Can I Skip PCI Scans? The Truth About PCI Compliance for Small Businesses
Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and you’re wondering “can I skip PCI scan requirements?” — here’s what you need to know: No, you can’t skip PCI compliance if you accept credit cards, but for most small businesses, it’s much simpler than you think.
The scary-looking questionnaire in your inbox is probably just an SAQ (Self-Assessment Questionnaire), and depending on how you accept payments, you might only need to answer a handful of yes/no questions. The quarterly scan everyone talks about? It’s an automated vulnerability scan that takes minutes to set up. This guide will walk you through exactly what you need to do, how much it costs, and how to get it done without hiring a consultant.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist designed to protect credit card data from hackers. If you accept, process, store, or transmit credit card information in any way, these requirements apply to you.
The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquiring bank or payment processor (the company that handles your credit card transactions) is responsible for making sure you comply. That’s why you received that questionnaire — your processor needs to verify you’re following the rules.
What happens if you ignore it? Your processor can fine you anywhere from $5,000 to $100,000 per month for non-compliance. If there’s a data breach and you weren’t compliant, you’re liable for the fraud losses, forensic investigation costs, and card reissuance fees. In extreme cases, you could lose the ability to accept credit cards entirely.
The good news? Most small businesses qualify for the simplest compliance paths. If you’re using modern payment tools like Square, Stripe, or PayPal, you’re already doing most of what’s required. The compliance process just documents what you’re doing.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, you need to be PCI compliant. It doesn’t matter if you’re a massive retailer or a single-person consultancy — if credit card numbers touch your business in any way, the requirements apply.
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants typically complete a self-assessment rather than hiring an outside assessor.
Your payment processor expects you to:
- Complete the appropriate SAQ for your business annually
- Submit an Attestation of Compliance (AOC) confirming you’ve met the requirements
- If required by your SAQ type, pass quarterly ASV scans of your internet-facing systems
- Maintain compliance throughout the year, not just at assessment time
That questionnaire they sent you is your annual compliance requirement. It’s not optional, and it won’t go away if you ignore it. But completing it is probably easier than you think.
Which SAQ Do You Need?
The PCI Security Standards Council offers different SAQ types based on how you handle card data. Here’s how to figure out which one applies to your business:
| How You Accept Payments | SAQ Type | Complexity | Requirements |
|---|---|---|---|
| Redirect to payment provider (PayPal, Stripe Checkout) | SAQ A | Simplest | 22 questions |
| E-commerce with payment fields on your site (Stripe Elements) | SAQ A-EP | Simple | 139 questions |
| Standalone terminal only (Square Reader, Clover) | SAQ B | Simple | 41 questions |
| Terminal + internet connection | SAQ B-IP | Moderate | 91 questions |
| Phone orders (no electronic storage) | SAQ C-VT | Moderate | 81 questions |
| Manual key entry on computer | SAQ C | Complex | 139 questions |
| Store card numbers electronically | SAQ D | Most Complex | 329 questions |
Common scenarios:
- Coffee shop with a Square terminal: SAQ B or B-IP
- Online store using Shopify: SAQ A (Shopify handles everything)
- Service business taking cards over the phone: SAQ C-VT
- Restaurant with traditional POS system: Likely SAQ D (time to modernize!)
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need. No technical knowledge required.
How to Complete Your SAQ
Once you know which SAQ type you need, here’s what the process looks like:
The questionnaire itself is a series of yes/no questions about your security practices. For example, SAQ A might ask: “Are all payment pages hosted by a PCI DSS compliant service provider?” If you use Stripe Checkout, the answer is yes.
Each “yes” answer means you’re doing what the standard requires. A “no” answer means you need to either implement that control, put an alternative measure in place that meets the same security objective (called a compensating control), or document why the requirement doesn’t apply to your business.
Documentation you’ll need:
- List of all payment acceptance methods
- Contracts with payment service providers
- Network diagram (for more complex SAQ types)
- Security policies (templates are usually acceptable for small businesses)
- ASV scan reports (if required)
The quarterly ASV scan applies if your SAQ type requires it (most do, except SAQ A and SAQ B). An Approved Scanning Vendor runs automated scans of your external IP addresses looking for vulnerabilities. It’s not invasive — think of it as a security checkup for your internet-facing systems. You’ll need to:
- Provide your public IP addresses
- Run the scan quarterly
- Fix any failing vulnerabilities
- Obtain a passing scan report
Submitting your compliance:
- Complete all SAQ questions
- Gather required documentation
- Sign the Attestation of Compliance
- Submit everything to your payment processor
- Schedule your next annual assessment
Most small businesses can complete their SAQ in a few hours once they understand what’s being asked.
What It Costs
Let’s talk real numbers for PCI compliance costs:
Compliance platform and SAQ tools: $100-500 annually for small merchants. This typically includes:
- Access to the correct SAQ
- Guidance for each question
- Document templates
- Compliance tracking
Quarterly ASV scanning: $50-150 per scan, or $200-600 annually. Many compliance platforms bundle this with their SAQ tools.
If you need a QSA: Small businesses rarely need a Qualified Security Assessor. Level 1 merchants (processing over 6 million transactions annually) must have a QSA perform an assessment, which costs $10,000-50,000+. But if you’re reading this guide, you probably don’t need one.
The cost of NON-compliance:
- Monthly fines from your processor: $5,000-100,000
- Breach liability: Average of $150 per compromised card
- Forensic investigation: $10,000-100,000+
- Loss of card processing privileges: Priceless (and business-ending)
Bottom line: For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not an expense — it’s insurance.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your annual assessment expires after 12 months, and you’ll need quarterly ASV scans (if required) throughout the year. Here’s how to stay on track:
Set up reminders for:
- Annual SAQ renewal (2 months before expiration)
- Quarterly ASV scans (every 90 days)
- Security updates for payment systems
- Employee security training (annually)
What triggers a new assessment:
- Changing payment processors
- Adding new payment channels (like adding e-commerce to a retail store)
- Significant changes to your network or payment systems
- Moving from outsourced to in-house payment processing
PCICompliance.com’s compliance dashboard tracks all your deadlines, sends automatic reminders, and maintains your compliance history. You’ll never wonder when your next scan is due or where to find last year’s AOC.
Year-round best practices:
- Keep payment systems updated
- Train staff on security policies
- Document any changes to your payment environment
- Maintain your ASV scan schedule
- Review your SAQ type if your business model changes
FAQ
Q: What happens if I just ignore the PCI compliance questionnaire?
Your payment processor will likely start with reminder emails, then escalate to monthly non-compliance fees (typically $20-100 for small merchants). Eventually, they may increase your processing rates, hold your funds, or terminate your merchant account entirely. It’s much easier to just complete the questionnaire.
Q: I only process a few cards per month. Do I still need to comply?
Yes, PCI DSS applies to any business that accepts credit cards, regardless of volume. The good news is that with low volume, you’re likely eligible for one of the simpler SAQ types that takes less than an hour to complete.
Q: My payment processor says they handle PCI compliance. Am I covered?
Your processor might handle the security of transactions once they reach their systems, but you’re still responsible for compliance at your end. If you redirect all card data to them (never touching your systems), you qualify for SAQ A, the simplest form — but you still need to complete it.
Q: Do I need to hire a security consultant to help with PCI compliance?
Most small businesses don’t need a consultant. If you qualify for SAQ A, A-EP, B, or B-IP, the questionnaire is straightforward enough to complete yourself with basic guidance. Compliance platforms like PCICompliance.com provide the templates and help you need without consultant fees.
Q: What’s the difference between a vulnerability scan and penetration testing?
ASV scans are automated checks of your external-facing systems, required quarterly for most SAQ types. Penetration testing is a manual security assessment required only for SAQ D merchants. Most small businesses only need the automated scans.
Q: Can I self-certify my compliance or do I need an auditor?
Level 4 merchants (most small businesses) can self-certify by completing the appropriate SAQ. Only Level 1 merchants need a formal assessment by a QSA. Your merchant level depends on your annual transaction volume, which your processor can tell you.
Q: What if I fail my ASV scan?
Don’t panic — failing vulnerabilities are common on the first scan. Your ASV provider will give you a report showing what needs to be fixed. Address the vulnerabilities (usually updating software or adjusting firewall rules), then request a rescan. You have unlimited rescans within your quarterly window.
Q: How long does PCI compliance take?
For simple SAQ types (A, B): 1-2 hours to complete the questionnaire. For moderate complexity (A-EP, C-VT): 4-8 hours including documentation. Setting up and passing your first ASV scan might take another 2-4 hours. After the first year, renewals are much faster.
Conclusion
Can you skip PCI scan requirements? No — but for most small businesses, PCI compliance is far less daunting than it first appears. That intimidating questionnaire from your payment processor probably boils down to a few dozen yes/no questions about practices you’re already following. The quarterly scans are automated, the costs are reasonable, and the alternative — fines, liability, and lost processing privileges — makes compliance a no-brainer.
The key is identifying which SAQ type applies to your business and understanding what’s actually required. Modern payment tools have already done most of the heavy lifting for you. Your job is simply to document your setup and maintain a few basic security practices.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll spend less time on compliance and more time on what matters: running your business. Start with our free SAQ Wizard to see just how simple your path to compliance really is, or talk to our compliance team if you need guidance getting started.