What Evidence for SAQ? A Simple Guide to PCI Compliance for Small Businesses
Your Payment Processor Just Sent You a Compliance Questionnaire — Now What?
If you just received a PCI compliance questionnaire from your payment processor and your first thought was “What on earth is this?” — you’re not alone. Every day, thousands of business owners open these emails with a mix of confusion and dread. Here’s the good news: for most small businesses, SAQ evidence requirements are far simpler than they first appear. You don’t need a computer science degree or a compliance team. You just need to understand what’s being asked and gather a few basic documents.
Think of PCI compliance like getting a driver’s license. It sounds intimidating at first, but once you understand the process, it’s just a matter of following the steps. This guide will walk you through everything you need to know, in plain English, without the technical jargon that makes compliance seem harder than it is.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security rules created by the major credit card brands (Visa, Mastercard, American Express, Discover, JCB) to protect cardholder data. If you accept credit cards — whether in person, online, or over the phone — these rules apply to you.
The card brands created an organization called the PCI Security Standards Council (PCI SSC) to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) does the enforcement. When they send you that compliance questionnaire, they’re essentially saying: “Show us you’re following the rules to protect card data.”
What happens if you don’t comply? Your payment processor can impose fines (typically $5,000-$100,000 per month for non-compliance), and if there’s a data breach, you could be liable for fraud losses and forensic investigation costs. In extreme cases, you could lose the ability to accept credit cards altogether. But here’s the thing most compliance companies won’t tell you: for most small businesses, achieving compliance takes just a few hours per year.
The key is understanding which type of Self-Assessment Questionnaire (SAQ) applies to your business. Most small merchants qualify for the simplest versions, which have as few as 22 yes/no questions.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a Fortune 500 company or a food truck — if you take card payments, PCI compliance applies to you.
Your merchant level determines how you demonstrate compliance. Most small businesses fall into Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete a self-assessment rather than hiring an external auditor, which saves thousands of dollars.
When your payment processor sends that compliance questionnaire, they’re fulfilling their obligation to the card brands. They need to verify that every merchant in their portfolio follows security standards. The questionnaire typically includes:
- Instructions for accessing their compliance portal
- A deadline (usually 30-90 days)
- References to fines for non-compliance
- Sometimes, confusing technical terms that make the whole thing seem overwhelming
Don’t panic. That questionnaire is just asking you to confirm you’re following basic security practices — many of which you’re probably already doing.
Which SAQ Do You Need?
The SAQ (Self-Assessment Questionnaire) comes in different versions based on how you handle card payments. Think of it like tax forms — there’s a simple version for straightforward situations and more complex versions for complicated setups. Here’s how to determine which one applies to you:
| How You Take Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Redirect to payment processor (PayPal, Square online) | SAQ A | 22 | Simple |
| E-commerce with payment fields on your site (Stripe Elements) | SAQ A-EP | 191 | Moderate |
| Terminal only, no electronic storage | SAQ B | 41 | Simple |
| Terminal with IP connection | SAQ B-IP | 82 | Simple |
| Manual card entry (virtual terminal) | SAQ C-VT | 85 | Moderate |
| Mixed/complex environment | SAQ C | 160 | Complex |
| Store card data electronically | SAQ D | 329 | Very Complex |
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’ll likely complete SAQ B or SAQ B-IP. The difference? SAQ B is for standalone terminals with no network connection, while SAQ B-IP covers terminals that connect via the internet.
If you have an e-commerce site with hosted checkout (where customers are redirected to Shopify, PayPal, or another processor’s page to enter card details), you’ll complete SAQ A — the simplest form with just 22 questions.
If you take payments over the phone using a virtual terminal (typing card numbers into a web page), you’ll need SAQ C-VT. This assumes you don’t store card numbers after the transaction.
If you store card numbers in any form — written down, in spreadsheets, in your system — you’re looking at SAQ D, the full questionnaire. Fair warning: if this is you, your first step should be to stop storing card data. It’s rarely worth the compliance burden.
PCICompliance.com offers a free SAQ Wizard that asks a few simple questions about your payment setup and tells you exactly which questionnaire applies. It takes less than two minutes and removes the guesswork.
How to Complete Your SAQ
Once you know which SAQ applies, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices. Here’s what to expect:
The questions look intimidating but often aren’t. For example, an SAQ A might ask: “Is access to system components and cardholder data limited to authorized individuals?” If you’re using Stripe or PayPal, you never touch cardholder data, so this is automatically “yes.”
“Yes” means you do it, not that you have perfect documentation. When the SAQ asks if you have a firewall, and you’re using Windows Defender or your router’s built-in firewall, the answer is yes. You don’t need enterprise-grade security appliances.
For SAQ evidence requirements, you’ll typically need:
- Network diagram (can be as simple as a hand-drawn sketch showing your internet connection, computers, and payment devices)
- Asset inventory (a list of computers and devices that handle payments)
- Security policies (basic written procedures for password requirements and handling card data)
- ASV scan reports (quarterly scans of your internet-facing systems)
The quarterly ASV scan deserves special mention. If you accept payments online or have any internet-facing systems, you’ll need an Approved Scanning Vendor to scan your external IP addresses four times per year. The scan checks for vulnerabilities that could be exploited by attackers. It’s automated, typically costs $200-$500 per year, and most merchants pass on the first try.
After answering all questions, you’ll generate an Attestation of Compliance (AOC). This is the official document you submit to your payment processor confirming your compliance status. Think of it as your compliance certificate for the year.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your setup, but here’s what most small businesses can expect:
Compliance platform and SAQ tools typically run $200-$500 annually. This includes access to the questionnaire, help completing it, and tracking tools to manage your compliance year-round.
Quarterly ASV scanning costs $200-$500 per year for most small merchants. Some compliance platforms bundle this with their annual fee.
If you need a QSA (Qualified Security Assessor), budget $5,000-$15,000 for a formal assessment. However, most small merchants never need this — it’s typically required only for Level 1 merchants or after a breach.
Compare this to the cost of non-compliance: monthly fines from your processor starting at $5,000, potential breach liability averaging $150 per compromised card, and the catastrophic possibility of losing your ability to accept credit cards. When you consider that a single non-compliance fine costs more than a decade of compliance tools, the investment makes sense.
For most Level 4 merchants, annual compliance costs less than you spend on coffee for the office. It’s not a profit center for your business, but it’s essential insurance that keeps you in business.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your compliance status resets annually, and certain requirements need attention throughout the year. Here’s how to stay on track:
Set calendar reminders for your annual SAQ (typically due on the anniversary of your last submission) and quarterly ASV scans. Missing a scan deadline can invalidate your compliance status.
Track what changes. Adding a new payment channel, changing processors, or updating your e-commerce platform might change your SAQ type. When in doubt, re-run the SAQ wizard to confirm you’re completing the right questionnaire.
Keep evidence organized. Store your network diagrams, security policies, and scan reports in one place. When next year’s assessment comes around, you’ll thank yourself for the organization.
Watch for processor communications. Your acquirer might update their requirements or request additional documentation. These emails often look like junk mail, but ignoring them can result in fines.
PCICompliance.com’s compliance dashboard automates much of this tracking. It sends reminders for upcoming scans, alerts you to missing requirements, and stores all your compliance documentation in one secure location. Think of it as TurboTax for PCI compliance — guiding you through each requirement and keeping records for future years.
Frequently Asked Questions
What if I only process a few transactions per month?
Transaction volume doesn’t exempt you from PCI compliance. If you accept even one credit card payment per year, PCI DSS applies. The good news is that low-volume merchants typically qualify for the simplest SAQ types, making compliance quick and affordable.
Do I need to hire a security consultant?
Most small businesses don’t need external help beyond basic tools. If you qualify for SAQ A, B, or C-VT, you can complete the assessment yourself using a compliance platform. Only SAQ D merchants typically need consultant support.
What’s the difference between SAQ and ROC?
An SAQ is a self-assessment you complete yourself; a ROC requires an external assessor. Level 4 merchants (most small businesses) use SAQs. Only Level 1 merchants or those required by their acquirer need a formal Report on Compliance (ROC) from a QSA.
How do I know if I’m storing card data?
Check everywhere card numbers might be saved: email, spreadsheets, customer databases, paper files, even post-it notes. If you find any stored card numbers, your immediate priority should be secure deletion and moving to tokenization or a payment processor that handles storage for you.
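As an added example (not code from PCICompliance.com or the original article), here is a small Python script that applies the check described in this answer, and in the SAQ D warning above, to exported text: it looks for digit runs that could be card numbers, confirms them with the Luhn check digit test that all major card brands use, and reports them masked so the findings themselves do not become stored cardholder data. The sample lines and the order, phone and tracking numbers in them are constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (which filters out most tracking IDs).
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in any report output."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in one string; digit runs failing Luhn are skipped."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Scan text lines (a spreadsheet export, a mailbox dump) into (line number, masked PAN) pairs."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


# Constructed sample content standing in for an exported spreadsheet or mailbox.
# The card numbers are the well-known 4111... and 5555... brand test numbers;
# line 3 is a 16-digit number that is NOT a card number and must not be flagged.
SAMPLE_LINES = [
    "Order 10293 paid by card 4111 1111 1111 1111 exp 12/27",
    "Customer phone 555-123-4567, invoice 20240117",
    "Tracking number 4111111111111112 shipped Monday",
    "Card on file: 5555-5555-5555-4444 (do not share)",
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: possible stored card number {masked}")
```

Run it over exported copies of the places listed above (mail archives, spreadsheets saved as CSV, database dumps); every hit is a location where card data must be securely deleted before you can honestly claim the simpler SAQ types.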
What if I fail my ASV scan?
Failing an initial scan is common and not catastrophic. The scan report shows exactly what needs fixing — usually outdated software or unnecessary services. Fix the issues, rescan (usually free), and you’ll likely pass. Most merchants pass by their second or third scan.
Can I just ignore PCI compliance?
Technically yes, but the consequences make it a terrible idea. Your processor will eventually catch up, leading to monthly fines, increased transaction fees, or account termination. One breach could bankrupt a small business through fraud liability and investigation costs.
What if my payment processor hasn’t asked for compliance?
Don’t wait for them to ask. Some processors are slow to enforce compliance, but that doesn’t reduce your liability in case of a breach. Proactive compliance protects your business and your customers.
Do I need compliance if I use PayPal/Square/Stripe exclusively?
Yes, but it’s usually the simplest form. These processors significantly reduce your compliance burden, typically qualifying you for SAQ A with just 22 questions. You still need to complete the annual assessment, but it takes less than an hour.
Your Next Steps
PCI compliance might seem overwhelming when that first questionnaire arrives, but you’ve now seen it’s manageable for most small businesses. The SAQ evidence requirements typically involve basic documentation you already have or can quickly create. The key is identifying the right SAQ type for your business and systematically working through the requirements.
Start by understanding how you handle card payments, then use that information to identify your SAQ type. Gather your basic documentation — network diagram, device inventory, and security policies don’t need to be complex to be compliant. Schedule your quarterly ASV scans if required, complete your questionnaire honestly, and submit your attestation.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll join thousands of merchants who’ve discovered that PCI compliance doesn’t have to be the nightmare everyone warns about. Start with our free SAQ Wizard to identify your requirements in under two minutes, or talk to our compliance team if you need guidance. With the right tools and clear guidance, you can achieve compliance in hours, not weeks, and get back to running your business.