’s actually designed to help you confirm you’re following basic security practices — many of which you’re probably already doing.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist that anyone who handles credit cards must follow.

The card brands created an organization called the PCI Security Standards Council (PCI SSC) to manage these standards, but they don’t enforce them directly. Instead, your acquiring bank or payment processor — the company that handles your card transactions — is responsible for making sure you comply. That’s why Stripe, Square, or your bank sent you that compliance questionnaire.

Why This Matters to You

If you don’t maintain compliance, several things can happen:

  • Your payment processor can fine you (typically $5,000-$100,000 depending on your size)
  • If there’s a data breach, you could be liable for fraud losses and remediation costs
  • Your processor could increase your rates or terminate your ability to accept cards
  • You might face legal liability from customers whose data was compromised

But here’s what they don’t always tell you: achieving compliance protects your business too. Following PCI requirements significantly reduces your risk of a breach, protects your reputation, and can even lower your processing rates with some providers.

Do You Need to Be PCI Compliant?

Let’s make this simple: if you accept credit cards, you need to be PCI compliant. It doesn’t matter if you’re a Fortune 500 company or selling crafts on Etsy. The moment you accept a credit card payment, PCI requirements apply.

Understanding Your Merchant Level

Your merchant level determines how you demonstrate compliance. Most businesses fall into Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total Visa transactions annually). Here’s what each level means:

  • Level 4: Complete an annual Self-Assessment Questionnaire (SAQ) and quarterly security scans
  • Level 3: Same as Level 4, but processing 20,000-1 million e-commerce transactions
  • Level 2: May need an annual assessment by a QSA depending on your acquirer
  • Level 1: Definitely need an annual on-site assessment and Report on Compliance (ROC)

Don’t worry about calculating this yourself — your payment processor already knows your level and will tell you exactly what’s required.

What Your Payment Processor Expects

When your processor sends that compliance package, they’re typically asking for:
1. A completed SAQ appropriate to how you accept payments
2. Quarterly ASV scans if you have any systems connected to the internet
3. An Attestation of Compliance (AOC) — basically your signature saying you completed the requirements

They’ll usually give you 30-90 days to complete this, and many provide tools or partnerships to help you through the process.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in different versions based on how you handle card data. Here’s a plain-English guide to picking the right one:

How you accept payments → your SAQ type (number of questions, complexity):

  • Customer enters card details on the payment provider’s website (PayPal, Stripe Checkout) → SAQ A (22 questions, easiest)
  • E-commerce site where customers enter cards on your site, but you use JavaScript from the payment provider → SAQ A-EP (139 questions, moderate)
  • Standalone terminal with no electronic storage (Square Reader, basic Clover) → SAQ B (41 questions, easy)
  • Terminal connected to the internet but isolated from other systems → SAQ B-IP (82 questions, easy-moderate)
  • Taking payments over the phone using a virtual terminal → SAQ C-VT (80 questions, moderate)
  • Any electronic storage of card numbers → SAQ D (329 questions, complex)

Common Scenarios

If you just launched an online store:

  • Using Shopify Payments? → SAQ A
  • Using WooCommerce with Stripe Elements? → SAQ A-EP
  • Built custom checkout storing card numbers? → SAQ D (and please reconsider)

If you have a physical location:

  • Using a Square reader on your phone? → SAQ B
  • Using a Clover station connected to internet? → SAQ B-IP

PCICompliance.com’s SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which SAQ applies. No guessing required.

How to Complete Your SAQ

Completing your SAQ is less daunting than it seems. Each questionnaire contains yes/no questions about your security practices. Here’s what to expect:

What “Yes” Really Means

When you answer “yes” to a question like “Are default passwords changed?”, you’re confirming:

  • You actually checked this (not just assuming)
  • You have a process to keep it this way
  • You could show evidence if asked

Documentation You’ll Need

Gather these before you start:

  • Network diagram (even a simple sketch works for small businesses)
  • List of any systems that handle card data
  • Your payment processor agreements
  • Any security policies you have (formal or informal)

The Quarterly ASV Scan

If you have any internet-facing systems (website, email server, etc.), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan:

  • Checks for security vulnerabilities
  • Takes about 30 minutes to set up
  • Runs automatically each quarter
  • Costs $200-500 per year for most small businesses

Submitting Your Compliance

Once complete:
1. Review your answers one more time
2. Sign the Attestation of Compliance
3. Submit through your processor’s portal or compliance platform
4. Save copies for your records

Most businesses can complete their first SAQ in 2-4 hours, and subsequent years take even less time.

What It Costs

Let’s talk real numbers. PCI compliance costs vary, but for most small businesses:

Direct Costs

  • SAQ completion tools: $100-500/year (many processors include this free)
  • Quarterly ASV scanning: $200-500/year for small businesses
  • Compliance management platform: $500-2,000/year (optional but helpful)
  • QSA assessment: $10,000-50,000 (only if you’re Level 1 or 2)

The Cost of Non-Compliance

  • Monthly non-compliance fees: $20-100 from your processor
  • Breach-related fines: $5,000-100,000 depending on severity
  • Fraud liability: You’re responsible for any fraudulent charges
  • Forensic investigation: $20,000+ if you have a breach
  • Lost business: Immeasurable damage to reputation

When you do the math, spending a few hundred dollars annually on compliance is far cheaper than even a minor security incident.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done activity. Your annual certification confirms your security practices for that point in time, but you need to maintain those practices year-round.

Annual Requirements

  • Complete your SAQ once per year
  • Update it if your payment methods change
  • Keep documentation current

Quarterly Requirements

  • Run ASV scans every 90 days
  • Review and fix any failures
  • Save passing scan reports

What Triggers a New Assessment

You’ll need to reassess if you:

  • Change how you accept payments
  • Add new payment channels
  • Start storing card data (please don’t)
  • Experience significant business growth

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends reminders before deadlines, and maintains your compliance history in one place. No more scrambling when your processor asks for last quarter’s scan report.

FAQ

Q: I only process a few transactions per month. Do I still need to comply?

A: Yes, PCI compliance applies regardless of transaction volume. The good news is that smaller merchants typically qualify for the simplest SAQ types, making compliance straightforward and affordable.

Q: My payment processor handles everything. Why do I need to do anything?

A: While your processor handles the actual transaction, you’re responsible for how you collect and transmit card data to them. Your SAQ confirms you’re doing your part securely. Think of it as a partnership — they secure their end, you secure yours.

Q: What happens if I just ignore the compliance requirements?

A: Your processor will likely start charging monthly non-compliance fees ($20-100 typically). Eventually, they may terminate your merchant account, meaning you can’t accept cards at all. Plus, if you have a breach while non-compliant, you’re fully liable for all costs and fines.

Q: Can I just say “yes” to everything on the SAQ?

A: Falsifying your SAQ is considered fraud and can result in immediate termination of your merchant account. More importantly, the SAQ helps identify actual security gaps in your business. Being honest protects both you and your customers.

Q: How do I know if I’m storing credit card data?

A: Check your systems for saved card numbers — databases, spreadsheets, email, paper files, even post-it notes count. If you find any, stop immediately and contact your processor for guidance. Modern payment tools eliminate the need to store card data.
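Searching exports, logs and support notes by eye is unreliable, so a small scanner helps with the check above. The script below is an added example, not code from the original page or from PCICompliance.com: it flags 13-19 digit runs that pass the Luhn checksum (the check digit every card number carries) and reports them masked, so the scan does not itself create another copy of full card data. The sample lines are constructed, and the function names are this example’s own.

```python
"""Find candidate card numbers (PANs) in text so you can spot data you did not
know you were storing. Only length and the Luhn checksum are used to flag a
candidate; findings are reported with the middle digits masked."""
import re

# Digit runs of 13-19 characters, optionally separated by spaces or dashes.
# The lookarounds stop a partial match inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first 6 and last 4 digits; hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PAN candidates found in text (Luhn-valid, 13-19 digits)."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_lines(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every hit, one tuple per finding."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            hits.append((n, pan))
    return hits


# Constructed sample input (test card numbers, not real data): an order-export
# row, a support note, a web log line with a 13-digit order id, and a mistyped
# number that fails the checksum.
SAMPLE = """\
order_id,customer,card
1001,Jane Doe,4111 1111 1111 1111
support note: customer read card 5555-5555-5555-4444 over the phone
2024-03-01T12:00:00Z GET /checkout 200 1234567890123
invoice 4111111111111112 (typo, fails Luhn)
"""

if __name__ == "__main__":
    for n, pan in scan_lines(SAMPLE):
        print(f"line {n}: possible card number {pan}")
```

Run it over database dumps, spreadsheet exports and mailbox exports; anything it reports is a place where card data lives outside your payment provider and needs to be removed. A Luhn hit is a candidate, not proof (some order or account numbers also pass the checksum), so confirm each finding by hand before deleting anything.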

Q: Is PCI compliance the same as being “secure”?

A: PCI compliance is a minimum security standard, not comprehensive protection. Think of it like a driver’s license — passing the test doesn’t make you a race car driver. Compliance is important, but consider additional security measures based on your risk profile.

Q: Do I need to hire a security consultant?

A: Most small businesses don’t need outside help for basic SAQ completion. However, if you’re having trouble understanding requirements or failing ASV scans repeatedly, a few hours with a consultant can save time and frustration.

Q: What’s the difference between a vulnerability scan and penetration testing?

A: ASV scans are automated checks for known vulnerabilities, required quarterly for most merchants. Penetration testing involves security professionals actively trying to break into your systems — only required for SAQ D merchants.

Conclusion

Starting PCI compliance for your new website doesn’t have to be overwhelming. For most small businesses, it’s a matter of confirming you’re using secure payment tools and following basic security practices — many of which you’re likely already doing. The key is understanding which requirements apply to your specific situation and having the right tools to guide you through the process.

PCICompliance.com simplifies this entire journey with our comprehensive compliance platform. Start with our free SAQ Wizard to identify exactly which questionnaire you need — it takes less than five minutes and eliminates the guesswork. Our ASV scanning service handles your quarterly vulnerability scans automatically, our step-by-step guidance walks you through each requirement in plain English, and our compliance dashboard keeps you on track throughout the year. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools, scanning, and support you need in one integrated platform. Begin your compliance journey today with our free SAQ Wizard, or contact our team for personalized guidance on your specific payment setup.
