Why Is Encryption Required?
If you just received a PCI compliance questionnaire from your payment processor and you're wondering why encryption is required for PCI, here's the simple answer: encryption keeps card data unreadable if it is stolen. PCI DSS requires strong cryptography wherever cardholder data crosses open, public networks such as the internet (Requirement 4), and requires stored card numbers to be rendered unreadable by encryption, truncation, tokenization or hashing (Requirement 3). The good news? For most small businesses, meeting these requirements is simpler than you might think, especially if you're already using modern payment terminals or a hosted checkout page: the terminal or the provider does the encryption for you, and full card numbers never touch your own systems.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to every business that accepts credit cards. Think of it as a security checklist created by the card brands (Visa, Mastercard, American Express, Discover and JCB) to protect cardholder data from theft.
The PCI Security Standards Council (PCI SSC) maintains these standards, but your acquirer (the bank or payment processor that handles your card transactions) enforces them. When they send you that annual compliance questionnaire, they’re essentially saying: “Show us you’re protecting card data according to these rules.”
Why should you care? Non-compliance can result in:
- Monthly fines from your processor (typically $25-100 for small merchants)
- Liability for fraud losses if card data gets stolen
- Losing your ability to accept credit cards entirely
Here's the good news: the same PCI DSS requirements apply to every merchant, but how much of the standard touches your environment, and how much validation paperwork you owe, scales with your transaction volume and how you handle card data. A small shop whose systems never see a full card number has far less to prove than Amazon or Target.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes, you need to be PCI compliant.
This includes:
- Swiping, dipping, or tapping cards at a terminal
- Taking payments through your website
- Accepting cards over the phone
- Processing recurring payments
- Even manually entering card numbers into a virtual terminal
Your merchant level determines how you validate compliance. Most small businesses are Level 4 merchants (by Visa's definition: fewer than 20,000 e-commerce transactions a year and up to 1 million total transactions a year; the other brands' levels are similar). This means you complete a Self-Assessment Questionnaire (SAQ) rather than hiring a Qualified Security Assessor (QSA) for an on-site audit.
That compliance questionnaire your processor sent? It’s their way of verifying you meet the requirements for your merchant level. They need it annually to maintain their own compliance with the card brands.
Which SAQ Do You Need?
The SAQ is your primary compliance document — a questionnaire that verifies you’re following security practices appropriate for how you handle card data. There are different SAQ types based on your payment setup:
| How You Take Payments | SAQ Type | Questions (approx.) | Complexity |
|---|---|---|---|
| Redirect to hosted payment page (PayPal, Stripe Checkout) | SAQ A | 22 | Simplest |
| E-commerce with payment fields on your site | SAQ A-EP | 139 | Moderate |
| Standalone terminals only (no connected systems) | SAQ B | 41 | Simple |
| Terminals connected to your network | SAQ B-IP | 82 | Moderate |
| Phone/mail orders without electronic storage | SAQ C-VT | 80 | Moderate |
| You store card numbers electronically | SAQ D | 329+ | Complex |
Question counts are approximate and change between SAQ versions, and the table leaves out two less common types: SAQ C (a payment application on a computer connected to the internet) and SAQ P2PE (terminals in a validated point-to-point encryption solution). Quick scenarios to help you identify your type:
- Square or Clover terminal at your counter? You’re likely SAQ B or B-IP
- Shopify store with their checkout? That’s SAQ A
- WooCommerce with Stripe Elements? Often SAQ A-EP, because your own page serves the checkout. If the card fields are delivered entirely inside an iframe from the provider, the provider (Stripe included) may document you as SAQ A eligible, so check their PCI guidance and confirm with your acquirer
- Taking orders over the phone? SAQ C-VT if you don’t store the numbers
- Saving card numbers in QuickBooks or a spreadsheet? Unfortunately, that's SAQ D, and you should stop: ask your processor for a tokenization or card-on-file service so you can bill repeat customers without ever holding the card number yourself
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.
How to Complete Your SAQ
Your SAQ consists of yes/no questions about your security practices. Each "yes" means you're doing what's required; each "no" means you need to fix something before you can attest. You can also answer "N/A" where a requirement genuinely doesn't apply to your environment (you must note why), or "Yes with CCW" if you meet the requirement's intent through a documented compensating control. The questions cover areas like:
- Whether you have a firewall protecting payment systems
- If you change default passwords on payment devices
- How you restrict access to card data
- Whether you’re using encryption
What you’ll need:
- List of all payment terminals and software
- Network diagram (even a simple one)
- Security policies (we provide templates)
- Vendor compliance certificates (from your payment processor, gateway, etc.)
Some SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV): automated scans of your internet-facing systems for known vulnerabilities. Scans are part of SAQ A-EP, B-IP, C and D but not SAQ B or C-VT, and the SAQ A scan requirement has changed between PCI DSS versions, so check the Requirement 11 section of your own SAQ. You need a passing scan each quarter; a failed scan means fixing the findings and rescanning. Scans typically take 15-30 minutes to run and cost around $150-300 per year for all four quarterly scans.
Once complete, you’ll submit:
- Your filled-out SAQ
- The Attestation of Compliance (AOC) — a summary form stating you’re compliant
- ASV scan reports (if required for your SAQ type)
- Any requested documentation
Your processor reviews these and marks you compliant for the year.
What It Costs
Let’s talk real numbers for small business compliance:
Compliance tools and platforms: $200-500 annually for SAQ completion tools, policy templates, and compliance tracking. Some processors include basic tools with your merchant account.
ASV scanning: $150-300 annually for all four quarterly scans. Required for SAQ A-EP, B-IP, C and D; not for SAQ B or C-VT. Check the current SAQ A, since its scan requirement has changed between PCI DSS versions.
Professional help: Only needed if you’re SAQ D or having trouble. QSA consulting runs $150-300 per hour, but most Level 4 merchants don’t need it.
The cost of NON-compliance:
- Monthly fines: $25-100 (varies by processor)
- Per-incident breach fines: $5,000-100,000
- Forensic investigation costs: $10,000+
- Lost ability to accept cards: priceless
For most small merchants, annual compliance costs less than a single month of non-compliance fines. Think of it as security insurance that costs less than your business liability policy.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly touchpoints. Here’s your compliance calendar:
Annually:
- Complete your SAQ
- Update your security policies
- Train staff on card data security
- Review and update your network diagram
Quarterly:
- Run ASV scans (if required)
- Review scan results and fix any failures
- Check for changes that might affect your SAQ type
As needed:
- Update compliance when you change payment providers
- Reassess if you add new payment channels
- Document any new security measures
Set calendar reminders for these tasks, or use PCICompliance.com’s compliance dashboard to track everything automatically. The dashboard sends alerts before scans are due and tracks your progress throughout the year.
FAQ
My payment processor says I need to be PCI compliant. Is this a scam?
No, this is legitimate. Every merchant that accepts credit cards must validate PCI compliance annually. Your processor is required by Visa, Mastercard, and other card brands to verify your compliance.
I only process a few transactions per month. Do I still need to comply?
Yes. PCI DSS applies to all merchants regardless of transaction volume. The good news is that smaller merchants validate through a simpler self-assessment rather than an on-site audit.
What happens if I ignore the compliance request?
Your processor will likely start charging monthly non-compliance fees ($25-100 typically). Eventually, they may terminate your ability to accept credit cards. If card data gets stolen, you could face significant fines and liability.
Can’t I just check “yes” to all the SAQ questions?
The SAQ is a legal attestation. Falsely claiming compliance when you’re not meeting requirements is fraud. If a breach occurs, you’ll face much higher fines and potential legal action.
How long does the SAQ take to complete?
For SAQ A (the simplest): 30-60 minutes. For SAQ B: 1-2 hours. More complex SAQs can take several hours or days, especially the first time.
Why do I need to do this every year if nothing has changed?
Security isn’t static. New vulnerabilities emerge, staff changes, and payment setups evolve. Annual validation ensures your security measures stay current and effective.
What’s this ASV scan and why does it fail?
ASV scans check your internet-facing systems (your website, plus any terminal, router or remote-access service exposed to the internet) for security vulnerabilities. Common failures include expired certificates, servers that still accept SSL or early TLS (versions 1.0 and 1.1, which the ASV program requires scanners to fail), unnecessary open ports or management interfaces reachable from the internet, and unpatched software with known vulnerabilities. Your scanning provider should give you a report explaining what to fix; once you have fixed the findings, request a rescan, and the quarter counts when a scan passes.
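As an added example (not PCICompliance.com tooling, and not an ASV scanner), here is a small Python self-check you can run against your own storefront before the quarterly scan. It reports the two TLS problems above the way an ASV report would: it handshakes with a modern client to read the certificate's expiry date, then attempts a second handshake capped at TLS 1.1 to see whether the server still accepts early TLS. The hostname is a placeholder you replace with your own; the check covers TLS only, not open ports or missing patches, and it needs network access to the site.

```python
"""Pre-ASV TLS self-check for one public HTTPS endpoint.

Added example, not code from PCICompliance.com or from any ASV.
Usage: python3 pre_asv_check.py shop.example.com
"""
import socket
import ssl
import sys
import time

# Protocol names as returned by ssl.SSLSocket.version(). The PCI ASV Program
# Guide requires scanners to fail SSL and early TLS, so any of these is a finding.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
EXPIRY_WARNING_DAYS = 30


def evaluate_tls(negotiated_version, days_until_expiry, accepts_early_tls=None):
    """Turn raw probe results into ASV-style findings (pure function, runs offline).

    negotiated_version: protocol a default modern client negotiated, e.g. 'TLSv1.2'
    days_until_expiry:  days until the certificate's notAfter (negative = expired)
    accepts_early_tls:  True/False if the early-TLS probe ran, None if inconclusive
    """
    findings = []
    if negotiated_version in OBSOLETE_PROTOCOLS:
        findings.append(f"server negotiated obsolete protocol {negotiated_version}")
    if accepts_early_tls:
        findings.append("server still accepts TLS 1.0/1.1 handshakes")
    if days_until_expiry < 0:
        findings.append(f"certificate expired {-days_until_expiry} days ago")
    elif days_until_expiry < EXPIRY_WARNING_DAYS:
        findings.append(f"certificate expires in {days_until_expiry} days")
    return findings


def probe_default(host, port=443, timeout=5.0):
    """Handshake with a default (modern) client; return (protocol, days until expiry)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            return tls.version(), int((not_after - time.time()) // 86400)


def probe_early_tls(host, port=443, timeout=5.0):
    """Try a handshake capped at TLS 1.1.

    True  = the server accepted early TLS (an ASV failure)
    False = the server refused it
    None  = our own OpenSSL would not offer TLS 1.0/1.1, so the test is inconclusive
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only whether the handshake completes matters here
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError as exc:
        # "no protocols available" means our client refused, not the server
        return None if "no protocols available" in str(exc) else False
    except OSError:
        return False


def main(argv):
    # "shop.example.com" is a placeholder; pass your real storefront hostname.
    host = argv[1] if len(argv) > 1 else "shop.example.com"
    version, days = probe_default(host)
    early = probe_early_tls(host)
    findings = evaluate_tls(version, days, early)
    print(f"{host}: negotiated {version}, certificate valid for {days} more days, "
          f"early TLS accepted: {early}")
    for finding in findings:
        print("  FAIL:", finding)
    if early is None:
        print("  note: early-TLS probe inconclusive on this client; rely on the ASV scan for it")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The findings logic is kept separate from the network probes so it can be checked without a live host; a non-zero exit code lets you wire the script into a monthly cron job and get warned before the scan window opens rather than after a failed report.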
If I use Square/PayPal/Stripe, aren’t they responsible for PCI compliance?
They handle security for their systems, but you’re still responsible for how you use their services. You need to complete an SAQ confirming you’re following secure practices on your end.
Conclusion
That PCI compliance questionnaire in your inbox isn’t as scary as it looks. For most small businesses, compliance means answering a straightforward questionnaire, running quarterly security scans, and following basic security practices you’re probably already doing. The entire process typically costs less than what you’d pay in non-compliance fines after just a few months.
PCICompliance.com simplifies the entire compliance journey — our free SAQ Wizard identifies exactly which questionnaire you need based on your specific payment setup, our ASV scanning service handles your quarterly vulnerability scans with clear remediation guidance, and our compliance dashboard tracks your progress year-round with automatic reminders. Rather than juggling spreadsheets and calendar alerts, you get a single platform that guides you through each requirement. Start with our free SAQ Wizard to identify your questionnaire type in under 5 minutes, or talk to our compliance team for personalized guidance on your path to PCI compliance.