Switzerland PCI Compliance

If you just received a PCI compliance questionnaire from your payment processor and feel overwhelmed, take a deep breath. Switzerland PCI compliance requirements are the same as anywhere else in the world, and for most Swiss businesses accepting card payments, achieving compliance is much simpler than it first appears. This guide will walk you through exactly what you need to do, in plain language, without the technical jargon.

The Bottom Line Up Front

Here’s what you actually need to know: if your Swiss business accepts credit cards — whether in person, online, or over the phone — you need to be PCI compliant. The good news? Most small and medium-sized businesses qualify for the simplest compliance options. You probably don’t need expensive consultants or complex security assessments. You just need to complete the right questionnaire, run quarterly scans if required, and maintain a few basic security practices.

Your payment processor sent you that questionnaire because they’re required to verify your compliance annually. It’s not optional, but it’s also not as scary as it looks. Most merchants can complete their requirements in a few hours with the right guidance.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. These companies formed the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. That’s where your acquirer or payment processor comes in.

Your payment processor — whether it’s SIX Payment Services, Worldline, Datatrans, or another provider — is responsible for ensuring their merchants maintain PCI compliance. They’re the ones who sent you that questionnaire, and they’re the ones who will follow up if you don’t complete it.

The consequences of non-compliance are real but manageable. Your processor can impose fines (typically starting at CHF 50-200 per month for small merchants), you face liability if there’s a data breach, and in extreme cases, you could lose the ability to accept card payments. But here’s the key: compliance isn’t difficult if you understand which requirements actually apply to your business.

The standard exists for one simple reason: to protect cardholder data. Every business that touches credit card information needs to handle it securely. For most businesses, that means not storing it at all — which makes compliance much simpler.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit or debit cards in any form, yes, you need to be PCI compliant. This applies whether you:

  • Run a retail shop with a card terminal
  • Operate an e-commerce website
  • Take orders over the phone
  • Process recurring payments
  • Accept cards at events or markets

Most Swiss small businesses fall into Merchant Level 4, which means you process fewer than 20,000 Visa transactions or 1 million total card transactions annually. This is good news — Level 4 merchants have the simplest compliance requirements. You complete a self-assessment questionnaire (SAQ) annually and submit it to your payment processor.

Your payment processor expects three things from you:
1. Complete the appropriate SAQ for your business type
2. Pass quarterly ASV scans if you have any internet-facing systems
3. Submit your Attestation of Compliance (AOC) confirming you meet the requirements

That compliance questionnaire they sent? It’s their way of collecting this information. They need it to prove to the card brands that their merchant portfolio is secure.

Which SAQ Do You Need?

The most important decision in PCI compliance is selecting the right SAQ type. Choose wrong, and you’ll either do unnecessary work or miss critical requirements. Here’s how to determine which one applies to your Swiss business:

Payment Scenario | SAQ Type | Complexity | Questions
E-commerce with hosted checkout (Stripe, PayPal, Datatrans) | SAQ A | Simplest | ~20
Physical terminal only, no electronic storage | SAQ B | Simple | ~40
Physical terminal with IP connection | SAQ B-IP | Simple | ~80
Taking cards over phone/mail, no storage | SAQ C-VT | Moderate | ~160
E-commerce with payment page on your site | SAQ A-EP | Moderate | ~190
Any electronic storage of card numbers | SAQ D | Complex | ~330

If you use a payment terminal like the SIX terminals, Worldline devices, or modern solutions like SumUp or Zettle, you likely need SAQ B or SAQ B-IP. The difference? SAQ B is for standalone terminals with no network connection (increasingly rare), while SAQ B-IP covers terminals that connect via your internet connection.

If you have an e-commerce site and redirect customers to a hosted payment page (think Stripe Checkout, PayPal, or Datatrans Payment Page), you qualify for SAQ A — the simplest form with only about 20 yes/no questions.

If you take card payments over the phone but don’t record or store the numbers, you’ll complete SAQ C-VT. This applies to many service businesses, hotels, and B2B companies in Switzerland.

If you store card numbers in any electronic format — even in Excel or your email — you’re stuck with SAQ D, the full assessment. This is complex and expensive. The solution? Stop storing card numbers and move to a simpler SAQ type.

Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about how you accept payments and tells you exactly which SAQ you need. No guessing required.

How to Complete Your SAQ

Once you know which SAQ applies, completing it is straightforward. Each SAQ is a series of yes/no questions about your security practices. Here’s what to expect:

The questionnaire format is standardized. You’ll answer questions like “Do you change default passwords on payment terminals?” and “Is cardholder data only retained for business purposes?” Answer honestly — this is about identifying and fixing gaps, not passing a test.

When the question asks for “yes,” it means you have implemented that control and can prove it. For instance, if asked about password policies, “yes” means you actually enforce strong passwords, not just that you intend to. Your processor may ask for evidence during validation.

Documentation you’ll need:

  • Network diagram (even a simple sketch for small businesses)
  • List of who has access to payment systems
  • Copies of any security policies you’ve implemented
  • Results from your quarterly ASV scans
  • Evidence of security awareness training (can be as simple as a sign-in sheet)

The quarterly ASV scan is required if you have any internet-facing systems — including e-commerce sites, email servers, or even just a static website. An Approved Scanning Vendor runs automated scans to check for vulnerabilities. These typically cost CHF 100-300 per year for small businesses and take about 15 minutes to set up.

Submitting your completed SAQ happens through your payment processor’s portal or compliance platform. You’ll also sign an Attestation of Compliance (AOC) — a formal declaration that your answers are accurate. Keep copies for your records.

What It Costs

Let’s talk real numbers for Swiss businesses:

Compliance platform and tools typically run CHF 200-1,000 annually for small merchants. This includes access to the SAQ, guidance on completing it, and basic compliance tracking. PCICompliance.com’s platform starts at the lower end of this range.

Quarterly ASV scanning costs about CHF 25-75 per quarter, depending on the complexity of your infrastructure. If you have a simple website, you’re looking at the lower end. Multiple domains or complex systems push the cost up.

If you need a QSA — which only applies to Level 1 merchants or those who can’t self-assess — budget CHF 10,000-50,000 for a formal assessment. But remember: most Swiss businesses never need this level of assessment.

The cost of non-compliance makes compliance look cheap. Monthly fines from your processor start around CHF 50-200 but can escalate. If you suffer a breach while non-compliant, you face breach investigation costs (CHF 20,000+), card replacement fees, and potential liability for fraudulent charges. One breach can cost more than a decade of compliance.

For most small Swiss merchants, annual compliance costs less than CHF 1,000 — often less than a single monthly non-compliance fine. It’s not an expense; it’s insurance for your ability to accept card payments.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your processor will ask for updated compliance validation every year, and some requirements need attention throughout the year.

Annual requirements include completing your SAQ and updating any changed information. If your payment setup changes — new terminals, different e-commerce platform, additional locations — you may need to complete a different SAQ type.

Quarterly requirements primarily mean ASV scans for merchants with internet-facing systems. Mark your calendar or use automated reminders. Missing a quarter means scrambling to explain the gap to your processor.

Setting up a compliance calendar takes five minutes but saves hours of stress. Note your SAQ due date, quarterly scan windows, and any security update schedules. Many Swiss businesses align their PCI calendar with their fiscal year for easier tracking.

What triggers a reassessment:

  • Changing payment processors or terminals
  • Adding new payment channels (like starting e-commerce)
  • Significant network changes
  • Moving to a new SAQ type
  • Any security incident

PCICompliance.com’s compliance dashboard tracks all these dates and requirements automatically, sending reminders before deadlines and flagging any changes that might affect your compliance status.

Frequently Asked Questions

Do Swiss data protection laws affect PCI compliance?

No, PCI DSS requirements are the same globally. However, you need to comply with both PCI DSS and Swiss data protection laws. The good news is that PCI compliance helps with GDPR and Swiss Federal Data Protection Act compliance — they share many security principles.

Can I just ignore the compliance questionnaire from my payment processor?

Ignoring it won’t make it go away. Your processor will follow up, potentially adding non-compliance fees to your monthly statement. Eventually, they can suspend your ability to process cards. It’s much easier to spend a few hours completing the requirements.

What if I only process a few transactions per month?

Transaction volume doesn’t exempt you from PCI compliance — if you accept even one card payment, you need to comply. However, low volume means you’re likely Level 4 with the simplest requirements. Your SAQ type depends on how you accept payments, not how many.

Do I need to hire a security consultant?

Most small businesses don’t need consultants for PCI compliance. If you qualify for SAQ A, B, or B-IP, you can complete the requirements yourself with basic guidance. Only complex payment environments typically need professional help.

What’s the difference between PCI compliance and PA-DSS?

PCI DSS applies to merchants and service providers handling card data. PA-DSS applied to payment application vendors (it’s been replaced by the PCI Software Security Standard). As a merchant, you only need to worry about PCI DSS.

How do I know if I’m storing card data?

Search your systems for 16-digit numbers, especially in spreadsheets, databases, and email. Check paper files too. If you find card numbers anywhere except active transaction logs on your payment terminal, you’re storing card data and need to address it.
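A practical way to run that search is a small discovery script that flags digit runs shaped like card numbers and then filters them with the Luhn checksum that every card PAN satisfies, so that order numbers, IBANs and phone numbers are not reported as card data. The script below is an added example written for this guide; it is not a tool from PCICompliance.com or from the article. It goes slightly beyond the "16-digit" rule of thumb above by checking runs of 13 to 19 digits (American Express PANs are 15 digits) and reports each hit masked to first six and last four digits so the report itself does not become a new copy of card data. The sample text, the file-walking helper and all function names are assumptions for the example; the card numbers in the sample are the public, Luhn-valid test PANs, not real accounts.

```python
import os
import re

# Candidate: a run of 13-19 digits, optionally separated by single spaces or
# dashes (as cards are often typed), not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits and star the rest, so the
    findings report does not itself store full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text: digit runs that also pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk root and return {path: [masked PAN, ...]} for plain-text files
    that contain likely card numbers. Binary formats (xlsx, pst) are not
    parsed here; export them to text/CSV first. (Hypothetical helper.)"""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_pans(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


# Constructed sample text for the example. The card numbers are the public
# test PANs (Luhn-valid, not real accounts); the order number and the
# IBAN-shaped value are 16- and 19-digit runs that are NOT card numbers.
SAMPLE = """\
Order 1234567890123456 shipped to Zurich
Customer paid with 4111 1111 1111 1111 exp 12/27
Amex on file: 378282246310005
Bank: CH93 0076 2011 6238 5295 7
Tel +41 44 123 45 67
Refund to 5555-5555-5555-4444
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE):
        print("possible stored PAN:", pan)
```

Run against the sample, the script reports only the three test PANs; the 16-digit order number fails the Luhn check and the IBAN and phone number are rejected as well. Luhn reduces false positives but does not eliminate them, so every hit still needs a human look, and a clean run is not proof of absence: mailboxes, database exports and spreadsheets have to be exported to text before this kind of scan can see inside them.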

Can I self-assess or do I need a QSA?

Swiss Level 4 merchants (processing under 1 million transactions annually) can self-assess using the appropriate SAQ. Only Level 1 merchants or those with specific compliance issues need a formal QSA assessment.

What if my business is seasonal?

PCI compliance is required year-round, even if you only process transactions seasonally. Complete your annual SAQ based on your peak processing setup. If you completely shut down card processing in the off-season, document this for your processor.

Conclusion

PCI compliance for Swiss businesses doesn’t have to be overwhelming. Most merchants can achieve and maintain compliance with just a few hours of work annually, plus quarterly scans if needed. The key is understanding which requirements actually apply to your business and using the right tools to simplify the process.

Start by identifying your SAQ type — this single decision determines 90% of your compliance journey. From there, it’s simply a matter of answering the questions honestly, implementing any missing controls, and maintaining your compliance year-round.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. For Swiss businesses dealing with PCI requirements, we provide the guidance and tools to make compliance straightforward and affordable. Start with our free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team for personalized guidance on your specific payment setup.
