Ticketmaster PCI Compliance

Bottom Line Up Front

If you’ve just received a PCI compliance questionnaire and you’re feeling overwhelmed, take a deep breath. For most small businesses, PCI compliance is much simpler than it appears. You probably qualify for one of the easier SAQ types, which means you can complete your compliance requirements in a few hours, not weeks. This guide will walk you through exactly what Ticketmaster PCI compliance means for your business and how to handle that questionnaire sitting in your inbox.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. If your business accepts credit cards — whether through a terminal, online, or over the phone — these requirements apply to you.

The major card brands (Visa, Mastercard, American Express, Discover and JCB) founded the PCI Security Standards Council (PCI SSC), which publishes and maintains the standard. But here’s the important part: the card brands don’t deal with you directly. Your acquirer (the bank or payment processor that handles your card transactions) is the one who enforces these rules, assigns your merchant level, and sends you that compliance questionnaire.

The Consequences Matter

Non-compliance isn’t just about paperwork. The card brands levy fines on acquirers, and acquirers pass them through to merchants; figures of $5,000 to $100,000 per month are commonly cited for ongoing non-compliance. If there’s a data breach and you weren’t compliant, you’re liable for the fraud losses plus forensic investigation and card reissuance costs. In extreme cases, your acquirer can terminate your ability to accept credit cards entirely.

The Good News

Most small businesses qualify for the simplest SAQ types, which means your compliance process involves answering straightforward yes/no questions about your payment setup. You don’t need a security team or expensive consultants. You just need to understand which questionnaire applies to your business and answer honestly about your current practices.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes.

It doesn’t matter if you process one transaction or one million. The moment you accept a credit card payment, you’re required to comply with PCI DSS. What changes with volume is how you have to demonstrate compliance. Each card brand defines its own merchant levels (the thresholds below are Visa’s, and the others are similar), and your acquirer tells you which level you’re in:

  • Level 4 (fewer than 20,000 e-commerce transactions annually, or up to 1 million total transactions annually across all channels): Most small businesses fall here. You complete a self-assessment questionnaire (SAQ) annually, plus quarterly ASV scans if your SAQ type requires them.
  • Level 3 (20,000 to 1 million e-commerce transactions annually): Still an annual SAQ, plus quarterly ASV scans if your SAQ type requires them.
  • Level 2 (1 to 6 million transactions annually across all channels): Annual SAQ (some brands require it to be completed by a certified Internal Security Assessor or a QSA) plus quarterly ASV scans.
  • Level 1 (over 6 million transactions annually, or any merchant a card brand or acquirer designates, typically after a breach): Annual onsite assessment by a QSA producing a Report on Compliance (ROC), plus quarterly ASV scans.

What Your Payment Processor Expects

Your payment processor sends that compliance questionnaire because they’re required to verify that all their merchants maintain PCI compliance. They typically expect:

  • An annual Self-Assessment Questionnaire (SAQ) appropriate to your payment setup
  • Quarterly ASV scans if your SAQ type requires them (the types where your own internet-facing systems are in scope)
  • An Attestation of Compliance (AOC) confirming you’ve met all requirements
  • Evidence of compliance stored in their portal or compliance management system

That questionnaire in your inbox? It’s your processor’s way of saying “it’s time for your annual compliance check-up.”

Which SAQ Do You Need?

The most common mistake businesses make is choosing the wrong SAQ type. Here’s how to determine which one applies to your specific payment setup:

The SAQ Decision Tree

Each entry below gives the payment scenario, the SAQ type it maps to, how complex that SAQ is, and the approximate number of questions (counts vary by PCI DSS version, so treat them as rough sizes):

  • Online payments with hosted checkout (PayPal, Stripe Checkout, Shopify Payments: customers are redirected to the provider’s page and never enter card data on your site): SAQ A. Simplest, about 20 questions.
  • Online payments where your own page delivers the payment form or script (direct-post or JavaScript tokenization that is not fully iframe-based, for example Authorize.net Accept.js): SAQ A-EP. Simple in concept but long, about 140 questions. Iframe-based integrations such as Stripe Elements and Square Web Payments are usually treated as SAQ A by the provider; confirm with yours rather than assuming.
  • Standalone terminals only (a dial-out card terminal or imprint machine not connected to any other system): SAQ B. Simple, about 40 questions.
  • Standalone terminals connected over IP (the terminal reaches the processor through your router but no other system touches card data): SAQ B-IP. Moderate, about 80 questions.
  • Taking payments over the phone and keying them into a web-based virtual terminal (call center, phone orders): SAQ C-VT. Moderate, about 80 questions.
  • Payment application systems connected to the internet (POS software on an internet-connected PC, no electronic storage of card data): SAQ C. Moderate, about 140 questions.
  • Validated P2PE solution (listed point-to-point encryption terminals only): SAQ P2PE. Simple, about 35 questions.
  • Storing card numbers electronically, or anything that doesn’t fit the types above: SAQ D. Complex, about 330 questions.

Real-World Examples

If you use a standalone card terminal at your farmers market booth and it isn’t connected to any other system, you’re likely SAQ B (or SAQ B-IP if the terminal connects over IP). Mobile readers that plug into a phone app are a different case: the reader vendor’s own PCI guidance tells you which SAQ (if any) they expect you to complete.

If you run a Shopify store, you’re probably SAQ A — Shopify handles all the card data, and customers never enter card details on your actual website.

If you run a restaurant, it depends on how the cards are read: standalone IP-connected terminals that don’t talk to your POS software put you in SAQ B-IP; a POS application that itself processes card data on an internet-connected machine is SAQ C; and a validated Point-to-Point Encryption solution gets you the shorter SAQ P2PE.

If you take orders over the phone and type them into a virtual terminal, that’s SAQ C-VT territory.

Not sure which applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need — no guesswork required.

How to Complete Your SAQ

Once you know which SAQ type you need, the actual completion process is straightforward.

What the Questionnaire Looks Like

Your SAQ consists of yes/no questions about your payment environment. For example:

  • “Do you have a firewall in place?”
  • “Do you change default passwords on all systems?”
  • “Do you have anti-virus software installed?”

When you answer “yes,” you’re confirming that control is in place. When you answer “no,” you’ll need to either implement that control before you attest, or mark it “not applicable” with a written explanation of why it doesn’t apply to your environment.

Time Investment by SAQ Type

  • SAQ A: 1-2 hours (mostly gathering information)
  • SAQ A-EP: 2-4 hours (includes network security questions)
  • SAQ B: 1-2 hours (focus on physical terminal security)
  • SAQ B-IP: 3-5 hours (adds network security requirements)
  • SAQ C-VT: 3-5 hours (emphasis on access controls)
  • SAQ D: Multiple days (reduce your scope so you don’t need it: the usual trigger is storing card numbers, which a tokenizing provider can do for you)

Documentation You’ll Need

Before starting, gather:

  • Your network diagram (even a simple sketch works for small businesses)
  • List of all systems that handle payments
  • Your information security policies (or be ready to create basic ones)
  • Vendor agreements for any third-party payment services
  • Results from your last vulnerability scan (if applicable)

The Quarterly ASV Scan

If your SAQ type requires it, you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). SAQ A-EP, B-IP, C and D require them; SAQ A, B, C-VT and P2PE don’t, because none of your own internet-facing systems are in scope. Check the “Required” section of your SAQ rather than assuming. The scan is an automated external test of your internet-facing systems for known security vulnerabilities.

The scan itself takes minutes to run, though fixing any findings might take longer. Schedule your first scan early in the compliance process — don’t wait until the last minute to discover you have vulnerabilities to fix.

Submitting Your Compliance Package

Once complete, you’ll submit:
1. Your completed SAQ with all questions answered
2. Your Attestation of Compliance (AOC) — a formal declaration that you’ve met all requirements
3. Evidence of passing ASV scans (if required)
4. Any additional documentation your processor requests

Most processors have an online portal where you upload these documents. Some use third-party compliance management platforms. Either way, keep copies for your records.

What It Costs

Let’s talk real numbers. PCI compliance has both direct and indirect costs, but for most small merchants, it’s less expensive than you might think.

Direct Compliance Costs

Compliance Platform/Tools: $200-500 per year for small merchants. This typically includes:

  • SAQ wizard and questionnaire tools
  • Compliance tracking dashboard
  • Document storage
  • Basic support

ASV Scanning: $200-400 per year for quarterly scans. Some compliance platforms bundle this with their annual fee.

QSA Assessment: Only required for Level 1 merchants or if your acquirer specifically demands it. Budget $20,000-50,000 for a full ROC assessment.

Hidden Costs to Consider

Time Investment: Your biggest cost is often time. Budget 5-10 hours annually for a simple SAQ, more for complex environments.

Remediation: If your ASV scan finds vulnerabilities, you’ll need to fix them before you can submit a passing scan. This might mean software updates (free) or replacing unsupported hardware (cost varies).

Security Improvements: Some requirements might necessitate new tools — a firewall ($200-500), anti-virus software ($50-100/year), or password manager ($50-100/year).

The Cost of Non-Compliance

Your payment processor can impose:

  • Monthly non-compliance fees: $25-100 per month until you comply
  • Non-compliance fines: $5,000-100,000 for serious or repeated violations
  • Breach liability: If you’re breached while non-compliant, you’re liable for fraud losses, forensic investigation costs, card reissuance fees, and potential lawsuits

Reality check: For most Level 4 merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — it’s about protecting your business and your customers.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done activity. It’s an ongoing commitment to protecting card data.

Annual Requirements

Every year, you’ll need to:

  • Complete your SAQ again (even if nothing changed)
  • Submit a fresh AOC
  • Review and update your security policies
  • Train any staff who handle card data

Quarterly Requirements

Every 90 days:

  • Run your ASV vulnerability scan (if required)
  • Review scan results and fix any failures
  • Save passing scan reports for your annual submission

When Things Change

Certain changes trigger a reassessment:

  • New payment channels (adding e-commerce to a retail-only business)
  • New payment types (starting to take phone orders)
  • Infrastructure changes (new POS system, changed payment processor)
  • Business growth (moving up a merchant level)

When in doubt, check with your acquirer. They’d rather help you stay compliant than discover issues later.

Making Compliance Easier

Set up a compliance calendar with reminders for:

  • Quarterly scan dates (every 90 days)
  • Annual SAQ due date
  • Policy review dates
  • Staff training sessions

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders when action is needed and maintaining a complete audit trail of your compliance activities.

FAQ

I’m just a small business. Do these requirements really apply to me?

Yes, if you accept credit cards, PCI DSS applies regardless of size. However, how much you have to validate scales with your transaction volume, and how many requirements apply scales with how your business touches card data. Most small businesses qualify for simplified SAQ types that take just a few hours annually.

What happens if I ignore that compliance questionnaire?

Your payment processor will likely start with reminder notices, then add monthly non-compliance fees to your statement. Eventually, they can fine you thousands of dollars or terminate your ability to accept cards. It’s much easier to just complete the questionnaire.

Can I just say “yes” to everything on the SAQ?

Answering dishonestly puts you at serious risk. If there’s a breach and investigation reveals you weren’t actually compliant, you’re liable for all associated costs. Answer honestly, fix what needs fixing, and sleep better at night knowing you’re genuinely protecting your customers’ data.

Do I really need quarterly scans if I barely process any transactions?

If your SAQ type requires ASV scanning, then yes — transaction volume doesn’t matter. The scans verify your internet-facing systems are secure. The good news: scans are automated and typically cost less than $100 per quarter.

My payment processor says I need an onsite assessment. Is that normal?

For Level 4 merchants, onsite assessments are rare unless there’s been a breach or repeated non-compliance. Double-check you’re actually required to have one. Some processors default to requesting more than actually required — push back politely and ask for the specific requirement.

What’s the difference between PCI compliance and being secure?

PCI DSS provides a baseline security standard — it’s the minimum, not the maximum. True security goes beyond compliance. Think of PCI as your security foundation. Build additional protections based on your specific risks and business needs.

Can I handle PCI compliance myself or do I need a consultant?

Most small businesses can handle their own compliance, especially with the right tools. You need a consultant or QSA only if you’re Level 1, had a breach, or have an unusually complex payment environment. Start with self-assessment — you can always get help later if needed.

How long do I need to keep PCI compliance documentation?

Keep all compliance documentation for at least three years. This includes completed SAQs, AOCs, ASV scan reports, and evidence of remediation. Your acquirer might require longer retention periods — check your merchant agreement.

Conclusion

That PCI compliance questionnaire doesn’t have to be intimidating. For most businesses, it’s a straightforward process of documenting the security measures you should have in place anyway. The key is understanding which SAQ type applies to your payment setup and answering the questions honestly.

Start by identifying your SAQ type — PCICompliance.com’s free SAQ Wizard makes this simple by asking about your payment methods and guiding you to the right questionnaire. Once you know your SAQ type, set aside a few hours to complete it, schedule your quarterly ASV scans if required, and submit everything to your payment processor.

Remember, PCI compliance protects both your business and your customers. The few hours you invest annually in compliance pale in comparison to the costs and headaches of a data breach or non-compliance fines. PCICompliance.com provides everything you need to achieve and maintain compliance — from our SAQ Wizard and ASV scanning service to our compliance dashboard that tracks your progress year-round. Whether you’re completing your first SAQ or managing compliance across multiple locations, we make the process as painless as possible. Start with the free SAQ Wizard to identify your requirements, or talk to our compliance team for guidance tailored to your specific situation.
