Website Redesign PCI Impact
You’re planning a website redesign and wondering about the PCI compliance implications. Here’s the good news: if you’re already handling credit card payments correctly on your current site, a website redesign won’t make PCI compliance more complicated — and might actually be your opportunity to simplify it. The key is understanding how your payment setup affects your compliance requirements before you start the redesign process.
Bottom Line Up Front
Most businesses worry that a website redesign will trigger complex new PCI requirements. In reality, your compliance obligations depend on how you accept payments, not how your website looks. If you’re currently using a hosted payment page (like Stripe Checkout or PayPal), you’re likely completing the simplest SAQ type — and that won’t change with a redesign. If you’re handling card data directly on your site, a redesign is the perfect time to switch to a simpler, more secure payment method that reduces your compliance burden.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. If you accept credit cards in any form, these requirements apply to you.
The card brands formed the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Your acquirer (the bank or payment processor that handles your card transactions) is responsible for making sure you comply. They’re the ones who sent you that compliance questionnaire you’re trying to understand.
Why does this matter? Three reasons:
- Fines: Your payment processor can fine you for non-compliance (typically $5,000-$100,000 per month)
- Liability: If there’s a data breach and you weren’t compliant, you’re liable for the costs
- Card acceptance: Continued non-compliance means losing the ability to accept credit cards
Here’s what most small businesses don’t realize: PCI compliance is usually simpler than you think. The standards recognize that a local bakery with a Square terminal has very different security needs than Amazon. That’s why there are different SAQ (Self-Assessment Questionnaire) types — most small merchants qualify for the simplest ones.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. This includes:
- Physical card readers in your store
- Online payments on your website
- Phone orders where customers give you their card number
- Mail order forms with credit card fields
- Mobile card readers attached to phones or tablets
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing less than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants typically complete a self-assessment questionnaire rather than hiring an external assessor.
Your payment processor expects you to:
- Complete the appropriate SAQ annually
- If required, pass quarterly ASV (Approved Scanning Vendor) vulnerability scans
- Submit an AOC (Attestation of Compliance) confirming you meet all applicable requirements
That compliance questionnaire they sent? It’s their way of collecting this documentation. They need it to show the card brands that their merchants are protecting cardholder data.
Which SAQ Do You Need?
The type of SAQ you complete depends entirely on how you accept payments. During a website redesign, you have the opportunity to choose payment methods that simplify your compliance requirements.
| Payment Scenario | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect to payment provider (PayPal, Stripe Checkout) | SAQ A | 22 | Simplest |
| Payment iframe on your site (Stripe Elements, Authorize.net Accept.js) | SAQ A-EP | 139 | Moderate |
| Standalone terminals, no connected systems | SAQ B | 41 | Simple |
| Standalone terminals with IP connection | SAQ B-IP | 82 | Moderate |
| Phone/mail orders, no electronic storage | SAQ C-VT | 80 | Moderate |
| Any electronic storage or processing of card data | SAQ D | 329+ | Complex |
Let’s translate this into real website scenarios:
- E-commerce with hosted checkout: Your “Buy Now” button sends customers to Stripe, Square, or PayPal to enter payment info → SAQ A
- E-commerce with embedded payment fields: Payment form is on your site but uses tokenization (like Stripe Elements) → SAQ A-EP
- No online payments: Website is just for marketing; you only accept cards in-store via terminals → SAQ B or B-IP
- Taking orders by phone: Customers call to place orders; you enter cards into a virtual terminal → SAQ C-VT
- Storing card numbers: Your website saves card data for recurring billing or convenience → SAQ D (please reconsider this approach)
Not sure which applies to you? Use PCICompliance.com’s free SAQ Wizard — answer a few questions about your payment setup, and we’ll identify exactly which questionnaire you need.
Planning Your Redesign for Optimal PCI Compliance
A website redesign is the perfect opportunity to simplify your PCI compliance. Here’s how to approach it:
Before You Start:
- Document your current payment flow
- Identify which SAQ you’re currently completing
- List any payment-related pain points (security concerns, customer friction, compliance burden)
Design Decisions That Affect PCI:
- Payment method: Hosted pages (SAQ A) are simplest; embedded forms (SAQ A-EP) offer more design control
- Checkout flow: Single-page vs. multi-step doesn’t affect PCI if you’re redirecting for payment
- Account features: “Save my card” functionality dramatically increases your compliance scope
- Recurring payments: Let your payment provider handle token storage instead of storing cards yourself
Common Redesign Mistakes:
- Adding card storage features without understanding the compliance impact
- Choosing a payment plugin that brings card data into your environment
- Forgetting to update your network diagram and data flow documentation
- Not involving your payment processor in major payment flow changes
Typical Compliance Costs
Understanding the true cost of PCI compliance helps you make informed decisions during your redesign:
Basic Compliance (SAQ A, A-EP, B):
- SAQ completion tools: $200-500/year
- Quarterly ASV scanning (if required): $200-400/year
- Total annual cost: $200-900
Moderate Compliance (SAQ C-VT, complex B-IP):
- SAQ completion and tracking: $500-1,000/year
- Quarterly ASV scanning: $400-800/year
- Security awareness training: $200-500/year
- Total annual cost: $1,100-2,300
Complex Compliance (SAQ D):
- Compliance management platform: $2,000-5,000/year
- Quarterly ASV scanning: $800-2,000/year
- Annual penetration testing: $5,000-15,000
- Potential QSA assessment: $15,000-50,000
- Total annual cost: $22,800-72,000+
The Cost of Non-Compliance:
- Monthly processor fines: $5,000-100,000
- Breach costs if non-compliant: $50,000-500,000+
- Loss of card processing ability: Incalculable
For most small merchants, annual compliance costs less than a single month’s non-compliance fine.
Making the Switch During Your Redesign
If you’re currently dealing with a complex SAQ type, your website redesign is the ideal time to simplify:
From SAQ D to SAQ A:
- Stop storing card numbers
- Implement a hosted payment page
- Use your processor’s customer vault for recurring billing
- Archive old card data according to retention policies
From SAQ C-VT to SAQ A-EP:
- Replace phone orders with “pay by link” emails
- Implement online ordering to reduce call volume
- Use a cloud-based virtual terminal instead of desktop software
Improving SAQ A-EP Security:
- Ensure payment iframes load from PCI-compliant providers
- Implement Content Security Policy headers
- Use subresource integrity for third-party scripts
- Monitor for formjacking attacks
Staying Compliant After Your Redesign
PCI compliance isn’t a one-time checkbox — it’s an ongoing responsibility. Your redesigned website needs:
Annual Requirements:
- Complete your SAQ questionnaire
- Submit your AOC to your payment processor
- Review and update security policies
- Train staff on security procedures
Quarterly Requirements:
- Run ASV vulnerability scans (if applicable)
- Review firewall rules and configurations
- Check for security updates and patches
- Verify no unauthorized payment changes
Ongoing Monitoring:
- Set calendar reminders for compliance deadlines
- Document any payment flow changes
- Keep your network diagram updated
- Maintain your compliance evidence
PCICompliance.com’s compliance dashboard automates these reminders and tracks your progress throughout the year, ensuring you never miss a deadline.
FAQ
My web developer says they’ll make my site “PCI compliant.” Is that enough?
No, PCI compliance is your responsibility as the merchant, not your developer’s. While a good developer can implement secure payment methods that reduce your compliance scope, they can’t complete your SAQ or ensure you meet all applicable requirements. You need to understand your obligations and complete the annual assessment yourself.
We’re switching from PayPal to Stripe during our redesign. Does this affect our PCI compliance?
If you’re using Stripe Checkout (full redirect), you’ll likely stay at SAQ A — the simplest level. If you’re implementing Stripe Elements (payment fields on your site), you’ll move to SAQ A-EP, which has more requirements but is still manageable. Both are reputable, PCI-compliant providers.
Our new site will save cards for repeat customers. What does this mean for PCI?
Storing card data puts you in SAQ D territory — the most complex compliance level with 300+ requirements. Instead, use your payment processor’s tokenization or customer vault features. You can offer the same convenience without the massive compliance burden.
Do we need to pause our website redesign to get PCI compliant first?
Actually, your redesign is the perfect time to address PCI compliance properly. Design your new payment flow with compliance in mind from the start. It’s much easier than retrofitting security controls after launch.
How do we know if our payment gateway choice affects our SAQ type?
The key question: where do customers enter their card details? If they’re redirected to the gateway’s site, you’re in SAQ A; if payment fields are embedded on your site, SAQ A-EP; if card data touches your server, SAQ D. Your gateway should clearly document which integration methods support which SAQ types.
We only update our website once every few years. How does this affect PCI compliance?
PCI compliance is annual regardless of website changes. Even if your site doesn’t change, you must complete your SAQ yearly, run quarterly scans if required, and maintain security controls. Major updates like redesigns are a good time to reassess and potentially simplify your approach.
Our marketing agency wants analytics tracking on our checkout page. Is this allowed?
Yes, but be extremely careful about what data you track. Never allow analytics scripts to capture card numbers or security codes. If you’re using SAQ A (redirect), analytics on your site don’t affect the payment page. For SAQ A-EP (embedded), ensure analytics scripts can’t access payment iframes.
What happens to our old PCI documentation after the website redesign?
Keep it for at least one year after your redesign as evidence of previous compliance. Update all documentation to reflect your new payment flow: network diagrams, data flow diagrams, policies, and procedures. Your next assessment should clearly show the change in payment methods if applicable.
Conclusion
A website redesign doesn’t have to complicate your PCI compliance — in fact, it’s often your best opportunity to simplify it. The key is understanding how different payment methods affect your requirements and choosing the approach that balances customer experience with security simplicity.
Most businesses discover they can offer the same payment convenience with far less compliance burden by using modern payment providers and hosted checkout pages. If you’re currently struggling with complex requirements because you store card data or use outdated payment methods, your redesign is the perfect time to modernize.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need based on your new payment setup, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to see how your redesigned payment flow affects your compliance requirements, or talk to our compliance team about the best approach for your specific situation.