Wix Payments PCI Compliance
Bottom Line Up Front
Relax. If you’re reading this because your payment processor just sent you a PCI compliance questionnaire that looks like it was written in another language, you’re not alone. For most small businesses using Wix Payments, PCI compliance is actually simpler than you think — often just answering some yes/no questions about how you handle credit cards and running a quarterly security scan. Here’s what you actually need to know to get compliant and stay that way.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands (Visa, Mastercard, American Express, Discover and JCB) to protect cardholder data. Think of it as a security checklist that ensures businesses handle payment card data safely wherever they store, process or transmit it.
The card brands created an organization called the PCI Security Standards Council (PCI SSC) to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank that processes your card payments) or payment processor enforces compliance. That’s who sent you that questionnaire.
Here’s why it matters: If you’re not compliant, your payment processor can fine you monthly (typically $20-100 for small merchants, but potentially much more). Worse, if there’s a data breach and you weren’t compliant, you could be liable for fraud losses and investigation costs that can reach hundreds of thousands of dollars. In extreme cases, you could lose your ability to accept credit cards entirely.
The good news: Most small businesses qualify for the simplest compliance requirements. If you’re using modern payment tools like Wix Payments, Square, or Stripe, you’re already outsourcing most of the heavy security lifting to companies that specialize in it.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form — online, in-person, over the phone, even if it’s just one transaction per year — yes, you need to be PCI compliant.
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means you can self-assess your compliance using a questionnaire rather than hiring an outside auditor.
Your payment processor expects you to:
- Complete an annual Self-Assessment Questionnaire (SAQ)
- Run quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) if your SAQ type requires them (SAQ A-EP, B-IP, C and D do; SAQ A and B do not)
- Submit an Attestation of Compliance (AOC) confirming you’ve met the requirements
That compliance questionnaire they sent? It’s their way of saying “prove to us you’re handling card data safely so we don’t get in trouble with Visa and Mastercard.” It’s not optional — ignoring it will eventually result in monthly fines added to your processing statements.
Which SAQ Do You Need?
The PCI compliance world has different SAQs based on how you accept and process payments. Think of them like tax forms — you need to pick the right one for your situation. Here’s the decision tree in plain language:
| How You Take Payments | SAQ Type | Complexity (question count, v3.2.1 forms) | Typical Time |
|---|---|---|---|
| Redirect to a processor-hosted payment page, or card fields delivered in an iframe the processor serves (PayPal hosted checkout, Stripe Checkout, Stripe Elements) | SAQ A | Simplest (22 questions) | ~30 minutes |
| Card form served from your own web page that posts directly to the processor (direct post, or your JavaScript builds the fields) | SAQ A-EP | Simple (191 questions) | 1-2 hours |
| Standalone card terminal only (Square Reader, Clover): dial-out terminals use SAQ B, IP-connected terminals SAQ B-IP | SAQ B or B-IP | Moderate (41 or 82 questions) | 1 hour |
| Key phone or mail orders into a web-based virtual terminal on an isolated computer | SAQ C-VT | Moderate (79 questions) | 1-2 hours |
| Payment application installed on an internet-connected computer in your business | SAQ C | Complex (160 questions) | 2-3 hours |
| Store card numbers, or nothing above fits | SAQ D | Most complex (329 questions) | Days/weeks |
Question counts are from the PCI DSS v3.2.1 questionnaires; the v4.0 forms renumber and change them, so expect different totals on a current form. The choice between SAQ A and SAQ A-EP turns on who delivers the card-entry fields to the shopper's browser: if the processor serves them (hosted page or iframe), it is SAQ A; if your own page serves the form, it is SAQ A-EP; if your own server ever receives the card number, neither applies and you are in SAQ D.
For Wix Payments users specifically:
- If your Wix checkout delivers the card fields from Wix or its processor, in a hosted page or an iframe they control, with no card field rendered by a page you edit → SAQ A
- If a page you control renders the card form or runs script that builds it → SAQ A-EP; confirm with Wix or your acquirer which SAQ they will accept, because the acquirer decides what it requires
- If you also key phone orders into a virtual terminal → that channel falls under SAQ C-VT, and your acquirer will tell you whether to file it alongside your e-commerce SAQ
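A quick way to see which side of the SAQ A / SAQ A-EP line a checkout page falls on is to look at where its card-entry fields come from. The inspector below is an added example written for this article, not code from Wix, any processor or this site. It parses a constructed checkout page with Python's standard `html.parser`, records card inputs, processor iframes, the origin each form posts to and every third-party script, and applies the rule from the table above: card fields only inside an iframe from the processor's origin → SAQ A; card fields rendered by the merchant's page that post straight to the processor → SAQ A-EP; card fields that post back to the merchant's own server → SAQ D. The `SHOP` and `PROCESSOR` origins, the three sample pages and the `classify_checkout` helper are hypothetical. The third-party script list it returns is a starting point for PCI DSS v4 requirement 6.4.3 (inventory and justification of scripts on the payment page), which SAQ A-EP includes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical origins for the constructed sample pages below (not real Wix or processor hosts).
SHOP = "https://www.example-shop.com"
PROCESSOR = "https://pay.example-processor.com"

# Attribute values that mark an <input> as a card-data field.
CARD_AUTOCOMPLETE = {"cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}
CARD_NAME_HINTS = ("cardnumber", "card_number", "ccnumber", "cvv", "cvc", "expiry")


def origin_of(url, page_origin):
    """Return scheme://host of an absolute URL; relative URLs resolve to the page's own origin."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else page_origin


class PaymentPageInspector(HTMLParser):
    """Collect card inputs, processor iframes, form targets and script origins from checkout HTML."""

    def __init__(self, page_origin, processor_origin):
        super().__init__()
        self.page_origin = page_origin
        self.processor_origin = processor_origin
        self._form_target = None        # origin the currently open <form> posts to
        self.card_inputs = []           # (field name, origin its form posts to)
        self.processor_iframes = []     # src of iframes served from the processor
        self.script_origins = set()     # origins of external <script src=...>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form_target = origin_of(a.get("action", ""), self.page_origin)
        elif tag == "input":
            autocomplete = a.get("autocomplete", "").lower()
            name = (a.get("name") or a.get("id", "")).lower()
            if autocomplete in CARD_AUTOCOMPLETE or any(h in name for h in CARD_NAME_HINTS):
                self.card_inputs.append((name or autocomplete, self._form_target or self.page_origin))
        elif tag == "iframe":
            if origin_of(a.get("src", ""), self.page_origin) == self.processor_origin:
                self.processor_iframes.append(a.get("src", ""))
        elif tag == "script" and a.get("src"):
            self.script_origins.add(origin_of(a["src"], self.page_origin))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_target = None


def classify_checkout(html, page_origin=SHOP, processor_origin=PROCESSOR):
    """Map what the page serves to the SAQ type the table above would put it in."""
    insp = PaymentPageInspector(page_origin, processor_origin)
    insp.feed(html)
    if insp.card_inputs:
        # The merchant's page renders the card fields. If any form carrying them posts back to
        # the merchant's own origin, the merchant receives card numbers: SAQ D, not A or A-EP.
        if any(target == page_origin for _, target in insp.card_inputs):
            saq = "SAQ D"
        else:
            saq = "SAQ A-EP"
    elif insp.processor_iframes:
        saq = "SAQ A"          # card fields live only inside an iframe served by the processor
    else:
        saq = "undetermined"   # no card entry on this page at all
    third_party = sorted(o for o in insp.script_origins if o not in (page_origin, processor_origin))
    return {
        "saq": saq,
        "card_inputs": [field for field, _ in insp.card_inputs],
        "processor_iframes": len(insp.processor_iframes),
        "third_party_scripts": third_party,   # candidates for the 6.4.3 script inventory
    }


# Constructed sample pages (not real Wix or processor markup).
HOSTED_IFRAME_PAGE = f"""<html><body>
<script src="{PROCESSOR}/v1/checkout.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<form id="pay"><input name="email" type="email">
  <iframe src="{PROCESSOR}/card-fields?session=abc123"></iframe>
  <button>Pay</button></form>
</body></html>"""

DIRECT_POST_PAGE = f"""<form action="{PROCESSOR}/charge" method="post">
  <input name="cardnumber" autocomplete="cc-number">
  <input name="exp" autocomplete="cc-exp">
  <input name="cvc" autocomplete="cc-csc">
</form>"""

MERCHANT_POST_PAGE = """<form action="/checkout/submit" method="post">
  <input id="card_number"><input id="cvv">
</form>"""

if __name__ == "__main__":
    for label, page in [("hosted iframe", HOSTED_IFRAME_PAGE),
                        ("direct post", DIRECT_POST_PAGE),
                        ("posts to merchant", MERCHANT_POST_PAGE)]:
        print(f"{label}: {classify_checkout(page)}")
```

Run it against a saved copy of your real checkout page (view-source, not the rendered DOM, since script-injected fields will not appear in the static HTML) and treat the result as a prompt for the conversation with your acquirer, not as the attestation itself: the acquirer decides which SAQ it will accept.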
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.
How to Complete Your SAQ
The questionnaire itself is less scary than it looks. Each question asks whether a specific security practice is in place, and you answer Yes, Yes with CCW (a compensating control you document on a worksheet), No, or N/A with a short justification. Here's what to expect:
What “Yes” Actually Means:
When a question asks “Do you have a firewall?” and you answer yes, you’re stating that you’ve implemented that security control. You don’t need perfection — you need to honestly assess whether you meet each requirement.
Documentation You’ll Need:
- Your network diagram (even a simple sketch works for small businesses)
- List of who has access to payment systems
- Any security policies you have (don’t panic if you don’t have formal ones yet)
- Results from your vulnerability scans
The Quarterly ASV Scan:
If your SAQ type includes the external scan requirement (SAQ A-EP, B-IP, C and D do; SAQ A does not), you need quarterly vulnerability scans of your internet-facing systems from an Approved Scanning Vendor (ASV). The scan targets the public IP addresses and hostnames in your scope, so if your whole site is hosted by Wix, ask your processor what they expect you to scan. The ASV checks for security holes visible from the internet, and the scan passes only when nothing it finds scores CVSS 4.0 or higher (roughly medium severity and up). Schedule it, let it run, fix what it flags, rescan, and you're done.
Submitting Your Compliance:
Once you’ve answered all questions and passed your scans:
1. Review your answers (the platform will flag any inconsistencies)
2. Generate your Attestation of Compliance (AOC)
3. Submit to your payment processor through their portal or email
The whole process typically takes a few hours for most small merchants — not the weeks you might have feared.
What It Costs
Let’s talk real numbers so you can budget appropriately:
Compliance Platform and Tools:
- Basic SAQ tools: Free to $30/month
- Full compliance platforms: $50-200/month
- Enterprise solutions: $500+/month
Quarterly ASV Scanning:
- Standalone scanning: $100-300/year
- Bundled with compliance platform: Often included
- Remediation help if scans fail: $50-150/hour
If You Need a QSA:
Most Level 4 merchants don’t need a Qualified Security Assessor (QSA), but if you do:
- Small merchant assessment: $5,000-15,000
- Full Level 1 ROC: $30,000-100,000+
The Cost of NON-Compliance:
- Monthly non-compliance fees: $20-100, added to every statement until you're compliant
- Breach costs if not compliant: $50,000-500,000+
- Lost ability to process cards: Devastating for most businesses
Reality check: For most small merchants using modern payment tools, annual compliance costs less than a single non-compliance fine. It’s genuinely cheaper to be compliant than not.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track:
Annual Requirements:
- Complete your SAQ once per year
- Update it if your payment setup changes significantly
- Renew your attestation with your processor
Quarterly Requirements:
- Run ASV scans every 90 days (set calendar reminders)
- Review and remediate any failing scan results
- Keep scan reports for your records
What Triggers a New Assessment:
- Changing payment processors
- Adding new payment channels (like phone orders)
- Starting to store card data (please don’t)
- Major changes to your network or systems
PCICompliance.com’s compliance dashboard tracks all these deadlines for you, sending reminders before scans are due and alerting you if your compliance status changes. No more scrambling when your processor asks for updated documentation.
FAQ
Q: I only process a few transactions per month. Do I still need to comply?
A: Yes, even one transaction per year means you need to be PCI compliant. The good news is that your low volume means you qualify for the simplest compliance path.
Q: What happens if I just ignore the compliance questionnaire?
A: Your processor will start adding non-compliance fees to your monthly statements (typically $20-100/month). Eventually, they can terminate your ability to accept cards.
Q: Is PCI compliance the same as being secure?
A: PCI DSS is a solid security baseline, but it’s not comprehensive security. Think of it as the minimum required to safely handle payment cards. Many businesses use PCI as a starting point for broader security improvements.
Q: Can I just say “yes” to everything on the questionnaire?
A: Absolutely not. False attestation is fraud and can result in massive fines and liability if there’s a breach. Answer honestly — if you can’t say yes, that’s a control you need to implement.
Q: Do I need to hire a security consultant?
A: Most small merchants don’t need outside help beyond a compliance platform and ASV scanning service. If you’re SAQ A or A-EP, you can typically handle it yourself with the right tools.
Q: How long does the ASV scan take?
A: The scan itself runs in minutes to hours depending on how many hosts and services are in scope. Getting clean results might take longer if you need to fix vulnerabilities; budget a few days for remediation if issues are found.
Q: What if my website fails the vulnerability scan?
A: Don't panic, it's common for first scans to find issues. The scan report lists what needs fixing, usually outdated software, weak TLS configuration or exposed services. An ASV scan fails on any finding with a CVSS score of 4.0 or higher, so you have to clear the medium-severity findings as well as the highs and criticals (or give the ASV evidence that a finding is a false positive), then rescan to pass.
Q: Is PCI compliance different from GDPR or other privacy laws?
A: Yes, PCI DSS is specifically about payment card security, while GDPR covers broader personal data privacy. You might need to comply with both, but they’re separate requirements with different focuses.
Conclusion
PCI compliance might have seemed overwhelming when that questionnaire first landed in your inbox, but now you know the truth: for most small businesses, especially those using modern payment platforms like Wix Payments, it’s a manageable process that protects both you and your customers.
The key is picking the right SAQ type for your business, answering the questions honestly, and keeping up with quarterly scans if required. It’s not about perfect security — it’s about meeting the baseline requirements that keep payment card data safe.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll spend less time worrying about compliance and more time running your business. Start with our free SAQ Wizard to identify your questionnaire type in minutes, or talk to our compliance team if you need guidance getting started.
Remember: staying compliant is always easier (and cheaper) than trying to catch up after you’ve fallen behind. Take that first step today — your future self will thank you when those compliance reminders arrive next year and you’re already prepared.