How to Verify Vendor PCI: A Clear Guide for Small Business Owners
If you just received a PCI compliance questionnaire from your payment processor and your first reaction was “What is this?”, you’re in the right place. Here’s the bottom line: PCI compliance sounds scarier than it usually is for small businesses. Most merchants can complete their requirements in a few hours with the right guidance, and we’ll show you exactly how to verify vendor PCI compliance step by step.
Think of PCI compliance like getting a business license — it’s a requirement for accepting credit cards, but once you understand what’s needed, it’s straightforward to complete and maintain. Let’s demystify this together.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. If you accept, process, store, or transmit credit card payments in any form — whether through a terminal, online, or over the phone — these requirements apply to you.
The major card brands (Visa, Mastercard, Discover, American Express) created these standards through the PCI Security Standards Council. But here’s what matters to you: your acquirer (the bank or payment processor that handles your card transactions) is the one who enforces these requirements and sends you that compliance questionnaire.
Why This Matters to Your Business
Non-compliance has real consequences:
- Fines from your processor (typically $5,000-$100,000 depending on severity)
- Liability for fraud losses if there’s a breach
- Loss of card processing privileges (yes, they can shut off your ability to accept cards)
- Mandatory forensic investigation costs if you’re breached
But here’s the good news: most small businesses qualify for the simplest compliance requirements. You’re not facing the same standards as Amazon or Walmart. The PCI standards scale based on your size and how you handle card data.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes.
It doesn’t matter if you:
- Only process a few transactions per month
- Use a “secure” payment provider
- Never see or touch the actual card numbers
- Only accept cards occasionally at events
If you can accept credit card payments, you need to be PCI compliant.
Understanding Your Merchant Level
Your merchant level determines how you demonstrate compliance:
| Annual Visa Transactions | Merchant Level | Compliance Requirement |
|---|---|---|
| Over 6 million | Level 1 | Annual ROC by QSA |
| 1-6 million | Level 2 | Annual SAQ, Quarterly scans |
| 20,000-1 million | Level 3 | Annual SAQ, Quarterly scans |
| Under 20,000 | Level 4 | Annual SAQ, Quarterly scans* |
*Some acquirers may waive scan requirements for very small Level 4 merchants
Most small businesses are Level 4 merchants, which means you’ll complete a self-assessment questionnaire (SAQ) annually and may need quarterly vulnerability scans.
What Your Payment Processor Expects
When your acquirer sends that compliance questionnaire, they’re typically asking you to:
1. Complete the appropriate SAQ for your business
2. Run quarterly ASV scans if required
3. Submit your AOC (Attestation of Compliance)
4. Maintain compliance year-round
The questionnaire packet might seem overwhelming, but most of it is boilerplate. You’ll only fill out the sections that apply to your specific payment setup.
Which SAQ Do You Need?
This is where most businesses get confused. There are different SAQ types based on how you accept payments. Here’s a plain-language guide:
| How You Accept Payments | Your SAQ Type | Complexity |
|---|---|---|
| Fully outsourced (customer enters card on PayPal, Square, Stripe) | SAQ A | Simplest (22 questions) |
| E-commerce with hosted payment page (WooCommerce + Stripe, Shopify) | SAQ A-EP | Simple (139 questions) |
| Standalone terminal (Square Reader, Clover, Verifone) | SAQ B | Simple (41 questions) |
| Terminal + internet connection (terminal that connects to the processor over the internet) | SAQ B-IP | Moderate (91 questions) |
| Virtual terminal / phone orders (you key in cards manually) | SAQ C-VT | Moderate (84 questions) |
| You store card numbers (please stop doing this) | SAQ D | Complex (329 questions) |
Common Scenarios
“I use Square for everything” → You’re likely SAQ B (if using their physical terminal) or SAQ A (if customers enter their own cards on Square’s website)
“I have a Shopify store” → You’re SAQ A if using Shopify Payments checkout
“I take orders over the phone” → You’re SAQ C-VT if entering cards into a virtual terminal
“I have an old credit card machine” → You’re SAQ B for dial-up terminals or SAQ B-IP for IP-connected terminals
Not sure? Use PCICompliance.com’s free SAQ Wizard — answer a few simple questions about your payment setup and we’ll tell you exactly which SAQ applies.
How to Complete Your SAQ
Once you know your SAQ type, completing it is straightforward:
What the Questionnaire Looks Like
Your SAQ is a series of yes/no questions about your security practices. For example:
- “Do you have a firewall?”
- “Do you change default passwords?”
- “Do you restrict access to cardholder data?”
Important: “Yes” means you currently do this, not that you plan to. If you answer “no” to any required control, you’ll need to implement it or explain why it’s not applicable.
Documentation You’ll Need
Gather these before you start:
- Network diagram (even a simple sketch works for small merchants)
- List of payment systems (terminals, software, websites)
- Security policies (can be simple one-pagers for small businesses)
- ASV scan reports (if required for your SAQ type)
The Quarterly ASV Scan
If your SAQ requires it, you’ll need an Approved Scanning Vendor to scan your network quarterly. This automated scan looks for vulnerabilities in your internet-facing systems. Here’s what to know:
- Scans typically take 1-2 hours to run
- You’ll get a report showing any vulnerabilities
- You must fix critical issues and rescan to pass
- Budget $200-$500 per year for ASV scanning
PCICompliance.com includes ASV scanning with our compliance platform — no need to find a separate vendor.
Submitting Your Compliance
After completing your SAQ:
1. Review all answers for accuracy
2. Have it signed by an executive officer
3. Complete the AOC (a summary attestation form)
4. Submit to your acquirer through their portal
5. Save copies for your records
Most acquirers give you 30-90 days to complete this process.
What It Costs
Let’s be honest about the investment:
Compliance Tools and Platforms
- SAQ completion tools: $200-$500/year
- Compliance management platforms: $500-$2,000/year
- PCICompliance.com: Starting at $299/year (includes SAQ tools and ASV scanning)
ASV Scanning
- Standalone ASV service: $50-$150 per scan
- Annual contracts: $200-$500/year
- Included with PCICompliance.com platform
If You Need a QSA
Most small merchants don’t need a QSA, but if you do:
- Level 1 merchant ROC: $15,000-$50,000
- SAQ validation by QSA: $2,000-$5,000
- Consulting/gap assessment: $150-$300/hour
The Cost of Non-Compliance
Consider the alternative:
- Monthly non-compliance fees: $20-$100 from your processor
- Breach fines: $5,000-$100,000
- Forensic investigation: $20,000+ if breached
- Lost business from suspended card processing
For most small merchants, annual compliance costs less than a single month of non-compliance fees.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done exercise — it’s an annual requirement with ongoing responsibilities.
Annual Requirements
- Complete your SAQ every 12 months
- Update if your payment methods change
- Renew your AOC with your acquirer
Quarterly Requirements
- Run ASV scans (if required)
- Review and fix any vulnerabilities
- Keep passing scan reports on file
Setting Up for Success
Create a compliance calendar:
- January: Annual SAQ due date reminder
- March, June, September, December: Quarterly scan reminders
- Monthly: Review any payment processing changes
When you add new payment methods or change providers, reassess your SAQ type. Moving from a simple terminal to e-commerce might change you from SAQ B to SAQ A-EP.
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and maintaining your compliance history in one place.
FAQ
I’m just a small business – do I really need to worry about PCI?
Yes, but it’s usually simpler than you think. Level 4 merchants (processing less than 20,000 Visa transactions annually) typically complete a short SAQ in under an hour. The real risk is ignoring it — processors can fine you monthly for non-compliance or terminate your merchant account.
What if I only use PayPal or Square?
You still need to be compliant, but you qualify for SAQ A — the simplest form with only 22 questions. Since PayPal and Square handle all the card data, your requirements are minimal. You’ll basically confirm you don’t touch card data and that you redirect customers to their secure pages.
How do I know if I’m storing credit card data?
Check these places: Excel spreadsheets, customer databases, email systems, paper files, and old point-of-sale systems. If you find card numbers anywhere, you’re storing card data. The best practice is to immediately stop storing it and use tokenization or your payment processor’s customer vault instead.
What’s the difference between PCI compliance and being “PCI certified”?
There’s no such thing as “PCI certification” for merchants — you’re either compliant or non-compliant. When vendors claim to be “PCI certified,” they usually mean they’ve completed their own compliance validation. Always ask for their AOC to verify their compliance status.
Do I need to hire a QSA?
Most small businesses don’t need a QSA. You only need one if you’re a Level 1 merchant (over 6 million transactions) or if your acquirer specifically requires it. Level 2-4 merchants complete self-assessment questionnaires without QSA involvement.
What if I fail my ASV scan?
Don’t panic — failing the first scan is common. The scan report will list the vulnerabilities found. Work with your IT provider to fix critical and high-risk issues, then request a rescan. You need a clean passing scan once per quarter, but you can run unlimited scans to get there.
How often do I need to complete PCI requirements?
Annually for your SAQ and quarterly for ASV scans (if required). Your acquirer will typically send reminders, but it’s your responsibility to maintain continuous compliance. Set calendar reminders or use a compliance platform to track deadlines.
Can I just ignore PCI requirements if I’m a small business?
While some very small merchants fly under the radar temporarily, it’s risky. Acquirers are increasingly automated in tracking compliance, issuing fines, and even terminating non-compliant merchants. Plus, if you’re breached while non-compliant, you’re personally liable for all fraud losses.
Conclusion
PCI compliance might seem overwhelming when you first receive that questionnaire, but now you understand what’s actually required. For most small businesses, it’s a matter of completing the right SAQ annually and possibly running quarterly scans. The investment is minimal compared to the risk of fines or losing your ability to accept cards.
The key is identifying your correct SAQ type and staying organized with annual deadlines. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You can complete most SAQs in under an hour with our guided process, and we’ll remind you when it’s time to renew.
Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team if you need guidance. PCI compliance doesn’t have to be complicated — with the right tools and support, you can check this off your list and get back to running your business.