PCI Compliance in Contract

PCI Compliance in Contract: What That Letter from Your Payment Processor Actually Means

Bottom Line Up Front

If you just received a PCI compliance contract or questionnaire from your payment processor and you’re feeling overwhelmed — take a breath. For most small businesses, PCI compliance is far simpler than it initially appears. You probably qualify for one of the streamlined questionnaires that takes about an hour to complete, and the whole process costs less than what you’d pay in a single non-compliance fine. Here’s everything you actually need to know to get compliant and stay that way.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover — to protect credit card data. If your business accepts card payments in any form, these requirements apply to you.

Think of it this way: the card brands created these rules through an organization called the PCI Security Standards Council (PCI SSC), but your acquirer (the bank that processes your card transactions) or payment processor (like Square, Stripe, or your merchant services provider) is who actually enforces them. That’s why they sent you that compliance questionnaire.

The consequences of non-compliance are real but manageable. Your processor can fine you (typically $25-100 per month for small merchants), you could be liable for costs if there’s a data breach, and in extreme cases, you could lose the ability to accept credit cards. But here’s the good news: most small businesses qualify for the simplest compliance options that take minimal time and effort.

Your compliance requirements depend on how you accept payments, not how big your business is. A tiny online shop using Shopify checkout might have simpler requirements than a restaurant with old point-of-sale terminals. The system is designed to match the requirements to the actual risk of each payment channel.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you process one transaction a year or thousands per day. Accept cards? You need to comply with PCI DSS.

Most small businesses fall into Merchant Level 4 — processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. Don’t worry about counting transactions precisely; your payment processor already knows your level and will tell you what’s required.

Here’s what your payment processor expects from you:

  • Complete an annual Self-Assessment Questionnaire (SAQ) — a yes/no checklist about your security practices
  • If you have a website, get quarterly vulnerability scans from an Approved Scanning Vendor (ASV)
  • Submit your Attestation of Compliance (AOC) — basically your signature saying you completed the requirements
  • Fix any security issues found during the process

That compliance questionnaire they sent you? It’s their way of saying “it’s time for your annual PCI checkup.” They need proof you’re protecting cardholder data, and the SAQ provides that proof.

Which SAQ Do You Need?

The SAQ comes in different versions based on how you handle card payments. Here’s how to determine which one applies to your business:

How You Accept Payments | SAQ Type | Complexity | Typical Questions
E-commerce with hosted checkout (Shopify, WooCommerce with PayPal) | SAQ A | Simplest (22 questions) | ~20 questions
E-commerce where you control the checkout page (custom site with Stripe Elements) | SAQ A-EP | Simple (139 questions) | ~140 questions
Physical terminal with no electronic storage (basic credit card machine) | SAQ B | Simple (41 questions) | ~40 questions
Physical terminal connected to internet (Square Stand, Clover) | SAQ B-IP | Simple (91 questions) | ~90 questions
Phone/mail/fax orders entered into virtual terminal | SAQ C-VT | Moderate (83 questions) | ~80 questions
Any other method, or if you store card numbers | SAQ D | Complex (329 questions) | ~330 questions

If you use Square, PayPal Here, or similar mobile readers: You’re likely SAQ B-IP if connected to internet, or SAQ B if using dial-up.

If you have a website: Using a fully hosted checkout (customer goes to PayPal or Stripe to pay)? That’s SAQ A. Payment form on your site? That’s SAQ A-EP.

If you take orders by phone: Entering them into an online virtual terminal? SAQ C-VT is your match.

Still confused? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ applies — no guesswork required.

How to Complete Your SAQ

The questionnaire itself is straightforward — every question is yes or no. Here’s what the process looks like:

1. Download or access your SAQ through your processor’s portal or a compliance platform. The questions cover security basics like “Do you change default passwords?” and “Is your payment terminal in a secure location?”

2. Answer honestly — “Yes” means you currently do this thing, not that you plan to. If you answer “No” to any question, you’ll need to either implement that security control or explain why it doesn’t apply to your business.

3. Gather basic documentation:
– List of all payment acceptance locations
– Your network setup (for SAQ A-EP and above)
– Any service provider agreements (payment gateway, hosting provider)
– Security policies if you have them (templates are fine for small merchants)

4. Schedule your quarterly ASV scan if you have any web presence. An ASV is a company approved by PCI SSC to scan your website for vulnerabilities. The scan is automated — you provide your website URL, they scan it, you get a report. If issues are found, you fix them and rescan. Most small sites pass on the first try.

5. Complete your Attestation of Compliance (AOC) — this is your formal declaration that you’ve met all requirements. It’s typically a few pages where you confirm your business details and compliance status.

6. Submit everything to your payment processor through their portal or email. Keep copies for your records — you’ll need them next year.

For most small merchants using modern payment systems, the whole process takes 1-3 hours annually, plus maybe 30 minutes per quarter for ASV scans.

What It Costs

Let’s talk real numbers for PCI compliance costs:

Compliance platforms and SAQ tools: Free to $30/month for small merchants. These guide you through the questionnaire and track your compliance status.

Quarterly ASV scanning: $20-50 per scan, or $80-200 annually. Required if you have any web presence. PCICompliance.com includes ASV scanning in our compliance packages.

If you need a QSA (Qualified Security Assessor): Only required for large merchants (Level 1) or if you’ve had a breach. QSA assessments start around $10,000 — but again, most small businesses never need one.

The cost of NON-compliance:

  • Monthly non-compliance fees: $25-100 from your processor
  • Breach liability: $50-90 per compromised card
  • Forensic investigation: $10,000+ if you have a breach
  • Lost ability to accept cards: priceless

Honest assessment: for most small merchants, annual compliance costs less than a single month of non-compliance fees. It’s not a profit center for anyone — it’s insurance against much larger costs.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done deal — it’s an annual requirement with quarterly checkpoints. Here’s how to stay on track:

Set calendar reminders for:

  • Annual SAQ due date (usually anniversary of last submission)
  • Quarterly ASV scan windows (every 90 days)
  • Password changes (every 90 days for any system touching card data)
  • Security update checks (monthly for payment systems)

Know what triggers a reassessment:

  • Changing payment processors or methods
  • Adding e-commerce to a physical store
  • Starting to store card numbers (please don’t)
  • Significant network or system changes

Use a compliance tracking system — whether it’s a spreadsheet or a platform like PCICompliance.com’s dashboard. Track your SAQ status, scan dates, and any remediation items in one place.

Train your staff — even for SAQ A, everyone who handles payments should know basics like never writing down card numbers and reporting suspicious activity.

FAQ

My payment processor says I’m non-compliant and is charging me fees. What do I do?

First, find out exactly what’s missing — usually it’s an incomplete SAQ or missed ASV scan. Most processors give you 30-90 days to complete requirements before fees start. Complete your SAQ immediately (it only takes an hour for most merchants) and schedule any required scans. Once submitted, fees typically stop within one billing cycle.

I’m just a small business. Do these requirements really apply to me?

Yes, if you accept credit cards, size doesn’t matter — payment method does. The good news: small businesses usually qualify for the simplest SAQ types. Your corner coffee shop using Square probably has easier requirements than a large company with complex systems.

What’s the difference between PCI compliance and security compliance for other regulations?

PCI DSS is specifically about credit card data protection. It’s separate from HIPAA (healthcare), GDPR (privacy), or other regulations. Focus on PCI if you take card payments — it’s the one your payment processor cares about and can fine you for.

Can’t I just use cash only and avoid all this?

Technically yes, but you’ll lose significant business. Studies show cash-only businesses lose 20-40% of potential sales. PCI compliance for small merchants costs less annually than you’d lose in a single week of cash-only operations.

How do I know if I’m storing card data?

Check these places: spreadsheets, email, customer databases, paper files, and old point-of-sale systems. If you find card numbers anywhere except your payment terminal or processor’s system, you’re storing card data. Stop immediately and use tokenization or your processor’s customer vault instead.
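The check described above can be automated for spreadsheets, exported mailboxes, database dumps and other text files. The following is an added example written for this page (not PCICompliance.com's tooling): it looks for 13-19 digit sequences, keeps only those that pass the Luhn check and match a major card brand's number format, and reports each finding with the number masked to its last four digits so the scan report itself does not become another place where card data is stored. The three "files" are constructed samples embedded inline, and the card numbers in them are the widely published test numbers, not real accounts.

```python
"""Hypothetical cleartext card-number discovery scanner (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample files standing in for a spreadsheet export, a mailbox
# export and a customer note. The card numbers are public test numbers.
SAMPLE_FILES: Dict[str, str] = {
    "orders.csv": "order_id,customer,card\n1001,Alice,4111 1111 1111 1111\n1002,Bob,n/a\n",
    "inbox.txt": "Hi, please charge 5500-0000-0000-0004 for the deposit. Thanks!",
    "notes.txt": "Invoice 1234567890123 is overdue; phone 512-555-0100.",
}


class Finding(NamedTuple):
    source: str    # file the number was found in
    line_no: int   # 1-based line number within that file
    brand: str     # card brand inferred from the number format
    masked: str    # number with everything but the last four digits masked


# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Number formats of the four brands named in the article.
BRAND_PATTERNS = {
    "Visa": re.compile(r"^4\d{12}(?:\d{3})?(?:\d{3})?$"),
    "Mastercard": re.compile(
        r"^(?:5[1-5]\d{14}|2(?:22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)\d{12})$"
    ),
    "American Express": re.compile(r"^3[47]\d{13}$"),
    "Discover": re.compile(r"^6(?:011|5\d\d)\d{12}$"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(digits: str) -> Optional[str]:
    """Return the brand whose format the number matches, or None."""
    for brand, pattern in BRAND_PATTERNS.items():
        if pattern.match(digits):
            return brand
    return None


def mask(digits: str) -> str:
    """Keep only the last four digits so the report never holds a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan one file's text and return every likely card number in it."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_valid(digits):      # invoice numbers, phone numbers, etc.
                continue
            brand = classify(digits)
            if brand is None:               # Luhn-valid but not a card format
                continue
            findings.append(Finding(source, line_no, brand, mask(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of file name -> file contents."""
    results: List[Finding] = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no}: {f.brand} card {f.masked} stored in cleartext")
```

Run it against the sample data and it flags the Visa number in the spreadsheet and the Mastercard number in the mailbox export, while the 13-digit invoice number in the note is discarded because it fails the Luhn check. Any hit outside your payment terminal or processor's system is the "storing card data" situation described above; the fix is the same as in the answer: delete it and switch to tokenization or the processor's customer vault.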

What if I fail my ASV scan?

Don’t panic — most failures are minor issues like outdated software versions. Your ASV provides a report showing what needs fixing. Address the critical and high vulnerabilities, rescan, and you’ll usually pass. PCICompliance.com includes remediation guidance with our scanning service.

Conclusion

PCI compliance might seem daunting when that first questionnaire arrives, but remember — millions of small businesses successfully maintain compliance every year. For most merchants, it’s a few hours of work annually that protects both your business and your customers.

The key is choosing the right SAQ for your payment methods and staying organized with quarterly scans if required. Modern payment systems are designed to minimize your compliance burden — take advantage of them.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You can start with our free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team if you need guidance. We’ve helped thousands of merchants navigate their first compliance questionnaire and stay compliant year after year.

Remember: PCI compliance is a contract requirement from your payment processor, but it’s also good business. Protecting your customers’ payment data protects your reputation and your bottom line. Take it one step at a time, and you’ll find it’s far more manageable than that initial questionnaire made it seem.
