Phone Orders: Which SAQ?

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re taking PCI compliance for phone orders seriously, here’s the good news: most businesses that accept card payments over the phone qualify for one of the simpler SAQ types. You don’t need a computer science degree or a security team. You just need to understand which questionnaire applies to your business and answer some straightforward yes/no questions about how you handle card data.

The compliance process typically takes a few hours, not weeks. And once you’re compliant, maintaining it is mostly about remembering to complete your annual questionnaire and quarterly scans. Let’s walk through exactly what you need to do.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover — through an organization called the PCI Security Standards Council. Think of it as a security checklist designed to protect credit card information from theft.

If you accept credit cards in any form — whether through a terminal, online, or over the phone — these requirements apply to you. Your payment processor or acquiring bank enforces them because they’re ultimately responsible to the card brands for any security breaches in their merchant network.

The consequences of non-compliance are real but manageable. Your processor can fine you (typically $5,000-$100,000 per month until you’re compliant), you’ll be liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards. But here’s what they don’t tell you: achieving compliance is straightforward for most small businesses, especially if you’re already following basic security practices.

Your payment processor sends that annual questionnaire because the card brands require them to verify that every merchant in their portfolio is following security standards. They’re not trying to make your life difficult — they’re protecting both of you from the massive costs of a data breach.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. This includes:

  • Swiping, dipping, or tapping cards through a terminal
  • Taking payments over the phone
  • Processing cards through your website
  • Manually entering card numbers into any system
  • Even if you only process one card per year

Most small businesses fall into Merchant Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total Visa transactions annually). This is good news because Level 4 merchants complete a self-assessment questionnaire (SAQ) rather than hiring an external auditor.

Your payment processor expects you to:
1. Complete the appropriate SAQ annually
2. Run quarterly vulnerability scans if you have any systems connected to the internet
3. Attest that you’re following the security practices outlined in your SAQ
4. Submit your compliance documentation by their deadline

That questionnaire they sent? It’s your starting point. They’re asking you to self-assess your security practices and confirm you’re protecting cardholder data appropriately.

Which SAQ Do You Need?

The type of SAQ you complete depends entirely on how you accept and process card payments. Here’s the decision tree in plain language:

| How You Accept Payments                          | Your SAQ Type | Complexity | Questions |
|--------------------------------------------------|---------------|------------|-----------|
| Standalone terminal only (no connected systems)  | SAQ B         | Simple     | 41        |
| Terminal connected to internet/computer          | SAQ B-IP      | Simple     | 82        |
| Phone orders with virtual terminal               | SAQ C-VT      | Moderate   | 160       |
| E-commerce with fully hosted checkout            | SAQ A         | Simplest   | 22        |
| E-commerce with payment fields on your site      | SAQ A-EP      | Simple     | 191       |
| Paper forms, multiple channels                   | SAQ C         | Moderate   | 160       |
| Store card numbers in any system                 | SAQ D         | Complex    | 329       |

For phone orders specifically, your SAQ type depends on how you enter the card information:

  • If you use a web-based virtual terminal (logging into your processor’s website), you need SAQ C-VT
  • If you key cards into a standalone terminal, you need SAQ B or SAQ B-IP
  • If you write down card numbers first (please stop), you need SAQ C or SAQ D

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no technical knowledge required.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Each question asks whether you’ve implemented a specific security control. Here’s what the process looks like:

1. The Questions
Most questions are straightforward: “Do you change default passwords?” or “Is your payment terminal in a secure location?” When you answer “yes,” you’re confirming that control is in place. If you answer “no,” you’ll need to either implement that control or explain why it doesn’t apply to your business.

2. Documentation You’ll Need
Gather these before you start:

  • List of all payment terminals and their locations
  • Your network diagram (even a simple sketch works for small businesses)
  • Vendor agreements for any third-party payment services
  • Written security policies (many SAQ tools provide templates)

3. The Quarterly ASV Scan
If your SAQ type requires it, you’ll need an Approved Scanning Vendor to scan your internet-facing systems four times per year. This automated scan checks for vulnerabilities in your network. It’s not invasive — think of it as a security checkup that runs from outside your network. Schedule your first scan as soon as you identify your SAQ type, as it can take a few days to get results.

4. Submitting Your Compliance Package
Once you’ve answered all questions and passed your scan (if required), you’ll generate an Attestation of Compliance (AOC). This is your official declaration that you meet PCI requirements. Submit this along with your completed SAQ and passing scan results to your payment processor by their deadline.

The entire process typically takes 2-4 hours for simple SAQ types, or 1-2 days for more complex ones. You’re not writing an essay — you’re checking boxes and gathering existing documentation.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and chosen approach:

Compliance Platform/Tools

  • Self-service SAQ tools: $100-300/year
  • Guided compliance platforms: $200-500/year
  • Full-service with support: $500-1,500/year

ASV Scanning (if required)

  • Basic quarterly scanning: $200-400/year
  • Scanning with remediation support: $400-800/year
  • Unlimited scanning packages: $600-1,200/year

Professional Help (rarely needed for Level 4 merchants)

  • QSA consultation: $150-300/hour
  • Full QSA assessment: $5,000-15,000 (only for Level 1 merchants)

The Cost of NON-Compliance

  • Monthly processor fines: $5,000-100,000
  • Breach liability: $50-90 per compromised card
  • Forensic investigation: $10,000-100,000
  • Lost ability to process cards: business-ending

For most small merchants accepting phone orders, PCI compliance costs less than $1,000 annually — far less than a single month’s non-compliance fine. It’s not an expense; it’s insurance against catastrophic losses.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your processor will ask for updated documentation every year, and certain SAQ types require quarterly scanning. Here’s how to stay on track:

Set Annual Reminders
Mark your calendar 60 days before your compliance anniversary. This gives you time to complete your SAQ without rushing. Most processors send reminders, but don’t count on them.

Track Quarterly Scans
If you need ASV scanning, schedule all four quarterly scans at once. Missing a quarter means non-compliance, even if everything else is perfect.

Monitor for Changes
These changes require reassessing your SAQ type:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or terminals
  • Storing card data when you didn’t before
  • Significantly increasing transaction volume

Use a Compliance Dashboard
Manual tracking leads to missed deadlines. PCICompliance.com’s dashboard shows your compliance status at a glance, sends automated reminders, and stores all your documentation in one secure location.

FAQ

Q: I only process a few cards per month. Do I really need to comply?

Even if you process just one card per year, PCI DSS applies to you. The good news is that your low volume means simpler requirements and lower costs. Your processor doesn’t care about your volume when it comes to compliance — they care that every merchant protects card data.

Q: What happens if I just ignore the compliance questionnaire?

Your processor will start with reminder notices, then move to monthly fines (typically starting at $5,000). Eventually, they can terminate your merchant account, meaning you lose the ability to accept credit cards. Compliance is part of your merchant agreement — ignoring it isn’t an option.

Q: Can I just say “yes” to all the questions to pass?

Falsely attesting to compliance is fraud and makes you personally liable for any breach. The questions are designed to be achievable — if you can’t answer “yes” truthfully, the fix is usually simple. Better to implement the control than to lie about it.

Q: Do I need to hire a QSA?

Level 4 merchants (most small businesses) complete self-assessment questionnaires without external validation. You only need a QSA if you’re Level 1 or your acquirer specifically requires it. For phone orders, a QSA is almost never required unless you’re processing millions of transactions.

Q: I use a virtual terminal for phone orders. Am I storing card data?

Using a web-based virtual terminal doesn’t mean you’re storing data — the terminal provider handles storage. However, if you write down card numbers, save them in spreadsheets, or keep them in your email, that’s storage and dramatically increases your compliance burden.

Q: How long does PCI compliance take?

For most merchants using SAQ B or C-VT, expect 2-4 hours to complete your first assessment. Annual recertification is faster — usually under an hour if nothing has changed. The quarterly scan is automated and requires no time beyond initial setup.

Q: What if I fail my vulnerability scan?

Failing your first scan is normal — most merchants have at least one finding to address. Your ASV provides a detailed report showing what needs fixing. Common issues include outdated software or unnecessary services. Fix the issues and rescan; most problems are resolved within days.

Q: Is PCI compliance the same as being secure?

PCI DSS establishes minimum security standards, not maximum protection. Think of it as the foundation of payment security. Smart merchants go beyond PCI requirements with additional security measures, but compliance is your essential starting point.

Conclusion

PCI compliance for phone orders sounds intimidating until you understand what’s actually required. For most businesses taking payments over the phone, it means completing an SAQ C-VT questionnaire annually, running quarterly scans if you have internet-connected systems, and following common-sense security practices you’re probably already doing.

The key is identifying your correct SAQ type and using the right tools to guide you through the process. PCICompliance.com makes this simple — our free SAQ Wizard determines exactly which questionnaire applies to your business, our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard keeps you on track throughout the year.

Start with our SAQ Wizard to identify your requirements in under five minutes, or talk to our compliance team if you need guidance. We’ve helped thousands of merchants achieve and maintain compliance without the confusion or complexity. Your payment processor sent you that questionnaire for a reason — let’s help you complete it correctly and keep your business protected.
