Remote Access Policy Template
The Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and the words “remote access policy template” are swimming before your eyes — take a breath. For most small businesses, PCI compliance is far simpler than it sounds. Yes, you need to comply if you accept credit cards (and yes, that includes Square, PayPal, or any other payment method). But no, you probably don’t need to become a security expert or hire expensive consultants. Let me walk you through exactly what you need to know.
What Is PCI Compliance (In Plain English)
PCI compliance isn’t some arbitrary rulebook designed to make your life difficult. It’s a set of security standards created to protect credit card data — both your customers’ information and your business from fraud liability.
The Payment Card Industry Data Security Standard (PCI DSS) was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through an organization called the PCI Security Standards Council. Think of it as the credit card industry saying: “If you want to accept our cards, here are the basic security measures you need to have in place.”
Your acquirer (the bank or payment processor that handles your credit card transactions) is the one who enforces these standards. They’re the ones who sent you that compliance questionnaire, and they’re the ones who can impose fines if you don’t comply. These fines typically range from $5,000 to $100,000 per month, depending on your processing volume and the severity of non-compliance.
Here’s the good news: the vast majority of small businesses qualify for the simplest compliance requirements. If you’re using modern payment tools like Square, Stripe, or PayPal, you’re already most of the way there.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit or debit cards in any form — whether in person, online, over the phone, or even by mail — then yes, you need to be PCI compliant.
Most small businesses fall into Merchant Level 4, which means you process fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. This is good news because Level 4 merchants have the simplest compliance requirements: complete a Self-Assessment Questionnaire (SAQ) annually and possibly run quarterly security scans.
Your payment processor expects you to:
- Complete the appropriate SAQ for your business
- Run quarterly vulnerability scans if required
- Fix any security issues identified
- Submit your compliance documentation annually
That questionnaire they sent? It’s their way of verifying you’re meeting these requirements. Ignore it, and you risk monthly non-compliance fees, increased transaction rates, or even losing your ability to accept cards.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in several flavors, each designed for different payment scenarios. Here’s how to determine which one applies to your business:
| How You Accept Payments | SAQ Type | Complexity | Number of Questions |
|---|---|---|---|
| Payment page redirects to processor (PayPal, Square Online) | SAQ A | Simplest | 22 |
| E-commerce with payment fields on your site (Stripe Elements, Authorize.net Accept.js) | SAQ A-EP | Simple | 139 |
| Standalone terminals with no electronic storage | SAQ B | Simple | 41 |
| Terminals connected to internet (but no storage) | SAQ B-IP | Moderate | 82 |
| Manual card entry into virtual terminal | SAQ C-VT | Moderate | 80 |
| Paper forms or any other method | SAQ C | Complex | 160 |
| Store card numbers electronically | SAQ D | Most Complex | 329 |
Quick decision guide:
- Using Square, Clover, or similar terminals? You’re likely SAQ B or B-IP
- Have a website with Shopify, WooCommerce with Stripe Checkout, or similar? You’re likely SAQ A
- Type card numbers into a web form from your payment processor? That’s SAQ C-VT
- Store card numbers in any electronic system? You’re SAQ D (and should seriously consider stopping)
Not sure? PCICompliance.com’s free SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which questionnaire you need — no security jargon required.
How to Complete Your SAQ
Once you know which SAQ you need, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices. Here’s what to expect:
The format is simple: Each question asks if you have a specific security control in place. For example: “Do you change default passwords on payment terminals?” If yes, you check the box. If no, you’ll need to implement that control or explain why it doesn’t apply to your business.
Documentation you’ll need:
- List of all payment terminals or software you use
- Network diagram (for SAQ B-IP and above — can be as simple as a hand-drawn sketch)
- Security policies (don’t panic — templates are available)
- Results from your quarterly ASV scans if required
About those ASV scans: If you’re SAQ A-EP, B-IP, C, or D, you need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan checks your internet-facing systems for security vulnerabilities. It takes about 15 minutes to set up and runs automatically. If issues are found, you typically have 30 days to fix them and rescan.
Once complete, you’ll generate an Attestation of Compliance (AOC) — essentially your compliance certificate — and submit it to your payment processor.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you handle it yourself or use a compliance service:
Compliance platforms and tools:
- Basic SAQ completion tools: $20-50/month
- Full compliance platforms with scanning: $30-100/month
- Enterprise solutions: $200+/month
Quarterly ASV scanning:
- Standalone ASV service: $200-400/year
- Often included with compliance platforms
Professional help (if needed):
- Compliance consultant: $150-300/hour
- Full QSA assessment: $10,000-50,000 (only for large merchants)
The cost of NON-compliance:
- Monthly fines from processor: $5,000-100,000
- Increased transaction fees: 0.5-1% additional
- Breach liability: Average $150 per compromised card
- Loss of card acceptance privileges: Priceless (and business-ending)
For most Level 4 merchants, annual compliance costs less than $1,000 — significantly less than a single month’s non-compliance fine.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your processor requires annual recertification, and if you need ASV scans, those happen quarterly. Here’s how to stay on track:
Set up your compliance calendar:
- Annual SAQ due date (usually your anniversary date with your processor)
- Quarterly ASV scan dates (every 90 days)
- Policy review dates (annually)
- Security training reminders (annually for all staff who handle cards)
Watch for changes that affect your compliance:
- New payment methods or channels
- Changes to your website or payment processing
- New locations or terminals
- Storing card data when you didn’t before (please don’t)
Track your progress: A compliance dashboard helps you monitor scan results, track remediation efforts, and never miss a deadline. PCICompliance.com’s platform sends automatic reminders and keeps all your compliance documentation in one place.
FAQ
My payment processor says I need a “remote access policy” — what is that?
A remote access policy documents how employees connect to your payment systems from outside the office. Even if nobody works remotely, you need this policy if you’re SAQ B-IP or higher. The policy should cover who is allowed to connect remotely, how they authenticate, and what security measures protect those connections. Templates are available that you can customize for your business.
I only use Square — do I really need to do all this?
Yes, but your compliance is much simpler. With Square’s standalone terminals, you’re likely SAQ B (just 41 questions). Square handles most of the security heavy lifting, so your main responsibilities are physical security of the terminal and following Square’s security guidelines.
How long does the whole process take?
For SAQ A or B, expect 2-4 hours including gathering documentation. SAQ A-EP or C-VT might take 4-8 hours. SAQ D requires significantly more time and often professional help. Quarterly ASV scans take minutes to initiate and run automatically.
What happens if I fail an ASV scan?
Don’t panic — failing your first scan is common. The scan report shows exactly what needs fixing (usually software updates or configuration changes). You have 30 days to remediate and rescan. Most issues are resolved with basic IT maintenance.
Can I just ignore this questionnaire?
Technically yes, but it’s expensive. Your processor will likely start charging non-compliance fees within 60-90 days. These fees compound monthly and don’t go away until you comply. Worse, if a breach occurs while you’re non-compliant, you’re liable for all fraud losses.
Do I need to hire a QSA?
Probably not. Only Level 1 merchants (processing over 6 million transactions annually) require a QSA assessment. Level 4 merchants like most small businesses can self-assess using the appropriate SAQ.
What if I store credit card numbers in Excel/QuickBooks/filing cabinet?
Stop immediately. This puts you in SAQ D (the most complex) and significantly increases your breach risk. Modern payment systems eliminate the need to store card data. Transition to tokenization or point-to-point encryption solutions as quickly as possible.
Is PCI compliance the same as being “secure”?
PCI compliance is a security baseline, not comprehensive protection. Think of it as locking your doors and windows — necessary but not sufficient. Good security includes PCI compliance plus regular updates, staff training, and vigilance against new threats.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire lands in your inbox, but for most small businesses, it’s a manageable process that protects both you and your customers. The key is identifying which SAQ applies to your payment methods and systematically working through the requirements.
Remember, modern payment processors have already done much of the security heavy lifting. If you’re using reputable payment tools and following basic security practices, you’re probably closer to compliance than you think. The biggest mistake is ignoring that questionnaire and hoping it goes away — it won’t, and the fines will start accumulating.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team to get your business compliant and keep it that way. The peace of mind knowing you’re protected from fines and fraud liability? That’s worth far more than the modest cost of compliance.