Portugal PCI Compliance

The Bottom Line Up Front

If you’re reading this because your payment processor just sent you a PCI compliance questionnaire, take a deep breath. For most small businesses in Portugal, achieving PCI compliance is much simpler than it sounds. You probably don’t need to hire expensive consultants or overhaul your entire payment system — you just need to understand which questionnaire applies to your business and answer some straightforward yes/no questions about how you handle credit card payments.

The compliance email sitting in your inbox isn’t a regulatory trap or a money grab. It’s your payment processor making sure you’re following basic security practices to protect your customers’ card data. Think of it like the health and safety inspection at a restaurant — there are rules to follow, but they exist for good reasons, and once you understand what’s expected, compliance becomes routine.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. If you accept any of these cards, whether in your Porto shop or on your Lisbon-based e-commerce site, these requirements apply to you.

The card brands don’t enforce PCI compliance directly. Instead, they delegate this to your acquirer (the bank that processes your card transactions) or your payment processor (companies like Stripe, Square, or local Portuguese processors). When these companies send you compliance questionnaires, they’re fulfilling their obligation to the card brands to ensure everyone in the payment chain maintains proper security.

Non-compliance carries real consequences. Your processor can fine you monthly — typically starting at €50-100 but potentially escalating to thousands. If your business experiences a data breach and you’re not compliant, you become liable for fraud losses and investigation costs that can reach tens of thousands of euros. In extreme cases, you could lose the ability to accept card payments entirely, which for most businesses means closing your doors.

Here’s the good news: the vast majority of small and medium businesses qualify for the simplest compliance paths. If you use modern payment terminals or hosted checkout pages, you’re already doing most of what PCI requires. The questionnaire just documents that you’re following these practices.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit or debit cards in any form, yes, you need to be PCI compliant. This applies whether you:

  • Run a physical store with a payment terminal
  • Operate an e-commerce website
  • Take orders over the phone
  • Process payments at trade shows or markets
  • Accept cards through a mobile device

Your merchant level determines how you demonstrate compliance. Most businesses process fewer than 6 million transactions annually, making them Level 4 merchants. At this level, you complete a Self-Assessment Questionnaire (SAQ) rather than undergoing a formal audit. Think of it as doing your own taxes versus being audited — you’re still responsible for accuracy, but the process is much simpler.

Your payment processor expects you to:
1. Complete the appropriate SAQ annually
2. Run quarterly vulnerability scans if you have any internet-connected systems
3. Submit an Attestation of Compliance (AOC) confirming you’ve met all requirements
4. Fix any security issues identified during the process

That compliance questionnaire they sent? It’s their way of starting this annual process. They need to collect your completed SAQ and AOC to satisfy their own obligations to the card brands.

Which SAQ Do You Need?

Choosing the right SAQ is crucial — pick one that’s too simple and you’re not actually compliant; pick one that’s too complex and you’re creating unnecessary work. Here’s how to determine which one fits your business:

How You Accept Payments                                    SAQ Type    Number of Questions   Complexity
Redirect to payment processor (PayPal, Stripe Checkout)    SAQ A       22                    Simple
E-commerce with payment fields on your site                SAQ A-EP    191                   Moderate
Standalone terminals with no electronic storage            SAQ B       41                    Simple
Standalone terminals connected to internet                 SAQ B-IP    82                    Simple-Moderate
Manual card entry (virtual terminal, phone orders)         SAQ C-VT    87                    Moderate
Any electronic storage of card numbers                     SAQ D       329+                  Complex

If you use a payment terminal like those from Square, SumUp, or traditional banks, you’re likely SAQ B (if the terminal uses dial-up) or SAQ B-IP (if it connects via internet). These terminals handle all the card data, so your main responsibility is physical security — keeping the terminal in a secure location and ensuring only authorized staff can access it.

If you have an e-commerce site using Shopify Payments, WooCommerce with Stripe, or similar hosted checkout services, you’re probably SAQ A. These services handle all the sensitive card data on their servers, not yours. Your website just redirects customers to their secure payment page.

If you take payments over the phone and enter them into a web-based virtual terminal, you need SAQ C-VT. This covers businesses that manually key in card numbers but don’t store them electronically.

If you store card numbers in any electronic format — even in Excel spreadsheets or your email — you’re in SAQ D territory. This is the most complex questionnaire and honestly, you should stop storing card numbers. Modern payment processors offer tokenization and customer vault services that eliminate this need.

Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no payment industry expertise required.

How to Complete Your SAQ

Once you know which SAQ applies, completing it is straightforward. The questionnaires consist of yes/no questions grouped by security topic. For example, SAQ A might ask: “Do you redirect customers to a PCI DSS compliant payment processor?” If you use Stripe Checkout, the answer is yes.

Each “yes” answer means you’re meeting that requirement. Each “no” means you need to implement the control, document an alternative measure that achieves the same security goal (called a compensating control), or explain why the requirement doesn’t apply to your business. For most Level 4 merchants using modern payment solutions, you’ll find you’re already doing what’s required.

You’ll need to gather some basic documentation:

  • Your payment processing agreement
  • Network diagram (for SAQ B-IP and above — this can be as simple as a drawing showing how your payment terminal connects to the internet)
  • Security policies (for more complex SAQs — templates are widely available)
  • Evidence of quarterly ASV scans if you have any internet-facing systems

About those ASV scans: if your payment systems connect to the internet, you need quarterly vulnerability scans from an Approved Scanning Vendor. This isn’t as intimidating as it sounds — you provide your IP addresses, the ASV runs automated scans, and you get a report showing any vulnerabilities to fix. Most small businesses pass on the first try, and common issues (like outdated SSL certificates) have straightforward fixes.

After completing your SAQ, you sign an Attestation of Compliance — a formal declaration that you’ve answered accurately and maintain the controls you’ve described. Submit both documents to your payment processor, and you’re compliant for another year.

What It Costs

PCI compliance costs vary based on your complexity, but for most small merchants, it’s quite affordable:

Compliance platforms and SAQ tools: €100-500 per year for Level 4 merchants. These platforms guide you through the questionnaire, store your documentation, and send renewal reminders.

Quarterly ASV scanning: €50-150 per quarter, often bundled with compliance platforms. Some payment processors include this in their merchant accounts.

QSA assessment: Only required for Level 1 merchants or if you’ve had a breach. Costs range from €5,000-50,000 depending on scope. Most small businesses never need this.

Training and consulting: Optional for most. Basic online training costs €50-200 per person. Consultant help with your first SAQ might run €500-2,000 but isn’t usually necessary for simple setups.

Compare these costs to non-compliance penalties: monthly fines starting at €50-100, potential breach liability in the tens of thousands, and the catastrophic impact of losing card acceptance privileges. For most businesses, annual compliance costs less than a single month’s non-compliance fine.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly components. Mark your calendar for:

  • Annual SAQ renewal: Complete a fresh questionnaire each year
  • Quarterly ASV scans: Required every 90 days if you have internet-connected systems
  • Change reviews: Major changes to your payment setup might require a new SAQ type

Set up a compliance calendar with reminders 30 days before each deadline. Many businesses assign this to whoever handles the payment processor relationship — often the office manager or finance lead.

Changes that trigger reassessment include:

  • Switching payment processors
  • Adding new payment channels (like starting e-commerce)
  • Changing how you handle card data
  • Implementing new POS systems

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders when action is needed and maintaining your compliance history in one searchable location.

FAQ

My payment processor says I need to be PCI compliant by next month. Is that realistic?

Yes, for most small merchants using modern payment systems, achieving initial compliance takes just a few hours. If you’re SAQ A or B, you can complete the questionnaire in an afternoon. The main time factor is scheduling your first ASV scan if required — allow a week for that process.

I’m just a small shop in Lisbon. Do these international standards really apply to me?

PCI DSS applies to every business that accepts payment cards, regardless of size or location. The good news is that the requirements scale with your size — as a small merchant, you self-assess rather than hiring auditors, and your questionnaire is much simpler than what large retailers complete.

What happens if I just ignore the compliance request?

Your payment processor will likely start charging monthly non-compliance fees, typically €50-100. These continue until you comply. If you persistently ignore requirements, they can terminate your merchant account, meaning you lose the ability to accept cards.

I use Square for everything. Doesn’t that make me automatically compliant?

Using Square (or similar providers) handles most compliance requirements, but you still need to complete an annual SAQ. You’ll likely qualify for SAQ B or B-IP, which primarily asks about physical security of your terminals and basic business practices.

Do I need to hire a security consultant?

Most Level 4 merchants don’t need consultants for PCI compliance. The self-assessment questionnaires are designed for business owners to complete. If you’re storing card numbers electronically or have a complex payment environment, consultant help might be valuable, but this is rare for small businesses.

What’s an ASV scan and do I really need one?

An Approved Scanning Vendor scan checks your internet-facing systems for vulnerabilities. If you have any payment-related systems connected to the internet (including most modern terminals), quarterly scans are required. They’re automated, typically take 30 minutes to run, and cost about €50-150 per scan.

Can I just answer ‘yes’ to everything to pass?

The SAQ is a legal attestation — false answers constitute fraud and can result in significant penalties if discovered. Answer honestly. If you must answer ‘no’ to a requirement, you can often implement simple fixes or document compensating controls that achieve the same security goal.

I accepted cards for years without doing this. Why now?

Payment processors have increased enforcement in recent years as data breaches grabbed headlines and regulations like GDPR raised the stakes. What was once loosely monitored is now actively enforced, partly due to pressure from the card brands and partly because processors face their own compliance obligations.

Conclusion

That PCI compliance notice in your inbox isn’t the bureaucratic nightmare you might have feared. For most Portuguese merchants, compliance means completing a straightforward questionnaire about payment practices you’re likely already following. Whether you run a boutique in Porto, a restaurant in Faro, or an online shop shipping across Europe, the process is designed to match your actual risk level.

The key is identifying which SAQ fits your payment setup — and that’s where the right tools make all the difference. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of guessing which requirements apply or struggling through complex documentation, you get clear guidance tailored to your specific payment environment. Start with the free SAQ Wizard to see exactly what your compliance journey looks like, or talk to our compliance team if you need help understanding your processor’s requirements. Most merchants complete their first assessment in under two hours and wonder why they worried so much about PCI compliance in the first place.
