Do Invoice Payments Need PCI?

Bottom Line Up Front

If you accept credit card payments for invoices — whether online, over the phone, or even through paper forms — you need to be PCI compliant. But here’s what your payment processor didn’t tell you: for most small businesses, PCI compliance is far simpler than it sounds. You probably qualify for one of the easier self-assessment questionnaires (SAQs) that takes an hour or two to complete annually, not the complex audits you might have heard about.

Your payment processor sent you that compliance questionnaire because the card brands (Visa, Mastercard, American Express, Discover) require it. They want to make sure you’re protecting your customers’ card data. The good news? If you’re using modern payment tools like Square, Stripe, or PayPal to collect invoice payments, you’re already doing most of what’s required. This guide will walk you through exactly what you need to do, in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major credit card companies. Think of it as a security checklist for anyone who handles credit card information. The standard exists because credit card fraud costs billions annually, and the card brands want to ensure everyone in the payment chain does their part to protect cardholder data.

The PCI Security Standards Council (PCI SSC) maintains these standards, but they don’t enforce them directly. Instead, your acquiring bank or payment processor — the company that handles your credit card transactions — enforces compliance. That’s why Stripe, Square, or your merchant services provider sent you that questionnaire.

What happens if you don’t comply? Your payment processor can fine you (typically $5,000-$100,000 per month of non-compliance), increase your processing rates, or terminate your ability to accept cards entirely. If there’s a data breach and you weren’t compliant, you’re liable for the fraud losses, forensic investigation costs, and card reissuance fees. One breach can easily cost a small business $50,000 or more.

Here’s the good news: most small businesses that accept invoice payments qualify for the simplest compliance requirements. If you’re using hosted payment pages, modern terminals, or virtual terminals from reputable providers, you’re likely looking at SAQ A or SAQ B — questionnaires with 20-40 yes/no questions that take an hour or two to complete once a year.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. This includes:

  • Online invoice payments through your website
  • Phone payments where customers read you their card number
  • Email invoices with “Pay Now” buttons
  • Paper order forms where customers write their card details
  • Mobile card readers for on-site payments
  • Recurring billing for subscriptions or payment plans

Your merchant level determines how you demonstrate compliance. Most small businesses processing under 6 million transactions annually are Level 4 merchants. This means you self-assess using an SAQ (Self-Assessment Questionnaire) rather than hiring a QSA (Qualified Security Assessor) for a full audit.

Your payment processor expects you to:
1. Complete the appropriate SAQ annually
2. Run quarterly vulnerability scans if you have any internet-facing systems
3. Complete an AOC (Attestation of Compliance) stating you’ve met the requirements
4. Submit these documents by their deadline (usually annually)

That compliance questionnaire they sent? It’s either the actual SAQ or a simplified version that helps determine which SAQ type you need. Either way, ignoring it won’t make it go away — they’ll eventually suspend your account or start charging non-compliance fees.

Which SAQ Do You Need?

The key to simple compliance is using the right SAQ type. Here’s how to determine yours based on how you accept invoice payments:

| How you accept payments                                                       | SAQ type | Questions | Complexity |
|-------------------------------------------------------------------------------|----------|-----------|------------|
| Customers pay through hosted checkout pages (Stripe Checkout, PayPal, Square) | SAQ A    | 22        | Easiest    |
| Standalone terminals with no electronic storage (basic Square reader)         | SAQ B    | 41        | Easy       |
| Terminal connected to internet but isolated from other systems                | SAQ B-IP | 43        | Easy       |
| You enter cards into a virtual terminal website                               | SAQ C-VT | 81        | Moderate   |
| Phone payments entered into your computer/software                            | SAQ C    | 139       | Moderate   |
| You store card numbers anywhere (stop doing this!)                            | SAQ D    | 329       | Complex    |

Quick Decision Guide:

SAQ A applies if your customers enter their card details on someone else’s website. Examples:

  • Invoice emails with “Pay Online” buttons that go to Stripe Checkout
  • WooCommerce with PayPal redirects
  • Invoicing software that uses iframes for payment collection

SAQ B or B-IP applies if you use standalone terminals or mobile readers:

  • Square Terminal for in-person invoice payments
  • Clover Flex that’s not integrated with your POS
  • PayPal Here for mobile collections

SAQ C-VT applies if you log into a payment provider’s website to process cards:

  • Authorize.net virtual terminal
  • PayPal’s virtual terminal
  • Your processor’s web portal for phone orders

SAQ C or D applies if card data touches your own systems. This is where compliance gets complex and expensive. If you’re storing card numbers in spreadsheets, customer databases, or even email, you need to stop immediately and switch to tokenization or a hosted solution.

Not sure which applies? PCICompliance.com’s free SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need.

How to Complete Your SAQ

Once you know your SAQ type, the actual completion process is straightforward:

Step 1: Download or access the correct SAQ. Your payment processor might provide this, or you can use PCICompliance.com’s digital version that saves your progress.

Step 2: Answer the yes/no questions. Each question asks about a specific security control. For example:

  • “Do you have a firewall?” (For SAQ A, this usually means your office internet router)
  • “Is antivirus installed?” (Your Windows Defender counts)
  • “Do you have a written security policy?” (We provide templates)

“Yes” means you’re doing it, not that you have extensive documentation. For small businesses, “yes” to firewall requirements might simply mean you’re using your internet router’s built-in firewall with default deny rules.

Step 3: Gather basic documentation:

  • Network diagram (can be hand-drawn showing your internet, computers, and payment devices)
  • Written policies (use our templates)
  • ASV scan results (if required for your SAQ type)
  • Service provider attestations (your payment processor should provide these)

Step 4: Complete quarterly ASV scans (if required). An Approved Scanning Vendor runs automated scans of your external IP addresses looking for vulnerabilities. Think of it as a security checkup for any systems visible from the internet. PCICompliance.com is an approved ASV — our scans take about 15 minutes to run and we help you fix any issues found.

Step 5: Submit your package:

  • Completed SAQ
  • Passing ASV scans (if applicable)
  • AOC (Attestation of Compliance) — a one-page form saying you completed the requirements
  • Upload to your processor’s compliance portal or email to their compliance team

Most Level 4 merchants can complete their entire annual compliance in 2-4 hours, including scanning time.

What It Costs

Let’s talk real numbers for small business compliance:

SAQ and Compliance Tools: $100-300 annually for platforms like PCICompliance.com that include:

  • Digital SAQ with guidance for each question
  • Policy templates and documentation tools
  • Compliance tracking dashboard
  • Email reminders for quarterly scans

ASV Scanning: $200-400 annually for quarterly scans. Many compliance platforms include this. Standalone ASV services charge $50-100 per quarter.

If You Need a QSA: Only required for Level 1 merchants (over 6 million transactions) or if you’ve had a breach. QSA assessments cost $10,000-50,000 depending on complexity. The vast majority of businesses accepting invoice payments never need this.

Time Investment: Figure 4-6 hours annually:

  • 2 hours for initial SAQ completion
  • 30 minutes per quarterly scan
  • 1 hour for annual updates

The Cost of Non-Compliance:

  • Monthly processor fines: $5,000-100,000
  • Breach costs: $50,000+ (forensics, card reissuance, fraud liability)
  • Increased processing rates: 0.5-1% higher
  • Loss of card acceptance privileges

For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — PCI compliance actually protects your business from fraud and breach liability.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your processor requires annual recertification and quarterly scans (if applicable). Here’s how to stay on track:

Set Annual Reminders: Mark your calendar for:

  • SAQ renewal (same month each year)
  • Quarterly ASV scans (every 90 days)
  • Policy reviews (annually)
  • Employee security training (annually for anyone handling cards)

Track What Changes: Certain changes require immediate action:

  • New payment methods or channels
  • New locations or terminals
  • Different payment processing software
  • Storing card data when you didn’t before (don’t do this)
  • Moving from outsourced to in-house processing

Use a Compliance Dashboard: Manual tracking in spreadsheets gets messy fast. PCICompliance.com’s dashboard shows your compliance status, upcoming deadlines, and scan history in one place. You’ll get email reminders before each deadline and alerts if anything needs attention.

Keep Your Documentation Current: When your processor asks for proof of compliance (usually annually), you’ll need:

  • Current year’s SAQ and AOC
  • Last four passing ASV scans (if applicable)
  • Evidence of any remediation efforts
  • Updated network diagrams and policies

The key is making compliance part of your routine operations, not a last-minute scramble when your processor threatens fines.

FAQ

What if I only accept checks and ACH for invoices, not credit cards?

PCI DSS only applies to credit and debit card payments. ACH, checks, wire transfers, and other payment methods have different security requirements but aren’t covered by PCI. However, if you accept even one credit card payment per year, you need to comply.

Can I just tell customers we don’t accept credit cards?

You can, but you’ll likely lose 30-50% of potential payments. Most B2B buyers prefer credit cards for the rewards, payment terms, and purchase protection. Instead of avoiding cards entirely, use a simple hosted payment solution that minimizes your compliance burden.

What if I use QuickBooks, FreshBooks, or another invoicing system?

Most major invoicing platforms use hosted payment pages or iframes, qualifying you for SAQ A. Check if the payment form is hosted on their domain (good) or embedded in yours (more complex). When in doubt, ask your invoicing provider which SAQ type their integration requires.

Do I need to be compliant if I only process a few cards per month?

Yes. PCI DSS applies regardless of transaction volume. Even one card payment per year triggers the requirement. The good news is that very small merchants usually qualify for the simplest SAQ types.

What if I’m already using Stripe or Square — aren’t they compliant?

Your payment processor’s compliance covers their systems, not yours. You’re still responsible for your part: how you handle cards before sending them to the processor, your network security, and your policies. Think of it as a shared responsibility model.

How do I know if I’m storing card data?

Search your systems for 16-digit numbers, spreadsheets with customer payment info, emails with card details, or CRM records with full card numbers. Finding any of these means you’re storing card data and need to either stop immediately or implement SAQ D controls.
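As an added example (not code from this article or from PCICompliance.com), the Python script below shows one way to run the search just described over exported text files. It goes a little beyond the "16-digit numbers" rule of thumb: it looks for runs of 13 to 19 digits (card numbers vary in length), keeps only candidates that pass the Luhn checksum that real card numbers satisfy, which filters out most invoice numbers and order references, and reports only the last four digits so the report itself does not become another copy of the card data. The sample text, the directory path and all function names are constructed for this illustration.

```python
import os
import re
from typing import Iterator, List, Tuple

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally
# separated by single spaces or dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample "document": two well-known Luhn-valid test card numbers
# plus two 16-digit values (an invoice number and an order reference) that
# are not card numbers and should not be reported.
SAMPLE_TEXT = """\
Invoice #1234567890123456 for ACME Corp, net 30.
Call 512-555-0134 with questions.
Customer paid by card: 4111 1111 1111 1111 exp 12/26
Backup card on file: 5555-5555-5555-4444
Order ref 9876543210987654 shipped.
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report never holds a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for each Luhn-valid candidate in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((line_no, mask(digits)))
    return hits


def scan_directory(root: str) -> Iterator[Tuple[str, int, str]]:
    """Walk root and yield (path, line_number, masked_pan) for every text-file hit."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    content = fh.read()
            except OSError:
                continue            # unreadable file: skip it rather than abort the sweep
            for line_no, masked in find_pans(content):
                yield path, line_no, masked


if __name__ == "__main__":
    # Demo on the constructed sample. For a real sweep, point scan_directory at a
    # folder of exports, e.g. scan_directory("/path/to/exports") (hypothetical path).
    for line_no, masked in find_pans(SAMPLE_TEXT):
        print(f"line {line_no}: possible stored card number ending {masked[-4:]}")
```

Two practical notes: spreadsheets, databases and mailboxes need to be exported to plain text (CSV, .eml) before a script like this can read them, or swept with a dedicated card-data discovery tool; and a hit means the data must be securely deleted and the process that captured it changed, not merely masked in place.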

What happens if I fail my ASV scan?

Failing scans are common on the first try. You’ll get a report showing what failed (usually outdated software or unnecessary services). Fix the issues and rescan — you only need one passing scan per quarter. PCICompliance.com includes remediation guidance with each scan.

Can I just ignore this whole thing?

Technically yes, but it’s expensive. Non-compliance fines start at $5,000/month and increase over time. Your processor can also raise your rates, hold your funds, or terminate your account. One small breach without compliance could bankrupt a small business.

Conclusion

If you accept credit cards for invoice payments, PCI compliance is required — but it’s manageable. Most businesses collecting payments through modern processors qualify for the simpler SAQ types that take just a few hours annually to complete. The key is identifying your correct SAQ type, using tools that simplify the process, and maintaining compliance year-round rather than scrambling at deadline time.

PCICompliance.com gives you everything needed to achieve and maintain PCI compliance. Start with our free SAQ Wizard to identify exactly which questionnaire applies to your invoice payment setup. Our platform then guides you through each requirement, handles your quarterly ASV scans, and tracks your compliance status year-round. Whether you’re completing your first SAQ or managing compliance across multiple locations, we make the process straightforward and affordable. Take the SAQ Wizard now or talk to our compliance team to get started — most merchants complete their initial assessment in under two hours.
