Strikingly PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and your stomach dropped — take a breath. For most small businesses, especially those built on a platform like Strikingly PCI-friendly website builders, compliance is far simpler than the scary reputation suggests.

Here’s the short version: if your Strikingly site uses a hosted or embedded checkout (which most do), you likely qualify for the simplest self-assessment questionnaire — you fill out a short yes/no form once a year, possibly run a quarterly scan, and you’re done. You don’t need to become a security expert. You just need to understand a few key concepts, which is exactly what this guide covers.

What Is PCI Compliance (In Plain English)

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security rules designed to protect credit card data everywhere it’s stored, processed, or transmitted. If you accept card payments in any form — online through your Strikingly store, in person, or over the phone — it applies to you.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a group called the PCI Security Standards Council (PCI SSC). But here’s an important distinction: the Council writes the rules, while your acquirer (your bank or payment processor) enforces them. That’s why the questionnaire came from your processor, not from some government agency.

What happens if you ignore it? Non-compliance can lead to monthly fines from your processor, and — far worse — if a breach occurs and you weren’t compliant, you can be held liable for fraud losses, forensic investigation costs, and card reissuance. In the worst case, you can lose the ability to accept cards entirely. That’s the leverage that makes PCI mandatory in practice.

The good news: most small businesses qualify for the least demanding paths to compliance. The rules that feel overwhelming — building firewalls, encrypting stored card numbers, penetration testing — often don’t apply to you at all if you never touch raw card data.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards, yes. There’s no size exemption. A one-person Etsy-style shop and a national retail chain are both subject to PCI DSS — the difference is how much they have to do.

That difference comes down to your merchant level, which your acquirer assigns based on your annual card transaction volume and risk. Most small businesses are Level 4, the tier with the lightest validation requirements. You don’t self-select your level — confirm it with your acquirer if you’re unsure.

The questionnaire your processor sent is called a Self-Assessment Questionnaire (SAQ). It’s how you formally attest that you’re following the applicable security requirements. Your processor sent it because validating compliance is part of your merchant agreement — they need it on file, usually annually.

Which SAQ Do You Need?

There are several SAQ types, and picking the right one is the single most important step — it determines how many questions you answer and how much work is involved. The type depends on how you accept payments.

Here’s the plain-language decision tree:

  • You have an e-commerce site with a fully hosted checkout (the customer is redirected to your payment provider, or payment fields are embedded via a secure iframe) → likely SAQ A. This is the simplest and most common path for Strikingly and similar site builders.
  • Your site controls part of the payment page but the card data still flows to a third party → likely SAQ A-EP.
  • You use a standalone payment terminal (dial-out or IP-connected) with no electronic card storage → likely SAQ B or SAQ B-IP.
  • You take payments through a virtual terminal — typing card numbers into a web page, common for phone orders → likely SAQ C-VT.
  • You store card numbers anywhere — a spreadsheet, a CRM, a filing cabinet → SAQ D (please stop storing them).
Payment Scenario Likely SAQ Complexity
Strikingly / hosted e-commerce checkout (redirect or iframe) SAQ A Low
Site partially controls the payment page SAQ A-EP Medium
Standalone dial-out terminal, no e-storage SAQ B Low
Standalone IP-connected terminal SAQ B-IP Low–Medium
Virtual terminal / phone orders SAQ C-VT Low–Medium
Any electronic storage of card numbers SAQ D High

If you’re running a Strikingly store with a connected payment gateway like Stripe or PayPal handling the actual card entry, you’re almost certainly in SAQ A territory — the lightest lift available.

Not sure? Don’t guess. Our free SAQ Wizard asks you a handful of plain questions about how you accept payments and tells you exactly which SAQ applies. Choosing the wrong one is the most common mistake small merchants make, and it’s completely avoidable.

How to Complete Your SAQ

An SAQ is a document full of yes/no questions about your security practices. The number of questions varies by SAQ type — an SAQ A is short and manageable, while an SAQ D is extensive. For most small merchants on the simpler SAQs, completing it takes anywhere from an afternoon to a day or two.

Each “yes” means you’re actually doing what the question describes. For example, a question might ask whether you use strong, unique passwords and whether you’ve changed vendor-default credentials. “Yes” isn’t a wish — it means the control is genuinely in place. If the honest answer is “no,” that’s a remediation item to fix before you can attest.

Documentation you’ll need

Depending on your SAQ, gather:

  • A list of your service providers (payment gateway, hosting, etc.) and confirmation they’re PCI compliant
  • Your information security policy (even a short one)
  • Records of who has access to payment systems
  • For applicable SAQ types, results of your quarterly ASV scan

The quarterly ASV scan

If your environment has any internet-facing systems involved in payments, you’ll need a scan from an Approved Scanning Vendor (ASV) every quarter. This is an automated external vulnerability scan that checks for known weaknesses. A “passing” scan is required to validate.

Good news: many SAQ A merchants who fully outsource their checkout may have minimal or no ASV scan obligation — but confirm what your acquirer expects. Our ASV scanning service handles this for you and schedules the quarterly cadence automatically.

Once your SAQ is complete and any scans pass, you sign the Attestation of Compliance (AOC) and submit it to your acquirer. That’s the finish line for the year.

What It Costs

Let’s talk honestly about money, because “PCI compliance” sounds expensive and often isn’t for small merchants.

Item Typical Range Who Needs It
Self-assessment platform / SAQ tools Modest annual fee (some free options) Most merchants
Quarterly ASV scanning Small annual budget Merchants with internet-facing systems
QSA-led assessment (ROC) Significant — several thousand+ Level 1 / large merchants only

Most small merchants completing an SAQ A or SAQ B never need a Qualified Security Assessor (QSA) at all. A QSA-led Report on Compliance (ROC) applies to Level 1 merchants — high-volume operations — not the typical small business.

Compare that to the cost of non-compliance: recurring monthly fines from your processor, and if a breach hits, potential liability for forensic investigations, fraud losses, and card reissuance — figures that can be devastating for a small business. For most merchants, a full year of compliance costs less than a single non-compliance penalty. The math strongly favors just doing it.

Staying Compliant Year-Round

Here’s the mindset shift that trips people up: PCI compliance is not a one-time task. It’s validated at least annually, with quarterly ASV scans where applicable. Compliance is a point-in-time snapshot backed by continuous practice — you can be compliant today and drift out of compliance next month if something changes.

Certain changes should trigger a fresh look at your assessment:

  • Switching payment providers or checkout methods
  • Adding phone or in-person payments to an online-only business
  • Storing card data you didn’t before (this can jump you to SAQ D)
  • Major changes to your website or hosting setup

The practical solution is simple: set reminders so your annual SAQ and quarterly scans never lapse, and track your status in one place. Our compliance dashboard does exactly this — it monitors your SAQ status, schedules scans, flags what’s due, and keeps your AOC ready when your acquirer asks. No more scrambling when the annual questionnaire lands in your inbox.

FAQ

I just got a PCI questionnaire and I’m overwhelmed. Where do I start?

Start by identifying how you accept payments, because that determines your SAQ type. Use our free SAQ Wizard — it walks you through a few questions and tells you exactly which questionnaire applies, so you’re not staring at the wrong (or hardest) form.

Does PCI compliance really apply to my tiny business?

Yes — there’s no size exemption. Any business that accepts credit cards is subject to PCI DSS, but small businesses almost always qualify for the simplest SAQ types with the least work involved.

If I use Strikingly with Stripe or PayPal, am I compliant automatically?

Not automatically — you still need to complete the applicable SAQ (usually SAQ A) and attest. But because your payment provider handles the actual card data, your obligations are dramatically reduced, which is exactly the point of using a hosted checkout.

What’s the difference between an SAQ and an AOC?

The SAQ is the questionnaire where you assess your security controls. The AOC (Attestation of Compliance) is the signed summary confirming you completed it and meet the requirements — that’s what you submit to your acquirer.

Do I always need a quarterly ASV scan?

Not always. Scans are required where your environment includes internet-facing systems involved in payments. Some fully outsourced SAQ A merchants have minimal scan obligations — confirm with your acquirer what applies to you.

What happens if I just ignore the questionnaire?

Your processor can charge non-compliance fees, and you’ll carry full liability if a breach occurs. Over time, ignoring it can put your ability to accept cards at risk — it’s far cheaper and easier to complete the SAQ.

Can PCI compliance guarantee I won’t be breached?

No — no control or standard can promise that. PCI DSS reduces your risk significantly and demonstrates due diligence, but security is about ongoing risk reduction, not absolute guarantees.

How often do I have to do this?

Compliance is validated at least annually, with quarterly ASV scans where applicable. Certain changes — like switching payment methods or starting to store card data — can require a fresh assessment sooner.

Conclusion

PCI compliance carries a fearsome reputation, but for the typical small merchant — especially one running a hosted checkout on a platform like Strikingly — the reality is manageable. Identify the right SAQ, answer the questions honestly, run your scans if required, sign your AOC, and keep an eye on anything that changes. That’s the whole loop.

You don’t have to figure it out alone. PCICompliance.com gives you everything you need to achieve and maintain compliance in one place. As an end-to-end platform serving thousands of merchants and service providers — from single-location retailers to multi-site enterprises — we provide a free SAQ Wizard that identifies exactly which questionnaire you need, an ASV scanning service that handles your quarterly vulnerability scans, remediation guidance when something needs fixing, and a compliance dashboard that tracks your progress year-round.

Start with the free SAQ Wizard to pinpoint your questionnaire in minutes, or talk to our compliance team if you’d rather have an expert confirm your path. Either way, you’ll go from overwhelmed to on-track — which is exactly where you want to be before your acquirer asks again next year.

Leave a Comment

1,650 PCI scans completed this month