South Africa PCI Compliance
Your Credit Card Compliance Requirements Don’t Have to Be Scary
If you’ve just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses in South Africa, PCI compliance is actually much simpler than it first appears. Yes, you need to complete it. No, it’s not as complicated as it looks. And we’re here to walk you through exactly what you need to do.
Here’s the bottom line: if you accept credit cards in your business — whether that’s through a card machine, online, or over the phone — you need to be PCI compliant. Your payment processor isn’t trying to make your life difficult. They’re required to ensure all their merchants protect customer card data, and that questionnaire they sent is how they verify you’re doing it.
The good news? Most small businesses qualify for the simplest compliance requirements. You probably don’t need to hire expensive consultants or implement complex security systems. You just need to understand which form applies to your business and answer some straightforward questions about how you handle card payments.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules created by the major card brands (Visa, Mastercard, American Express, Discover) to protect credit card information. These rules apply to every business that accepts, processes, stores, or transmits credit card data — from the smallest coffee shop to the largest online retailer.
The card brands created an organization called the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) is responsible for making sure you comply. That’s why you received that questionnaire from them, not from Visa or Mastercard.
Why Should You Care?
Beyond the obvious benefit of protecting your customers’ financial information, there are real consequences for non-compliance:
- Fines from your payment processor (typically R5,000 to R50,000 per month for small merchants)
- Liability for any fraudulent charges if your business experiences a breach
- Loss of card acceptance privileges — your processor can literally turn off your ability to accept cards
- Breach recovery costs that can easily exceed R500,000 even for small businesses
But here’s what most compliance notices don’t tell you: achieving compliance is usually straightforward for small merchants. The standard recognizes that a small shop with a simple card terminal has very different security needs than a large e-commerce site storing thousands of card numbers.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:
- Swiping, dipping, or tapping cards through a physical terminal
- Taking payments through your website
- Accepting card details over the phone
- Processing mail order forms with card numbers
- Using mobile card readers attached to phones or tablets
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 Visa transactions or 1 million total card transactions annually). Don’t worry if you don’t know your exact transaction count — your payment processor already knows and will tell you which level you are.
As a Level 4 merchant, you typically need to:
- Complete an annual Self-Assessment Questionnaire (SAQ)
- Pass quarterly vulnerability scans if you have an e-commerce presence
- Keep records showing you’ve completed these requirements
That questionnaire your processor sent? It’s asking you to complete your annual SAQ. They’re required to collect this from all their merchants to prove to the card brands that their portfolio is secure.
Which SAQ Do You Need?
The Self-Assessment Questionnaire comes in different versions based on how you accept payments. Each version asks questions relevant to your specific setup. Here’s how to determine which one applies to you:
| How You Accept Cards | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Outsource everything to PayPal, Shopify Payments, etc. | SAQ A | 22 | Simplest |
| E-commerce with payment page on your site (iframe/redirect) | SAQ A-EP | 191 | Moderate |
| Card machine only, no electronic storage | SAQ B | 41 | Simple |
| Card machine with IP connection | SAQ B-IP | 82 | Simple |
| Phone/mail orders entered into virtual terminal | SAQ C-VT | 80 | Moderate |
| Phone/mail orders entered into computer system | SAQ C | 160 | Complex |
| Store card data or process payments yourself | SAQ D | 329 | Most Complex |
Real-World Examples:
- Restaurant with a Yoco terminal: You’re probably SAQ B-IP
- Online store using PayFast or PayGate checkout: Likely SAQ A
- Retail shop with a standalone Capitec or FNB terminal: Probably SAQ B
- Call center taking orders over the phone: Most likely SAQ C-VT
- Any business storing card numbers in files or databases: Unfortunately, you’re SAQ D (and should really stop storing card data)
Not sure which applies to you? The PCICompliance.com SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need — no payment industry expertise required.
How to Complete Your SAQ
Once you know which SAQ applies to your business, completing it is straightforward. The questionnaire consists of yes/no questions about your payment security practices. Here’s what to expect:
What the Questions Look Like
Each question asks whether you’ve implemented a specific security control. For example:
- “Do you change default passwords on payment terminals?”
- “Is your payment page served over HTTPS?”
- “Do you have a firewall between your payment systems and the internet?”
Important: Answer honestly. “Yes” means you actually do this thing, not that you plan to or think you should. If you answer “No” to required questions, you’ll need to fix those items before you can be compliant.
Documentation You’ll Need
Gather these items before starting your SAQ:
- Network diagram (even a simple sketch showing how your payment devices connect)
- List of payment software and devices you use
- Security policies (many small merchants use templates)
- ASV scan results if you have a website
The Quarterly ASV Scan
If you have any web presence where customers can make payments, you’ll need quarterly vulnerability scans performed by an Approved Scanning Vendor (ASV). These automated scans are run from the outside against your internet-facing systems (your website and anything else reachable from the internet) and check them for known security vulnerabilities.
The process is simple:
1. Sign up with an ASV (like PCICompliance.com)
2. Provide your website URL
3. Run the scan (takes about 30 minutes)
4. Fix any critical vulnerabilities found
5. Get a passing scan report
Submitting Your Compliance
After completing your SAQ and passing your ASV scans (if required), you’ll sign an Attestation of Compliance (AOC). This is your formal declaration that you’ve answered accurately and met all requirements. Submit both documents to your payment processor through their compliance portal or via email.
What It Costs
Let’s be honest about the real costs of PCI compliance for small merchants:
Compliance Tools and Services
- SAQ completion platform: R500-2,000 annually
- Quarterly ASV scanning: R1,000-3,000 per year
- Compliance management dashboard: Often included with above
- Basic security awareness training: R500-1,500 per year
If You Need Professional Help
- QSA consultation (rarely needed for Level 4): R15,000-30,000
- Remediation assistance: R5,000-15,000
- Policy template packages: R2,000-5,000
The Cost of NOT Being Compliant
- Monthly non-compliance fees: R500-5,000 (charged by your processor)
- Breach liability: R50,000-500,000+ for forensics and card replacement
- Lost business: Incalculable if you lose the ability to accept cards
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. Think of it as business insurance that actually prevents problems rather than just paying for them afterward.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox — it’s an ongoing responsibility. But don’t worry, maintaining compliance is much easier than achieving it initially.
Annual Requirements
- Complete your SAQ every 12 months
- Update your compliance if your payment setup changes
- Renew your security awareness training
Quarterly Requirements
- Run ASV scans every 90 days (if applicable)
- Review scan results and fix any new vulnerabilities
- Keep passing scan reports for your records
When Things Change
You’ll need to reassess your compliance when you:
- Add new payment channels (like starting e-commerce)
- Change payment processors or software
- Significantly increase transaction volume
- Start storing card data (please don’t)
The PCICompliance.com compliance dashboard tracks all these dates for you, sending reminders before requirements expire and keeping all your documentation organized in one place.
FAQ
I’m just a small business. Do I really need to do this?
Yes, size doesn’t matter when it comes to PCI compliance. If you accept credit cards, you need to comply. The good news is that small businesses usually qualify for the simplest requirements. Your SAQ might only take 30 minutes to complete.
What happens if I ignore that compliance notice?
Your payment processor will likely start charging monthly non-compliance fees (usually R500-5,000). Eventually, they can suspend your ability to accept credit cards. Worse, if you experience a breach while non-compliant, you’re liable for all associated costs.
Can I just say “yes” to all the questions?
Only if they’re actually true. Lying on your SAQ is considered fraud and makes you fully liable for any breach costs. Better to answer honestly and fix any gaps than to falsely claim compliance.
Do I need to hire a security consultant?
Probably not. Most Level 4 merchants can complete their SAQ using online tools and guidance. You only need a QSA if you’re a larger merchant or your acquirer specifically requires it.
How do I know if I’m storing card data?
Check these common places: Excel spreadsheets, accounting software, email, paper files, or backup systems. If you find card numbers anywhere, you’re storing card data. The safest approach is to stop immediately and use tokenization or your processor’s virtual terminal instead.
What’s this ASV scan thing?
An Approved Scanning Vendor scan is an automated security check of your website. It looks for vulnerabilities that hackers could exploit. If you only accept cards through a physical terminal, you don’t need ASV scans.
Can my payment processor help with compliance?
Some offer basic guidance, but most expect you to handle it independently. They’re required to collect your compliance documentation but aren’t typically set up to help you complete it. That’s where services like PCICompliance.com come in.
Is PCI compliance the same as being secure?
PCI compliance is a minimum security standard, not comprehensive protection. Think of it like having working locks on your doors — necessary but not sufficient for total security. Smart merchants go beyond PCI requirements with additional security measures.
Take Control of Your Compliance Today
PCI compliance might seem daunting at first, but now you understand what’s actually required. For most businesses, it’s a straightforward process: identify your SAQ type, answer some questions about your current practices, fix any gaps, and submit your documentation. The entire process often takes less time than you’ve already spent worrying about it.
Remember, protecting your customers’ payment data isn’t just a compliance requirement — it’s good business. Customers trust you with their financial information, and meeting PCI standards helps you honor that trust while protecting your business from breach liability.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance. Our free SAQ Wizard identifies exactly which questionnaire you need in under two minutes. Our ASV scanning service handles your quarterly vulnerability scans automatically. And our compliance dashboard tracks your progress year-round, sending reminders before requirements expire. Whether you’re completing your first SAQ or managing compliance across multiple locations, we make the process simple and stress-free. Start with the free SAQ Wizard to see just how straightforward your compliance journey can be, or talk to our compliance team for personalized guidance on your specific situation.