Completing your PCI Self-Assessment Questionnaire (SAQ) is an important step in meeting industry security requirements for handling customer card data.
This guide provides step-by-step instructions on how to complete your SAQ directly within your Helcim account.
If you'd first like a refresher on what PCI compliance is all about and why it matters, you can find more information here: What is PCI compliance?
How you'll know it's time to complete your SAQ
You'll know it's time to complete or renew your PCI compliance when you see a notification in the account updates section on your Helcim account home page.
For new Helcim merchants: You generally have 90 days from when your account is approved to complete your first SAQ.
For annual renewals: PCI compliance is an ongoing, annual requirement. You’ll be able to access the renewal questionnaire once you are less than 90 days away from your current PCI compliance expiring. The notification in your account updates section will prompt you when this renewal period begins.
Finding the PCI compliance section in your account
This is where your PCI compliance journey with Helcim begins.
Log in to your Helcim account.
Click on All Tools.
Select My Business.
On the left-hand side menu, click on Security and Compliance.
On this page, you can learn more about PCI Compliance, see why it is important, and view your current compliance status (e.g. "Compliant," "Not Compliant," or when it's valid until).
Starting a new questionnaire or renewing your compliance
Depending on whether this is your first time or your annual renewal, and depending on which payment products you use, the steps are slightly different.
For new merchants
Your status will likely show as "Not Compliant".
Click the PCI DSS tile to begin. Remember, you generally have 90 days from your account approval to do this the first time.
If you see an option to ‘Answer a few questions’: Great! Select it, and continue following the steps in this guide.
If you only see an option for a manual submission: This means your specific business setup requires a manual compliance process. Don't worry, we have a guide just for you! Please switch to: Manually submitting your PCI compliance.

Scenario 1: Answer a questionnaire
For renewing your annual compliance
You'll be able to renew once you are less than 90 days away from your current PCI compliance expiring.
You should see a prompt to Renew Compliance on the Security and Compliance page. Click the PCI DSS tile to start the renewal process.
If you see an option to ‘Answer a few questions’: Select it, and continue following the steps in this guide.
If you only see an option for a manual submission: This means your specific business setup requires a manual compliance process. Don't worry, we have a guide just for you! Please switch to: Manually submitting your PCI compliance.

Scenario 1: Answer a questionnaire
Understanding the questions: How Helcim tailors your SAQ
If you are now seeing Helcim's online questionnaire, here's what to understand about the questions presented:
The questions you see are specifically generated based on how you use Helcim to process payments.
Helcim automatically determines the Self-Assessment Questionnaire (SAQ) type(s) that apply to you based on the Helcim payment products you've recently used (like Online Checkout, the Helcim POS App, Virtual Terminal, etc.).
The Helcim portal questionnaire supports several common SAQ types, including SAQ A, SAQ C, and SAQ C-VT.
If you use multiple Helcim tools that fall under different SAQ requirements, our system combines the necessary questions into a single, streamlined questionnaire for you, and then generates multiple SAQ reports for your records. This is much simpler than having to fill out multiple separate forms.
Some specific integrations, like Helcim.js (WooCommerce) or Helcim API, have the SAQ A-EP or SAQ D types, respectively. These particular SAQ types cannot be completed through our automated online questionnaire. If this applies to you, you'll need to complete your PCI compliance manually via the PCI Security Standards Council website and upload the documentation to your dashboard.

An example SAQ (your actual questions may vary)
Tips for answering the questionnaire
Work through the questionnaire thoughtfully.
Read each question carefully. The questionnaire is a self-assessment of your business's security practices.
Answer all questions honestly based on your current operations.
If you need more clarity on a specific question, click the i (information) icon located on the right-hand side of that question for a more detailed explanation.
Optional: Towards the bottom of the questionnaire, you might see an optional section to list Third Party Vendors. This is relevant if you use external IT providers or other vendors who manage parts of your card processing environment on your behalf. You can add up to nine such vendors if applicable. If you don't use any, you can skip this.
Examples of when you might list a ‘Third Party Vendor’
This section could apply if you use services such as:
An external IT support company that helps manage your computer network, Wi-Fi, or the devices you use for processing payments.
A separate Point of Sale (POS) system provider who installs and maintains your POS equipment and its payment software.
A web developer or agency if they are responsible for the security of your e-commerce website, especially how it handles redirection to payment pages.
If you manage all these aspects of your business yourself, or if your services are directly with primary providers (like Helcim for your payment processing itself), you likely don't need to list any vendors here.
Submitting your completed SAQ
Once you've answered all the questions:
Review your answers one last time.
Click the Submit Compliance button at the top of the page.
You should then see your new compliance status updated on the Security and Compliance page, along with the date it's valid until.
What to do if your business operations change
If how you accept credit cards or other significant parts of your business operations change during the year, your SAQ responses might no longer be accurate.
In this scenario, you may need to manually submit PCI compliance again before your renewal is triggered. Here’s how:
Return to the Security and Compliance page.
Click on the PCI DSS tile.
This will say ‘Compliant until X date’ if you’ve already done the SAQ before.
Manually submit or upload your compliance documentation
Upload files: Select the compliance file from your device.
Compliance type: Use the drop-down menu to select your SAQ type.
Your business name: This should be auto-populated with your business name.
Your name: This should be auto-populated with the owner’s name.
Your title: This should be auto-populated with the title entered in your account settings.
Once done, click Submit Compliance.
Remember, if your account was identified for manual submission from the outset due to your SAQ type (like A-EP or D), our dedicated guide on submitting your PCI compliance manually provides the most tailored instructions for your initial submission.
Next steps
Once you've submitted your SAQ, your compliance status in your Helcim account will update. We'll cover more about what happens after submission, including your compliance documents, in this article: Accessing your PCI compliance report.
Need to manually submit because of your business type? Visit this article: Manually submitting your PCI compliance.
Remember that PCI compliance is an annual requirement, so you'll need to renew it each year.
FAQs
How long will it take me to complete the questionnaire?
The questionnaire is streamlined, but the time can vary depending on your business and the specific questions you need to answer. For most, it might take anywhere from 5 to 10 minutes. The most important thing is to answer accurately, not to rush.
I'm stuck on a question about my business practices. Can Helcim tell me how to answer it?
While our support team can help you navigate the questionnaire tool itself within your Helcim account, we can't advise you on the specifics of your business operations or tell you how to answer questions about your unique security practices.
The SAQ is a self-assessment, so the answers must reflect your business. The PCI Security Standards Council website offers extensive documentation if you need more general guidance on PCI standards.
What happens if I don't complete my PCI compliance by the due date?
Failing to complete your PCI compliance can put your business at risk. As mentioned in our first article, this could include potential fines, and in some cases, it could impact your ability to continue processing payments through Helcim. We strongly encourage you to complete it on time.