Changed Processor: New PCI?

The Truth About Changing Payment Processors and PCI Compliance

So you just changed payment processors, the new processor’s PCI requirements landed in your inbox, and now you’re wondering if you need to start your compliance journey all over again. Here’s the good news: if you were already PCI compliant with your previous processor, you’re likely still compliant — you just need to update some documentation and possibly complete a new questionnaire for your new processor. Let’s walk through exactly what you need to do and why changing processors doesn’t mean starting from scratch.

If this is your first time dealing with PCI compliance (maybe your old processor never asked about it), don’t panic. For most small businesses, achieving compliance is simpler than the intimidating acronyms suggest. This guide will help you understand what PCI compliance actually means, what your new processor needs from you, and how to get it done without losing your mind.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card information. If your business accepts, processes, stores, or transmits credit card payments in any way — whether through a terminal, website, or over the phone — these requirements apply to you.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through an organization called the PCI Security Standards Council. But here’s the important part: your payment processor or acquiring bank is who actually enforces these requirements and sends you those compliance questionnaires.

Why should you care? Three big reasons:

  • Fines: Your processor can charge monthly non-compliance fees (typically $25-300/month)
  • Liability: If card data gets stolen from your business, you could face fines up to $500,000
  • Card acceptance: Persistent non-compliance could mean losing your ability to accept credit cards

But here’s what they don’t tell you upfront: most small businesses qualify for the simplest level of PCI compliance validation. If you’re using modern payment tools like Square, Stripe, or a standard terminal from your bank, you’re already doing most of what’s required.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards, yes. It doesn’t matter if you’re a food truck taking five transactions a day or an online store processing thousands — the requirement applies to everyone who touches payment cards.

Your merchant level determines how you prove compliance. Most small businesses fall into Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means:

  • You complete a Self-Assessment Questionnaire (SAQ) instead of hiring an expensive auditor
  • You need quarterly security scans if you have any internet-facing systems
  • You submit an Attestation of Compliance (AOC) to your processor annually

When your payment processor sends that compliance questionnaire, they’re not trying to trip you up. They’re required by the card brands to verify that every merchant in their portfolio maintains basic security standards. That questionnaire is your opportunity to show you’re protecting cardholder data properly.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in different versions based on how you accept payments. Think of it like tax forms — you don’t fill out a 1040EZ if you have a complex business structure. Here’s how to determine which SAQ applies to your business:

How You Accept Payments                    | Your SAQ Type | Number of Questions | Complexity
-------------------------------------------|---------------|---------------------|-----------
Fully outsourced (PayPal, Square online)   | SAQ A         | 22                  | Simplest
E-commerce with payment page redirect      | SAQ A-EP      | 191                 | Moderate
Terminal only, no electronic storage       | SAQ B         | 41                  | Simple
Terminal only with IP connection           | SAQ B-IP      | 82                  | Simple
Phone/mail orders, no electronic storage   | SAQ C-VT      | 160                 | Moderate
Any electronic card storage                | SAQ D         | 329+                | Complex

Quick decision guide:

  • Using Square, PayPal, or similar? You’re likely SAQ A — the simplest form with just 22 yes/no questions
  • Have a payment terminal from your bank? That’s probably SAQ B or SAQ B-IP depending on how it connects
  • Take orders over the phone? You’ll need SAQ C-VT if you don’t store card numbers electronically
  • Actually storing card numbers in your system? That’s SAQ D territory — consider switching to tokenization immediately

Not sure which one fits? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire applies. No guesswork required.

How to Complete Your SAQ

Once you know which SAQ you need, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices. Here’s what the process actually looks like:

Step 1: Download or access your SAQ
Your processor might provide a link, or you can get it from PCICompliance.com’s compliance portal. The questions are standardized — every merchant completing the same SAQ type answers identical questions.

Step 2: Answer the questions honestly
Each question asks about a specific security control. For example: “Do you change default passwords on payment terminals?” A “yes” answer means you’ve implemented that control. If you answer “no,” you’ll need to either implement the control or explain why it doesn’t apply to your environment.

Step 3: Gather supporting documentation
While the SAQ itself doesn’t require you to submit evidence, keep documentation ready in case your processor asks. This might include:

  • Network diagrams (even a simple sketch works for small merchants)
  • Vendor agreements showing PCI compliance status
  • Policies for handling card data (can be one page for simple setups)

Step 4: Complete quarterly ASV scans (if required)
If you have any systems accessible from the internet — including your business website — you’ll need quarterly vulnerability scans from an Approved Scanning Vendor. These automated scans check for security holes and typically take 24-48 hours to complete.

Step 5: Submit your attestation
Once you’ve answered all questions and passed any required scans, you’ll complete an Attestation of Compliance (AOC). This is basically your signature saying “yes, we’re following these security requirements.” Submit this to your processor through their portal or compliance platform.

Most small merchants can complete their SAQ in 30-60 minutes once they understand what’s being asked.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your size and complexity, but here’s what most small businesses can expect:

Compliance platforms and tools: $100-500 per year for SAQ completion software, documentation tracking, and support. Some processors include basic tools free with your merchant account.

Quarterly ASV scanning: $200-400 per year for required vulnerability scans. Many compliance platforms bundle this with their annual fee.

Professional help: If you need a QSA (only required for Level 1 merchants or complex environments), expect $5,000-50,000 for a formal assessment. Good news: most small businesses never need this level of review.

The cost of non-compliance is where it gets expensive:

  • Monthly non-compliance fees from your processor: $25-300
  • Fines after a breach: $5,000-500,000 depending on the severity
  • Forensic investigation costs: $10,000+ if you’re breached
  • Lost ability to process cards: priceless (and business-ending)

For most small merchants, annual compliance costs less than two months of non-compliance fees. It’s genuinely cheaper to be compliant than not.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track without it becoming a full-time job:

Annual requirements:

  • Complete and submit your SAQ
  • Update your AOC
  • Review and update security policies
  • Train staff on card handling procedures

Quarterly requirements:

  • Run ASV scans (if applicable)
  • Review scan results and fix any issues
  • Keep scan reports for your records

Ongoing requirements:

  • Maintain the security controls you attested to
  • Update your compliance status if your payment methods change
  • Keep vendor agreements current

Set calendar reminders for 30 days before each deadline. Better yet, use a compliance management platform like PCICompliance.com that tracks all your deadlines and sends automatic reminders. When you know a quarterly scan is coming up, you won’t scramble at the last minute.

What triggers a reassessment:

  • Adding new payment channels (like adding e-commerce to a retail-only business)
  • Changing how you handle card data
  • Implementing new payment technology
  • Significant network or system changes

FAQ

Q: I just switched from Square to a traditional processor. Do I need new PCI compliance?

A: Yes, you’ll likely need to complete a different SAQ type. Square qualifies you for SAQ A (the simplest), while a traditional terminal setup requires SAQ B or B-IP. The good news is these are still relatively simple questionnaires.

Q: My old processor never asked about PCI compliance. Why does my new one require it?

A: All processors are supposed to enforce PCI compliance, but some are stricter than others. Your new processor is following the card brand requirements properly. Consider it a good sign that they take security seriously.

Q: Can I just copy my old SAQ for my new processor?

A: Not quite. While your actual compliance status hasn’t changed, you’ll need to complete a fresh questionnaire for your new processor’s records. The answers should be the same if your payment setup hasn’t changed.

Q: How long do I have to complete PCI compliance after switching processors?

A: Most processors give you 30-90 days to submit your initial compliance documentation. Check your merchant agreement or ask your account representative for your specific deadline.

Q: What happens if I don’t complete PCI compliance requirements?

A: Your processor will likely start charging monthly non-compliance fees ($25-300 typically) after the grace period. Continued non-compliance could eventually result in account termination.

Q: Do I need to hire a security consultant to help with PCI compliance?

A: For most small businesses using standard payment setups, no. The self-assessment questionnaires are designed for business owners to complete themselves. If you’re storing card data or have complex systems, professional help might be worthwhile.

Q: If I use multiple payment processors, do I need separate PCI compliance for each?

A: You only need to complete PCI compliance once for your business, but you may need to submit your compliance documentation to each processor. Some processors accept compliance certificates from other processors.

Your Next Steps

Changing payment processors doesn’t mean starting your PCI compliance journey from scratch. If you were compliant before, you’re likely still compliant — you just need to document it for your new processor. If this is your first time dealing with PCI requirements, remember that most small businesses qualify for the simplest questionnaires that take less than an hour to complete.

The key is understanding which SAQ type applies to your business and staying on top of the annual and quarterly requirements. With the right tools and a basic understanding of what’s required, PCI compliance becomes just another routine business task — like filing taxes or renewing your business license.

PCICompliance.com makes this entire process manageable with our free SAQ Wizard that identifies exactly which questionnaire you need, integrated ASV scanning service for your quarterly vulnerability scans, and a compliance dashboard that tracks all your deadlines and documentation in one place. Whether you’re completing your first SAQ or your tenth, our platform guides you through each requirement and keeps you compliant year-round. Start with our free SAQ Wizard to identify your questionnaire type, or contact our compliance team for personalized guidance on your specific situation.
