Compliance Audits
PCI DSS v4.0 · SAQ + ROC

Accept card payments without the PCI headache. SAQ or ROC, scope minimized.

PCI DSS (Payment Card Industry Data Security Standard) applies to every business that accepts card payments. The 4 merchant levels determine your reporting: Level 4 (under 20K transactions) self-attests via SAQ; Level 1 (over 6M transactions) needs a full ROC audited by a QSA. We help you minimize scope (most merchants do not need full PCI DSS) and prep the right SAQ or coordinate the ROC.

How it works

How we handle PCI DSS, end-to-end.

1. Merchant level + SAQ type

We confirm your merchant level (1-4 by annual transaction volume) and the appropriate SAQ (A, A-EP, B, C, D-M, P2PE). Most online merchants using Stripe Hosted Checkout qualify for SAQ A (the shortest).

2. Scope reduction

PCI DSS scope is everything that stores, processes, or transmits cardholder data. We help you redirect to hosted payment forms (Stripe Elements, Hosted Checkout), tokenization, and P2PE so your environment falls outside scope.

3. SAQ completion or ROC prep

For SAQ: we complete the questionnaire with you and submit to your acquirer. For ROC (Level 1): we prep for QSA engagement, coordinate evidence, and manage remediation.

4. Annual maintenance

PCI DSS is annual. We re-assess every 12 months, update SAQ, and handle any breach-triggered requirements (forensic investigation, FRP, ASV scans).

What we'll set up for you

A clean handoff, in four steps.

You give us the basics. We handle the state, the IRS, and the compliance clock so you can focus on the business.

01 · Name + Brand

A name that's actually available.

Real-time check against the state register, USPTO trademark database, and matching domains.

02 · State filing

Filed with the Secretary of State.

We submit your Articles, pay the state fee on your behalf, and return the stamped certificate.

03 · Federal IDs

EIN + the right tax setup.

Federal Employer ID with the IRS, plus state tax accounts when your business needs them.

04 · Stay compliant

Registered Agent + deadline tracking.

Your agent on file in every state, with every renewal and annual report tracked in one calendar.

Pricing

Transparent PCI DSS pricing.

Government fees pass through at cost. No upsells.

SAQ D-M

$9999
Complex merchant SAQ.

For merchants with payment data in their environment (some processed in-house). Full SAQ D-M completion, vulnerability scanning, quarterly ASV scans coordination, annual pentest coordination.


ROC prep

$29999
Level 1 merchant ROC.

For Level 1 merchants requiring full Report on Compliance audited by a QSA. We prep your environment, coordinate with QSA, manage remediation. QSA audit fee separate ($75K-$200K typical).

FAQ

About the PCI DSS Compliance Service.

Do I really need PCI DSS?
If you accept card payments, yes. Every merchant has DSS obligations through their acquirer. Most online merchants using hosted forms qualify for SAQ A (the shortest version) but it is still required.
What is the difference between SAQ and ROC?
SAQ: self-assessment questionnaire. You complete and submit to your acquirer. ROC: Report on Compliance audited by a Qualified Security Assessor (QSA). Required for Level 1 merchants (6M+ annual card transactions).
What is scope reduction?
Minimizing what parts of your environment are subject to PCI DSS. Best practice: route all card data to hosted payment forms (Stripe Elements, Hosted Checkout). Your servers never see card numbers. Most DSS requirements then fall away.
Who is a QSA?
Qualified Security Assessor - a company certified by the PCI Council to perform PCI DSS audits. Required for Level 1 ROC. Not required for SAQ (you can self-attest).
What about PCI v4.0?
PCI DSS v4.0 took effect in 2024. New requirements include custom-defined approaches (an alternative to defined approaches), targeted risk analyses, and expanded MFA. All new SAQs and ROCs use v4.0.
What is the penalty for non-compliance?
Fines from your acquirer ($5K-$100K monthly), higher card processing fees, and (worst case) loss of card processing ability. Plus liability if a breach occurs: forensic investigation costs, card brand fines, customer notification, class actions.
Why File.Business

Premium compliance, no service-fee markup.

Trust you can verify

SOC 2 Type II audited platform. 220,000+ businesses served. 60-day money-back on service fees. State fees passed through at cost with no hidden markup. Explicit AUP on restricted industries.

A compliance partner, not a transaction

Most providers go quiet after checkout. We auto-track every annual report, registered agent renewal, and license deadline across your entities. The Business OS dashboard keeps your compliance score visible year-round.

Premium experience competitors cannot match

Premium positioning, transparent pricing, no service-fee markup on state or federal filings.

Start your business in the next 5 minutes.

No state-fee markup. Pay only the state fee. 60-day money-back guarantee.
