Recurly PCI Compliance
Bottom Line Up Front
Just received a PCI compliance questionnaire and feeling overwhelmed? Here’s the truth: for most small businesses using modern payment solutions, PCI compliance is simpler than you think. If you’re processing payments through platforms like Recurly, you’re already doing most of the heavy lifting — you just need to complete the right paperwork to prove it.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to anyone who accepts credit cards. Think of it as basic hygiene for handling payment data — like health codes for restaurants, but for credit card information.
The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But here’s who actually enforces them: your acquirer (the bank that processes your payments) or your payment processor. That’s why you received that compliance questionnaire — they’re required to verify that every merchant they work with follows these security standards.
What happens if you ignore it? Your processor can fine you (typically $5,000-$100,000 per month), you become liable for any fraud or data breaches, and ultimately, they can terminate your ability to accept cards. The good news? Most small businesses qualify for the simplest compliance types that take about an hour to complete annually.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. This includes:
- Online payments through your website
- Phone orders where customers read you their card number
- In-person payments through a terminal or mobile reader
- Recurring billing for subscriptions
- Even if you only process one card per year
Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news — Level 4 merchants have the simplest compliance requirements.
Your payment processor sent you that questionnaire because they’re required to collect proof of compliance from every merchant. It’s not optional, and ignoring it won’t make it go away. But completing it is probably easier than you think.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) is your compliance paperwork. There are different versions based on how you accept payments. Here’s a plain-English guide:
| How You Accept Payments | SAQ Type | Questions | Difficulty |
|---|---|---|---|
| Redirect to payment provider (PayPal, Stripe Checkout) | SAQ A | 22 | Easiest |
| E-commerce with payment fields on your site | SAQ A-EP | 139 | Moderate |
| Standalone terminal (Square, Clover) | SAQ B | 41 | Easy |
| Terminal connected to internet | SAQ B-IP | 82 | Easy-Moderate |
| Phone/mail orders (no electronic storage) | SAQ C-VT | 80 | Moderate |
| You store card numbers electronically | SAQ D | 329 | Complex |
For Recurly users: If you’re using Recurly’s hosted payment pages or their JavaScript library where card data goes directly to Recurly (never touching your servers), you likely qualify for SAQ A — the simplest form with just 22 yes/no questions.
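The SAQ A claim above rests on card data never reaching your own servers, so a practical control is a backend guard that rejects any billing request carrying a raw card number and only accepts a Recurly token. This is an added example, not Recurly's code or API; the `token_id` field name and the sample request bodies are constructed assumptions.

```javascript
// Added example, not Recurly's code: a backend guard that refuses any request body
// carrying a card number (PAN), so the server only ever receives a Recurly token.
// Field name "token_id" and the sample bodies below are constructed assumptions.

// Luhn checksum over a string of digits (every real PAN passes this).
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A PAN-looking value: 13 to 19 digits once spaces/dashes are removed, Luhn-valid.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed JSON body and return the dotted paths of any PAN-like values.
function findPanFields(obj, path = '') {
  if (obj !== null && typeof obj === 'object') {
    return Object.entries(obj).flatMap(([k, v]) =>
      findPanFields(v, path ? `${path}.${k}` : k));
  }
  return looksLikePan(obj) ? [path] : [];
}

// Accept a billing request only if it carries a token and no PAN anywhere.
// A PAN hit should be logged and alerted on: it means card data reached your
// server and your SAQ A eligibility is no longer accurate.
function checkBillingRequest(body) {
  const panFields = findPanFields(body);
  if (panFields.length > 0) {
    return { ok: false, reason: `raw card data in ${panFields.join(', ')}` };
  }
  if (typeof body.token_id !== 'string' || body.token_id === '') {
    return { ok: false, reason: 'missing Recurly token_id' };
  }
  return { ok: true, reason: 'token only' };
}

// Constructed sample bodies: the Visa test number 4111... is Luhn-valid.
const tokenOnlyBody = { plan: 'pro', token_id: 'tok_constructed_example' };
const rawCardBody = { plan: 'pro', card: { number: '4111 1111 1111 1111', cvv: '123' } };
```

Run `checkBillingRequest` on the sample bodies: the token-only body passes, while the body with a card number is refused with the offending path `card.number`.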
Not sure which one you need? PCICompliance.com’s free SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire applies.
How to Complete Your SAQ
The questionnaire itself is straightforward — it’s a series of yes/no questions about your security practices. Here’s what to expect:
What “Yes” Really Means: When a question asks “Do you restrict physical access to cardholder data?” and you answer yes, you’re stating that you have a policy in place. For SAQ A merchants, this might simply mean “We don’t store any card data, so there’s nothing to physically access.”
Documentation You’ll Need:
- Your network diagram (can be a simple sketch for small businesses)
- List of any third-party service providers that handle cards for you
- Your information security policy (templates are available)
- Results from your quarterly vulnerability scans
The Quarterly ASV Scan: If you have any systems that are internet-facing and involved with card processing, you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan checks for security vulnerabilities and typically takes 24-48 hours to complete. Schedule your first one before completing your SAQ.
Submitting Your Compliance: Once you’ve answered all questions and passed your scan, you’ll generate an Attestation of Compliance (AOC). This is your official compliance certificate to submit to your processor.
What It Costs
Let’s talk real numbers for small business PCI compliance:
Compliance Tools & SAQ Assistance: $200-500 per year for platforms that guide you through the questionnaire and track your compliance status.
Quarterly ASV Scanning: $200-400 per year for required vulnerability scans. Some compliance platforms include this.
If You Need Professional Help: Small merchants rarely need a QSA (Qualified Security Assessor). But if you do, expect $5,000-15,000 for a formal assessment.
The Cost of Non-Compliance:
- Monthly fines from your processor: $5,000-100,000
- Liability for breach costs: $50-90 per compromised card
- Loss of card processing ability: priceless
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not an expense — it’s insurance.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Here’s your annual cycle:
Annual Requirements:
- Complete and submit your SAQ
- Update your compliance certificate (AOC)
- Review and update security policies
Quarterly Requirements:
- Run ASV vulnerability scans (if applicable)
- Review scan results and fix any failures
Set Reminders For:
- SAQ renewal date (same date each year)
- Quarterly scan windows
- Policy review dates
When to Reassess: Major changes to how you accept payments might require a different SAQ type. This includes adding new payment channels, changing processors, or significantly increasing transaction volume.
PCICompliance.com’s compliance dashboard tracks all these dates automatically and sends reminders before each deadline. No more scrambling when your processor asks for updated documentation.
FAQ
Do I need PCI compliance if I only accept payments through PayPal?
Yes, any merchant accepting card payments needs PCI compliance, even through third-party processors. However, PayPal users typically qualify for SAQ A, the simplest questionnaire with just 22 questions.
What’s the difference between PCI compliance and being PCI certified?
Merchants achieve PCI compliance by completing their annual SAQ and meeting all requirements. Only service providers and solution vendors get “certified” through more rigorous assessments.
Can I just let my payment processor handle PCI compliance for me?
Your processor handles security for their systems, but you’re responsible for your piece of the payment chain. Using a processor that minimizes your scope (like Recurly) makes compliance easier, but doesn’t eliminate your obligations.
How long does the compliance process take?
For SAQ A merchants, expect 1-2 hours to complete the questionnaire once you have the necessary documentation. More complex SAQ types might take several days of gathering information and implementing controls.
What if I fail my ASV scan?
Failing vulnerabilities must be fixed and the systems rescanned until they pass. Common failures include outdated SSL certificates or unpatched software — usually simple fixes your IT team can handle quickly.
Do I need to hire a QSA to help with compliance?
Most Level 4 merchants complete self-assessments without professional help. You only need a QSA if you’re a Level 1 merchant or if your processor specifically requires third-party validation.
What happens if I store card numbers in a spreadsheet?
Stop immediately — this puts you in SAQ D territory with 329 requirements. Transition to a tokenization service or virtual terminal that doesn’t require local storage, then securely delete all stored card data.
Can I reduce my PCI scope by using Recurly?
Yes, payment providers like Recurly that handle card data collection and storage without it touching your servers significantly reduce your PCI scope. Most Recurly merchants qualify for SAQ A or SAQ A-EP rather than more complex forms.
Conclusion
PCI compliance might seem daunting when that first questionnaire arrives, but for most small businesses, it’s a manageable annual task. If you’re using modern payment solutions like Recurly that minimize your contact with card data, you’re already doing the hard part — now you just need to document it.
The key is identifying which SAQ type applies to your business and staying organized with your annual requirements. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team to get your PCI compliance journey started on the right foot.
Remember: every business that accepts cards needs PCI compliance. But with the right tools and guidance, it’s just another part of running a secure, professional business that customers can trust with their payment information.