Side Hustle Payment Compliance
Bottom Line Up Front
If you’re running a side hustle and accept credit card payments, you need to be PCI compliant — but here’s the good news: for most small businesses, it’s simpler than you think. That intimidating questionnaire your payment processor just sent? It’s likely one of the shorter SAQ forms that takes less than an hour to complete. With the right guidance, you can achieve compliance without hiring consultants or spending thousands of dollars.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover — through an organization called the PCI Security Standards Council. Think of it as a security checklist designed to protect credit card data from theft.
Here’s the key point: if you accept credit card payments in any form — whether through Square at a farmers market, Stripe on your website, or even old-fashioned paper slips — these requirements apply to you. The standard exists because stolen card data costs everyone money: cardholders deal with fraud, banks issue new cards, and merchants face chargebacks.
Your payment processor or acquiring bank (the company that deposits card payments into your account) enforces these requirements. They’re the ones who sent you that compliance questionnaire, and they’re required by the card brands to ensure all their merchants maintain compliance.
What happens if you ignore PCI requirements? Your processor can fine you monthly — typically $20-100 for small merchants. More seriously, if card data gets stolen from your business and you weren’t compliant, you could face liability for fraud losses, forensic investigation costs, and card reissuance fees. In extreme cases, you could lose the ability to accept credit cards entirely.
But here’s what most compliance companies won’t tell you: the vast majority of small businesses qualify for the simplest SAQ types, which are designed specifically for merchants who don’t store card data. If you’re using modern payment tools, you’re probably already doing most of what’s required.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:
- Physical card readers (Square, Clover, traditional terminals)
- E-commerce websites
- Phone orders
- Mobile payment apps
- Even manual card imprinters (though please upgrade from those)
Your merchant level determines how you demonstrate compliance. Most side hustles and small businesses are Level 4 merchants — those processing fewer than 20,000 Visa transactions annually. At Level 4, you complete a self-assessment questionnaire (SAQ) rather than hiring an external assessor.
Your payment processor expects three things from you:
1. Complete the appropriate SAQ annually
2. Run quarterly vulnerability scans if you have any internet-connected systems (more on this later)
3. Submit an Attestation of Compliance (AOC) confirming you’ve met the requirements
That questionnaire they sent you? It’s their way of collecting this documentation. Some processors make it mandatory before you can continue processing cards, while others just add monthly non-compliance fees until you complete it.
Which SAQ Do You Need?
The SAQ (Self-Assessment Questionnaire) you need depends entirely on how you accept and process card payments. Think of SAQs as different versions of the compliance checklist — simpler payment methods get shorter checklists.
| Payment Scenario | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Payment page fully hosted by processor (PayPal, Stripe Checkout) | SAQ A | ~22 | Simplest |
| E-commerce with payment fields on your site | SAQ A-EP | ~139 | Moderate |
| Standalone terminal, no computer connection | SAQ B | ~41 | Simple |
| Terminal connected to internet/computer | SAQ B-IP | ~82 | Simple-Moderate |
| Phone/mail orders, no electronic storage | SAQ C-VT | ~160 | Moderate |
| Any electronic card data storage | SAQ D | ~329 | Complex |
Here’s how to identify yours:
If you use a payment terminal (Square Reader, Clover, traditional credit card machine):
- Terminal operates independently → SAQ B
- Terminal connects to your computer or internet → SAQ B-IP
If you have an e-commerce site:
- Customers leave your site to pay (PayPal, Stripe Checkout) → SAQ A
- Payment form embedded on your site (even if data goes directly to processor) → SAQ A-EP
- You process the payment data yourself → SAQ D (and you should reconsider this approach)
If you take payments over the phone:
- You enter them directly into a virtual terminal → SAQ C-VT
- You write them down first (please stop) → SAQ D
Not sure? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire applies — no guessing required.
How to Complete Your SAQ
Once you know which SAQ you need, the actual questionnaire is straightforward. Each question asks whether you’ve implemented a specific security control, with yes/no answers. “Yes” means you’re doing what the question describes, not that you think you should.
For example, an SAQ A might ask: “Are you using a PCI DSS compliant payment processor?” If you’re using Stripe or PayPal, the answer is yes — they handle the security for you.
Documentation you’ll need:
- Your payment processor agreement (to verify they’re PCI compliant)
- Network diagram (for SAQ B-IP and above — can be hand-drawn)
- Security policies (for longer SAQs — templates are widely available)
- ASV scan results (if required for your SAQ type)
The quarterly ASV scan sounds technical but isn’t complicated. An Approved Scanning Vendor runs automated security scans of your website or payment systems four times per year. Think of it like a safety inspection — they check for known vulnerabilities that hackers might exploit. Most ASV services cost $100-300 annually and include all four quarterly scans.
After completing your SAQ and obtaining clean ASV scans (if required), you’ll fill out an Attestation of Compliance (AOC). This is a formal declaration that you’ve completed the assessment and meet all applicable requirements. Submit both documents to your payment processor through their compliance portal.
Time investment: SAQ A takes most merchants 30-60 minutes. SAQ B might take 1-2 hours. The more complex SAQs can take several hours or days, especially the first time through.
What It Costs
PCI compliance costs vary based on your SAQ type and the tools you choose, but for most small merchants, it’s surprisingly affordable.
Compliance platforms and SAQ tools: $100-300 annually. These services walk you through your SAQ, store your documentation, and remind you about renewal dates. Some payment processors include basic tools for free.
Quarterly ASV scanning: $100-300 annually for all four scans. Required if you have any internet-facing payment systems. Some compliance platforms bundle this with SAQ tools.
QSA assessment: Only required for Level 1 merchants (over 6 million transactions annually). If you’re reading this guide, you probably don’t need one. Cost: $15,000-50,000.
The cost of NON-compliance is where it gets expensive:
- Monthly processor fees: $20-100
- If you suffer a breach while non-compliant: $5,000-50,000 in forensic investigation fees
- Card reissuance costs: $3-5 per compromised card
- Potential fines from card brands: $5,000-100,000
- Lost business and reputation damage: immeasurable
For most small merchants, annual compliance costs less than paying non-compliance fees for just 3-4 months. It’s not just about avoiding fines — it’s about protecting your business and your customers.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an ongoing responsibility. Your SAQ expires annually, and if you require ASV scans, those happen quarterly. Missing deadlines means starting over with non-compliance fees.
Set these reminders:
- Annual SAQ renewal (same month you first submitted)
- Quarterly ASV scans (if required)
- Review after any payment process changes
Changes that trigger a new assessment:
- Switching payment processors
- Adding new payment channels (going from in-person to e-commerce)
- Changing how you handle card data
- Major network or system changes
The key is tracking everything in one place. PCICompliance.com’s compliance dashboard shows your upcoming deadlines, stores your documentation, and sends reminder emails. You’ll never wonder whether you’re current or what’s due next.
Remember: maintaining compliance is much easier than achieving it the first time. Once you understand your requirements and have processes in place, annual renewal typically takes a fraction of the initial effort.
FAQ
Do I really need PCI compliance for my small Etsy shop that uses Stripe?
Yes, any business accepting credit cards needs PCI compliance. However, if Etsy handles all the payment processing, you might not need to do anything additional. If you process payments separately through Stripe for custom orders, you’ll need SAQ A — the simplest form that takes about 30 minutes.
What’s the difference between PCI compliance and SSL certificates?
An SSL certificate encrypts data between a customer’s browser and your website. PCI compliance is a comprehensive set of security requirements that includes encryption but covers much more — like access controls, network security, and security policies. Think of SSL as one tool in the PCI toolbox.
My payment processor says I need a “passing ASV scan” — what does that mean?
An ASV scan is an automated vulnerability scan of your internet-facing systems. A “passing” scan means no high-risk vulnerabilities were found. You’ll need to fix any critical issues and rescan until you pass. Most hosting platforms handle security well enough that scans pass on the first try.
Can I just check “yes” to all the SAQ questions to pass?
Absolutely not. False attestation is considered fraud and can result in serious penalties. The questions aren’t arbitrary — they represent actual security controls. If you can’t honestly answer “yes,” you need to implement the control or work with a payment method that requires fewer controls.
How do I know if I’m storing credit card data?
Check anywhere you might save customer information: databases, spreadsheets, email, paper files, even browser autofill. If you see full 16-digit card numbers anywhere outside your payment terminal or processor’s portal, you’re storing card data. This immediately puts you in SAQ D territory — consider switching to tokenization or a hosted payment page instead.
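One way to run the check described above is a small scanner, added here as an example that is not part of the original article: it looks through constructed sample records (a spreadsheet row, an e-mail, a log line) for digit runs that pass the Luhn check and reports each hit with the middle digits masked. The file names and rows are made up, and the card numbers are published test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
# The article says "16-digit"; the pattern covers the 13-19 range card brands issue.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every major card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four (the most a merchant may show), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked PANs found in text; digit runs failing Luhn are ignored."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits

def scan_records(records):
    """Scan (source, text) pairs and return (source, masked_pan) findings."""
    return [(source, pan) for source, text in records for pan in find_pans(text)]

# Constructed sample data standing in for a spreadsheet export, an e-mail and a log.
SAMPLE_RECORDS = [
    ("orders.csv", "2024-03-01,Jane Doe,4111 1111 1111 1111,$45.00"),
    ("inbox/custom-order.eml", "Card is 5555-5555-5555-4444 exp 12/26, thanks!"),
    ("app.log", "order_id=1234567890123 total=45.00 status=paid"),  # 13 digits, fails Luhn
    ("orders.csv", "2024-03-02,John Roe,tok_1Nxyz,$12.00"),          # tokenized, no PAN
]

if __name__ == "__main__":
    for source, pan in scan_records(SAMPLE_RECORDS):
        print(f"{source}: stored PAN {pan}")
```

Any hit outside your terminal or processor portal is stored card data in the article's sense; the masked output is safe to keep as evidence of what you found and cleaned up.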
What happens if I switch from Square to Stripe mid-year?
Major payment processing changes typically trigger a reassessment. You’ll need to complete a new SAQ reflecting your current setup. The good news: if you’re switching between similar services (Square to Stripe), you’ll likely stay in the same SAQ category. Document the change date and keep both SAQs for your records.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but for most side hustles and small businesses, it’s a manageable process. The key is understanding which requirements actually apply to your specific payment setup. If you’re using modern payment tools like Square, Stripe, or PayPal, you’re already outsourcing the complex security requirements to companies that specialize in them.
Start by identifying your SAQ type — this determines everything else. Use PCICompliance.com’s free SAQ Wizard to remove the guesswork. Once you know your SAQ type, set aside an hour or two to complete the questionnaire, schedule your ASV scans if required, and submit your compliance documentation. Then set a reminder for next year and get back to growing your business.
PCICompliance.com gives you everything you need to achieve and maintain compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never miss a deadline or wonder about your compliance status again. Start with the free SAQ Wizard or talk to our compliance team about the right solution for your side hustle.