Spain PCI Compliance


If you’ve just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses in Spain, PCI compliance is far simpler than it initially appears — often just a matter of completing the right form and running a quarterly scan. This guide will walk you through exactly what you need to do, in plain language, without the technical jargon.

Bottom Line Up Front

Here’s what you actually need to know: if you accept credit cards in your Spanish business, you need to be PCI compliant. The good news? Most small merchants qualify for the simplest compliance options. You’re likely looking at completing a short questionnaire once a year, running automated security scans quarterly, and following some basic security practices you’re probably already doing. The entire process might take a few hours annually, and the peace of mind (plus avoiding hefty fines) makes it worthwhile.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as the minimum security standards for anyone who handles credit card information. The card brands formed the PCI Security Standards Council to manage these standards, but it’s your acquirer (the bank or payment processor that handles your card transactions) who actually enforces compliance.

When you signed up to accept credit cards, buried in that merchant agreement was your commitment to protect cardholder data. PCI DSS simply spells out what that protection looks like in practice. The standard covers everything from using secure passwords to encrypting card data, but don’t panic — your compliance requirements depend entirely on how you accept payments.

The consequences of non-compliance are real but manageable. Your payment processor can charge monthly non-compliance fees (typically €20-€100 a month for small merchants), and if there's a breach you could face liability for fraudulent charges, card reissuance and forensic investigation costs. In extreme cases, you could lose the ability to accept cards. But here's the key: compliance isn't complicated for most small businesses, and it's far less expensive than dealing with a breach.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit or debit cards in any form — in person, online, over the phone — then yes, you need to be PCI compliant. This applies whether you’re a restaurant in Madrid, an online boutique in Barcelona, or a dental office in Valencia. If you touch payment cards in your business, PCI DSS applies to you.

Your merchant level determines how you demonstrate compliance. Levels are set per card brand, but the Visa definitions are the ones most processors use. Most small businesses fall into Level 4: fewer than 20,000 Visa e-commerce transactions a year, or up to 1 million Visa transactions a year across all channels. Level 4 merchants complete a self-assessment questionnaire; no outside auditor is required. Only the largest merchants (and merchants whose acquirer or card brand moves them to a higher level, for example after a breach) need an on-site assessment by a QSA.

That compliance questionnaire your payment processor sent? It’s their way of verifying you’re protecting cardholder data. They’re required by the card brands to ensure all their merchants maintain compliance. Ignoring it won’t make it go away — processors typically start with reminder emails, then add monthly non-compliance fees to your statement, and eventually may suspend your ability to process cards.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Think of it like tax forms — there’s a simple version for simple situations and more complex versions for complex payment environments. Here’s how to determine which one you need:

How You Accept Payments                                                   SAQ Type   Questions (approx.)   Complexity
Fully outsourced: redirect or iframe hosted by the provider               SAQ A      22                    Simple
(PayPal, Square online, Stripe Checkout, Shopify Payments, Redsys)
E-commerce where your site builds the payment page but card data          SAQ A-EP   191                   Moderate
goes straight to the processor (direct post, merchant-served script)
Standalone terminal, dial-up only, no connected systems                   SAQ B      41                    Simple
Standalone terminal connected over IP/internet                            SAQ B-IP   82                    Simple-Moderate
Phone orders typed into a web-based virtual terminal                      SAQ C-VT   79                    Moderate
Anything else (storing card numbers, processing on your own systems)      SAQ D      329+                  Complex

The question counts are those of the PCI DSS v3.2.1 questionnaires; the v4 versions differ, so treat them as an indication of relative effort rather than exact figures. If your terminals are part of a PCI-listed point-to-point encryption (P2PE) solution, your processor may offer the shorter SAQ P2PE instead.

If you use a standalone payment terminal that is not connected to your computer systems, you're likely SAQ B (dial-up terminal) or SAQ B-IP (terminal that connects over your internet connection). This covers most restaurants, retail shops, and service businesses. The deciding question is what the terminal is connected to: an IP-connected terminal brings that network segment into scope, which is why B-IP adds questions about firewalls and network segmentation.

For e-commerce, the distinction is who serves the payment form. If your website redirects to a hosted payment page, or embeds an iframe served entirely by your provider (Shopify Payments, Stripe Checkout, the Redsys hosted page), you qualify for SAQ A. If your own site generates the payment page or runs the script that collects the card number and sends it directly to the processor (so the data never touches your server, but your page controls how it is collected), that's SAQ A-EP. The jump from 22 to 191 questions is large, so it is usually worth confirming with your provider which integration you are actually using.

Taking orders over the phone? If you're typing card numbers into a web-based virtual terminal, you need SAQ C-VT. Note the eligibility condition: the computer running the virtual terminal has to be isolated from your other systems and used only for that purpose, not for general browsing or email. Please tell me you're not writing card numbers down: if you are, stop immediately and switch to a virtual terminal, and never record the three-digit security code anywhere.

The dreaded SAQ D applies if you store card numbers (even temporarily, even on paper), process cards directly on your systems, or have a complex payment environment. SAQ D is still a self-assessment, but it means answering over 300 questions, and many merchants bring in a QSA to help (your acquirer may also require one). If this is you, consider simplifying your payment methods first: outsourcing the card handling usually drops you to SAQ A or B-IP and removes most of those questions.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.

How to Complete Your SAQ

Once you know which SAQ you need, completing it is straightforward. The questionnaire contains yes/no questions about your security practices. “Yes” doesn’t mean “sort of” or “planning to” — it means you’re actually doing what the question asks, right now, and can prove it if asked.

For SAQ A, you’ll answer questions like “Do you review your service providers’ PCI compliance status annually?” For most questions, if you’re using reputable payment providers, the answer is already “yes.” The entire questionnaire might take 30 minutes.

For terminal-based SAQs (B, B-IP), expect questions about physical security (“Is your payment terminal in a secure location?”), staff training (“Do employees know not to write down card numbers?”), and basic network security. Most small merchants can complete these in an hour or two.

You’ll need some basic documentation:

  • Your payment processor agreements
  • List of any service providers who might handle card data
  • Written policies for handling cards (even simple ones count)
  • Evidence of your quarterly ASV scans (more on this below)

Speaking of ASV scans: if your payment environment has any internet-facing systems in scope (the public IP address your IP-connected terminal sits behind, an A-EP web server, a virtual-terminal workstation), you need quarterly external vulnerability scans from an Approved Scanning Vendor. The scan requirement appears in SAQ A-EP, B-IP, C and D; SAQ A and SAQ B normally do not require it, but check requirement 11 in your own questionnaire and ask your processor, because some acquirers ask for scans anyway. The automated scan checks your public addresses for known vulnerabilities and weak configurations and typically costs €30-50 per scan; it runs in the background and emails you a report. A scan fails if it finds any vulnerability rated CVSS 4.0 or higher, or one the ASV programme treats as an automatic failure (such as still offering SSL or early TLS). You then fix the issues and rescan; processors commonly allow about 30 days for this, and you need a passing scan in each quarter.

After completing your SAQ, you’ll sign an Attestation of Compliance (AOC) — a formal declaration that your answers are accurate. Submit both documents to your payment processor through their compliance portal or via email. Keep copies for your records.

What It Costs

Let’s talk real numbers. For most Level 4 merchants, annual PCI compliance costs break down like this:

Compliance platform and tools: €100-300/year for a service that includes your SAQ, ASV scanning, and compliance tracking. Some payment processors include basic tools for free.

Quarterly ASV scanning: €120-200/year if purchased separately, often included with compliance platforms. Required if you have any internet-facing systems.

Professional help: Most small merchants don't need a QSA. But if you do (SAQ D merchants, or an acquirer that insists on one), expect €5,000-15,000 for a QSA-led assessment of a Level 4 environment.

Compare this to non-compliance costs: processors typically charge €20-100 monthly for non-compliant merchants. That’s €240-1,200 annually in fines alone. A data breach? Even a small one averages €50,000+ in forensic investigation, card reissuance, fines, and legal costs. One of my clients learned this the hard way — their €200 annual compliance investment would have prevented a €75,000 breach liability.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. Your SAQ must be updated yearly, ASV scans run quarterly, and you need to maintain those security practices you attested to.

Set calendar reminders for:

  • Annual SAQ due date (usually anniversary of your last submission)
  • Quarterly ASV scans (every 90 days if required)
  • Service provider review (annually verify your providers are PCI compliant)
  • Staff training refreshers (especially for handling phone orders)

Certain changes trigger a reassessment:

  • Adding new payment channels (starting e-commerce, adding phone orders)
  • Changing payment processors or adding payment types
  • Significant network changes affecting payment systems
  • Moving from outsourced to in-house payment processing

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and maintaining your compliance history. No more scrambling when your processor asks for documentation.

FAQ

Q: My payment processor says I’m non-compliant but I’ve never heard of PCI before. What do I do?

Start by asking your processor exactly what they need — usually it’s a completed SAQ and sometimes ASV scan reports. Use the SAQ decision tree above to determine which questionnaire applies to your payment setup. Most processors give you 30-60 days to become compliant before fines increase.

Q: I only process a few cards per month. Do I still need to comply?

Yes, PCI DSS applies to any business that accepts payment cards, regardless of volume. The good news is that with low volume you're Level 4, which means self-assessment only, no external auditor required. The one exception: after a breach, your acquirer or the card brands can assign you a higher level and require a QSA assessment regardless of volume.

Q: Can I just pay the non-compliance fee instead of doing all this?

While technically possible, it’s shortsighted. Non-compliance fees add up quickly (€240-1,200 annually), and you’re fully liable if there’s a breach. Compliance for most small merchants takes just a few hours per year and costs less than the fines.

Q: What’s the difference between PCI compliance in Spain versus other EU countries?

PCI DSS is a global standard: the requirements are identical whether you're in Spain, France, or Germany. The differences are in how payment processors communicate requirements and in breach notification law. In Spain that means GDPR: a breach of cardholder data is a personal-data breach that must be reported to the AEPD within 72 hours of becoming aware of it, on top of the notification your acquirer requires under your merchant agreement.

Q: I use Square/PayPal/Stripe for everything. Am I automatically compliant?

Not automatically, but you’re close. These providers handle the complex security requirements, qualifying you for the simplest SAQ types. You still need to complete your applicable SAQ annually and follow basic security practices like using strong passwords and limiting access to payment systems.

Q: What happens if I fail my ASV scan?

Don't panic, failing initially is common. The scan report lists each finding with its host, port and CVSS score; anything at 4.0 or above, plus the automatic-failure items such as SSL or early TLS still being offered, is what caused the fail. Fix those (usually updating software, disabling old protocol versions or tightening firewall rules) and rescan. Processors commonly allow about 30 days, and most ASVs include rescans in the price, but check your vendor's terms. Only the passing scan needs to be submitted for compliance.
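To make the "what caused the fail" step concrete, here is a small triage script, added for this guide and not code from the page or from PCICompliance.com. It parses a constructed scan report (the CSV layout and the auto_fail column are assumptions; real ASV reports are vendor-specific), applies the ASV pass/fail rule from the paragraph above (CVSS 4.0 or higher fails, and flagged automatic failures fail regardless of score), lists what must be fixed before the rescan, and also checks whether a history of passing-scan dates still satisfies the quarterly cadence from the "Staying Compliant Year-Round" section.

```python
"""Triage an external (ASV-style) scan report and check scan cadence.

Added example, not code from this article or from PCICompliance.com.
Assumptions: the report is a simple CSV (host, port, finding, CVSS base
score, auto_fail); the auto_fail flag is something a hypothetical scanner
sets for findings the ASV Program Guide treats as automatic failures.
The sample data below is constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample report; hosts and findings are illustrative only.
SAMPLE_REPORT = """host,port,finding,cvss,auto_fail
shop.example.es,443,Outdated TLS library version,5.3,no
shop.example.es,443,TLS 1.0 enabled,4.3,yes
shop.example.es,443,Missing X-Content-Type-Options header,2.6,no
terminal-gw.example.es,8443,Self-signed certificate,6.5,no
terminal-gw.example.es,22,SSH service banner disclosure,0.0,no
"""

# ASV Program Guide rule: a vulnerability with CVSS base score >= 4.0
# makes the scan non-compliant; some findings fail regardless of score.
FAIL_THRESHOLD = 4.0


@dataclass
class Finding:
    host: str
    port: int
    name: str
    cvss: float
    auto_fail: bool

    @property
    def fails(self) -> bool:
        """True if this single finding is enough to fail the whole scan."""
        return self.auto_fail or self.cvss >= FAIL_THRESHOLD


def parse_report(text: str) -> list:
    """Read the CSV report into Finding objects."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Finding(
            host=r["host"],
            port=int(r["port"]),
            name=r["finding"],
            cvss=float(r["cvss"]),
            auto_fail=r["auto_fail"].strip().lower() == "yes",
        )
        for r in rows
    ]


def scan_passes(findings) -> bool:
    """A scan passes only when no finding fails."""
    return not any(f.fails for f in findings)


def remediation_list(findings) -> list:
    """Failing findings, highest CVSS first: the fix list before the rescan."""
    failing = [(f.host, f.port, f.name, f.cvss) for f in findings if f.fails]
    return sorted(failing, key=lambda t: -t[3])


def quarterly_gaps(scan_dates, max_gap_days: int = 90) -> list:
    """Consecutive passing-scan dates more than max_gap_days apart.

    "Quarterly" means a passing scan at least every three months; the 90-day
    figure is this article's calendar rule of thumb, not a PCI SSC number.
    """
    ds = sorted(scan_dates)
    return [(a, b) for a, b in zip(ds, ds[1:]) if (b - a).days > max_gap_days]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("scan passes:", scan_passes(found))
    for host, port, name, score in remediation_list(found):
        print(f"  FIX {host}:{port}  {name}  (CVSS {score})")
    # Constructed scan history: the gap between July and November is too long.
    history = [date(2024, 1, 15), date(2024, 4, 10), date(2024, 7, 5), date(2024, 11, 20)]
    for a, b in quarterly_gaps(history):
        print(f"  cadence gap: {a} -> {b} ({(b - a).days} days)")
```

Run it as-is to see the three findings that block a pass (the 2.6 and 0.0 items are informational and do not need fixing for compliance) and the one gap in the scan history; to use it on a real report, map your vendor's export onto the five columns first.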

Q: Do I need to hire a QSA or security consultant?

Most Level 4 merchants don’t need external help beyond a compliance platform. You might consider professional help if you’re SAQ D, struggling with technical requirements, or have had a breach. For typical small businesses, a good compliance platform provides all the guidance you need.

Q: My business is entirely cash and bank transfer — do I need PCI compliance?

No, PCI DSS only applies to payment card transactions. But if you’re considering adding card payments in the future, plan for compliance requirements when selecting your payment solution. Choosing the right payment method upfront can keep you in simpler SAQ categories.

Conclusion

PCI compliance might seem daunting when that first questionnaire arrives, but for most Spanish businesses, it’s a manageable part of accepting card payments. By understanding which SAQ applies to your payment setup and following basic security practices, you can achieve compliance in just a few hours per year. The investment is minimal compared to non-compliance fines or breach costs, and you’ll sleep better knowing your customers’ card data is protected.

Remember, you don’t have to figure this out alone. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team. We’ve helped thousands of merchants navigate PCI compliance, and we can help you too. The sooner you start, the sooner you can check this off your list and get back to running your business.
