ThriveCart PCI Compliance
If you’re using ThriveCart to sell your products and just received a PCI compliance questionnaire from your payment processor, take a deep breath. For most small businesses using ThriveCart, PCI compliance is much simpler than it sounds. You won’t need a security team or expensive consultants — just a basic understanding of what’s required and about an hour to complete your questionnaire.
Here’s the bottom line: because ThriveCart handles the actual card processing through integrated payment gateways like Stripe or PayPal, you’re likely looking at the simplest form of PCI compliance. This guide will walk you through exactly what you need to do, step by step, in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to anyone who accepts credit card payments. Think of it as the basic security hygiene required to handle customer payment information safely.
The standard was created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through an organization called the PCI Security Standards Council. But here’s who actually enforces it: your payment processor or acquiring bank. That’s why they’re the ones sending you compliance questionnaires.
If you don’t comply, the consequences are real but manageable:
- Your payment processor can fine you (typically $20-100 per month for small merchants)
- If card data gets stolen from your business, you’re liable for the costs
- In extreme cases, you could lose the ability to accept credit cards
But here’s the good news: most businesses using ThriveCart qualify for the simplest compliance requirements. You’re not storing card numbers on your computer or processing payments through complex systems. ThriveCart and your payment gateway handle the heavy lifting.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you process one transaction per month or thousands — the requirement applies to everyone.
Your merchant level determines how you demonstrate compliance:
- Level 1: Over 6 million transactions annually (requires annual on-site assessment)
- Level 2: 1-6 million transactions annually (requires annual self-assessment and quarterly scans)
- Level 3: 20,000-1 million transactions annually (requires annual self-assessment and quarterly scans)
- Level 4: Under 20,000 transactions annually (requires annual self-assessment and sometimes quarterly scans)
Most ThriveCart users fall into Level 4. This means you complete a self-assessment questionnaire (SAQ) annually and, depending on your SAQ type, possibly run quarterly vulnerability scans against any internet-facing systems of yours that are part of the payment flow.
That compliance questionnaire your processor sent? It’s their way of verifying you’re meeting the security standards. They’re required to collect this from every merchant, and they’ll keep asking until you complete it.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Here’s how to determine which one applies to your ThriveCart setup:
| How You Use ThriveCart | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| ThriveCart with Stripe, PayPal, or similar (customers never enter card data on your site) | SAQ A | 22 | Simple |
| ThriveCart embedded on your website (payment fields hosted by gateway) | SAQ A-EP | 139 | Moderate |
| Also use physical terminals or take phone orders | SAQ C | 160 | Moderate |
| Store card numbers anywhere (please don’t) | SAQ D | 329 | Complex |
For most ThriveCart users, you’re looking at SAQ A — the simplest questionnaire with just 22 yes/no questions. This applies when:
- You use ThriveCart’s checkout pages hosted on their domain
- Payment processing happens through Stripe, PayPal, or similar gateways
- Customers are redirected to the payment processor’s page to enter card details
- You never see or touch the actual card numbers
If you’ve embedded ThriveCart forms on your own website using their JavaScript, you might need SAQ A-EP. This has more questions because your website is now part of the payment flow, even though you’re still not handling card data directly.
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your setup and tells you exactly which questionnaire you need.
How to Complete Your SAQ
Your SAQ is a checklist of security questions with yes/no answers. For SAQ A (the most common for ThriveCart users), you’re looking at questions like:
- “Do you have a policy for managing vendor access?”
- “Do you review your service providers’ PCI compliance status annually?”
- “Is your payment acceptance limited to the payment channels covered by this SAQ?”
Here’s what “yes” actually means:
- You don’t need formal written policies for most SAQ A requirements
- You do need to verify your payment processor (like Stripe) is PCI compliant — check their website for their compliance attestation
- You need to ensure you’re only accepting payments through the approved channels
Documentation you’ll need:
- Your payment processor’s PCI compliance certificate
- A list of any third-party services that touch your payment process
- Your ThriveCart account details to verify your configuration
If your SAQ type requires quarterly ASV scans (external vulnerability scanning), you’ll need to:
1. Sign up with an Approved Scanning Vendor
2. Provide the IP addresses of any systems that process payments
3. Run scans every 90 days
4. Fix any high-risk vulnerabilities found
Once complete, you’ll submit:
- Your completed SAQ questionnaire
- The Attestation of Compliance (AOC) — a summary page you sign
- Any required scan reports
These typically go directly to your payment processor through their compliance portal.
What It Costs
Let’s talk real numbers for ThriveCart users:
Compliance platforms and tools:
- Basic SAQ completion tools: $150-300 per year
- Full compliance platforms with scanning: $300-1,000 per year
- PCICompliance.com: Starting at $249/year for complete compliance management
Quarterly ASV scanning (if required):
- Standalone scanning services: $200-400 per year
- Often included with compliance platforms
If you need a QSA assessment:
- Only required for Level 1 merchants or complex setups
- On-site assessments: $15,000-50,000+
- Most ThriveCart users will never need this
The cost of NON-compliance:
- Monthly non-compliance fees from processor: $20-100
- If you have a breach without compliance: $50-90 per compromised card
- Potential loss of ability to process cards
- Reputational damage that’s hard to quantify
To be honest: for most small merchants using ThriveCart, annual compliance costs less than two months of non-compliance fines. It’s a business expense that pays for itself by avoiding penalties and reducing risk.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your compliance expires annually, and certain changes to your business require immediate reassessment.
Annual requirements:
- Complete your SAQ questionnaire
- Run quarterly ASV scans (if applicable)
- Review your payment setup for any changes
- Verify your service providers maintain their compliance
What triggers a new assessment:
- Changing payment processors
- Adding new payment channels (like a physical store)
- Starting to store card numbers (please reconsider)
- Significant changes to your website or payment flow
Set calendar reminders for:
- Annual SAQ due date (usually 90 days before expiration)
- Quarterly scan windows (every 90 days)
- Service provider compliance verification (annually)
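As an added example (not ThriveCart’s, PCICompliance.com’s or any PCI SSC tool), the Python script below encodes two things from this guide: the SAQ selection rules from the table in “Which SAQ Do You Need?” (the most demanding payment channel wins) and the reminder dates listed above. The merchant-level thresholds, the 90-day scan interval and the 90-day SAQ lead time come from the article; the 365-day compliance period, the channel precedence order, and scheduling the service-provider review on the same day as the SAQ due date are assumptions of the example, as is the `asv_scans_required` flag, which you should take from your processor rather than infer from the SAQ type.

```python
"""Added example: SAQ selector and compliance reminder calendar.

Thresholds and intervals follow the article; the channel precedence,
the 365-day period and the provider-review date are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Intervals from the article (scan every 90 days, SAQ due 90 days before expiry).
SCAN_INTERVAL = timedelta(days=90)
SAQ_LEAD_TIME = timedelta(days=90)
COMPLIANCE_PERIOD = timedelta(days=365)  # assumption: attestation valid one year


@dataclass
class PaymentSetup:
    hosted_checkout: bool       # checkout completes on ThriveCart's own domain
    embedded_checkout: bool     # ThriveCart forms embedded on your site via JavaScript
    phone_or_terminal: bool     # phone orders or a physical card terminal
    stores_card_numbers: bool   # card numbers stored anywhere (the table's SAQ D row)
    annual_transactions: int


def merchant_level(annual_transactions: int) -> int:
    """Merchant level from annual volume, using the article's thresholds."""
    if annual_transactions > 6_000_000:
        return 1
    if annual_transactions >= 1_000_000:
        return 2
    if annual_transactions >= 20_000:
        return 3
    return 4


def saq_type(setup: PaymentSetup) -> str:
    """Most demanding channel wins (assumed precedence): D > C > A-EP > A."""
    if setup.stores_card_numbers:
        return "SAQ D"
    if setup.phone_or_terminal:
        return "SAQ C"
    if setup.embedded_checkout:
        return "SAQ A-EP"
    if setup.hosted_checkout:
        return "SAQ A"
    raise ValueError("no payment channel selected")


def compliance_calendar(aoc_signed_on: str, asv_scans_required: bool) -> dict:
    """Reminder dates (ISO strings) for one compliance year starting at the AOC date."""
    signed = date.fromisoformat(aoc_signed_on)
    expires = signed + COMPLIANCE_PERIOD
    calendar = {
        "expires": expires.isoformat(),
        "saq_due": (expires - SAQ_LEAD_TIME).isoformat(),
        # Assumption: verify provider compliance when you prepare the next SAQ.
        "provider_review": (expires - SAQ_LEAD_TIME).isoformat(),
        "scan_due": [],
    }
    if asv_scans_required:
        # Four scan windows in the year: at signing, then every 90 days.
        calendar["scan_due"] = [(signed + SCAN_INTERVAL * i).isoformat() for i in range(4)]
    return calendar


def next_scan(last_scan: str, today: str) -> tuple:
    """Return (next due date as ISO string, True if already overdue)."""
    due = date.fromisoformat(last_scan) + SCAN_INTERVAL
    return due.isoformat(), date.fromisoformat(today) > due


if __name__ == "__main__":
    # Constructed sample: hosted ThriveCart checkout with Stripe, 1,500 sales a year.
    setup = PaymentSetup(True, False, False, False, 1_500)
    print("Merchant level:", merchant_level(setup.annual_transactions))
    print("Questionnaire:", saq_type(setup))
    for key, value in compliance_calendar("2024-03-01", asv_scans_required=True).items():
        print(f"{key}: {value}")
```

Feed it your real AOC signing date and the scan requirement your processor states; the `scan_due` list and `next_scan` give you the dates to put in the calendar reminders described above.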
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and flagging any changes that might affect your compliance status.
FAQ
I only process a few transactions per month. Do I still need to comply?
Yes, PCI compliance applies to any business that accepts credit cards, regardless of volume. Even one transaction per year requires compliance. The good news is that low-volume merchants typically need only the simplest SAQ types.
What happens if I ignore the compliance questionnaire from my processor?
Initially, you’ll receive more urgent reminders. Then monthly non-compliance fees start (typically $20-100). Eventually, your processor may increase your transaction rates or terminate your ability to accept cards.
Is ThriveCart PCI compliant?
ThriveCart maintains its own PCI compliance as a service provider. However, you still need your own compliance because you’re the merchant accepting payments. Think of it like renting a secure building — the building is secure, but you still need to lock your own office.
Can I just check “yes” to all the questions?
Technically you can, but you’re attesting that your answers are accurate. False attestation is considered fraud, and if there’s a breach, investigators will verify your actual practices against your attestation. Answer honestly — it’s better to fail and fix issues than to falsely attest.
Do I need to hire a security consultant?
For most ThriveCart users completing SAQ A, no. The questions are straightforward and relate to basic business practices. If you’re unsure about specific questions, compliance platforms like PCICompliance.com provide guidance for each requirement.
How do I know if my setup requires SAQ A or A-EP?
If customers complete their entire purchase on ThriveCart’s domain (the URL shows ThriveCart’s address during checkout), you’re SAQ A. If you’ve embedded ThriveCart forms on your own website using their JavaScript integration, you’re likely SAQ A-EP. When in doubt, use the SAQ Wizard to confirm.
What if I also take payments over the phone or with a mobile card reader?
Your SAQ type is determined by all your payment channels combined. If you use ThriveCart online and also take phone orders, you’ll likely need SAQ C. Multiple payment channels usually mean more complex compliance requirements.
How long does the whole process take?
For SAQ A (22 questions), budget 30-60 minutes to read through and answer honestly. SAQ A-EP takes 2-4 hours including gathering documentation. Add another 30 minutes if you need to set up quarterly scanning. Most merchants can complete everything in one afternoon.
Conclusion
ThriveCart PCI compliance doesn’t have to be overwhelming. For most merchants, it’s a matter of completing a short questionnaire annually and possibly running automated scans every quarter. The entire process takes less time than setting up your ThriveCart account in the first place.
The key is understanding which SAQ applies to your specific setup and staying organized about annual requirements. Your payment processor needs this to protect both you and your customers from card fraud — and the cost of compliance is far less than the risk of processing payments without it.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. We’ve helped thousands of merchants navigate PCI requirements, from single-person online businesses to growing e-commerce operations. Start with the free SAQ Wizard to identify your requirements, or talk to our compliance team about your specific ThriveCart setup.
Remember: PCI compliance is like business insurance — you hope you never need it, but you’ll be glad it’s there if something goes wrong. And unlike insurance, it actually makes your business more secure along the way.