Affirm PCI Compliance

The Bottom Line (What You Really Need to Know)

If you just received a PCI compliance questionnaire and you’re feeling overwhelmed, take a breath. For most small businesses, PCI compliance is much simpler than it first appears. You don’t need to become a security expert or hire expensive consultants. What you do need is to answer some questions about how you accept credit card payments, run quarterly scans if required, and document your practices. That compliance form sitting on your desk? It’s likely one of the simpler SAQ types that takes less than an hour to complete. Let’s break down exactly what you need to do.

What Is PCI Compliance (In Plain English)

PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect cardholder data. If you accept payment cards in any way, whether through a terminal, online, or over the phone, these rules apply to you.

The card brands created an organization called the PCI Security Standards Council (PCI SSC) to publish and maintain the standard, but the Council does not enforce it. Enforcement flows from the card brands through your acquirer (the bank or payment processor that handles your card transactions). The acquirer is who sent you that questionnaire, and it is the acquirer that passes along fines if you don't comply.

The consequences of non-compliance are real but manageable. Your payment processor can fine you monthly until you comply — typically $5-100 per month for small merchants. More seriously, if card data gets stolen from your business and you weren’t compliant, you could face liability for the fraud losses and investigation costs. In extreme cases, you could lose the ability to accept credit cards entirely.

Here’s the good news: The vast majority of small businesses qualify for the simplest compliance requirements. If you use modern payment terminals or hosted checkout pages that keep card data away from your systems, you’re already doing most of what PCI requires. The compliance process is really about documenting what you’re already doing right.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes. It doesn’t matter if you process one transaction or one million — the moment you accept card payments, PCI compliance requirements apply.

Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (fewer than 20,000 e-commerce transactions a year and fewer than 1 million total card transactions a year; the exact thresholds are set per card brand). This is good news because Level 4 merchants have the simplest compliance requirements: typically just completing an annual Self-Assessment Questionnaire (SAQ), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) if your SAQ type requires them.

That questionnaire your payment processor sent? It’s their way of verifying you’re following PCI standards. They’re required to confirm all their merchants are compliant, and this questionnaire is how they do it. Ignore it, and you’ll start receiving non-compliance fees on your monthly processing statements.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Using the wrong one wastes time and could leave you non-compliant. Here's how to choose (question counts are approximate and taken from the PCI DSS v3.2.1 SAQs; the v4.x versions of each SAQ are somewhat longer):

  How You Accept Payments                                       SAQ Type   Questions   Complexity
  Card entry fully outsourced to a hosted page or redirect      SAQ A      ~22         Simplest
  E-commerce where your own page controls card entry            SAQ A-EP   ~190        Moderate
    (direct post, embedded form, payment script you load)
  Standalone dial-out terminal only (no e-commerce)             SAQ B      ~41         Simple
  Standalone terminal with IP connection                        SAQ B-IP   ~82         Simple
  Virtual terminal on one isolated computer (phone/mail order)  SAQ C-VT   ~79         Simple
  Payment application software connected to the internet        SAQ C      ~160        Moderate
  Any electronic storage of card data                           SAQ D      ~330        Complex

If you use a payment terminal like Square, Clover, or a traditional credit card machine, you're likely SAQ B (a standalone terminal that dials out over a phone line) or SAQ B-IP (a standalone terminal that connects over the internet). These are straightforward: mostly questions about the physical security of the terminal, checking it periodically for tampering or substitution, and, for B-IP, keeping the terminal separated from the rest of your network.

If you have an e-commerce site using Shopify Payments, Stripe Checkout, PayPal, or similar hosted checkout pages where customers enter card details on the payment provider's page (a full redirect, or an iframe served entirely by the provider, not a form on your own page), you're likely SAQ A, the shortest questionnaire. Note the dividing line: if your own page loads the card-entry form or posts card data directly to the provider, you move up to SAQ A-EP.

If you take payments over the phone and key them into a virtual terminal in a web browser, you're probably SAQ C-VT. Its eligibility rules matter: the virtual terminal must be used from a computer dedicated to that purpose and isolated from the rest of your systems, and you must not store card data electronically. The questions focus on that computer and on how staff handle card numbers they hear over the phone.

If you store card numbers in any electronic format (spreadsheets, databases, even email), you're stuck with SAQ D, the full questionnaire. Honestly? Stop storing card numbers. If you need repeat billing, use the tokens your processor provides instead; keeping the numbers yourself is rarely worth the compliance burden.

Not sure which applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need — no guessing required.

How to Complete Your SAQ

The questionnaire itself is a series of yes/no questions about your payment security practices. Each “yes” means you’re doing what the standard requires. Each “no” means you need to either implement that control or explain why it doesn’t apply to you.

Here's what "yes" really means: For example, SAQ A asks whether you keep a list of the third-party service providers that handle card data for you and confirm their PCI DSS compliance status at least annually. A "yes" means you actually have that list written down and have obtained each provider's current Attestation of Compliance, not that you assume they're probably fine.

Documentation you’ll need:

  • Your payment processing agreement (to confirm who handles what)
  • Network diagram (for more complex SAQs — can be hand-drawn for small setups)
  • Security policies (often just documenting what you already do)
  • Vendor compliance documents (your payment provider’s PCI compliance status)

The quarterly ASV scan applies to SAQ types that cover internet-connected systems (A-EP, B-IP, C, and D), so typically e-commerce sites and IP-connected terminals; check the requirement 11 section of your SAQ if you're unsure. An Approved Scanning Vendor runs automated external scans of your public-facing addresses looking for known vulnerabilities. It's not invasive and usually takes 24-48 hours. Schedule these quarterly and fix whatever fails the scan: under the ASV program any finding scored CVSS 4.0 or higher (medium severity, not just critical) fails the whole scan, so rescan until you have a passing report and keep the passing reports.

Submitting your compliance: Once complete, you’ll generate an Attestation of Compliance (AOC) — basically a formal declaration that you’ve completed the assessment. Submit this to your acquirer through their portal or however they requested it. Keep copies for your records.

What It Costs

Compliance platforms and SAQ tools typically run $20-100/month depending on features. Basic platforms help you complete the questionnaire, while comprehensive ones like PCICompliance.com include guided SAQ completion, automated scanning, and compliance tracking.

Quarterly ASV scanning costs $30-90 per scan if purchased separately, though many compliance platforms include it. For SAQ types that require scanning, you need a passing scan every quarter, so four passing reports a year.

If you need a QSA (only for Level 1 merchants or if your acquirer specifically requires it), expect $15,000-50,000 for a full assessment. Good news: small merchants almost never need this.

The cost of NON-compliance hits harder:

  • Monthly non-compliance fees: $5-100 from your processor
  • Breach-related fines: $5,000-100,000 depending on severity
  • Forensic investigation costs if breached: $10,000+
  • Lost ability to process cards: priceless (and business-ending)

Honest assessment: For most small merchants, annual compliance costs less than $500 — often under $200. That’s less than a single month’s non-compliance fee and a tiny fraction of breach-related costs.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done deal. Your acquirer will ask for updated documentation annually, and certain SAQ types require quarterly vulnerability scans. Mark your calendar now.

Set up these reminders:

  • Annual SAQ due date (usually 12 months from last submission)
  • Quarterly ASV scan dates (every 90 days)
  • Security update checks (monthly for e-commerce platforms)
  • Employee security training (annually, if you have staff handling payments)

Changes that trigger a new assessment:

  • Adding new payment channels (like adding e-commerce to a retail store)
  • Changing payment providers or processors
  • Starting to store card data (please don’t)
  • Major changes to your payment systems or networks

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sends reminders before deadlines, and maintains your compliance history. No more scrambling when your acquirer asks for documentation.

Frequently Asked Questions

I’m just a small business. Do I really need to worry about this?

Yes, but it’s not as scary as it seems. Size doesn’t exempt you from PCI requirements — accepting cards does. The good news is small businesses usually have the simplest compliance path.

What happens if I just ignore the compliance questionnaire?

Your payment processor will start charging non-compliance fees — typically $5-100 monthly. Eventually, they may increase your processing rates or terminate your merchant account entirely.

I use Square/PayPal/Stripe exclusively. Am I already compliant?

You're most of the way there! These providers handle the complex parts, but you still need to complete SAQ A annually. It's the shortest questionnaire (about two dozen questions in PCI DSS v3.2.1, a few more in v4.x), confirming you're using their tools correctly and that your own site never touches card data.

How long does the assessment take?

SAQ A takes 20-30 minutes. SAQ B takes about an hour. More complex SAQs can take several hours to a few days, depending on your documentation readiness. Most small merchants finish in under two hours.

Do I need to hire a security consultant?

Rarely. Most small businesses can complete their required SAQ using self-service tools. Only Level 1 merchants or those with complex payment environments typically need professional help.

What’s this ASV scan and do I need one?

ASV (Approved Scanning Vendor) scans check for vulnerabilities in internet-facing systems. You need them if your SAQ type calls for them (A-EP, B-IP, C, and D), which in practice means e-commerce you host yourself or payment systems connected to the internet. They're automated, non-intrusive, and usually find common issues like outdated software and weak TLS settings.

My payment processor says I’m non-compliant but I submitted everything. What now?

Check that you submitted the right SAQ type and included all required documentation (SAQ, AOC, and ASV scans if applicable). Contact their compliance department — sometimes it’s just a processing delay or missing signature.

Can I just say “yes” to everything on the questionnaire?

Absolutely not. Signing an attestation you know to be false misrepresents your security to your acquirer; it can void any safe-harbor protection compliance gives you and leaves you exposed to the full cost of a breach. Answer honestly. If you can't say "yes" to something, either implement the control or work with your payment providers to address it.

Making PCI Compliance Manageable

PCI compliance might seem overwhelming when that first questionnaire arrives, but it’s genuinely manageable for most businesses. You’re likely already doing most of what’s required — using secure payment terminals, letting payment providers handle the complex stuff, and following basic security practices. The compliance process just formalizes what you’re already doing.

Start by identifying which SAQ type applies to your business. If you’re unsure, PCICompliance.com’s free SAQ Wizard walks you through a few simple questions and tells you exactly which questionnaire you need. From there, our platform guides you through each requirement, handles your ASV scanning needs, and keeps your compliance documentation organized year-round. Whether you need help getting started or maintaining ongoing compliance, our tools and support team make the process straightforward. Don’t let PCI compliance intimidate you — with the right approach, it’s just another part of accepting card payments securely.
