How to pass PCI for multi-merchant setups — portfolio SAQ in 2026
PCI DSS is required for everyone accepting card payments. It is not optional. Multi-brand operators either run it correctly as a coordinated portfolio effort, or they end up paying non-compliance fees on nine different statements while never actually being compliant on any of them.
1. Understand which SAQ each brand needs
The Payment Card Industry Data Security Standard has different Self-Assessment Questionnaires depending on how you accept payments:
- SAQ A — fully outsourced checkout (Stripe redirect, PayPal, Braintree hosted fields). Simplest, ~22 questions.
- SAQ A-EP — e-commerce with partial outsourcing (Stripe.js, iframes that touch the page). ~154 questions.
- SAQ D — everything else. ~329 questions. Avoid this if you can.
- ROC (Report on Compliance) — required above 6 million transactions/year. Auditor-led, not self-assessment.
Every brand in your portfolio has its own checkout, and therefore its own SAQ. Sometimes they differ. Pass the one that fits each brand's actual flow.
See our general PCI compliance guide and SAQ glossary entry.
2. Reduce scope first
Scope = any system that stores, processes, or transmits cardholder data. Reducing scope is the single highest-ROI PCI activity.
- Never store full PAN. Use processor tokens only.
- Never log PAN in application logs. Redact at the gateway.
- Use hosted fields everywhere. Stripe Elements, Braintree hosted, Authorize.Net Accept.js — these keep card data out of your servers.
- Redirect-only where possible. Fully hosted checkout = SAQ A, smallest scope.
See PCI scope reduction for multi-brand.
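The "never log PAN" rule above is easiest to enforce mechanically. The following is an added example, not code from the original article or from any processor: a log filter that masks any Luhn-valid 13-19 digit run before it reaches disk, so that a developer logging a raw webhook body cannot pull the logging system into scope. The logger name and sample values are constructed for illustration.

```python
import logging
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
# The pattern is loose on purpose; the Luhn check below filters out false
# positives (order ids, Unix timestamps) before anything is masked.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(text: str) -> str:
    """Mask every Luhn-valid 13-19 digit run in `text`, keeping the last four.

    Digit runs that fail Luhn are left untouched so the logs stay useful.
    """
    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(_mask, text)


class PanRedactingFilter(logging.Filter):
    """Attach to application loggers so a PAN never reaches disk, even when
    someone logs a raw request or response body."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pan(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("checkout")             # hypothetical logger name
    log.addFilter(PanRedactingFilter())
    log.info("webhook card=%s order=%s", "4242424242424242", "1717000000000")
```

The order id in the sample passes the length check but fails Luhn, so it is left readable; the test card number is masked to its last four digits.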
3. The portfolio attestation strategy
You have two realistic models:
Model A: per-brand attestations
- Each brand's LLC submits its own SAQ to its own acquirer.
- Appropriate if brands have different checkout architectures or are on different processors.
- Overhead: roughly 2-4 hours per brand per year.
Model B: consolidated attestation
- One portfolio-level compliance effort covers shared infrastructure (checkout platform, customer support systems, data warehouse).
- Each brand references the portfolio attestation plus a short brand-specific SAQ.
- Requires a Payment Application Data Security Standard (PA-DSS) or P2PE cert on the shared platform.
- Overhead: front-loaded (4-6 weeks for the initial portfolio cert), then ~1 hour per brand per year.
Portfolios above 8-10 brands should consider Model B. Under that, Model A is usually simpler.
4. Quarterly vulnerability scans
PCI requires quarterly external ASV (Approved Scanning Vendor) scans on every domain accepting card payments. 20 domains = 20 scans per quarter.
Most ASVs charge per-domain — roughly $50-$150/domain/year. On a 20-brand portfolio that is $1-3k/year. Budget it.
Common ASVs: Trustwave, SecurityMetrics, ControlScan, Qualys. All comparable quality.
5. The non-compliance fee trap
Processors charge $25-$35/month per MID in "PCI non-compliance" fees if they do not have a current attestation on file. Across 20 brands that is $500-$700/month of avoidable expense.
Track attestation renewal dates in the same dashboard you track Apple Pay domain registrations. PCI attestations are annual — set a calendar reminder 45 days before expiry.
If you are being charged non-compliance fees right now, submit current attestations and ask for retroactive credit. Most processors will credit 1-3 months.
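Sections 4 and 5 both come down to tracking dates per MID. As an added example (not the article's or any vendor's code), here is a minimal portfolio tracker that flags attestations inside the 45-day renewal window or already lapsed, flags ASV scans older than a quarter, and totals the avoidable monthly fee exposure using the $25-$35 per-MID range quoted above. The record fields, brand names, MIDs and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

ATTESTATION_REMINDER_DAYS = 45         # lead time the article recommends
ASV_INTERVAL_DAYS = 90                 # quarterly external ASV scan cadence
NON_COMPLIANCE_FEE_PER_MID = (25, 35)  # USD per MID per month, as quoted above


@dataclass
class BrandRecord:
    """One brand / merchant ID in the portfolio (field names are hypothetical)."""
    brand: str
    mid: str
    saq_type: str                   # "A", "A-EP" or "D"
    aoc_expires: date               # annual attestation expiry date
    last_asv_scan: Optional[date]   # last passing ASV scan, None if never scanned


def portfolio_actions(records: List[BrandRecord], today: date) -> List[Tuple[str, str]]:
    """Return (brand, action) pairs that need attention as of `today`."""
    actions = []
    for r in records:
        if r.aoc_expires < today:
            actions.append((r.brand, "attestation expired: non-compliance fees accruing"))
        elif r.aoc_expires - today <= timedelta(days=ATTESTATION_REMINDER_DAYS):
            actions.append((r.brand, f"renew SAQ {r.saq_type} attestation by {r.aoc_expires}"))
        if r.last_asv_scan is None or today - r.last_asv_scan > timedelta(days=ASV_INTERVAL_DAYS):
            actions.append((r.brand, "quarterly ASV scan overdue"))
    return actions


def monthly_fee_exposure(records: List[BrandRecord], today: date) -> Tuple[int, int]:
    """(low, high) USD/month of avoidable fees for MIDs whose attestation has lapsed."""
    lapsed = sum(1 for r in records if r.aoc_expires < today)
    return lapsed * NON_COMPLIANCE_FEE_PER_MID[0], lapsed * NON_COMPLIANCE_FEE_PER_MID[1]


# Constructed sample portfolio; brands, MIDs and dates are illustrative only.
AS_OF = date(2026, 3, 1)
SAMPLE_PORTFOLIO = [
    BrandRecord("Alpha", "MID-0001", "A", date(2026, 4, 10), date(2026, 1, 15)),
    BrandRecord("Bravo", "MID-0002", "A-EP", date(2026, 1, 31), date(2025, 10, 1)),
    BrandRecord("Charlie", "MID-0003", "A", date(2026, 12, 1), None),
]

if __name__ == "__main__":
    for brand, action in portfolio_actions(SAMPLE_PORTFOLIO, AS_OF):
        print(f"{brand}: {action}")
    print("fee exposure USD/month:", monthly_fee_exposure(SAMPLE_PORTFOLIO, AS_OF))
```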
6. Vendor management — the hidden scope
Any third-party vendor that touches your cardholder data environment is in PCI scope. That includes:
- Your hosting provider
- Your email / communication platform if used for support
- Analytics platforms (especially if they capture checkout events)
- Customer service platforms where reps handle card data
- Any contractor with access to production systems
Maintain a vendor list with PCI attestations from each. Acquirer audits will ask for this list.
Working example: 12-brand DTC portfolio, consolidated attestation
Setup:
- All 12 brands on Shopify with Stripe backend — SAQ A eligibility.
- Shared customer service tool (Gorgias) — SAQ A-EP because reps occasionally assist with saved-card updates.
- One ASV (Trustwave) scanning all 12 domains quarterly.
- One attestation covering the shared infrastructure, 12 brand-specific SAQ-A attachments.
Annual cost: ~$1,400 (ASV) + ~$600 (attestation service) = $2,000 total. Non-compliance fees eliminated across all 12 brands: $4,800/year savings. Net: $2,800 annual benefit plus actual compliance.
FAQ
Do I need a QSA (Qualified Security Assessor)? Only if you process above 6M transactions/year on any single MID or if your acquirer requires it. Below that, self-assessment works.
What about Level 4 vs Level 1 merchants? Level is set per card brand per acquirer. Under 20k transactions/year = Level 4 usually. Most multi-brand operators are Level 4 per brand but aggregate up.
Do I need PCI if I use Stripe Checkout? Yes. The SAQ A is simpler but still required.
What about Apple Pay / Google Pay? Wallet tokens never contain real PAN, but you still need to complete the SAQ that matches your overall checkout.
CTA
If you want portfolio PCI run as a single coordinated effort with per-brand attestations tracked in one dashboard, apply to multiflow. Or see pricing.