Red Hat Enterprise PCI

What Red Hat PCI Compliance Actually Means for Your Business

You just received an email from your payment processor with “PCI Compliance” in the subject line. Maybe it mentions Red Hat PCI compliance specifically, or you’re wondering if your Red Hat systems affect your requirements. The attached questionnaire looks like it was written by lawyers for IT security experts, and you’re not sure if you need a consultant, a lawyer, or just a strong cup of coffee to deal with it.

Here’s the good news: for most businesses, PCI compliance is far simpler than that intimidating questionnaire makes it seem. If you’re a small to medium business that accepts credit cards, you can typically complete your compliance requirements in an afternoon. Yes, really.

This guide will walk you through exactly what you need to know, what you need to do, and how to get it done without hiring an army of consultants. Let’s start with the basics.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts, processes, stores, or transmits credit card information. Think of it as the minimum security standards you need to meet to handle customer payment cards safely.

The standard was created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through an organization called the PCI Security Standards Council. But here’s the important part: they don’t enforce it directly. Your acquirer (the bank or payment processor that handles your card transactions) is the one who requires you to prove compliance. That’s why you received that questionnaire.

What Happens If You Don’t Comply?

Non-compliance isn’t just a theoretical risk. Your payment processor can:

  • Fine you monthly (typically $25-$100 for small merchants, but it can escalate)
  • Increase your processing rates
  • Terminate your merchant account entirely
  • Hold you liable for fraud losses if your business is breached

The real kicker? If you experience a data breach while non-compliant, you could face fines ranging from $5,000 to $100,000 per month from the card brands, plus the costs of forensic investigation, customer notification, and potential lawsuits.

The Silver Lining

Most small businesses qualify for the simplest compliance requirements. If you use modern payment terminals or hosted checkout pages, you’re already doing most of what PCI requires. The questionnaire is just documenting what you’re (hopefully) already doing right.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit or debit cards in any form, yes, you need to be PCI compliant.

This applies whether you:

  • Run card transactions through a terminal in your store
  • Accept payments on your website
  • Take card numbers over the phone
  • Store customer card information for recurring billing
  • Use a mobile card reader attached to a phone or tablet

Your merchant level determines how you prove compliance. Each card brand sets its own thresholds; under Visa's scheme, for example, Level 1 is more than 6 million transactions a year, while Level 4 is fewer than 20,000 e-commerce transactions and fewer than 1 million transactions in total. Most small businesses fall into Level 4, which means you can self-assess using an SAQ (Self-Assessment Questionnaire) rather than hiring a QSA (Qualified Security Assessor) for an on-site audit and Report on Compliance.

What Your Payment Processor Expects

That email from your processor typically includes:

  • A request to complete your annual PCI compliance validation
  • A link to an SAQ or compliance portal
  • A deadline (usually 30-90 days out)
  • Warning about potential non-compliance fees

They’re not trying to make your life difficult. They’re required by the card brands to ensure all their merchants maintain compliance. Think of them as the messenger, not the enemy.

Which SAQ Do You Need?

The biggest source of confusion in PCI compliance is figuring out which SAQ type applies to your business. There are different questionnaires based on how you accept and process payments. Here’s a plain-English guide:

  • SAQ A (22 questions, simple): e-commerce where the entire payment page is delivered by a PCI DSS compliant third party (Shopify, Square Online, PayPal hosted checkout) and your own site never touches card data
  • SAQ A-EP (191 questions, moderate): e-commerce where your own website delivers the payment form or the script that collects card data, for example a direct-post or tokenization script such as Authorize.net Accept.js (check your provider's PCI guidance: iframe-based embeds such as Stripe Elements are often documented by the provider as SAQ A eligible)
  • SAQ B (41 questions, simple): standalone terminals that dial out over a phone line, or manual imprint machines, with no electronic storage of card data
  • SAQ B-IP (82 questions, moderate): standalone PTS-approved terminals that connect to the processor over Ethernet or Wi-Fi, which is where most Clover and Square Terminal setups land
  • SAQ C (160 questions, complex): a payment application on an internet-connected computer or tablet (most PC-based point-of-sale)
  • SAQ C-VT (85 questions, moderate): manual card entry into a web-based virtual terminal from an isolated computer (phone and mail orders)
  • SAQ D (329 questions, very complex): any scenario where you store card numbers electronically, or anything no other SAQ covers

Question counts are approximate and change with each PCI DSS revision; the current forms on the PCI Security Standards Council site are authoritative. If you use more than one payment channel, ask your processor how to cover them: one SAQ per channel is sometimes allowed, otherwise SAQ D applies.

How to Know for Sure

The easiest way to determine your SAQ type? Use PCICompliance.com’s SAQ Wizard. Answer 5-6 simple questions about how you accept payments, and we’ll tell you exactly which questionnaire applies to your business.

Common scenarios:

  • Restaurant with a Clover terminal: SAQ B-IP (SAQ B only if the terminal dials out over a phone line)
  • Retail store with a standalone terminal such as Square Register: SAQ B or B-IP, depending on whether it dials out or connects over IP
  • Online store using Shopify Payments: SAQ A
  • Service business taking cards over the phone: SAQ C-VT
  • Any business storing card numbers in a spreadsheet: SAQ D (and please stop doing this)

How to Complete Your SAQ

Once you know your SAQ type, the actual completion process is straightforward. Here’s what to expect:

What the Questionnaire Looks Like

Your SAQ consists of yes/no questions about your payment security practices. For example:

  • “Do you have a firewall protecting your payment systems?”
  • “Do you change vendor default passwords?”
  • “Do you restrict access to cardholder data?”

When you answer "yes," you're confirming that you have that security control in place. If a requirement genuinely doesn't apply to your environment, you mark it not applicable, and the SAQ asks you to explain why. If it does apply and you answer "no," you need to implement the control before you can attest.

Documentation You’ll Need

Before starting your SAQ, gather:

  • Your payment processing statements (to confirm transaction volume)
  • Network diagram (required for SAQ C and D; some other questionnaire types ask for one too, so check yours)
  • List of any third-party payment service providers
  • Security policies (if you have them — many SAQ types don’t require formal documentation)

The Quarterly ASV Scan

If your SAQ is A-EP, B-IP, C or D, meaning you have internet-facing systems in scope, you need quarterly external vulnerability scans by an ASV (Approved Scanning Vendor). (Whether SAQ A requires scans has changed between PCI DSS versions, so check the current form.) Don't panic: the scan is an automated test of your public IP addresses and domains for known vulnerabilities. It does have to pass, though. Under the PCI SSC ASV Program Guide, any in-scope host with a finding rated CVSS 4.0 or higher fails the whole scan, so leave time to fix and rescan before your deadline.

The scan typically:

  • Takes 30-60 minutes to complete
  • Costs $50-150 per quarter
  • Can be scheduled to run automatically
  • Generates a report showing any vulnerabilities found

PCICompliance.com includes ASV scanning in our compliance packages, with automatic scheduling and remediation guidance if any issues are found.
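As an added example (not code from PCICompliance.com or from any scanning vendor), here is how to triage a scan report against the rule that decides pass or fail: under the PCI SSC ASV Program Guide a scan fails if any in-scope host has a finding with a CVSS base score of 4.0 or higher, and a handful of finding types fail the scan regardless of score. The hosts, ports and findings below are constructed, the automatic-failure list is a simplified assumed subset, and the `disputed_accepted` flag is an assumed, simplified model of a false positive that the ASV has reviewed and accepted after you supplied evidence.

```python
"""Triage an ASV external scan report: which findings block a passing scan?

Constructed example. The pass/fail threshold (CVSS base score >= 4.0 fails)
follows the PCI SSC ASV Program Guide; the automatic-failure categories are a
simplified, assumed subset; hosts, ports and findings are made up.
"""
from dataclasses import dataclass

CVSS_FAIL_THRESHOLD = 4.0

# Finding categories that fail a scan regardless of CVSS score.
# Simplified subset, assumed for illustration.
AUTOMATIC_FAILURES = {"sql-injection", "xss", "default-credentials"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float
    category: str = "other"
    # True once the ASV has reviewed your evidence and accepted the finding
    # as a false positive (assumed, simplified model of the dispute process).
    disputed_accepted: bool = False


# Constructed sample report for two public IPs (documentation address range).
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", 443, "TLS 1.0 and 1.1 enabled", 6.5, "crypto"),
    Finding("203.0.113.10", 443, "Server version disclosed in banner", 2.6, "info"),
    Finding("203.0.113.10", 22, "Weak SSH MAC algorithms offered", 4.3, "crypto",
            disputed_accepted=True),
    # Below the CVSS threshold, but XSS is an automatic failure.
    Finding("203.0.113.20", 80, "Reflected XSS in search parameter", 3.5, "xss"),
    Finding("203.0.113.20", 80, "Directory listing enabled", 5.0, "config"),
]


def is_blocking(finding: Finding) -> bool:
    """A finding blocks the scan unless the ASV accepted it as a false positive."""
    if finding.disputed_accepted:
        return False
    return (finding.cvss >= CVSS_FAIL_THRESHOLD
            or finding.category in AUTOMATIC_FAILURES)


def blocking_findings(findings: list[Finding]) -> list[Finding]:
    """Blocking findings, highest CVSS first, then by host and port."""
    return sorted((f for f in findings if is_blocking(f)),
                  key=lambda f: (-f.cvss, f.host, f.port))


def scan_passes(findings: list[Finding]) -> bool:
    """The whole scan passes only if no in-scope host has a blocking finding."""
    return not any(is_blocking(f) for f in findings)


def remediation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group blocking findings per host so each can be fixed and rescanned."""
    plan: dict[str, list[str]] = {}
    for f in blocking_findings(findings):
        plan.setdefault(f.host, []).append(f"{f.port}/tcp {f.title} (CVSS {f.cvss})")
    return plan


def rescan_after_fix(findings: list[Finding], fixed_titles: set[str]) -> list[Finding]:
    """Simulate the rescan: findings you fixed no longer appear in the report."""
    return [f for f in findings if f.title not in fixed_titles]


if __name__ == "__main__":
    print("passes:", scan_passes(SAMPLE_FINDINGS))
    for host, items in remediation_plan(SAMPLE_FINDINGS).items():
        print(host)
        for item in items:
            print("  ", item)
```

Two things this makes visible that a raw report does not: a low-scored finding can still sink the scan if it is in an automatic-failure category, and an informational finding with a low score is not something you have to chase before your deadline. A disputed finding only stops blocking once the ASV has accepted your evidence in writing, so do not plan on it.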

Submitting Your Compliance

After completing your SAQ and any required scans, you’ll:
1. Complete your AOC (Attestation of Compliance), the signed declaration at the end of the SAQ package stating that you completed the assessment and meet the requirements
2. Submit the SAQ and AOC to your payment processor, along with your most recent passing ASV scan report if your SAQ requires scans
3. Receive confirmation of your compliant status
4. Set reminders for next year's assessment and quarterly scans

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you handle scanning and assessments yourself or use a compliance platform.

Typical Annual Costs:

DIY Approach:

  • Quarterly ASV scans: $200-600/year
  • Your time: 4-8 hours annually
  • Total: $200-600 plus your time

Compliance Platform (like PCICompliance.com):

  • SAQ tools and guidance: $200-400/year
  • Included ASV scanning: No additional cost
  • Compliance tracking dashboard: Included
  • Total: $200-400/year all-in

If You Need a QSA:

  • Only required for Level 1 merchants (over 6 million transactions a year), unless your acquirer specifically asks for one
  • Full ROC assessment: $10,000-50,000
  • Most small businesses never need this

The Cost of Non-Compliance

Compare those costs to non-compliance consequences:

  • Monthly processor fines: $25-100 (that’s $300-1,200 annually)
  • Increased processing rates: 0.5-1% higher (hundreds to thousands annually)
  • Breach while non-compliant: $5,000-100,000 in fines, plus forensic investigation ($20,000+), legal fees, and lost business

Bottom line: a year of compliance costs about what a few months of non-compliance fees would, and a tiny fraction of what a single breach does.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your processor requires annual recertification, and if you need ASV scans, those are quarterly. Here’s how to stay on track:

Set Up Your Compliance Calendar

  • Quarterly: ASV scans (if required)
  • Annually: Complete your SAQ and submit your AOC
  • Ongoing: Maintain the security practices you attested to

What Triggers a Reassessment

You’ll need to review your SAQ type if you:

  • Change how you accept payments
  • Add new payment channels (like adding e-commerce to a retail business)
  • Switch payment processors or terminals
  • Experience significant business growth

Making It Easy

PCICompliance.com’s compliance dashboard tracks all your requirements in one place. You’ll get automatic reminders for scans and assessments, progress tracking throughout the year, and alerts if anything needs attention. No more scrambling when your processor sends that annual reminder.

FAQ

Q: I only process a few transactions per month. Do I still need to comply?

A: Yes, PCI requirements apply to any business that accepts payment cards, regardless of volume. The good news is that your low volume makes you a Level 4 merchant with the simplest compliance requirements.

Q: My payment processor handles everything. Aren’t they responsible for PCI compliance?

A: Your processor maintains their own PCI compliance, but you’re responsible for your piece of the payment chain. If you touch card data in any way — even just through a terminal — you have compliance obligations. Using a compliant processor reduces your scope but doesn’t eliminate it.

Q: What if I can’t answer “yes” to all the SAQ questions?

A: First, determine if the requirement actually applies to your environment. If it does apply and you can't meet it, you need to implement the control before attesting to compliance. Some controls are simpler than you think: "firewall" can be satisfied by your router's built-in firewall, provided you have actually configured it, changed its default credentials, and blocked the inbound connections you don't need.

Q: Do I need to hire a security consultant?

A: Most Level 4 merchants can complete their SAQ without external help. The questions are designed to be answered by business owners and IT staff. If you’re struggling, a compliance platform like PCICompliance.com provides guidance without the consultant price tag.

Q: How do I know if my Red Hat systems affect my PCI compliance?

A: If your Red Hat systems store, process, or transmit cardholder data, or are connected to systems that do, they are in scope for PCI compliance. That includes web servers hosting or redirecting to payment pages, databases holding customer records, and any system that handles card data. Red Hat Enterprise Linux ships tooling that maps to several requirements: firewalld for network controls (Requirement 1), SELinux and auditd for access restriction and logging (Requirements 7 and 10), and the OpenSCAP PCI-DSS profile in the scap-security-guide package for checking a host's configuration against the standard. The tooling only helps if it is enabled and configured, so check the hosts rather than assuming.
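As an added example that is not part of this page or of Red Hat's documentation: on an in-scope Red Hat Enterprise Linux host, one practical way to gather evidence for the configuration questions in your SAQ is OpenSCAP with the PCI-DSS profile from the scap-security-guide package (on RHEL 9, assumed here: `oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml`). The script below reads the XCCDF results file that command writes and lists the failed rules by severity. The result document embedded in it is a constructed, trimmed sample; the hostname and timestamps are made up and the rule ids are illustrative.

```python
"""Summarize an OpenSCAP XCCDF results file for an in-scope RHEL host.

Added example. Assumes the host was evaluated with the PCI-DSS profile from
scap-security-guide (assumption). The XML below is a constructed, trimmed
result document; the hostname and timestamps are made up and the rule ids
are illustrative.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"

# Constructed sample of what `oscap xccdf eval --results` writes (trimmed).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss"
              start-time="2024-05-01T09:00:00" end-time="2024-05-01T09:02:10">
    <profile idref="xccdf_org.ssgproject.content_profile_pci-dss"/>
    <target>pos-web01.example.internal</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high"><result>notapplicable</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">67.432000</score>
  </TestResult>
</Benchmark>
"""


def tag(name: str) -> str:
    """Namespace-qualified XCCDF 1.2 element name for ElementTree lookups."""
    return "{%s}%s" % (XCCDF_NS, name)


def short_rule_name(rule_id: str) -> str:
    """Strip the SSG rule prefix so the report reads like the oscap console output."""
    return rule_id[len(RULE_PREFIX):] if rule_id.startswith(RULE_PREFIX) else rule_id


def parse_results(xml_text: str) -> dict:
    """Extract target, profile, result counts, failed rules and score.

    TestResult is located with iter() because oscap nests it differently
    depending on whether it was given a plain XCCDF benchmark or a data stream.
    """
    root = ET.fromstring(xml_text)
    test_result = next(root.iter(tag("TestResult")), None)
    if test_result is None:
        raise ValueError("no TestResult element in results file")

    counts: Counter = Counter()
    failed = []
    for rr in test_result.iter(tag("rule-result")):
        outcome = rr.findtext(tag("result"), default="unknown")
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((short_rule_name(rr.get("idref", "")), rr.get("severity", "unknown")))
    # Highest severity first, then by rule name, so the fix list reads top-down.
    failed.sort(key=lambda item: (SEVERITY_ORDER.get(item[1], 3), item[0]))

    profile = test_result.find(tag("profile"))
    score_el = test_result.find(tag("score"))
    return {
        "target": test_result.findtext(tag("target"), default=""),
        "profile": profile.get("idref", "") if profile is not None else "",
        "counts": dict(counts),
        "failed": failed,
        "score": float(score_el.text) if score_el is not None and score_el.text else None,
    }


def attestation_ready(report: dict) -> bool:
    """True when no selected rule failed or errored.

    A clean run is evidence you can cite for the SAQ's configuration
    questions; it is not PCI compliance by itself.
    """
    counts = report["counts"]
    return counts.get("fail", 0) == 0 and counts.get("error", 0) == 0


if __name__ == "__main__":
    report = parse_results(SAMPLE_RESULTS)
    print(f"{report['target']}  profile={report['profile']}  score={report['score']}")
    print("results:", report["counts"])
    for name, severity in report["failed"]:
        print(f"  FAIL [{severity}] {name}")
    print("ready to attest:", attestation_ready(report))
```

Keep the results file with the dated SAQ as evidence, and rerun the profile after you remediate; a "notapplicable" result is fine, while "error" results mean the check could not run and should not be read as passes.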

Q: What’s the difference between an ASV scan and penetration testing?

A: An ASV scan is an automated external vulnerability scan of your public-facing addresses, run quarterly by a vendor approved by the PCI Security Standards Council. A penetration test is a manual assessment in which a tester actually tries to exploit weaknesses, internally as well as externally. It is required at least annually and after significant changes for merchants completing SAQ D or SAQ A-EP, and for anyone assessed with a full ROC. Most small businesses only need ASV scans.

Q: Can I just ignore this and hope it goes away?

A: Your processor won’t let it go away. They’ll send increasingly urgent reminders, then start monthly non-compliance fees. Eventually, they may terminate your merchant account. It’s much easier (and cheaper) to spend an afternoon completing your SAQ.

Q: What if I get breached while I’m compliant?

A: Being validated compliant reduces your exposure, but the card brands judge compliance at the time of the breach, not by your last attestation, and the forensic investigation that follows a breach looks for the lapse that let it happen. If you were genuinely maintaining the controls you attested to, you avoid the non-compliance fines and may see reduced liability for fraud losses; you still have to run the incident response, notify affected customers, and fix the gap. Think of the controls, not the paperwork, as the insurance.

Taking the Next Step

PCI compliance might seem overwhelming when you first encounter it, but remember — millions of businesses just like yours successfully maintain compliance every year. If you use modern payment systems and follow basic security practices, you’re probably already doing most of what PCI requires.

The key is to identify your correct SAQ type, complete the assessment honestly, and maintain those practices throughout the year. For most small businesses, this means a few hours of work annually and minimal ongoing effort.

PCICompliance.com simplifies this entire process. Our free SAQ Wizard takes the guesswork out of identifying your questionnaire type. Our compliance platform walks you through each requirement in plain English. Our included ASV scanning service handles your quarterly scans automatically. And our compliance dashboard keeps you on track year-round, so you’re never surprised by that annual reminder from your processor.

Don’t let PCI compliance intimidate you. Start with our free SAQ Wizard to identify exactly what you need to do, or reach out to our compliance team for guidance. In just a few hours, you can check this off your list and get back to running your business — with the peace of mind that comes from knowing your customers’ payment data is properly protected.
