Why Are Quarterly Scans Required?
Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and your eyes glazed over at “quarterly vulnerability scans,” take a deep breath. For most small businesses, the reason quarterly PCI scans are required comes down to one simple thing: they verify your payment systems remain secure throughout the year, not just on the day you fill out your compliance form. The good news? These scans are automated, affordable, and much simpler than they sound — especially if you’re already following basic security practices like keeping your software updated.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit card payments. The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through the PCI Security Standards Council (PCI SSC) to protect cardholder data from theft and fraud.
Think of PCI DSS as the security checklist for handling credit cards. Just like health codes for restaurants or safety standards for vehicles, these requirements ensure businesses handle payment data responsibly. Your acquirer (the bank that processes your card payments) or payment processor enforces these standards by requiring annual compliance validation.
The consequences of non-compliance are real but manageable. Your processor can impose monthly fines ranging from $20 to $100 for small merchants. More seriously, if your business experiences a data breach while non-compliant, you could face liability for fraud losses, forensic investigation costs, and potentially lose your ability to accept credit cards. But here’s the reassuring part: most small businesses qualify for the simplest compliance requirements, which can be completed in an afternoon.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. This includes:
- Physical card swipes or chip insertions at your store
- Online payments through your website
- Phone orders where customers read you their card number
- Mobile payments through Square, PayPal Here, or similar services
- Even if you only process one card payment per year
Most small businesses fall into Merchant Level 4 — processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. This is actually good news because Level 4 merchants have the lightest compliance requirements. You’ll complete a self-assessment questionnaire (SAQ) annually and run quarterly network scans if you have any internet-connected payment systems.
Your payment processor sent you that compliance questionnaire because they’re required to verify all their merchants maintain PCI compliance. It’s not personal — every business that accepts cards gets one. The questionnaire identifies which specific requirements apply to your payment setup.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) is your main compliance document. Different payment setups require different SAQs, ranging from the simple 22-question SAQ A to the comprehensive 329-question SAQ D. Here’s how to determine yours:
| Your Payment Scenario | Your SAQ Type | Complexity | Questions |
|---|---|---|---|
| E-commerce with fully hosted checkout (PayPal, Stripe Checkout) | SAQ A | Simple | 22 |
| E-commerce with payment fields on your site (Stripe Elements, Square Web SDK) | SAQ A-EP | Moderate | 139 |
| Standalone terminal only (no computer connection) | SAQ B | Simple | 41 |
| Terminal connected to internet/computer | SAQ B-IP | Moderate | 82 |
| Virtual terminal for phone/mail orders | SAQ C-VT | Moderate | 85 |
| Any setup where you store card numbers | SAQ D | Complex | 329 |
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B (standalone) or SAQ B-IP (connected to internet). If you have an e-commerce site using Shopify Payments, WooCommerce with Stripe, or similar hosted checkout pages, you’re probably SAQ A. If you take payments over the phone using your processor’s virtual terminal, that’s SAQ C-VT.
The absolute worst-case scenario is SAQ D, which applies if you store credit card numbers in any form — spreadsheets, customer databases, or even paper files. If this is you, stop storing card numbers immediately. It’s rarely necessary and dramatically increases both your compliance burden and breach risk.
Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no payment industry expertise required.
How to Complete Your SAQ
Your SAQ contains yes/no questions about your payment security practices. Despite the technical-sounding language, most questions translate to common-sense security measures. When a question asks if you have a “firewall,” it’s asking if your internet router has its security features turned on. When it asks about “access controls,” it means: do you have passwords on your computers?
“Yes” means you’re already doing it, not that you need to start. For each “no” answer, you’ll need to either implement that security control or explain why it doesn’t apply to your business. Most small merchants can answer “yes” to SAQ A or B questions without changing anything — the requirements often describe security features already built into modern payment systems.
You’ll need to gather some basic documentation:
- Your network setup (for many small businesses, this is just “we have a router and use WiFi”)
- List of who has access to payment systems
- Your basic security policies (even informal ones count)
The quarterly ASV scan requirement sounds intimidating but isn’t. An Approved Scanning Vendor runs automated scans of your internet-facing systems looking for vulnerabilities — think of it as a security checkup for any system connected to the internet. For businesses using cloud-based services or hosted payment pages, these scans often find nothing because you’re not hosting the systems being scanned. Schedule your first scan when you complete your SAQ, then set calendar reminders for every 90 days.
After completing your questionnaire and running a passing scan, you’ll sign an Attestation of Compliance (AOC) — basically a form saying “yes, we completed our PCI requirements” — and submit it to your payment processor. That’s it. You’re compliant.
What It Costs
PCI compliance costs vary by business size and complexity, but for most small merchants, it’s surprisingly affordable:
Compliance platforms and SAQ tools typically run $100-$300 annually for small businesses. This includes access to the questionnaire, guidance on answering questions, and compliance tracking. Some payment processors include basic tools free with your merchant account.
Quarterly ASV scanning costs $30-$50 per scan, or $120-$200 annually. Many compliance platforms bundle scanning with their annual fee. If you’re SAQ A (fully outsourced e-commerce), you might not need scans at all.
QSA assessments only apply to larger merchants (Level 1 and some Level 2). If you’re reading this guide, you probably don’t need one. These formal assessments by Qualified Security Assessors cost $5,000-$50,000+ depending on scope.
Now compare those costs to non-compliance penalties. Monthly fines from your processor range from $20-$100 for small merchants — that’s $240-$1,200 annually just in fines. If you experience a breach while non-compliant, costs skyrocket: forensic investigations ($20,000+), card reissuance fees, fraud reimbursement, and potential lawsuits. You could also lose your merchant account, forcing you to find high-risk processing at much higher rates.
The honest assessment: for most small merchants, annual compliance costs less than three months of non-compliance fines and infinitely less than a single breach.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly touch points. Your processor will send that questionnaire every year, and those ASV scans need to happen every 90 days. But maintaining compliance is mostly about not breaking what’s already working.
Set up these simple reminders:
- Annual: Complete SAQ (same month each year)
- Quarterly: Run ASV scan (every 90 days from your first scan)
- Ongoing: Review if you change payment providers or add new ways to accept cards
Certain changes trigger a reassessment of your SAQ type. Adding a new payment channel (like starting to accept phone orders), changing payment providers, or starting to store card data can all move you to a different SAQ. The good news: if you’re staying with the same payment methods, your requirements rarely change.
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sends reminders before deadlines, and alerts you if any payment system changes might affect your SAQ type. No spreadsheets, no calendar management — just clear visibility into your compliance status.
FAQ
Q: My payment processor says I need quarterly scans, but I only use a standalone credit card terminal. Do I really need them?
A: If you truly have a standalone terminal with no connection to the internet or your computer systems (SAQ B), then no, you don’t need quarterly ASV scans. However, most modern terminals connect to the internet for processing, which makes you SAQ B-IP and requires scans. When in doubt, run the scans — they’re inexpensive insurance against compliance issues.
Q: I’m just a small retailer with one location. Why do I need the same security standards as giant corporations?
A: You don’t — that’s why the SAQ system exists. Large merchants complete 300+ question assessments and undergo formal audits. As a small retailer, you’ll likely complete a 40-80 question self-assessment that focuses on the basics. The standards scale to your size and risk level.
Q: How do I know if my business had a “passing” vulnerability scan?
A: Your ASV scanning provider will issue a clear pass/fail report. “Passing” means no high-risk vulnerabilities were found on internet-facing systems. Most small businesses pass on the first try — common failures involve outdated software or unnecessary services exposed to the internet, both easily fixed.
Q: What happens if I just ignore PCI compliance?
A: Your payment processor will likely start with reminder notices, then monthly fines ($20-$100 typically). Eventually, they may increase your processing rates or terminate your merchant account. If you experience a breach while non-compliant, you become liable for fraud losses and investigation costs that could bankrupt a small business.
Q: Can I just pay someone to handle all this for me?
A: Absolutely. Many Managed Service Providers (MSPs) and IT consultants offer PCI compliance support. For most small businesses, the annual cost ($500-$2,000) is worth the peace of mind. PCICompliance.com also offers guided compliance services that walk you through each requirement.
Q: I use Square for all my payments. Don’t they handle PCI compliance for me?
A: Square (and similar providers) handle most of the technical security, which is why you qualify for simpler SAQ types. However, you still have responsibilities — physical terminal security, employee training, and basic network security. You need to complete your annual SAQ to document that you’re doing your part.
Q: How long does the SAQ take to complete?
A: For SAQ A or B (common for small businesses), expect 1-2 hours if you have your basic information ready. SAQ A-EP or B-IP might take 2-4 hours. The first year takes longest as you learn the terminology — subsequent years go much faster since little typically changes.
Q: What’s the difference between PCI compliance and being “secure”?
A: PCI compliance means meeting specific requirements for handling card data. Being secure is broader — it includes PCI requirements plus protecting all your business data, customer information, and systems. Think of PCI as your minimum security baseline specifically for payment card handling.
Conclusion
Finding that PCI compliance questionnaire in your inbox can feel overwhelming, but now you understand what it means and what you need to do. For most small businesses, PCI compliance boils down to completing a straightforward questionnaire annually and running automated security scans quarterly. The requirements usually confirm security measures you already have in place — that firewall in your router, those passwords on your computers, that secure payment terminal from your processor.
The reason quarterly PCI scans and annual assessments are required isn’t to make your life difficult — it’s to systematically verify that payment card data stays protected throughout the year, not just on assessment day. The cost is minimal compared to the alternatives: processor fines, breach liability, or losing your ability to accept credit cards.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. No more guessing about deadlines, wondering if you’re using the right form, or scrambling when your processor sends that annual notice. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team about guided support. We’ve helped thousands of businesses just like yours turn PCI compliance from a source of stress into a simple part of running a secure business.