Change Management Policy Template
Relax — for most small businesses, PCI compliance is simpler than you think. If you just received a PCI compliance questionnaire from your payment processor and have no idea where to start, you’re in the right place. While the term “change management policy template” might sound technical and overwhelming, the truth is that most small merchants don’t need complex policies and procedures. The PCI requirements that apply to you are likely much more straightforward than the jargon suggests.
Here’s what you actually need to know: PCI compliance is required if you accept credit cards (spoiler: you do), your payment processor is asking for proof of compliance (that’s the questionnaire they sent), and completing your compliance is probably easier than setting up your original merchant account. Let’s break it down in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) exists for one simple reason: to protect credit card data from hackers and fraud. If you accept, process, store, or transmit credit card information in any way — whether through a point-of-sale terminal, website, or phone orders — these standards apply to you.
The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But here’s the important part: your acquirer (the bank or payment processor that handles your card transactions) is the one who enforces compliance. They’re the ones who sent you that questionnaire, and they’re the ones who can impose consequences for non-compliance.
Speaking of consequences — let’s be clear about what happens if you ignore PCI compliance. Your payment processor can fine you monthly (typically $20-$100 for small merchants), you become liable for fraud losses if there’s a breach, and in extreme cases, you could lose your ability to accept credit cards altogether. That last one rarely happens to small businesses, but the monthly fines are real and add up quickly.
The good news? Most small businesses qualify for the simplest SAQ (Self-Assessment Questionnaire) types, which can be completed in an afternoon. You don’t need a team of security experts or expensive consultants. You just need to understand which questionnaire applies to you and answer some straightforward yes/no questions about how you handle card payments.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a corner coffee shop with one card reader or an online boutique — if customers can pay you with a credit or debit card, PCI compliance is mandatory.
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news because Level 4 merchants have the simplest PCI requirements — typically just completing an SAQ and running quarterly vulnerability scans if you have an e-commerce presence.
What does your payment processor expect from you? They want proof that you’re protecting cardholder data according to PCI standards. That proof comes in the form of:
- A completed Self-Assessment Questionnaire (SAQ) appropriate to how you accept payments
- An Attestation of Compliance (AOC) — basically your signature saying the SAQ answers are accurate
- Quarterly ASV scans if you have any systems connected to the internet that handle card data
- Evidence that you’ve addressed any security vulnerabilities found
That compliance questionnaire they sent you? It’s your payment processor’s way of saying “it’s time to prove you’re protecting card data properly.” They typically send these annually, though some processors check quarterly. Ignoring it won’t make it go away — it’ll just trigger those monthly non-compliance fees.
Which SAQ Do You Need?
The PCI Security Standards Council offers different SAQ types based on how you accept and process payments. Think of it as choosing the right tax form — you want the one that matches your actual business setup. Here’s the decision tree in plain language:
If you use a standalone payment terminal (like Square, Clover, or a traditional credit card machine) that connects via phone line or cellular → you likely need SAQ B (phone line) or SAQ B-IP (internet protocol). These are short questionnaires with about 20-40 questions focused on physical security of the terminal.
If you have an e-commerce site with hosted checkout where customers are redirected to another site to enter card details (think PayPal, Stripe Checkout, or most Shopify setups) → you likely need SAQ A. This is the shortest questionnaire with only 22 questions, because you never actually touch the card data.
If you take card payments over the phone and type them into a virtual terminal or web-based system → you likely need SAQ C-VT. This one’s a bit longer because you’re handling card numbers directly, even if briefly.
If you store card numbers in any form (spreadsheets, customer database, written down) → you need SAQ D, and you should strongly consider stopping this practice. SAQ D is the full questionnaire with over 200 questions. Seriously, stop storing card numbers.
Here’s a quick reference table:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity Level |
|---|---|---|---|
| Standalone terminal only | SAQ B or B-IP | 20-40 | Easy |
| E-commerce with hosted checkout | SAQ A | 22 | Easiest |
| Phone orders via virtual terminal | SAQ C-VT | 80 | Moderate |
| Store card data anywhere | SAQ D | 200+ | Complex |
| Multiple methods or unsure | Use SAQ Wizard | Varies | Varies |
Not sure which one fits? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ you need — no guesswork required.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your security practices. Don’t let the technical language intimidate you — most questions for small merchants boil down to common sense security. Here’s what the process looks like:
The questionnaire format is straightforward. Each question asks if you have a specific security control in place. “Yes” means you do it, “No” means you don’t, and “N/A” means it doesn’t apply to your business. For most small merchants using modern payment systems, many questions will be “N/A” because your payment provider handles that security for you.
What “Yes” means in practice: When you answer “yes” to a question like “Are payment terminals physically secured?”, you’re saying that your credit card machine is in a location where customers or unauthorized people can’t tamper with it. You don’t need fancy locks or security guards — just common sense placement and basic awareness.
Documentation you’ll need: For most Level 4 merchants, you won’t need to submit evidence beyond the questionnaire itself. However, you should have:
- Your network diagram (even a simple sketch of how your computers connect)
- List of who has access to payment systems
- Your process for adding/removing employee access
- If applicable, your ASV scan reports
The quarterly ASV scan applies if you have any internet-facing systems that handle card data. An Approved Scanning Vendor runs automated security scans of your website or public IP addresses to check for known vulnerabilities. It’s like a safety inspection for your online presence. The scan takes about an hour to run, you get a report showing any issues, and you have time to fix problems before rescanning. Most small sites pass on the first or second try.
Submitting your compliance: Once you’ve completed the SAQ and passed any required scans, you’ll generate an Attestation of Compliance (AOC). This is your official declaration that you’ve met PCI requirements. Submit it through your processor’s compliance portal or however they requested it. Keep copies for your records — you’ll need them next year.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your setup, but here’s what to budget:
Compliance platforms and SAQ tools typically run $200-500 annually for small merchants. This includes access to the questionnaire, guidance on answers, and compliance tracking. Some payment processors include basic tools with your merchant account.
Quarterly ASV scanning costs $100-300 per year for most small merchants. You need four passing scans annually. Many compliance platforms bundle this with their SAQ tools for a better deal.
If you need a QSA (Qualified Security Assessor), you’re looking at $5,000-15,000+ for a formal assessment. But here’s the thing — most small merchants never need a QSA. They’re typically required only for Level 1 merchants or those who’ve had a breach.
The cost of NON-compliance hits you monthly. Payment processors typically charge $20-100 per month in non-compliance fees. Over a year, that’s $240-1,200 in pure penalty fees. One data breach can cost small merchants $10,000-50,000 in forensic investigations, card replacement costs, and fines.
Honest assessment: For most small merchants, annual compliance costs less than three months of non-compliance fees. It’s not just about avoiding fines — it’s about protecting your business from catastrophic breach costs.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. But don’t worry, maintaining compliance is much easier than achieving it the first time.
Your annual tasks: Complete your SAQ renewal (usually faster the second time since you know the questions), update any changed business practices, and submit your new AOC to your processor. Mark your calendar for 11 months after your current compliance date.
Your quarterly tasks: If you need ASV scans, schedule them every 90 days. Fix any vulnerabilities found and rescan if needed. Most scanning services can automate this schedule for you.
What triggers a new assessment: Major changes to how you accept payments require fresh compliance validation. Adding e-commerce to a retail-only business, changing payment processors, or starting to store card data all mean you’ll need to complete a new SAQ — possibly a different type than before.
Setting up for success: Use a compliance dashboard or calendar reminders to track important dates. Many merchants set quarterly reminders for ASV scans and an annual reminder for SAQ renewal. PCICompliance.com’s compliance dashboard automatically tracks your compliance status, upcoming scan dates, and renewal deadlines — no spreadsheets required.
FAQ
What happens if I ignore the PCI compliance questionnaire my processor sent?
Your processor will start charging monthly non-compliance fees (usually $20-100) until you complete it. These fees continue indefinitely and provide no value — you’re literally paying to remain non-compliant. Additionally, if a breach occurs, you’ll be fully liable for fraud losses and investigation costs that could otherwise be covered.
I only process a few transactions per month. Do I still need to comply?
Yes, PCI compliance applies to any business that accepts credit cards, regardless of volume. The good news is that your low volume means you’re definitely a Level 4 merchant with the simplest requirements. You’ll likely qualify for one of the shorter SAQ types that takes less than an hour to complete.
What’s the difference between PCI compliance and EMV chip readers?
EMV chip readers help prevent counterfeit card fraud, while PCI compliance protects card data from being stolen in the first place. Having EMV terminals doesn’t make you PCI compliant, but it might qualify you for a simpler SAQ type. You need both EMV acceptance and PCI compliance for comprehensive protection.
My payment provider says they’re PCI compliant. Doesn’t that cover me?
No, their compliance covers their systems, not yours. Think of it like building security — your landlord having locks doesn’t excuse you from locking your own office. However, using PCI-compliant providers does reduce your own compliance scope, often qualifying you for simpler SAQ types.
Can I just answer “yes” to all the questions to pass?
Absolutely not. False attestation is fraud and can result in immediate termination of your merchant account, significant fines, and legal liability if a breach occurs. Answer honestly — if you can’t answer “yes” to a required control, implement it before submitting your SAQ.
How long does PCI compliance take?
For most small merchants, initial compliance takes 2-4 hours: 30 minutes to determine your SAQ type, 1-2 hours to complete the questionnaire, and another hour for any remediation or scanning setup. Annual renewals typically take half that time since you’re already familiar with the process.
What if I fail my ASV scan?
Don’t panic — most merchants fail their first scan due to minor issues like outdated software. You’ll get a report detailing what needs fixing, typically things like updating WordPress plugins or adjusting firewall settings. Fix the issues and request a rescan. You usually have 30 days to achieve a passing scan.
Do I need to hire a security consultant?
Most small merchants don’t need consultants for PCI compliance. The SAQ questions are straightforward, and resources like PCICompliance.com provide guidance for each requirement. Only consider a consultant if you’re SAQ D (storing card data) or having trouble understanding specific technical requirements.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but you’ve now seen it’s manageable for most small businesses. You know which SAQ type likely applies to your payment setup, what the process involves, and what it really costs. More importantly, you understand that compliance protects both your business and your customers from increasingly common payment card fraud.
The path forward is clear: identify your SAQ type, complete the questionnaire honestly, schedule any required vulnerability scans, and submit your attestation. Then set reminders to stay current with annual renewals and quarterly scans. It’s not complex — it just requires taking that first step.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of juggling multiple vendors and spreadsheets, you get a single platform that guides you through initial compliance and keeps you on track year after year. Start with our free SAQ Wizard to identify your questionnaire type in minutes, or talk to our compliance team if you need help understanding your processor’s requirements. Either way, you’ll move from confusion to compliance faster than you might expect.