Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor, take a deep breath. For most Vietnam businesses accepting card payments, PCI compliance is simpler than it sounds — you’re likely looking at answering 20-40 yes/no questions once a year and running quarterly security scans. Yes, Vietnam PCI compliance is mandatory if you accept credit cards, but no, it doesn’t have to be overwhelming. This guide will show you exactly what you need to do.
The complexity of PCI compliance depends entirely on how you handle card payments. If you’re using modern payment terminals or hosted checkout pages, you’re already doing most of the work. If you’re storing card numbers in spreadsheets (please stop), you’ll have more work ahead. Either way, we’ll get you through this.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist that ensures businesses handle credit card data safely.
The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce compliance directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) enforces compliance. That’s who sent you the questionnaire, and that’s who can fine you for non-compliance.
Why should you care? Three reasons:
1. Fines from your processor — typically starting at $5,000 USD per month for non-compliance
2. Liability if there’s a breach — you could be responsible for fraudulent charges and card reissuance costs
3. Loss of card acceptance — persistent non-compliance can result in losing your ability to process cards
Here’s the good news: most small businesses qualify for the simplest SAQ (Self-Assessment Questionnaire) types, which take about an hour to complete. You’re not facing the same requirements as a major retailer storing millions of card numbers.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form — in person, online, over the phone, or even on paper — you need to be PCI compliant. This applies whether you process one transaction or one million.
Your merchant level determines how you demonstrate compliance:
| Annual Visa Transactions | Merchant Level | What’s Required |
|---|---|---|
| Over 6 million | Level 1 | Annual onsite assessment by QSA |
| 1-6 million | Level 2 | Annual SAQ, quarterly scans |
| 20,000-1 million | Level 3 | Annual SAQ, quarterly scans |
| Under 20,000 | Level 4 | Annual SAQ, may need quarterly scans |
Most small businesses are Level 4 merchants, which means you complete a self-assessment questionnaire annually. Your processor might also require quarterly vulnerability scans if you have any internet-facing systems.
That questionnaire your payment processor sent? It’s them fulfilling their obligation to the card brands to ensure their merchants are compliant. They’re required to validate your compliance annually, and they’ll keep sending reminders until you complete it.
Which SAQ Do You Need?
The SAQ decision tree can seem complex, but for most businesses it comes down to one question: how do you handle credit card data?
| How You Accept Payments | Your SAQ Type | Number of Questions |
|---|---|---|
| Redirect to payment gateway (PayPal, Stripe Checkout) | SAQ A | 22 |
| E-commerce with payment fields on your site | SAQ A-EP | 191 |
| Standalone terminals with dial-up/cellular | SAQ B | 41 |
| Standalone terminals on your network | SAQ B-IP | 82 |
| Virtual terminal or phone orders | SAQ C-VT | 84 |
| Card data touches your systems | SAQ D | 329+ |
Let’s make this concrete:
- Using Square or Clover terminals? You’re likely SAQ B or SAQ B-IP
- Shopify store with their checkout? That’s SAQ A
- WooCommerce with Stripe Elements? You’re looking at SAQ A-EP
- Taking orders over the phone? That’s SAQ C-VT territory
- Storing card numbers anywhere? You’re in SAQ D — time to reconsider your processes
The difference between 22 questions and 329 questions is massive. If you’re currently storing card data, moving to a tokenization service or virtual terminal could save you months of compliance work.
PCICompliance.com’s SAQ Wizard asks you five simple questions about your payment setup and tells you exactly which SAQ applies. No guessing, no reading through complex flowcharts.
How to Complete Your SAQ
Your Self-Assessment Questionnaire is exactly what it sounds like — a questionnaire where you assess your own security practices. Each question requires a yes or no answer, but “yes” means you actually do what the question asks, not that you plan to.
Here’s what the process looks like:
1. Download the correct SAQ from the PCI SSC website or use a compliance platform
2. Answer each question honestly — if you answer “no,” you’ll need to fix that issue
3. Gather supporting documentation — network diagrams, policies, scan reports
4. Complete the Attestation of Compliance (AOC) — a form stating you’ve completed the assessment
5. Submit to your acquirer — along with any required scans or documentation
The questions themselves are straightforward. For example, Requirement 2 asks if you’ve changed default passwords on all systems. Either you have or you haven’t. If you haven’t, you need to do it before marking “yes.”
For most SAQ types, you’ll also need quarterly ASV scans. An Approved Scanning Vendor runs automated security scans against your internet-facing systems looking for vulnerabilities. You’ll need four consecutive passing scans (one per quarter) to be compliant. The scan itself takes minutes, though fixing any issues found might take longer.
Your payment processor wants to see:
- Completed SAQ with all “yes” answers
- Signed Attestation of Compliance
- Passing ASV scans (if required)
- Evidence of completion in their compliance portal
What It Costs
Let’s talk real numbers. Vietnam PCI compliance costs vary based on your SAQ type and how you approach it:
Compliance Platform/Tools:
- Self-service SAQ tools: $100-300 USD/year
- Guided compliance platforms: $500-1,500 USD/year
- Full-service compliance management: $2,000-5,000 USD/year
ASV Scanning:
- Basic scanning service: $200-400 USD/year
- Scanning with remediation support: $500-1,000 USD/year
If You Need a QSA:
- Level 4 merchants rarely need a QSA unless specifically requested
- Level 1 onsite assessment: $15,000-50,000 USD
- SAQ validation by QSA: $2,000-5,000 USD
The Cost of NON-Compliance:
- Monthly fines: Starting at $5,000 USD
- Breach liability: $50-90 USD per compromised card
- Forensic investigation: $20,000+ USD
- Lost business during card processing suspension: Varies
For most small merchants, annual compliance costs less than a single month of non-compliance fines. A typical Level 4 merchant spends $500-1,000 USD annually on compliance — that’s less than most businesses spend on coffee.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done exercise. Your annual assessment is due every twelve months, with quarterly scans due every 90 days if you’re required to scan.
Here’s your compliance calendar:
- Quarterly: ASV scans due (if required)
- Annually: Complete SAQ and AOC
- Ongoing: Maintain the security practices you attested to
When do you need a new assessment?
- Changed payment processors
- Added new payment channels (started e-commerce, added phone orders)
- Significantly changed your payment processing setup
- Your processor requested an updated assessment
Set calendar reminders for:
- Quarterly scan due dates
- Annual SAQ renewal
- Security update schedules
- Password change requirements
PCICompliance.com’s compliance dashboard tracks all these dates automatically. You’ll get reminders before scans are due, alerts if vulnerabilities are found, and annual assessment notifications. No spreadsheets, no missed deadlines.
FAQ
My payment processor says I need to be PCI compliant by next month. Is that even possible?
Yes, absolutely. If you’re using modern payment methods (hosted checkout, encrypted terminals), you can complete your SAQ in an afternoon. Schedule your first ASV scan today — even if issues are found, showing progress toward compliance usually satisfies your processor while you remediate.
I only process a few transactions per month. Do I really need to comply?
Yes. PCI compliance applies to any business that accepts card payments, regardless of volume. However, as a small merchant, you’ll qualify for the simplest SAQ types, making compliance manageable.
What happens if I just ignore the compliance requirements?
Your processor will start with reminder emails, then move to monthly fines (typically $5,000+ USD), and ultimately can terminate your ability to accept card payments. Additionally, if a breach occurs, you’ll be liable for all associated costs without the protection compliance provides.
I use Shopify/Square/PayPal exclusively. Am I already compliant?
You’re mostly there, but not quite. These services handle the complex security requirements for you, but you still need to complete an annual SAQ (likely SAQ A) confirming you’re using them properly and following basic security practices like using strong passwords.
How do I know which SAQ type applies to my business?
Look at how credit card data flows through your business. If customers enter card data on someone else’s website, you’re SAQ A. If you have a terminal, you’re SAQ B or B-IP. If card data touches your computer systems, you’re looking at SAQ C or D. Use PCICompliance.com’s free SAQ Wizard for a definitive answer.
Can I just pay someone to handle all this for me?
Yes, many Qualified Security Assessors and compliance services offer managed compliance programs. For Level 4 merchants, expect to pay $2,000-5,000 USD annually for full-service compliance management. That said, most small merchants can handle compliance themselves with the right tools.
What’s the difference between a vulnerability scan and penetration testing?
ASV vulnerability scans are automated checks for known security issues — like spell-check for your network. Penetration testing involves security professionals actively trying to break into your systems. Most merchants only need ASV scans; penetration testing is required for SAQ D merchants and service providers.
My IT person says we’re secure. Isn’t that enough?
Being secure and proving compliance are different things. Your acquirer needs documented evidence of compliance through the official PCI process. Good security practices make compliance easier, but you still need to complete the formal assessment.
Conclusion
PCI compliance might seem daunting when that first questionnaire arrives, but for most Vietnam businesses, it’s a manageable annual task. You’re likely facing a short questionnaire and some automated scans — not the extensive audits that large retailers undergo.
Start by identifying your SAQ type. If you’re using modern payment tools and following basic security practices, you’re already doing most of what PCI requires. The questionnaire just documents what you’re doing.
PCICompliance.com simplifies the entire process. Our free SAQ Wizard identifies exactly which questionnaire you need in minutes. Our ASV scanning service handles your quarterly vulnerability scans automatically. Our compliance dashboard tracks your progress, sends reminders, and stores your documentation securely year after year. Whether you need basic tools or full compliance management, we’ll match you with the right solution for your business size and complexity.
Take that first step today — use our SAQ Wizard to identify your requirements, or talk to our compliance team about your specific situation. Most merchants complete their initial assessment within a week. Don’t let non-compliance fines eat into your profits when compliance is this straightforward.