PCI Compliance and Protecting Your Business

PCI DSS compliance protects your business, your customers, and your reputation. The rules can feel confusing, and the jargon does not help. Asking the right questions makes compliance easier to understand and faster to achieve.

Below are the most important questions every merchant should ask. Use them with your processor, your IT team, and your Qualified Security Assessor. The answers will guide your next steps and protect you from costly mistakes.

1. Which PCI DSS Version Applies to My Business Right Now?

PCI DSS 4.0.1 is the current standard. Version 3.2.1 was retired on March 31, 2024. All merchants must now meet the 4.0.1 requirements. Confirm with your processor that your compliance validation reflects the newest version.

You can review the official standard on the PCI Security Standards Council document library. The full framework is free to download.

2. What Merchant Level Am I, and What Does That Require?

Merchant levels are set by card brands based on yearly transaction volume. Your level decides what validation work is required. Levels range from 1 (highest volume) down to 4 (lowest volume).

  • Level 1: Over 6 million transactions per year. Requires an annual Report on Compliance from a QSA.
  • Level 2: 1 to 6 million transactions. Usually needs a Self-Assessment Questionnaire and sometimes a QSA review.
  • Level 3: 20,000 to 1 million e-commerce transactions. Requires a Self-Assessment Questionnaire.
  • Level 4: Under 20,000 e-commerce or up to 1 million total. Requires a Self-Assessment Questionnaire.

3. Which Self-Assessment Questionnaire (SAQ) Should I Use?

The SAQ that fits your business depends on how you accept cards. Picking the wrong SAQ can leave you out of compliance even if you answer all questions correctly.

  • SAQ A: For e-commerce merchants who fully outsource card data handling.
  • SAQ A-EP: For e-commerce merchants whose website affects payment security but does not store data.
  • SAQ B: For merchants using only imprint machines or standalone dial-out terminals.
  • SAQ B-IP: For standalone IP-connected payment terminals with no data storage.
  • SAQ C: For merchants with payment applications connected to the internet.
  • SAQ C-VT: For merchants using only virtual terminals on isolated computers.
  • SAQ D: For merchants that do not qualify for any other SAQ or that store card data.
  • SAQ P2PE: For merchants using a validated point-to-point encryption solution.
  • SAQ SPoC: For merchants using a validated Software-based PIN Entry on Commercial Off-the-Shelf (COTS) device solution.

4. How Is My Cardholder Data Actually Protected?

Ask your processor exactly how your customer card data is secured at every point. Data should be encrypted in transit and at rest. Tokenization should replace card numbers wherever possible.

Point-to-point encryption (P2PE) is the gold standard for card-present transactions. If you use P2PE, confirm the solution appears on the official PCI P2PE solutions list. Many processors claim encryption without using a validated solution.

5. Are My Systems Using Multi-Factor Authentication?

PCI DSS 4.0.1 requires multi-factor authentication (MFA) for all access into the cardholder data environment. This rule applies to staff, admins, and third parties. Passwords alone are no longer enough.

Ask your vendors if they use MFA on every admin account. Ask if MFA covers remote access, cloud panels, and local workstations that touch card data. Weak authentication is one of the most common breach causes.

6. How Often Are Vulnerability Scans and Penetration Tests Performed?

External vulnerability scans must be performed every three months by an Approved Scanning Vendor (ASV). Internal scans are required after significant system changes. Penetration testing is required at least once per year.

Ask your processor or IT team who handles these scans and how results are reported. Failed scans must be corrected and rescanned until a passing result is achieved. Keeping scan records in order is critical during any audit.

7. Who Has Access to Cardholder Data, and Why?

PCI DSS requires access to cardholder data on a strict need-to-know basis. Every employee account must be unique. Shared logins are not allowed anywhere that card data is processed.

Review who can reach cardholder data every quarter. Remove access the moment an employee changes roles or leaves the company. Audit logs must capture every access event and be kept for at least one year.

8. How Are We Logging and Monitoring Activity?

PCI DSS requires detailed logging of all actions within the cardholder data environment. Logs must be reviewed every day. Automated tools make daily review realistic for small teams.

Ask who reviews the logs and what happens when something unusual shows up. A log that is never read does not protect your business. Logs must be retained for at least one year with three months quickly available.

9. Do We Have a Written Incident Response Plan?

A written incident response plan is required under PCI DSS. The plan must cover detection, containment, eradication, and recovery. It also needs to name who is in charge during a breach.

Test the plan at least once per year. Many merchants discover gaps only after a real incident. Practicing ahead of time saves your data and your reputation.

10. How Does PCI Compliance Interact With My Third Parties?

Any service provider that touches card data must also be PCI compliant. That includes your processor, your gateway, your hosting provider, and any SaaS tool that handles transactions.

Request an Attestation of Compliance (AOC) from each vendor every year. Keep these on file. If a vendor cannot provide an AOC, you may be carrying their risk.

11. What Happens If My Business Has a Breach?

A breach brings fines, forensic investigation fees, card brand assessments, and required customer notifications. Costs can reach tens of thousands of dollars even for small merchants. Some businesses never recover.

Ask your processor about their breach response process and what support they offer. Consider data breach insurance to cover the worst case.

12. How Do We Stay Compliant Going Forward?

PCI compliance is not a once-a-year event. It is a continuous set of practices. Assign someone on staff to own compliance and schedule regular reviews of controls, access, and vendor status.

Train every employee who handles cards at least once per year. Review the official PCI DSS standard page for updates. New guidance is released regularly.

Common Merchant Mistakes to Avoid

Many small merchants assume their processor handles everything. PCI compliance is shared. The merchant is always responsible for their part of the environment.

Watch out for processors that push expensive PCI programs with hidden fees. Get credit card processing quotes from reputable processors. Ask for all PCI fees in writing.

For a deeper look at common confusion, see our guide to PCI compliance myths and misunderstandings. It covers misconceptions that trip up even experienced merchants.

Final Thoughts on PCI Compliance

Asking these questions will save you money, time, and stress. PCI compliance protects your customers and keeps your business running. Make compliance part of everyday operations, not an afterthought.

Need help identifying other risks? Read our articles on six ways hackers steal credit card data and POS system security flaws. Both pair well with the checklist above.