FAQ

PCI DSS Questions, Answered Plainly

No acronym soup. No "it depends" without an explanation. Real answers to the questions we hear most often from businesses navigating PCI DSS compliance for the first time.

PCI DSS Basics

If your business accepts, processes, stores, or transmits credit or debit card data in any form, PCI DSS applies to you. This includes businesses of all sizes — from single-location retailers to large enterprises. The scope and complexity of your obligations depend on your transaction volume and on how cardholder data moves through your environment, but the requirement to comply is not size-dependent.

The cardholder data environment is the set of people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data — as well as any systems that could impact the security of that data. Defining your CDE accurately is the first and most critical step in a PCI DSS compliance program, because it determines which requirements apply to which systems.

Using a third-party payment processor reduces your PCI DSS scope but rarely eliminates your obligations entirely. Your responsibility depends on how your systems interact with the payment process — specifically, whether cardholder data touches your environment before it reaches the processor. Even businesses that use fully hosted payment pages may have scope under PCI DSS depending on how their website is built. Don't assume you're out of scope without verifying it.

Merchants are categorized into four levels based on annual transaction volume:

Level 1: Over 6 million Visa or Mastercard transactions annually — requires annual QSA audit and quarterly ASV scans.

Level 2: 1–6 million transactions — annual SAQ (or QSA audit at acquirer's discretion) and quarterly ASV scans.

Level 3: 20,000–1 million e-commerce transactions — annual SAQ and quarterly ASV scans.

Level 4: All other merchants — annual SAQ and quarterly ASV scans (requirements may vary by acquirer).

Your payment brand (Visa, Mastercard, etc.) and your acquiring bank ultimately determine which level applies to your business and what validation is required.

Assessments & Audits

A Qualified Security Assessor (QSA) is a PCI SSC-certified individual or company that conducts formal PCI DSS audits and produces official documentation like Reports on Compliance (ROC). QSA audits are required for Level 1 merchants and sometimes Level 2. Operatiqs is not a QSA firm.

We provide compliance support: readiness assessments, gap analysis, vulnerability scanning support, SAQ guidance, and remediation planning. Our work is designed to prepare businesses for formal assessments — so you arrive knowing what to expect rather than discovering problems during the audit itself.

A readiness assessment is a pre-audit review of your compliance posture against PCI DSS requirements. It identifies gaps, maps your cardholder data environment, and gives you a prioritized list of what needs to be addressed before a formal assessment or SAQ submission. Many businesses skip this step and discover their gaps during the formal audit — which is a much more expensive and stressful way to find out. See our PCI DSS Readiness Assessment page for more detail.

SAQs

A Self-Assessment Questionnaire (SAQ) is the document most small and mid-sized merchants use to annually validate PCI DSS compliance. There are nine SAQ types — A, A-EP, B, B-IP, C, C-VT, D (Merchant), D (Service Provider), and P2PE. The correct type depends on your payment environment: how you accept payments, whether you store card data, whether you use physical terminals, and how your website is built.

Choosing the wrong SAQ type is a common mistake. It can mean you're certifying compliance against incomplete requirements — which creates real liability. See our SAQ Guidance page for a full breakdown by type.

SAQs are typically submitted annually to your acquiring bank. Your acquirer sets the specific deadline and process for submission. Some acquirers also require quarterly ASV scan reports to be submitted alongside the SAQ.

Vulnerability Scans

An Approved Scanning Vendor (ASV) scan is an external vulnerability scan that must be conducted quarterly by a vendor approved by the PCI Security Standards Council. It scans your public-facing IP addresses for known vulnerabilities. Most merchants at all levels are required to conduct quarterly ASV scans. A scan must achieve a passing status — no vulnerabilities with a CVSS score of 4.0 or higher — before your compliance can be validated. Operatiqs is not an ASV; we help you understand, interpret, and act on your scan results.

A failed ASV scan means your external scan identified one or more vulnerabilities with a CVSS score of 4.0 or higher that must be addressed before you can demonstrate compliance. The first step is understanding which findings are actually failing (versus informational) and what each one means. Not all failures are equally complex to address. Operatiqs can review your scan report, explain the findings, and build a prioritized remediation plan. See our Vulnerability Scanning Support page.
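The two answers above describe the pass/fail rule (any finding at CVSS 4.0 or higher fails the scan) and the first remediation step (separating failing findings from informational ones). The following Python script, added here as an illustration and not part of the original page or of any ASV's tooling, applies that rule to a constructed set of scan findings and orders the failing ones for a remediation plan; the hosts, ports and titles are hypothetical sample data.

```python
# Added example (not from the original page): triage of a constructed ASV
# result set using the rule the page states, namely that any finding with a
# CVSS score of 4.0 or higher causes the quarterly scan to fail.
from dataclasses import dataclass

FAIL_THRESHOLD = 4.0  # CVSS score at or above which a finding is a failing finding


@dataclass(frozen=True)
class Finding:
    host: str    # public-facing IP address that was scanned
    port: int
    title: str
    cvss: float  # CVSS score as reported by the scanning vendor


def is_failing(finding: Finding) -> bool:
    """A finding fails the scan when its CVSS score is 4.0 or higher."""
    return finding.cvss >= FAIL_THRESHOLD


def triage(findings):
    """Split findings into failing and informational, and order the failing
    ones so the highest-severity items surface first in the remediation plan."""
    failing = sorted((f for f in findings if is_failing(f)),
                     key=lambda f: (-f.cvss, f.host, f.port))
    informational = [f for f in findings if not is_failing(f)]
    status = "FAIL" if failing else "PASS"
    return status, failing, informational


def hosts_to_remediate(findings):
    """Hosts that must be fixed before the scan can pass, worst score first."""
    worst = {}
    for f in findings:
        if is_failing(f):
            worst[f.host] = max(worst.get(f.host, 0.0), f.cvss)
    return sorted(worst, key=lambda h: -worst[h])


# Constructed sample report (hypothetical hosts and findings, not real scan output).
SAMPLE = [
    Finding("203.0.113.10", 443, "TLS 1.0 enabled", 5.3),
    Finding("203.0.113.10", 443, "Server banner reveals version", 0.0),
    Finding("203.0.113.11", 22, "SSH weak MAC algorithms", 3.7),
    Finding("203.0.113.12", 80, "Outdated web server with known RCE", 9.8),
]

if __name__ == "__main__":
    status, failing, info = triage(SAMPLE)
    print(status, [f.title for f in failing], [f.title for f in info])
```

Running it prints FAIL with the two failing findings ordered by score, while the 3.7 and 0.0 findings are reported as informational and do not block a passing status.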

Compliance Consequences

Non-compliance consequences are primarily enforced through your acquiring bank and payment brands rather than through a government agency. Consequences can include monthly non-compliance fees from your acquirer, increased transaction processing fees, and in the event of a breach, significant fines and liability — particularly if a forensic investigation determines your environment was out of compliance at the time of the incident. The cost of a breach for a non-compliant merchant is substantially higher than the cost of achieving compliance.

No. PCI DSS is not a law; it is a contractual requirement established by the major payment card brands (Visa, Mastercard, American Express, Discover, JCB) through the PCI Security Standards Council. When you sign a merchant agreement with your acquiring bank, you typically agree to comply with PCI DSS as a contract condition. Separate state data breach and privacy laws may also apply to your business depending on your state and the type of data you handle — but those are distinct from PCI DSS.

Most small and mid-sized businesses do not need a full-time compliance hire. What they need is a structured process, the right guidance, and someone to stay accountable to their annual compliance cycle. That's precisely what fractional compliance support — like what Operatiqs provides on a Corp-to-Corp basis — is designed to address. You get the expertise without the overhead of a full-time role.

Still Have Questions?

A 30-Minute Call Answers Most of Them

PCI DSS compliance is more straightforward once someone explains what actually applies to your specific environment. That's what the discovery call is for.