NMI Gateway PCI Compliance

Your Payment Gateway Just Sent You a PCI Questionnaire — Here’s What You Actually Need to Do

If you’re reading this, you probably just received an email from NMI (Network Merchants Inc.) or your payment processor asking about PCI compliance. Maybe there’s a questionnaire attached, lots of acronyms you don’t recognize, and a deadline that’s making you nervous.

Here’s the good news: for most businesses using NMI’s payment gateway, PCI compliance is much simpler than it sounds. You’re likely looking at a straightforward questionnaire that takes 30-60 minutes to complete, not the massive security audit you might be imagining.

This guide walks you through exactly what NMI PCI compliance means, which questionnaire you need to fill out, and how to get it done without hiring a security consultant or pulling your hair out.

What Is PCI Compliance (In Plain English)

PCI compliance means following security standards designed to protect credit card information. Think of it as the payment industry’s way of making sure everyone who touches credit card data — from giant retailers to tiny online shops — maintains basic security practices.

The standards were created by the major card brands (Visa, Mastercard, American Express, Discover) through something called the PCI Security Standards Council (PCI SSC). But here’s what matters to you: your payment processor (whether that’s NMI directly or whoever you signed up with) is the one asking you to prove compliance.

If you don’t complete your compliance requirements, several things can happen:

  • Your processor can charge non-compliance fees (typically $20-100 per month)
  • If there’s a data breach, you’re liable for fraud losses and investigation costs
  • In extreme cases, you could lose the ability to accept credit cards

But before you panic, understand that most small businesses qualify for the simplest compliance options. You’re not being asked to implement the same security as Amazon — just to answer some questions about how you handle card payments.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards through NMI’s gateway, yes.

It doesn’t matter if you process one transaction or one thousand — the moment you accept a credit card payment, PCI compliance applies. This includes:

  • Online payments through your website
  • Phone orders where customers give you their card number
  • Email orders (though you should stop taking cards by email immediately)
  • Any other way you’re accepting cards through NMI

Your merchant level determines how much documentation you need to provide. Most businesses are Level 4 merchants (processing under 20,000 e-commerce transactions or under 1 million total transactions annually). This means you complete a self-assessment questionnaire, not a full audit.

That compliance questionnaire NMI or your processor sent? It’s their way of making sure you’re following the rules — and protecting themselves from liability if something goes wrong.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) is the form you fill out to prove compliance. There are different versions based on how you accept payments. Here’s the plain English guide:

How You Take Payments                                             Your SAQ Type   Number of Questions
Fully outsourced (customer never enters card data on your site)   SAQ A           ~20
E-commerce with payment form on your site                         SAQ A-EP        ~140
Standalone terminals only (no computer connection)                SAQ B           ~40
Terminals connected to your network                               SAQ B-IP        ~80
Taking cards over the phone                                       SAQ C-VT        ~80
Storing card numbers or complex setup                             SAQ D           ~330

For NMI gateway users, here are the most common scenarios:

If you use NMI’s hosted payment page where customers are redirected to NMI’s servers to enter their card details, you’re likely SAQ A — the simplest one.

If you use NMI’s API with a payment form on your website, you’re probably SAQ A-EP. This applies even if you’re using tokenization and never store card numbers.

If you take phone orders and type card numbers into a virtual terminal or your computer, that’s SAQ C-VT.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need — no payment industry degree required.

How to Complete Your SAQ

Once you know which SAQ you need, here’s what to expect:

The questionnaire itself is a series of yes/no questions about your security practices. Questions like:

  • “Do you have a firewall?”
  • “Do you change default passwords?”
  • “Is your payment page served over HTTPS?”

When you answer “yes,” you’re confirming that you follow that security practice. If you answer “no,” you’ll need to either implement the control or explain why it doesn’t apply to your business.

Documentation you’ll need:

  • Your network diagram (can be hand-drawn showing how payment data flows)
  • Security policies (even basic ones count)
  • Evidence of quarterly vulnerability scans (if required for your SAQ type)
  • List of any third-party service providers who handle card data for you

Quarterly ASV scans are external vulnerability scans of your public-facing systems. If your SAQ type requires them (most do except SAQ A), you’ll need to:

  • Schedule scans with an Approved Scanning Vendor (ASV)
  • Fix any failing vulnerabilities they find
  • Get a passing scan at least once per quarter

The entire process typically takes a few hours spread over a couple of days — gathering documents, answering questions, and waiting for scan results.

Once complete, you’ll sign an Attestation of Compliance (AOC) — basically a formal declaration that you’ve answered honestly and maintain these security practices. Submit this to whoever requested it (NMI or your payment processor) and you’re done… until next year.

What It Costs

Let’s talk real numbers for NMI gateway merchants:

Compliance platform fees typically run $100-300 per year for Level 4 merchants. This includes:

  • Access to the right SAQ for your business
  • Guided questionnaire completion
  • Compliance tracking and reminders
  • Basic support

Quarterly ASV scanning costs around $30-100 per scan, or $120-400 annually. Some compliance platforms bundle this in.

If you need a QSA (only for Level 1 merchants or if your processor specifically requires it), budget $5,000-50,000 for a full assessment. But again, most small businesses never need this.

The cost of non-compliance hits much harder:

  • Monthly non-compliance fees: $20-100
  • Data breach liability: $50-90 per compromised card
  • Forensic investigation costs: $10,000-100,000
  • Lost ability to process cards: priceless (in the worst way)

For most merchants, annual compliance costs less than what you’d pay in non-compliance fees after just a few months.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your compliance is valid for one year, then you need to re-assess. Plus, if your SAQ type requires quarterly scans, those need to happen every 90 days.

Set these reminders now:

  • Annual SAQ completion (same time each year)
  • Quarterly ASV scans (if required)
  • Review any changes to your payment setup
  • Update security policies annually

Changes that trigger a new assessment:

  • Switching payment processors or gateways
  • Adding new payment channels (like going from online-only to also taking phone orders)
  • Significantly increasing transaction volume
  • Starting to store card data (please don’t)

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and keeps your compliance documentation in one place. No more scrambling when your processor asks for proof of compliance.

FAQ

Q: I only process a few transactions per month through NMI. Do I still need to comply?
A: Yes. PCI compliance applies to any business that accepts credit cards, regardless of volume. The good news is that low-volume merchants typically qualify for the simplest SAQ types.

Q: What happens if I just ignore the compliance request?
A: Your processor will likely start charging monthly non-compliance fees. More importantly, if there’s a breach, you’re fully liable for all costs and damages. Some processors will eventually terminate your account.

Q: Can I just say “yes” to all the questions to pass?
A: That’s fraud, and it doesn’t protect you. If there’s a breach and investigators find you lied on your SAQ, you’re facing massive liability plus potential criminal charges. Answer honestly — it’s better to fix issues than hide them.

Q: I use NMI’s hosted payment page. Do I still need to do anything?
A: Yes, but you likely qualify for SAQ A — the simplest questionnaire with only about 20 questions. Even fully outsourced payments require you to confirm basic security practices like using unique passwords and keeping systems patched.

Q: How do I know if I’m storing card data?
A: Search your systems for any 16-digit numbers that look like credit cards. Check databases, spreadsheets, email, and backup files. If you find any, stop what you’re doing and call a QSA — you need professional help to handle this safely.
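As an added example (not part of the original post, and not a PCICompliance.com tool), here is a small Python script that performs the search described in that answer. It goes a little beyond the answer's "16-digit numbers" rule: it accepts runs of 13 to 19 digits with optional space or dash separators, then keeps only candidates that pass the Luhn check digit test, which removes most order numbers and phone numbers of the same length. It reports only masked numbers (first six and last four digits) so the scan report does not itself become another copy of card data. The sample log lines and the file-scanning helper are constructed for illustration; the card numbers in the sample are well-known test numbers that are never issued.

```python
import re
import sys
from pathlib import Path

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
# Assumption (not from the page): the FAQ says 16-digit numbers; this widens
# the match so cards of other lengths (e.g. 15-digit Amex) are not missed.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Card numbers carry a Luhn check digit, so this discards most account
    numbers, ticket IDs and phone numbers that merely have the right length.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the first six and last four digits, the form PCI DSS allows
    to be displayed, so the scan report does not itself hold full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked card numbers found in text, in order of appearance."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_files(paths: list[Path]) -> dict[str, list[str]]:
    """Scan each file as text and map path -> masked PANs found in it.

    Binary formats (spreadsheets, mail archives, database dumps) usually need
    exporting to text first; undecodable bytes are skipped rather than fatal.
    """
    report = {}
    for path in paths:
        text = path.read_text(encoding="utf-8", errors="ignore")
        found = find_pans(text)
        if found:
            report[str(path)] = found
    return report


# Constructed sample: two Luhn-valid test card numbers that are never issued,
# a 16-digit reference number that fails Luhn, and a phone number.
SAMPLE_LOG = """\
order_id=1001 card=4111 1111 1111 1111 exp=12/27
invoice 5500-0000-0000-0004 paid by phone
support ticket 1234567890123456 (not a card)
callback 512-555-0100
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, pans in scan_files([Path(p) for p in sys.argv[1:]]).items():
            print(f"{path}: {len(pans)} possible card number(s): {pans}")
    else:
        print(find_pans(SAMPLE_LOG))
```

Run it with no arguments to see it pick out the two card numbers in the sample and skip the look-alike ticket number, or pass file paths to scan exported logs, CSV dumps or mailbox exports. For databases, export the suspect tables to text first, or run the same pattern in a query against the columns that could hold free text. Any hit is a reason to stop and get the professional help the answer recommends, not to start cleaning up on your own.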

Q: What’s the difference between PCI compliance and being PCI certified?
A: Only service providers get “certified.” Merchants achieve “compliance” by completing their annual assessment. If someone’s trying to sell you PCI certification as a merchant, they don’t understand PCI.

Q: My website developer says they made my site PCI compliant. Am I done?
A: No. Your developer can implement technical controls, but PCI compliance includes policies, procedures, and ongoing practices. You still need to complete your annual SAQ and maintain those controls year-round.

Q: Do I need to hire a security consultant to complete my SAQ?
A: Most merchants don’t. If you’re SAQ A, A-EP, or B, the questions are straightforward enough to answer yourself. If you’re SAQ D or having trouble understanding the requirements, then yes, get professional help.

Your Next Steps

PCI compliance might feel overwhelming when you first encounter it, but for most businesses using NMI’s gateway, it’s a manageable process. You’re likely looking at a few hours of work annually to complete a straightforward questionnaire and maintain basic security practices you should be following anyway.

The key is to start now rather than wait for non-compliance fees to pile up. Identify which SAQ type applies to your payment setup, schedule any required vulnerability scans, and work through the questionnaire methodically.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your requirements in under 5 minutes, or talk to our compliance team if you need guidance on your specific NMI integration. Either way, you’ll have clarity on what PCI compliance actually means for your business and a clear path to get there.
