Xero Payments PCI Compliance: A Small Business Owner’s Guide to Getting (and Staying) Compliant

If you’re here because your payment processor just sent you a PCI compliance questionnaire and you’re wondering what on earth it means, take a deep breath. For most small businesses accepting card payments through Xero or similar systems, PCI compliance is far simpler than it initially appears. You don’t need to become a security expert or hire expensive consultants — you just need to understand which form to fill out and answer some straightforward yes/no questions about how you handle credit card payments.

What Is PCI Compliance (In Plain English)

PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules created by the major card brands (Visa, Mastercard, American Express, and Discover) to protect credit card information. If you accept credit cards in any form — whether through a terminal, online, or over the phone — these rules apply to you.

The card brands created an organization called the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) is responsible for making sure you’re compliant. That’s why they sent you that questionnaire.

Here’s what happens if you ignore it: Your payment processor can fine you anywhere from $5,000 to $100,000 per month for non-compliance. If there’s a data breach and you weren’t compliant, you could be liable for the fraud losses. In extreme cases, you might lose the ability to accept credit cards entirely.

The good news? Most small businesses fall into the simplest compliance categories. You’re not building Fort Knox — you’re just demonstrating that you follow basic security practices when handling payment cards.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit or debit cards, yes. It doesn’t matter if you process one transaction a year or thousands daily. The moment you accept a card payment, PCI compliance requirements kick in.

Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means you can self-assess your compliance using a simplified questionnaire called an SAQ (Self-Assessment Questionnaire) instead of hiring an external auditor.

Your payment processor expects you to:

  • Complete the appropriate SAQ annually
  • Run quarterly security scans if you have any internet-facing systems
  • Fix any security issues the scans find
  • Submit your compliance documentation on time

That questionnaire they sent you? It’s their way of tracking your compliance status. Ignore it, and those monthly non-compliance fees start rolling in.

Which SAQ Do You Need?

The SAQ you need depends entirely on how you accept and process card payments. There are different versions, each designed for specific payment scenarios. Here’s how to figure out which one applies to you:

How you accept payments                                  | SAQ type  | Complexity                 | Typical time to complete
Redirect to payment provider (PayPal, Stripe Checkout)   | SAQ A     | Simplest (22 questions)    | About 30 minutes
Payment form on your website (Stripe Elements, Square)   | SAQ A-EP  | Simple (139 questions)     | 1-2 hours
Standalone terminal (no computer connection)             | SAQ B     | Simple (41 questions)      | About 1 hour
Terminal connected to internet/network                   | SAQ B-IP  | Moderate (82 questions)    | 2-3 hours
Manual entry or phone orders                             | SAQ C-VT  | Moderate (80 questions)    | 2-3 hours
Store card data electronically                           | SAQ D     | Complex (329 questions)    | Multiple days + scans

If you use standalone payment terminals (like a Square Reader or Clover Flex that isn’t connected to your computer systems), you’ll likely complete SAQ B. Connect that terminal to the internet or your network, and you’re looking at SAQ B-IP.

If you have an e-commerce site where customers are redirected to a payment provider’s page (think PayPal or Stripe Checkout), you qualify for SAQ A — the shortest form. But if your website has payment fields where customers type their card details (even if you’re using Stripe Elements or similar), you need SAQ A-EP.

If you take payments over the phone and type them into a virtual terminal, that’s SAQ C-VT territory.

If you store credit card numbers in any electronic format — spreadsheets, databases, even email — you’re stuck with SAQ D, the full questionnaire. (Seriously, stop storing card numbers. There are better ways.)

Not sure which one fits? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Once you know which SAQ you need, completing it is straightforward. The questionnaire consists of yes/no questions about your payment security practices. Here’s what to expect:

What “yes” really means: When a question asks “Do you have a firewall?” they’re not looking for enterprise-grade security. A “yes” means you have basic protection in place — even the firewall built into Windows or your internet router counts if it’s properly configured and updated.

You’ll need to gather some basic documentation:

  • Network diagram (can be hand-drawn showing how payments flow)
  • Security policies (even simple written procedures count)
  • Vendor agreements showing who handles what
  • Configuration screenshots or settings

The quarterly ASV scan is required if you have any systems connected to the internet (websites, email servers, etc.). An Approved Scanning Vendor runs automated security scans looking for vulnerabilities. Think of it like a safety inspection for your internet-facing systems. The scan typically takes 20-30 minutes to run, and you’ll get a report showing any issues to fix.

After completing your SAQ, you’ll sign an Attestation of Compliance (AOC) — basically a formal declaration that your answers are accurate. Submit both documents to your payment processor, and you’re done for the year.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your setup and which tools you use:

Compliance platforms and SAQ tools typically run $100-500 annually for small merchants. These platforms guide you through the questionnaire, store your documentation, and track your compliance status.

Quarterly ASV scanning costs around $200-400 per year for most small businesses. Some compliance platforms bundle this with their SAQ tools.

QSA assessment only applies if you’re a larger merchant or store card data (SAQ D). Budget $15,000-50,000 for a formal assessment. Most small businesses never need this.

Compare that to the cost of non-compliance:

  • Monthly fines: $5,000-100,000
  • Breach liability: Average $150 per compromised card
  • Forensic investigation: $20,000-100,000
  • Lost ability to accept cards: Priceless (in the worst way)

For most small merchants, annual compliance costs less than a single month’s non-compliance fine.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done deal. Your compliance resets annually, with quarterly scans in between. Here’s how to stay on track:

Set calendar reminders for:

  • Annual SAQ due date (usually 12 months from last submission)
  • Quarterly ASV scans (every 90 days)
  • Security update checks (monthly)
  • Employee security training (annually)

Watch for changes that might affect your compliance:

  • Adding new payment channels (like starting to take phone orders)
  • Changing payment providers
  • Updating your website or payment forms
  • Opening new locations

Any significant change in how you accept payments might mean switching to a different SAQ type.

PCICompliance.com’s compliance dashboard tracks all these dates for you, sending reminders before deadlines and flagging any changes that might affect your compliance status.

FAQ

I’m just a small business. Do I really need to worry about PCI compliance?

Yes. Size doesn’t matter when it comes to PCI requirements. The good news is that small businesses usually qualify for the simplest SAQ types, making compliance manageable and affordable.

What happens if I just ignore the compliance questionnaire?

Your payment processor will likely start charging monthly non-compliance fees (typically $20-100/month). If there’s a breach, you could be liable for fraud losses and investigation costs.

Can I just say “yes” to everything on the SAQ to pass?

Don’t do this. False attestation is fraud and makes you fully liable in case of a breach. The questions are designed to be achievable for businesses of all sizes — answer honestly.

I use Xero for invoicing but payments go through Stripe. Which SAQ do I need?

If customers click a Stripe payment link that takes them to Stripe’s hosted payment page, you likely need SAQ A. If you embedded Stripe’s payment form on your own website, that’s SAQ A-EP.

How long does PCI compliance take?

For most small businesses: 1-3 hours annually for the SAQ, plus 30 minutes per quarterly scan. The first year takes longer as you gather documentation, but subsequent years are faster.

My payment processor says I need to be PCI compliant but I only process a few transactions. Is this real?

Yes, it’s real. PCI requirements apply to anyone accepting card payments, regardless of volume. Even one transaction per year triggers compliance requirements.

Can I outsource PCI compliance?

You can outsource many technical controls (like using a payment provider), but you can’t outsource responsibility. You still need to complete your SAQ and ensure your providers are compliant.

What’s the difference between PCI compliance and being secure?

PCI compliance is a minimum security standard — think of it as the floor, not the ceiling. Good security practices go beyond PCI requirements, but compliance is a solid starting point.

Conclusion

PCI compliance might seem overwhelming when that first questionnaire lands in your inbox, but for most small businesses accepting payments through Xero or similar platforms, it’s genuinely manageable. You’re likely looking at one of the simpler SAQ types — a questionnaire you can complete in an afternoon with basic documentation.

The key is understanding which SAQ fits your payment setup and staying organized with annual assessments and quarterly scans. With the right tools and a bit of planning, PCI compliance becomes just another part of running your business, like filing taxes or renewing licenses.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your SAQ type in minutes, or talk to our compliance team if you need guidance getting started. We’ve helped thousands of merchants navigate PCI requirements, and we can help you too.
