PCI Self-Assessment Questionnaire Person Image

PCI Self-Assessment Questionnaire

In order to find out if your business is PCI compliant, the first and most crucial step is to complete a PCI Self-Assessment Questionnaire. By following this process, you will determine whether your business is compliant. If not, there are established steps you can take to achieve regulatory compliance.

Get PCI certified

Click here for the PCI SAQ

What is PCI compliance?

Compliance simply means that your business meets the requirements established by the Payment Card Industry (PCI) Security Standards Council. The council is run by the five major credit card companies – Visa, MasterCard, Discover, American Express and JCB International – and is responsible for enforcing the PCI Data Security Standards (PCI DSS). In order to be in compliance, you must meet these standards.

What does being PCI Compliant Certified mean for your business?

If you are processing credit card payments (as well as debit cards, EBTs and other forms of electronic payment), your business needs to meet the standards for PCI compliance. If you are not in compliance, you’re putting your bottom line and your entire business at risk. While PCI compliance is mandated, it’s also just good sense – from both a security and a budgetary standpoint.

If you don’t meet the PCI standards for compliance and suffer a data breach, you could find yourself on the dark side, facing penalties ranging between $5,000 and $500,000. And while penalties can put a significant dent in the company coffers, they are nothing compared to the overall damage caused by noncompliance.

If your company falls out of compliance, you run the risk of losing your merchant account, which means you’ll be unable to accept credit cards. While that’s detrimental enough, you’ll also be placed in the Visa/MasterCard Terminated Merchant File, making you ineligible to obtain another merchant account for several years. The results can be devastating, irredeemably destroying your credibility, customer loyalty and, ultimately, your business.

How do I know if I’m PCI compliant?

The Security Standards Council has made compliance relatively simple, breaking it down into four basic levels.  Find out where you fit in by referencing the handy guide below.

Level 4

This level is for small businesses processing less than 20,000 eCommerce transactions and less than 1 million other transactions each year. Level 4 businesses are required to complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ).  Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

Level 3

The mid-sized companies at this level range between 20,000 and 1 million transactions annually. They must complete an annual risk assessment using the appropriate SAQ.  Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

Level 2

Companies at Level 2 conduct anywhere between 1 million and 6 million transactions annually. They must conduct a risk assessment each year, using the appropriate SAQ.  Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

Level 1

This is the level of major corporations and “big box” stores. Companies at this level have a minimum of 6 million transactions per year. They must have an annual internal audit conducted by a qualified PCI auditor. Quarterly PCI scans, administered by an approved scanning vendor, may also be required.

The information on this page is not intended to be a source of legal advice. Therefore, you should not rely on the information provided herein as legal advice for any purpose, and should always seek the legal advice of competent counsel in your jurisdiction.