Self-Signed Certificates and PCI: What Your Payment Processor Is Really Asking

Bottom Line Up Front

That compliance questionnaire your payment processor just sent is not as scary as it looks. “PCI compliance” and “self-signed SSL” sound intimidating, but most small businesses can become compliant in a few hours with the right guidance. If you came here asking specifically whether a self-signed SSL/TLS certificate is acceptable, here is the short answer: not on any system that customers or the internet can reach. PCI DSS Requirement 4 calls for strong cryptography, with only trusted keys and certificates accepted, wherever cardholder data crosses an open, public network, and an Approved Scanning Vendor (ASV) scan typically flags a self-signed or otherwise untrusted certificate on an internet-facing host as a failure. On an internal network, a certificate issued by your own internal CA can be acceptable, provided the systems that connect to it are configured to trust that CA rather than trained to click through warnings. We’ll explain exactly what you need to know, in plain English.

What Is PCI Compliance (In Plain English)

PCI compliance means you’re following the security rules for accepting credit cards. Think of it like health codes for restaurants — basic safety standards that protect your customers (and your business).

PCI DSS (Payment Card Industry Data Security Standard) was created by the major card brands — Visa, Mastercard, American Express, and Discover — through something called the PCI Security Standards Council. But here’s who actually enforces it: your acquirer (the bank or payment processor that deposits card payments into your account). They’re the ones who sent you that questionnaire.

If you don’t comply, your payment processor can:

  • Fine you (commonly cited as $5,000 to $100,000 per month; the card brands assess these and your acquirer passes them on to you)
  • Hold you liable for fraud losses
  • Terminate your ability to accept cards

But here’s the good news: most small businesses qualify for the simplest compliance options. That restaurant down the street? That local boutique? They’re probably spending just a couple hours per year on PCI compliance. You can too.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes.

It doesn’t matter if you:

  • Only process five cards per month
  • Use Square at farmers markets
  • Have a Shopify store
  • Take orders over the phone
  • Store cards in a filing cabinet (please stop doing this)

Your merchant level determines how much validation you need. Most small businesses are Level 4 merchants (fewer than 20,000 e-commerce transactions per year, and fewer than 1 million transactions in total, counted per card brand). This means you complete a self-assessment questionnaire, not a full on-site audit.

Your payment processor sent that compliance notice because they’re required to verify all their merchants maintain compliance. They need you to:
1. Complete the right SAQ (Self-Assessment Questionnaire)
2. Pass quarterly security scans (if applicable)
3. Submit an AOC (Attestation of Compliance)

That’s it. No auditors. No consultants. Just answer some questions honestly about your card handling practices.

Which SAQ Do You Need?

The SAQ is just a questionnaire — like a safety checklist. There are different versions based on how you accept cards. Here’s the decision tree in plain language:

How you accept cards                                                       SAQ type   Complexity   Questions (approx.)
Standalone terminal (Square, Clover, Verifone) on a phone line, no IP      SAQ B      Easiest      ~20
Standalone terminal connected over the internet                            SAQ B-IP   Easy         ~80
E-commerce, fully hosted checkout (card entered on Stripe/PayPal’s page)   SAQ A      Easy         ~20
E-commerce, payment fields on your site (Stripe Elements, payment iframe)  SAQ A-EP   Moderate     ~130
Phone orders keyed into a virtual terminal                                 SAQ C-VT   Moderate     ~80
Computer-based point of sale, or you store card numbers                    SAQ D      Complex      ~320

Question counts change between PCI DSS versions, so treat them as rough sizes. If your terminal is part of a PCI-listed point-to-point encryption (P2PE) solution there is also a short SAQ P2PE; your processor can tell you whether your device qualifies.

Not sure which one? PCICompliance.com’s SAQ Wizard asks you five simple questions and tells you exactly which SAQ you need. Most businesses discover they need an easier SAQ than they thought.

For example:

  • Using Shopify Payments? You’re SAQ A — the simplest one
  • Restaurant with a Clover terminal? Probably SAQ B-IP
  • Taking orders over the phone and typing them into Square Virtual Terminal? That’s SAQ C-VT

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Here’s what to expect:

What the questions look like:

  • “Do you change default passwords on payment devices?”
  • “Is your payment terminal in a secure location?”
  • “Do you have a firewall between your payment systems and the internet?”

What “yes” means: You currently do this thing. Not “we plan to” or “we should” — you actually do it today. If you answer “no,” you’ll need to fix it before you can be compliant.

Documentation you’ll need:

  • List of who has access to payment systems
  • Your network setup (even a simple drawing works)
  • Any policies about handling cards (even informal ones)

The quarterly ASV scan: If your SAQ type requires it (SAQ A-EP, B-IP, C and D do; SAQ B does not; for the others, check whether Requirement 11.3.2 appears in your questionnaire), you’ll need an Approved Scanning Vendor to scan your internet-facing systems four times per year. This automated scan looks for weaknesses an attacker could exploit from the outside: unpatched software, unnecessary open services, weak TLS configuration, untrusted or expired certificates. It takes about 15 minutes to set up, runs on a schedule, and produces a pass/fail report. Passing means the scan found no vulnerability rated CVSS 4.0 or higher and none of the automatic failures, such as a server that still accepts SSL or early TLS.

Submitting your compliance: Once you answer every question with “yes” (or “not applicable” with a written reason) and pass your scan (if required), you’ll sign the Attestation of Compliance, which states that you actually do all of these things. Submit it to your payment processor and you’re done for the year.

Timeline: Most merchants complete their first SAQ in 2-4 hours. Annual recertification takes 30-60 minutes.

What It Costs

Let’s talk real numbers:

Compliance platform and tools:

  • Basic SAQ completion tools: $200-500/year
  • Full compliance management platforms: $500-2,000/year
  • PCICompliance.com: Free SAQ Wizard, then $299-999/year depending on your needs

Quarterly ASV scanning:

  • Required for most SAQ types
  • $200-400/year for four scans
  • Often bundled with compliance platforms

If you need a QSA:

  • A full Report on Compliance by a QSA is required only for Level 1 merchants (over 6 million transactions per year with a card brand); Level 2 merchants (1 to 6 million) typically complete an SAQ, though some brands require a QSA or a trained internal assessor to sign it off
  • Not needed for the vast majority of small businesses
  • If required: $15,000-50,000 for a full assessment

The cost of NON-compliance:

  • Monthly fines: $5,000-100,000
  • Breach liability: commonly estimated at around $150 per compromised card, plus the cost of a forensic investigation
  • Lost ability to accept cards: Priceless (in the worst way)

Bottom line: For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not a profit center for your processor — they’d rather you just be compliant.

Staying Compliant Year-Round

PCI compliance isn’t “set it and forget it” — but it’s also not complicated to maintain:

Annual requirements:

  • Complete your SAQ again (much faster the second time)
  • Update any changed answers
  • Sign a new Attestation

Quarterly requirements:

  • ASV scans run automatically
  • Review and remediate any failures
  • Keep scan reports for your records

Set these reminders:

  • Annual SAQ due date
  • Quarterly scan windows
  • Password change schedules

What triggers a reassessment:

  • Changing payment processors
  • Adding new payment channels
  • Significant network changes
  • Starting to store card data (don’t!)

PCICompliance.com’s compliance dashboard tracks all these dates automatically. You’ll get reminded before deadlines, not after you’re already late.

FAQ

My payment processor says I need PCI compliance by next month. Is that even possible?

Absolutely. Most small merchants can complete their SAQ in an afternoon. Schedule your first ASV scan today (results are typically back within a day), answer your SAQ questions while it runs, and you’ll be compliant within a week if nothing needs fixing.

What’s the difference between PCI compliance and SSL certificates?

A TLS certificate (still commonly called an SSL certificate) proves to a browser that it is talking to your site and lets the two sides encrypt the connection. PCI DSS is a comprehensive security standard covering how you handle card data everywhere: devices, network, staff, vendors and paperwork. The certificate is one piece of that. For any external-facing system, PCI requires a valid certificate issued by a trusted certificate authority, not a self-signed one, and the protocol underneath matters too: SSL of any version and TLS 1.0 are prohibited and will fail your ASV scan, so your checkout should offer only TLS 1.2 or 1.3.

Can I just tell my processor I’m compliant without doing anything?

That’s fraud, and they’ll know. Processors can request evidence, and if there’s a breach, investigators will quickly discover false attestations. The fines and liability for false compliance far exceed the cost of actual compliance.

Do I need to hire a consultant?

Probably not. Unless you’re processing millions of transactions or have complex systems, the self-assessment process is designed for business owners to complete themselves. Compliance platforms like PCICompliance.com provide all the guidance you need without consultant fees.

What if I fail my vulnerability scan?

It’s common and fixable. Most failures are for outdated software, unnecessary services exposed to the internet, or a weak TLS setup: a self-signed or expired certificate, or a server that still accepts SSL or TLS 1.0. Your ASV report will list exactly what to fix. Update the software, close the service, or hand the specific items to your IT provider. Once they are fixed, ask the ASV for a rescan; only a passing scan counts toward your attestation.
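The two FAQs above come down to the same checks an ASV scanner runs against your public checkout: does the certificate chain to a CA that clients already trust (a self-signed one never does), is it current and does it name the host, and does the server still negotiate TLS 1.0 or 1.1. The script below is an added example written for this article; it is not code from the article or from PCICompliance.com, and it uses only the Python standard library. The two certificate dictionaries are constructed samples in the shape ssl.SSLSocket.getpeercert() returns, not real certificates, and shop.example.com and pos.example.internal are placeholder host names.

```python
import socket
import ssl
from datetime import datetime, timezone

EXAMPLE_NOW = datetime(2026, 4, 15, tzinfo=timezone.utc)  # fixed clock for the offline demo

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns; not real certificates.
SELF_SIGNED = {
    "subject": ((("commonName", "pos.example.internal"),),),
    "issuer": ((("commonName", "pos.example.internal"),),),  # issuer == subject
    "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "pos.example.internal"),),
}
CA_ISSUED = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Trust Services"),), (("commonName", "Example Trust DV CA"),)),
    "notBefore": "Mar  1 00:00:00 2026 GMT", "notAfter": "May 30 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
}

def name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested ((('commonName', 'x'),), ...) form into a dict."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}

def san_matches(pattern, hostname):
    """Browser-style match: a leading '*' covers exactly one DNS label, never the bare domain."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def assess_cert(cert, hostname, now=None):
    """Leaf-level findings an ASV scan reports (self-signed, expired, wrong name); [] if none.
    Whether the chain reaches a trusted CA is the client's decision; see probe()."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if name_to_dict(cert["subject"]) == name_to_dict(cert["issuer"]):
        findings.append("self-signed: issuer equals subject, so no trusted CA vouches for it")
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        findings.append(f"not valid before {not_before:%Y-%m-%d}")
    if now >= not_after:
        findings.append(f"expired on {not_after:%Y-%m-%d}")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:  # browsers match subjectAltName only; a CN-only certificate is rejected
        findings.append("no DNS subjectAltName entries (CN alone is not accepted)")
    elif not any(san_matches(san, hostname) for san in sans):
        findings.append(f"hostname {hostname} is not covered by SAN list {sans}")
    return findings

def probe(hostname, port=443, timeout=5.0):
    """Connect as a browser would, verifying the chain against the OS trust store.
    Returns (True, cert_dict) or (False, reason); a self-signed certificate fails
    with OpenSSL's 'self-signed certificate' message."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)

def accepts_legacy_tls(hostname, port=443, timeout=5.0):
    """Deprecated protocol versions the server still negotiates. TLS 1.0 (and any SSL)
    fails an ASV scan; TLS 1.2 or 1.3 is expected. Verification is off on purpose:
    only the handshake outcome matters here."""
    accepted = []
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = version
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 refuses TLS < 1.2 above level 0
        except (ValueError, ssl.SSLError):
            continue  # the local OpenSSL cannot speak this version, so the result is inconclusive
        try:
            with socket.create_connection((hostname, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=hostname):
                    accepted.append(version.name)
        except (ssl.SSLError, OSError):
            pass
    return accepted

if __name__ == "__main__":
    import sys
    print("self-signed sample:", assess_cert(SELF_SIGNED, "pos.example.internal", EXAMPLE_NOW))
    print("CA-issued sample:", assess_cert(CA_ISSUED, "shop.example.com", EXAMPLE_NOW) or "no findings")
    if len(sys.argv) > 1:  # live check against your own host: python tls_preflight.py shop.example.com
        host = sys.argv[1]
        ok, detail = probe(host)
        print("chain trusted by this machine:", "yes" if ok else f"no ({detail})")
        if ok:
            print("leaf findings:", assess_cert(detail, host) or "none")
        print("legacy protocols accepted:", accepts_legacy_tls(host) or "none")
```

Run with no arguments for the offline demonstration on the two constructed samples; pass your own checkout host name to probe it before the quarterly scan does. probe() deliberately uses create_default_context(), which is the same trust decision a customer’s browser makes: if it reports a self-signed or untrusted issuer, so will the ASV. The legacy-protocol probe disables verification only because it is asking a different question (will the server still speak TLS 1.0 or 1.1 at all), and a machine whose own OpenSSL refuses those versions simply reports them as untested rather than as absent.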

If I only use Square/PayPal/Stripe, am I automatically compliant?

No, but you’re close. These providers run the payment systems, but you still have to complete an SAQ confirming how you use them. If your site hands customers off to the provider’s hosted payment page and you never see or store card numbers, that is usually the short SAQ A, which takes about 20 minutes. A card reader in your shop points you at SAQ B, B-IP or P2PE instead.

What about accepting cards at trade shows or events?

Same requirements apply. If you use a mobile terminal (Square Reader, PayPal Here), you’re typically SAQ B or B-IP. The questionnaire asks about physical security of devices and your mobile payment practices.

Is PCI compliance the same as being EMV compliant?

Different things. EMV (chip cards) is about accepting chip transactions to avoid fraud liability. PCI DSS covers overall security practices. You need both, but they’re separate requirements with different rules.

Making PCI Compliance Simple

That questionnaire from your payment processor isn’t a test designed to trip you up — it’s a checklist to ensure you’re following basic security practices. Most small businesses discover they’re already doing 90% of what’s required.

The key is identifying your correct SAQ type. Once you know whether you’re SAQ A, B, or C, the path forward is clear. Answer the questions honestly, fix any gaps, run your scans if required, and submit your attestation. Next year, it’ll take you 30 minutes.

PCICompliance.com simplifies this entire process. Our free SAQ Wizard identifies exactly which questionnaire you need — no more guessing or reading complex flowcharts. Our ASV scanning service handles your quarterly vulnerability scans automatically, sending you reports and remediation guidance when needed. And our compliance dashboard tracks everything in one place, reminding you of deadlines and storing your documentation securely.

Start with our free SAQ Wizard to identify your requirements in under five minutes, or talk to our compliance team if you have specific questions about your setup. We’ve helped thousands of merchants achieve compliance without the confusion — yours can be next.
