Print on Demand Business PCI Compliance: What You Actually Need to Know

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re staring at it like it’s written in ancient Greek, take a deep breath. For most print on demand businesses, PCI compliance is simpler than you think. You’re probably looking at a few hours of work once a year, not the regulatory nightmare you might be imagining.

Here’s what matters: if you accept credit cards (and what print on demand business doesn’t?), you need to be PCI compliant. The good news? Most POD businesses qualify for the simplest compliance requirements. This guide will walk you through exactly what you need to do, in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. Think of it as the minimum security standards you need to follow if you handle customer payment information.

The major card brands (Visa, Mastercard, American Express, Discover and JCB) founded the PCI Security Standards Council, which publishes the standard. But here’s the important part: the Council doesn’t police merchants. Your payment processor or acquiring bank is the one who actually enforces these rules and sends you that compliance questionnaire.

What Happens If You’re Not Compliant?

Your payment processor can charge you for non-compliance. The headline figures you’ll see quoted, typically $5,000 to $10,000 per month, are the fines the card brands levy on your acquiring bank, which passes them down. What a small merchant usually sees first is a monthly non-compliance fee on the merchant statement that escalates the longer the questionnaire goes unanswered (see the FAQ). If there’s a data breach and you weren’t compliant, you could be liable for fraud losses, card reissuance and forensic investigation costs. Worst case? You could lose the ability to accept credit cards entirely.

But here’s the good news: for most print on demand businesses, getting compliant is straightforward. You’re not a massive retailer storing millions of card numbers. You’re likely using modern payment tools that handle most of the security for you.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you:

  • Only process a few orders per month
  • Use a third-party payment processor
  • Never see the actual card numbers
  • Sell mostly through a marketplace but take any orders outside it

If customer card data flows through your business in any way, PCI requirements apply.

Your Merchant Level

Most print on demand businesses are Level 4 merchants (fewer than 20,000 e-commerce transactions per card brand per year, and under one million transactions in total). This is good news: Level 4 merchants have the simplest compliance requirements, normally a self-assessment rather than an outside audit.

Your payment processor determines your merchant level based on your annual transaction volume. They’ll tell you which level you are when they send your compliance questionnaire.

That Questionnaire They Sent You

Your payment processor sends an annual compliance questionnaire because the card brands require them to verify that their merchants are following security standards. It’s not optional — ignore it and you’ll likely see monthly non-compliance fees on your merchant statement.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) is how you demonstrate PCI compliance. There are different types based on how you accept payments. Most print on demand businesses fall into one of these categories:

How you accept payments, and which SAQ it maps to:

  • E-commerce with a fully hosted or iframe checkout (Shopify checkout, WooCommerce with Stripe Checkout or Stripe Elements): SAQ A. Simplest; a few dozen questions.
  • E-commerce where your own page collects the card fields and passes them to the processor from the browser: SAQ A-EP. Moderate; well over a hundred questions.
  • Standalone payment terminal only (Square Reader, Clover): SAQ B for dial-up terminals, SAQ B-IP for IP-connected ones; your terminal provider will tell you which. Simple; several dozen questions.
  • Keying phone orders into a virtual terminal, one at a time: SAQ C-VT. Moderate.
  • Storing card numbers on your own systems (please stop): SAQ D. Complex; 300+ questions.

Exact question counts change between PCI DSS versions, so treat these as rough; the SAQ your processor sends you is the authoritative one.

Common Print on Demand Scenarios

If you use Shopify or similar platforms: You’re likely SAQ A eligible. When customers check out, card entry happens on a payment page served by Shopify. You never touch the card data. What you still own is the rest of the storefront: admin logins, theme code, and any apps or third-party scripts that load on your pages, because a malicious script injected into a checkout page is the classic way hosted-checkout merchants get skimmed.

If you use WooCommerce with Stripe: Depends on your setup. Stripe Checkout (a redirect) or Stripe Elements, where the card fields are iframes served by Stripe, is SAQ A eligible according to Stripe’s own guidance. If your own page collects the card number in fields you control and your JavaScript sends it to Stripe, that’s SAQ A-EP. If the card number ever reaches your own server, even just to forward it, you’re out of both and into SAQ D.

If you take custom orders by phone: You’re looking at SAQ C-VT if you key each card into a virtual terminal from a dedicated computer and never write the number down or store it. Do not accept card numbers by email, chat or a form you built yourself: a card number sitting in an inbox is stored cardholder data (see the FAQ), and that puts you in SAQ D territory.

If you’re on Etsy, Amazon, or other marketplaces exclusively: The marketplace is the merchant of record and handles PCI compliance for transactions on their platform, so you won’t normally get a questionnaire for those sales. But if you also have your own website or take direct orders, you still need to comply for those sales.

PCICompliance.com’s SAQ Wizard takes the guesswork out of this — answer a few questions about how you accept payments, and we’ll tell you exactly which SAQ applies to your business.

How to Complete Your SAQ

Once you know your SAQ type, the actual questionnaire is straightforward. It’s a series of yes/no questions about your security practices.

What ‘Yes’ Actually Means

When you answer “yes” to a requirement, you’re stating that you currently meet that security control. For example:

  • “Yes” to firewall requirements means you have a firewall configured and active on every in-scope system, not merely installed
  • “Yes” to password requirements means you enforce strong, unique passwords and, where the SAQ asks for it, multi-factor authentication for administrative access
  • “Yes” to encryption means card data is only ever transmitted over TLS (your checkout is HTTPS with a valid certificate), never by email or chat

If you can’t answer “yes” to something, you’ll need to implement that control, or mark it not applicable with a written reason if it genuinely doesn’t apply to how you take payments.

Documentation You’ll Need

Gather these before you start:

  • Your network diagram (even a simple one)
  • List of all systems that handle payments
  • Security policies (password policy, access control, etc.)
  • Your incident response plan
  • Vendor agreements for any third-party payment services

The Quarterly ASV Scan

Some SAQ types require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), a company on the PCI Security Standards Council’s ASV list whose scanner probes your internet-facing systems (web server, payment pages, any IP-connected terminal) from the outside. The requirement appears in SAQ A-EP, B-IP, C and D; it is not part of SAQ A, B or C-VT, so check the requirements printed in your own SAQ rather than assuming.

Don’t panic, it’s not as scary as it sounds. Schedule your first scan and fix whatever it flags at medium severity or above: a passing scan is one with no vulnerability scored CVSS 4.0 or higher on any in-scope host. Rescan to get the clean report, then repeat every 90 days so there is never a gap between passing scans.

Submitting Your Completed SAQ

Once you’ve answered all questions and gathered required documentation:
1. Complete the Attestation of Compliance (AOC) — a formal statement that you’re compliant
2. Submit both the SAQ and AOC to your payment processor
3. Save copies for your records

Most processors have an online portal where you upload these documents. Some integrate with compliance platforms like PCICompliance.com for direct submission.

What It Costs

Let’s talk real numbers for a typical print on demand business:

Compliance Platform/Tools: Most small businesses spend $200-500 annually for SAQ tools and guidance. This includes access to the questionnaire, help completing it, and tracking your compliance status.

Quarterly ASV Scanning: Required for SAQ A-EP, B-IP, C and D. Budget $300-500 annually for four quarterly scans, plus any rescans after fixes.

If You Need a QSA: An onsite assessment by a Qualified Security Assessor (QSA), which produces a Report on Compliance instead of an SAQ, is only required for Level 1 merchants or if your acquirer specifically demands it. QSA assessments start at $5,000 for small businesses.

The Cost of NON-Compliance: Non-compliance fees on your processor statement start small and escalate month over month, and the card-brand fines behind them typically run $5,000-10,000 per month. A single data breach can cost hundreds of thousands in forensic investigation, card reissuance, and fraud liability.

Put it in perspective: annual compliance for most print on demand businesses costs less than a single month’s non-compliance fine.

Staying Compliant Year-Round

PCI compliance isn’t a checkbox you tick once. It’s an annual requirement with quarterly components.

Your Compliance Calendar

  • Annually: Complete your SAQ and submit your AOC
  • Quarterly: Run ASV scans (if required for your SAQ type)
  • Monthly: Review your security logs and access lists
  • Ongoing: Maintain the security controls you attested to

When You Need to Reassess

Major changes trigger a new assessment:

  • Switching payment processors or adding new payment methods
  • Changing how you accept payments (adding phone orders, storing card data)
  • Significant changes to your website or payment infrastructure
  • After a security incident

Tracking Your Status

Set calendar reminders for:

  • SAQ renewal (90 days before it expires)
  • Quarterly scan windows
  • Security policy reviews
  • Employee security training

PCICompliance.com’s compliance dashboard tracks all these dates automatically and sends reminders when action is needed.

FAQ

Q: Do I need PCI compliance if I only use PayPal or Stripe?

A: Yes. While PayPal and Stripe handle most of the security, you’re still responsible for your part — securing your website, protecting login credentials, and following basic security practices. You’ll likely qualify for SAQ A, the simplest form.

Q: Can I just ignore the compliance questionnaire from my processor?

A: Not if you want to keep accepting cards. Processors are required by the card brands to verify merchant compliance. Ignore their requests and you’ll see non-compliance fees on your monthly statement, typically starting at $25-50 and escalating to thousands per month.

Q: What if I can’t answer ‘yes’ to all the SAQ questions?

A: You have three options: implement the missing security control so you can answer ‘yes’; mark the question not applicable with a written reason, if the control genuinely doesn’t apply to how you take payments; or document a compensating control that achieves the same security objective on the SAQ’s compensating controls worksheet (your acquirer may want a QSA to review it). For most small businesses, implementing the actual control is simpler and cheaper.

Q: Do I need to hire a security consultant to get compliant?

A: Most print on demand businesses don’t need outside consultants for PCI compliance. If you qualify for SAQ A or B, you can typically handle it yourself with a good compliance platform. Save the consultant fees for if you genuinely get stuck or need SAQ D compliance.

Q: How do I know if I’m storing card data?

A: Search your systems for card numbers: databases, spreadsheets, email inboxes, support tickets, order management systems and backups. A 13-19 digit number that passes the Luhn check is almost certainly a card number; a reference token issued by your processor is not, and is what you should be keeping instead. If you find real numbers, you’re storing card data and need to either securely delete them (and fix the process that let them in) or implement full SAQ D controls. Most modern payment systems handle this for you, so storage is increasingly rare.
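Added example, not PCICompliance.com’s tooling: a small Python scan that performs the search described in this answer over a folder of exports and mail files, which is also the check behind the “storing card numbers (please stop)” row in the SAQ table. It assumes plain-text files (a real scan would also need to open database dumps and mail archives) and uses constructed sample files containing the public test card numbers issuers publish, not real cards.

```python
"""
Cardholder-data discovery scan.

Added example, not PCICompliance.com's code. It walks a directory, pulls
13-19 digit runs (spaces or dashes allowed between groups) out of each text
file, keeps only those that pass the Luhn check, and reports them masked so
the scan itself never copies a full card number anywhere. The sample files
and their contents are constructed for this demo; the card numbers in them
are the public test PANs issuers publish, not real cards.
"""
import os
import re
import tempfile
from collections import defaultdict

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits (so a 20-digit ID is not sliced up).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes, most order IDs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(pan: str) -> str:
    """Coarse issuer lookup from the leading digits, for triage only."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    if pan.startswith(("6011", "65")):
        return "Discover"
    return "Unknown"


def mask(digits: str) -> str:
    """Keep only first six and last four, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Yield (masked_pan, brand) for each Luhn-valid candidate in text."""
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            yield mask(digits), brand(digits)


def scan_tree(root: str) -> dict:
    """Map relative file path -> list of (masked_pan, brand) hits under root."""
    hits = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue            # unreadable file: skip, don't crash the scan
            for hit in find_pans(text):
                hits[os.path.relpath(path, root)].append(hit)
    return dict(hits)


# Constructed sample data: a spreadsheet export, a note, and a support email.
# Only the first and third contain real-looking (public test) PANs; the note
# holds a phone number and an order ID that fails Luhn, both false positives.
SAMPLE_FILES = {
    "orders.csv": "order,customer,card\n1001,Ann,4111 1111 1111 1111\n1002,Bo,tok_ref_7a9\n",
    "notes.txt": "Call back 555-123-4567 about order 1234567890123\n",
    "support.eml": "Card 378282246310005 exp 12/29\nmistyped: 4111111111111112\n",
}


def demo() -> dict:
    """Write the sample files to a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        for masked, issuer in found:
            print(f"{path}: {issuer} {masked}")
```

Run it against a copy of an export rather than the live database, and treat every hit as stored cardholder data until you have confirmed it is a false positive; a hit inside a backup or a mailbox counts just as much as one in a database. The Luhn check is what keeps order numbers and phone numbers out of the report, but it is not proof of absence: anything stored encrypted, compressed or in a binary format will be missed by a text scan like this.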

Q: What’s the difference between PCI compliance and PCI certification?

A: Strictly speaking there is no ‘PCI certification’ for merchants; what exists is validation. For most merchants, completing your SAQ and having your processor accept it is what makes you ‘PCI compliant.’ Level 1 merchants and service providers instead get an onsite assessment by a QSA that produces a Report on Compliance (RoC), which is what people usually mean when they say ‘certified.’

Q: My payment processor says I need a ‘network scan’ — is that the same as an ASV scan?

A: Probably yes. ASV scans are external vulnerability scans of your internet-facing systems and are required quarterly for many SAQ types. Your processor might call them network scans, vulnerability scans, or security scans; they’re typically referring to the same ASV requirement. One check: the scan must be run by a vendor on the PCI SSC’s ASV list, so a scanner you run yourself, however good, doesn’t satisfy it.

Q: Can I use the same SAQ for multiple payment processors?

A: Yes and no. The SAQ itself covers your overall security posture, so the answers don’t change. But each processor might want their own attestation and may have slightly different submission requirements. Complete the SAQ once, then submit it to each processor as needed.

Conclusion

PCI compliance for your print on demand business doesn’t have to be overwhelming. For most POD merchants, you’re looking at a few hours of work annually to complete a simple questionnaire and maintain basic security practices you should be following anyway.

The key is identifying your correct SAQ type and staying organized with your compliance tasks. Start by figuring out how you accept payments, use PCICompliance.com’s free SAQ Wizard to identify your questionnaire type, then work through the requirements methodically.

Remember: PCI compliance protects both you and your customers. It’s not just about avoiding fines — it’s about running a trustworthy business that customers feel safe buying from. And in the print on demand world where customer trust directly impacts sales, that security assurance matters.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. We’ve helped thousands of businesses just like yours navigate PCI requirements without the confusion or complexity. Start with the free SAQ Wizard or talk to our compliance team about getting your print on demand business compliant quickly and correctly.
