Swell PCI Compliance

Bottom Line Up Front

If you run a store on Swell and just got a PCI compliance questionnaire from your payment processor, take a breath. For most small merchants, Swell PCI compliance is far simpler than the intimidating paperwork suggests. Swell is a headless e-commerce platform that integrates with payment providers like Stripe — and if your customers enter their card details into a hosted or embedded checkout you don’t directly control, you likely qualify for one of the simplest self-assessment questionnaires available.

In most cases, achieving Swell PCI compliance means completing a short questionnaire, running a quarterly scan (if applicable), and signing an attestation. No auditors camping out in your office. Here’s everything you actually need to know — in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security rules designed to protect credit card data from theft. If you accept card payments in any form — online, in person, or over the phone — these rules apply to you.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a group called the PCI Security Standards Council (PCI SSC). The Council writes the rules, but it doesn’t enforce them directly. That job falls to your acquirer (also called your acquiring bank or payment processor) — the company that deposits card payments into your bank account.

That’s why they sent you the questionnaire. Your processor is contractually required to make sure the merchants they serve are following the rules.

What happens if you ignore it

Skipping PCI compliance isn’t a great idea. The realistic consequences include:

  • Monthly non-compliance fees from your processor until you validate
  • Liability if a breach occurs — fines, forensic investigation costs, and card reissuance charges can be severe
  • Loss of card-processing privileges in the worst cases

The good news: most small businesses qualify for the simplest SAQ types, and the whole process is designed to be self-service. Validation is a point-in-time snapshot, but compliance itself is ongoing: you validate at least annually, and for a typical small merchant that is a manageable annual task, not a year-round nightmare.

Do You Need to Be PCI Compliant?

Yes. If you accept credit or debit cards in any way, PCI DSS applies to you. There’s no transaction volume too small to be exempt. A single card payment a month still counts.

Your merchant level

The card brands sort merchants into four levels based on annual transaction volume and risk. Your acquirer assigns your level — so always confirm yours with them directly. That said:

  • Level 1 is for the largest merchants, who undergo a formal audit
  • Levels 2, 3, and 4 generally validate through a self-assessment questionnaire (SAQ)

Most small businesses are Level 4. That means you complete an SAQ yourself rather than hiring an auditor — a huge relief in both time and cost.

The questionnaire they sent you

The document from your processor is your invitation to self-assess. It’s asking you to confirm that you’re handling card data securely. You complete the appropriate SAQ, sign an Attestation of Compliance (AOC), and (if required) submit a passing scan. Once you do, you’re validated for the year.

Which SAQ Do You Need?

There are several SAQ types, and the right one depends entirely on how you accept payments. The whole point of choosing the correct SAQ is scope — the more card-handling you outsource, the fewer requirements apply to you.

Here’s the plain-language decision tree:

Payment Scenario | Likely SAQ | Complexity
E-commerce site with fully hosted/redirected checkout (e.g. Stripe Checkout, hosted page) | SAQ A | Lowest
E-commerce where your page partially controls payment (iframe, direct-post, embedded fields) | SAQ A-EP | Moderate
Standalone dial-out terminal, no electronic card storage | SAQ B | Low
Standalone IP-connected terminal | SAQ B-IP | Low–Moderate
Virtual terminal — you key in phone/mail orders manually | SAQ C-VT | Low–Moderate
Payment systems connected to the internet, no electronic storage | SAQ C | Moderate
You store card numbers electronically (please stop) | SAQ D | Highest

Where Swell merchants usually land

Most stores running Swell use a payment provider like Stripe, where the actual card entry happens through the provider’s secure fields or a hosted checkout. If the card data never touches your servers because it’s fully redirected to or hosted by your provider, you’re likely SAQ A — the simplest path.

If your Swell storefront uses embedded payment fields where your own page is more involved in the card-entry process (think direct-post or certain iframe setups), you may fall into SAQ A-EP, which carries more requirements because more of the transaction flow runs through systems you control.

Not sure which side of that line you’re on? That distinction matters, and getting it wrong means you either over-work or under-protect. Our free SAQ Wizard asks a few simple questions about how you take payments and tells you exactly which questionnaire you need — no guessing.

How to Complete Your SAQ

What it looks like

An SAQ is a series of yes/no questions about your security controls. The simpler SAQs (like SAQ A) have relatively few; SAQ D has many. For most small merchants, completing the right SAQ takes a few hours to a couple of days, depending on how prepared you are.

A “yes” answer means you genuinely have that control in place. For example:

  • “Are vendor-supplied default passwords changed?” → Yes means you actually changed the admin password on your router, terminal, and accounts.
  • “Is access restricted to those who need it?” → Yes means each staff member has their own login with appropriate permissions (this maps to Requirement 7).
  • “Is multi-factor authentication used for access to systems?” → Yes means you’ve turned on MFA where the standard requires it (Requirement 8).

Don’t answer “yes” just to finish faster. A false attestation can void your liability protection if a breach happens.

Documentation to gather

Even for a simple SAQ, have these on hand:

  • A list of your payment providers and confirmation they’re PCI compliant
  • Your information security policy (the current standard requires one — even a short, plain one)
  • Records of who has access to payment systems
  • Evidence of annual security awareness for staff who handle payments

The quarterly ASV scan

If your environment has any external-facing (internet-connected) systems in scope, the standard requires a quarterly vulnerability scan performed by an Approved Scanning Vendor (ASV). The scan checks your public-facing systems for known weaknesses and produces a pass/fail report.

For a fully outsourced SAQ A setup, an ASV scan often isn’t required — but confirm your specific obligation. When a scan is required, our ASV scanning service handles it for you on a quarterly schedule.

Submitting

Once your SAQ is complete and any required scan passes, you sign your AOC and submit both to your acquirer through whatever portal they specify. That’s your validation for the year.

What It Costs

PCI compliance costs vary, but for a small merchant they’re modest — and trivial compared to the cost of a breach.

Item | Typical Range | Who Needs It
Compliance platform / SAQ tools | Low annual cost | Most merchants
Quarterly ASV scanning | Modest per-quarter or annual fee | Merchants with external-facing systems
QSA-led assessment (ROC) | Significant — thousands+ | Level 1 / complex environments only
Non-compliance fees | Recurring monthly charges | Anyone who skips validation
Breach liability | Potentially severe | Anyone who suffers a breach

The honest assessment: for most small merchants, an entire year of compliance — SAQ tooling plus scanning — costs far less than a single breach fine or forensic investigation. PCI compliance is one of the rare security investments where the math is genuinely lopsided in your favor.

You only need a QSA (Qualified Security Assessor) if you’re a Level 1 merchant or your acquirer specifically requires a Report on Compliance (ROC). Most small Swell merchants never go near a QSA.

Staying Compliant Year-Round

Here’s the part people miss: PCI compliance isn’t a one-time form. It’s validated at least annually, with quarterly scans where required. And compliance is only a snapshot — staying secure between assessments is what actually protects you.

A few habits keep you on track:

  • Set reminders for your annual SAQ renewal and quarterly scans
  • Re-assess when things change — switching payment providers, adding a new checkout method, redesigning your store, or starting to store data you didn’t before can all change your SAQ type
  • Keep your security basics current — strong unique passwords, MFA, updated software, and limited access

Tracking all of this manually is where merchants slip. Our compliance dashboard keeps your SAQ status, scan schedule, and renewal dates in one place, so you’re never caught off guard when your acquirer asks for proof.

FAQ

I just got the questionnaire and I’m overwhelmed. Where do I start?

Start by identifying how you accept payments, because that determines your SAQ. The fastest way is our free SAQ Wizard — answer a few questions and it tells you exactly which questionnaire applies, so you’re not staring at the wrong form.

Does Swell handle PCI compliance for me?

Swell and your payment provider handle the security of their systems, which reduces your scope significantly — especially if card data never touches your servers. But you’re still responsible for completing your own SAQ, attesting to your controls, and any required scans. Compliance is shared, not transferred.

Do I really need an ASV scan?

It depends on your SAQ type and whether you have internet-facing systems in scope. Fully outsourced setups (often SAQ A) frequently don’t require one, while many other SAQ types do. Confirm your obligation with your acquirer — or let us determine it for you.

What if I answer “no” to some questions?

A “no” means you have a gap to fix before you can validate. That’s normal — it just means a bit of remediation, like enabling MFA or updating a password policy. Our remediation guidance walks you through closing each gap.

Am I really Level 4? How do I know?

Your acquirer assigns your merchant level based on annual transaction volume and risk, so the only authoritative answer comes from them. Most small businesses are Level 4 and self-assess, but always confirm directly with your processor.

What happens if I just ignore the questionnaire?

Your processor will typically charge monthly non-compliance fees, and you’ll carry full liability if a breach occurs. In serious cases, you can lose the ability to accept cards. Validating is almost always cheaper and easier than ignoring it.

Can I store customer card numbers to make repeat checkout easier?

Please don’t store raw card numbers — it dramatically expands your scope and pushes you into SAQ D. Instead, use your payment provider’s tokenization, which stores a safe token on their compliant systems while keeping the actual PAN out of your environment entirely.
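The scope advice above (and the "please stop" row of the SAQ table) comes down to one rule: the only card-related value your own servers should ever see is the provider's token. The following is an added example, not Swell's or any payment provider's code, showing how a merchant backend can enforce that rule on itself. It assumes the provider's hosted fields return an opaque token that the storefront forwards as `paymentToken`, that the token is shaped like `tok_` followed by alphanumerics (an assumed format for illustration; use your provider's documented one), and that the forbidden field names listed are the ones your checkout might accidentally leak. The PAN detector treats any 13-19 digit run that passes the Luhn check as a probable card number, and the redactor masks such runs before text reaches a log, support ticket or database.

```javascript
// Added example (not Swell's or a payment provider's code): keep raw card
// numbers (PANs) out of a merchant's own systems.

// Luhn check: every real card number passes it, so a 13-19 digit run that also
// passes Luhn is treated as a probable PAN (random digit runs pass about 10%
// of the time, which is an acceptable false-positive rate for a redactor).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or dashes, on word boundaries.
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return every PAN-like substring found in free text.
function findPanCandidates(text) {
  const hits = [];
  for (const m of text.matchAll(PAN_RE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(m[0]);
  }
  return hits;
}

// Keep only the last four digits, which is what PCI DSS permits to be displayed.
function maskPan(value) {
  const digits = value.replace(/[ -]/g, '');
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Redact probable PANs before the text reaches a log, a ticket or a database.
function redact(text) {
  return text.replace(PAN_RE, (m) =>
    luhnValid(m.replace(/[ -]/g, '')) ? maskPan(m) : m);
}

// Field names the merchant server must never receive (assumed list).
const FORBIDDEN_FIELDS = ['cardNumber', 'card_number', 'pan', 'cvv', 'cvc', 'expiry'];
// Assumed token shape for illustration; check your provider's documentation.
const TOKEN_RE = /^tok_[A-Za-z0-9]+$/;

// Accept a checkout submission only if it carries a provider token and no card data.
function validateCheckoutPayload(payload) {
  const errors = [];
  for (const key of Object.keys(payload)) {
    if (FORBIDDEN_FIELDS.includes(key)) {
      errors.push(`field "${key}" must never reach the merchant server`);
    }
  }
  if (typeof payload.paymentToken !== 'string' || !TOKEN_RE.test(payload.paymentToken)) {
    errors.push('paymentToken missing or malformed');
  }
  // Field names can look innocent, so scan every string value for a PAN too.
  for (const [key, value] of Object.entries(payload)) {
    if (typeof value === 'string' && findPanCandidates(value).length > 0) {
      errors.push(`field "${key}" contains a card-number-like value`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample inputs (4242... and 4111... are public test numbers, not real cards).
const GOOD_PAYLOAD = { orderId: 'ord_1001', paymentToken: 'tok_abc123', note: 'leave at door' };
const BAD_PAYLOAD = { orderId: 'ord_1002', paymentToken: 'tok_abc124', note: 'card 4242 4242 4242 4242 exp 12/29' };
const LOG_LINE = 'checkout ok order=ord_1002 card=4111111111111111 tracking=12345678901234567890';

console.log(validateCheckoutPayload(GOOD_PAYLOAD)); // { ok: true, errors: [] }
console.log(validateCheckoutPayload(BAD_PAYLOAD));  // ok: false, one error for "note"
console.log(redact(LOG_LINE));                      // card masked, 20-digit tracking id untouched
```

The redactor is deliberately narrow: it leaves the 20-digit tracking number alone because card numbers are at most 19 digits, and it ignores digit runs that fail Luhn, so order ids and phone numbers rarely trip it. Running `validateCheckoutPayload` on every inbound checkout request, and `redact` on every line your application logs, is cheap evidence for the "no electronic storage" answers on SAQ A and A-EP.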

How often do I have to do this?

At least annually for your SAQ and AOC, plus quarterly ASV scans if required. Re-assess sooner if you change how you accept payments.

Conclusion

PCI compliance has a fearsome reputation, but for a typical small Swell merchant the reality is much gentler: identify the right SAQ, confirm your controls, run a scan if you need one, and sign your attestation. Keep your security basics solid and revisit it each year. That’s genuinely most of the journey.

PCICompliance.com gives you everything you need to achieve and maintain compliance in one place. As an end-to-end platform serving thousands of merchants and service providers — from single-location retailers to multi-site enterprises — we make the process navigable instead of intimidating. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round.

Start with the free SAQ Wizard, or talk to our compliance team — and turn that intimidating questionnaire into a checked box.
