Infrastructure as Code PCI

If you just received a PCI compliance questionnaire from your payment processor and your heart rate spiked, take a deep breath. For most small businesses, PCI compliance is far simpler than it sounds. You don’t need to be a security expert or hire expensive consultants — you just need to understand which requirements apply to your specific way of accepting credit cards. This guide will walk you through exactly what PCI compliance means for your business and how to complete your compliance requirements without the overwhelm.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. If your business accepts, processes, stores, or transmits credit card information — even if it’s just swiping cards through a Square reader — these requirements apply to you.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through an organization called the PCI Security Standards Council. But here’s the important part: your acquirer (the bank or payment processor that handles your credit card transactions) is the one who enforces these requirements and sends you that compliance questionnaire.

Think of it this way: the card brands created the rules, and your payment processor makes sure you follow them. If you don’t maintain compliance, your processor can fine you, increase your processing rates, or even terminate your ability to accept credit cards. If a data breach occurs and you weren’t compliant, you could be liable for fraud losses and breach-related costs.

The good news? Most small businesses qualify for the simplest compliance options. You’re not held to the same standards as Amazon or Walmart. The requirements scale based on your transaction volume and how you handle card data.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit or debit cards in any form, yes. It doesn’t matter if you’re a food truck with a mobile reader, an online boutique, or a consulting firm that takes payments over the phone. Accept cards? You need to comply with PCI DSS.

Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants; under Visa’s definitions that means fewer than 20,000 Visa e-commerce transactions a year, or up to 1 million Visa transactions a year across all channels, and the other brands use similar thresholds. Level 4 merchants demonstrate compliance with a self-assessment questionnaire rather than an on-site audit by a Qualified Security Assessor (QSA), although your acquirer has the final say on what it will accept from you.

When your payment processor sends you that annual compliance questionnaire, they’re fulfilling their obligation to the card brands. They need to verify that all their merchants — including you — are following security best practices. That questionnaire isn’t busywork; it’s your processor protecting both of you from the liability of a data breach.

Which SAQ Do You Need?

The questionnaire your processor wants you to complete is called a Self-Assessment Questionnaire (SAQ). There are different versions based on how you accept payments, and choosing the right one is crucial — it’s the difference between answering 20 questions or 300+ questions.

Here’s how to determine which SAQ applies to your business:

How you accept payments                                                   | SAQ type | Questions | Complexity
--------------------------------------------------------------------------|----------|-----------|----------------
Redirect customers to a hosted payment page (PayPal, Stripe Checkout)     | SAQ A    | ~20       | Simplest
E-commerce with payment fields on your site (but you don’t store cards)   | SAQ A-EP | ~140      | Moderate
Standalone dial-out terminals only (no connected systems)                 | SAQ B    | ~40       | Simple
Standalone terminals with an IP connection to the processor               | SAQ B-IP | ~80       | Simple-Moderate
Manual card entry (virtual terminal, phone orders)                        | SAQ C-VT | ~80       | Moderate
Face-to-face with connected POS systems                                   | SAQ C    | ~140      | Moderate
Anything else, including storing card data electronically                 | SAQ D    | 300+      | Complex

Question counts are approximate and change between PCI DSS versions; the count on the current form your processor gives you is the one that matters.

If you use a standalone card terminal, you’re likely SAQ B (the terminal dials out over a phone line) or SAQ B-IP (it connects to the processor over the internet). Both assume a PTS-approved terminal that talks directly to your processor and stores nothing; check that your device is on the PCI SSC’s approved PTS devices list. A reader that pairs with a phone or tablet app, such as a Square reader, is not a standalone terminal, so ask that provider which SAQ, if any, it expects from you. A Clover or similar smart POS that runs other applications alongside payments is more likely to land in SAQ C.

If your e-commerce site hands the whole payment page, or at least every card-entry field, to a PCI-compliant provider (a redirect to Shopify Payments or Stripe Checkout, or a provider-hosted iframe), you’re likely SAQ A, the simplest form. The dividing line is who delivers the card fields: if your own page builds the form, or your JavaScript touches the card number before it reaches the processor, you’re in SAQ A-EP and your web server is in scope.

If you take payments over the phone by keying one transaction at a time into a virtual terminal or web-based portal, you’re typically SAQ C-VT. Its eligibility criteria require the computer running the virtual terminal to be dedicated to that purpose and isolated from the rest of your network; a shared front-desk PC that also handles email and browsing doesn’t qualify, and you fall back to SAQ D.

If you store credit card numbers in any form (spreadsheets, customer database, paper files), you’re SAQ D — and you should strongly consider stopping this practice to simplify your compliance.

Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.

How to Complete Your SAQ

Your SAQ consists of yes/no questions about your security practices. Each “yes” means you’ve implemented that specific security control. Questions can also be marked “Not Applicable” when the thing asked about genuinely doesn’t exist in your setup (the form asks for a one-line justification); use that rather than answering “yes” to a control you don’t have. Here’s what to expect:

The questions cover areas like:

  • Who has access to payment systems
  • How you protect payment terminals
  • Whether you have security policies in place
  • How you handle receipts and reports with card numbers

For most small merchants, completing the SAQ takes 1-2 hours. You’ll need to gather some basic documentation like your network provider details and list of who has access to your payment systems.

Quarterly ASV scans are required for SAQ types whose environment includes internet-facing components: SAQ A-EP, B-IP, C and D all carry the requirement, and the SAQ itself tells you whether it applies. An Approved Scanning Vendor (a company on the PCI SSC’s ASV list; a scan you run yourself with the same tooling doesn’t count) scans your public IP addresses and web hosts for vulnerabilities. Think of it as a security checkup four times per year. A scan passes when it finds nothing rated CVSS 4.0 or higher; anything at or above that line has to be fixed and rescanned, and you need a passing scan in each quarter. A scan of a single host can take anywhere from minutes to a few hours, so don’t leave it for the last day of the quarter.

After completing your SAQ, you’ll fill out an Attestation of Compliance (AOC) — a formal declaration that you’ve completed the assessment and met all applicable requirements. Submit both documents to your payment processor, and you’re done for the year (except for those quarterly scans).

What It Costs

Let’s talk real numbers so you can budget appropriately:

Compliance platform fees typically range from $150-500 annually for small merchants. This includes access to the SAQ, guidance on answering questions, and compliance tracking tools.

Quarterly ASV scanning usually costs $100-300 per year total (not per scan). Many compliance platforms include this in their annual fee.

If you’re a larger merchant (Level 1, or any merchant your acquirer places there) required to have a QSA perform an on-site assessment and produce a Report on Compliance (ROC), budget $15,000-50,000+ depending on your environment’s complexity. But remember — most small businesses never need this level of assessment.

The cost of NON-compliance is where it gets expensive. The card brands can fine your acquirer $5,000-100,000 per month over non-compliant merchants, and acquirers pass those fines through under your merchant agreement; that is separate from, and far larger than, the monthly non-validation fee most processors charge while an SAQ is overdue. If a breach occurs and you weren’t compliant, industry estimates commonly put breach-related costs at around $150 per compromised card number. One breach affecting 1,000 cards? That’s $150,000 in liability, plus fines, plus forensic investigation costs, plus the loss of customer trust.

For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not just good security — it’s good business.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your processor will ask for updated compliance validation every year, and those ASV scans need to happen quarterly if required for your SAQ type.

Set calendar reminders for:

  • Annual SAQ due date (usually 12 months from your last submission)
  • Quarterly ASV scan dates (every 90 days)
  • Security awareness training for any staff who handle payments

Changes that trigger a fresh assessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or gateways
  • Implementing new POS systems
  • Starting to store card data (please don’t)

PCICompliance.com’s compliance dashboard tracks all these dates for you, sending reminders before deadlines and maintaining your compliance history in one place. No more scrambling when your processor asks for last year’s AOC.

FAQ

What happens if I ignore the compliance questionnaire?

Your payment processor will likely start with reminder emails, then escalate to a monthly non-validation fee ($25-100 typically). Eventually, they may increase your processing rates or terminate your merchant account. Without a merchant account, you can’t accept credit cards — devastating for most businesses.

Can I just mark “yes” to all questions even if it’s not true?

The AOC you sign is a formal attestation to your acquirer, and a false one is a misrepresentation under your merchant agreement. If a breach follows and the forensic investigation shows that controls you attested to were never in place, expect to be treated as non-compliant for every fine and assessment that results. Answer honestly: the SAQ allows a “no”, and its action plan section asks you to list each requirement not in place together with a remediation date, so a truthful “no” with a plan is a normal outcome rather than a failure.

Do I need to hire a security consultant?

For most Level 4 merchants using standard payment solutions, no. The SAQ is designed for self-assessment. If you’re struggling with technical questions, your payment processor or a compliance platform can provide guidance without the expense of a consultant.

What’s the difference between PCI compliance and being secure?

PCI DSS represents baseline security requirements — the minimum needed to protect card data. True security might go beyond these requirements, but achieving PCI compliance means you’ve covered the fundamentals that prevent most common breaches. Keep in mind that the SAQ is a point-in-time snapshot: a passing questionnaire in January says nothing about a terminal you swapped or a checkout plugin you added in June, which is why the change triggers above matter.

My payment processor says I need a “network scan” — is this the same as an ASV scan?

Usually, yes. When processors refer to required network scans or vulnerability scans, they typically mean quarterly ASV scans. Confirm with your processor, but if you have any internet-facing systems, you’ll need these quarterly scans from an approved vendor. The one detail to verify is that the vendor is on the PCI SSC’s ASV list; a scan from any other service, even one using the same scanning engine, doesn’t satisfy the requirement.

How do I know if I’m storing credit card data?

Check everywhere: databases, spreadsheets, email, paper order forms, call recordings, chat transcripts, even post-it notes. If you can see full card numbers anywhere in your business after the transaction completes, you’re storing card data. Two rules matter here. The card security code (CVV/CVC/CID), full magnetic-stripe or chip data and PINs may never be stored after authorization in any form, even encrypted, so a handwritten phone-order form with the CVV on it is already a violation. The card number itself may be kept only if it is rendered unreadable (truncated, hashed, tokenized or encrypted with properly managed keys) and masked wherever it is displayed, which is far more work than most small businesses want. Storing card data dramatically increases your compliance complexity — consider tokenization or switching to solutions that avoid storage entirely, and securely delete what you find.
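A practical way to do that check on the electronic side is a card-data discovery scan. The script below is an added example written for this page, not a tool from the article or from PCICompliance.com: it looks for 13-19 digit runs that pass the Luhn check (which is what makes a digit run look like a card number rather than a tracking number), flags CVV/CVC/CID-style fields, and masks every hit to first six / last four so that the report itself doesn’t become one more place full card numbers are stored. The sample files, paths and order numbers are constructed for the demonstration; the card numbers are the well-known public test PANs, not real accounts.

```python
"""Card-data discovery over text files (added example, not from the original article).

A PAN candidate is a 13-19 digit run (spaces or hyphens allowed between digits)
that passes the Luhn check. A sensitive-authentication-data (SAD) hit is a
CVV/CVC/CID label followed by a 3-4 digit value; CVV may never be stored after
authorization, so those are the most urgent findings. Reports never contain a
full PAN or a CVV value.
"""
import os
import re
from typing import Dict, List, NamedTuple

# 13-19 digits, each optionally followed by a space or hyphen. The lookarounds stop a
# match from starting or ending inside a longer digit run (timestamps, numeric IDs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A security-code label next to a 3- or 4-digit value.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|security code)\b[\s:=]*\d{3,4}\b", re.IGNORECASE)


class Finding(NamedTuple):
    source: str
    line_no: int
    kind: str      # "PAN" or "SAD"
    evidence: str  # masked PAN, or the label of the redacted security-code field


def luhn_ok(digits: str) -> bool:
    """Mod-10 check-digit test. Real PANs pass; a random digit run fails about 90% of the time."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the masked form PCI DSS permits on receipts and screens."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str) -> List[Finding]:
    """Scan one file's contents; 'source' is only used to label findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, "PAN", mask_pan(digits)))
        for m in SAD_FIELD.finditer(line):
            findings.append(Finding(source, line_no, "SAD", m.group(1).lower() + " (value redacted)"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} mapping (used for the constructed sample below)."""
    out: List[Finding] = []
    for name, content in files.items():
        out.extend(scan_text(content, name))
    return out


def scan_directory(root: str) -> List[Finding]:
    """Walk a real directory tree; undecodable bytes are skipped rather than aborting the scan."""
    out: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                out.extend(scan_text(fh.read(), path))
    return out


# Constructed sample "files" (assumed paths, not from the article). The card numbers are
# the public Visa/Mastercard/Amex test PANs; the 16-digit tracking number fails Luhn.
SAMPLE_FILES = {
    "exports/customers.csv": "name,card,exp\nA. Smith,4111111111111111,12/26\nB. Jones,5555 5555 5555 4444,03/27\n",
    "mail/order-4471.eml": "Subject: phone order\n\nCard 3782 822463 10005, cvv 1234, ship to the usual address\n",
    "logs/shipping.log": "2024-05-01 tracking=1234567890123456 status=delivered\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.kind:3} {f.source}:{f.line_no}  {f.evidence}")
```

Run against the sample it reports two PANs in the spreadsheet export, one PAN plus a CVV field in the email, and nothing for the log line, whose 16-digit tracking number fails the Luhn check. Point scan_directory at a real mail archive or file share and review the hits by hand: Luhn filtering removes most noise, but a short label like "cid" can still match unrelated text, and a discovery tool is only the start; the finding has to be deleted or tokenized, not just listed.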

What if I only accept payments once in a while?

Frequency doesn’t matter — if you can accept card payments, you need to maintain compliance. The good news is that low-volume merchants typically qualify for the simplest SAQ types and lowest merchant level requirements.

Can I use the same SAQ forever?

SAQs are updated periodically as security threats evolve and requirements change. PCI DSS v3.2.1 and its SAQs were retired on 31 March 2024, so a form that still says 3.2.1 is out of date. Always use the current version from your payment processor or compliance platform. Your annual revalidation ensures you’re using the latest version and accounting for any changes in your payment environment.

Conclusion

PCI compliance might seem overwhelming when that first questionnaire arrives, but for most small businesses, it’s surprisingly manageable. Identify how you accept payments, complete the appropriate SAQ (usually the simpler versions), schedule quarterly scans if needed, and submit your documentation. An afternoon’s work protects you from significant fines and breach liability.

The key is starting with the right SAQ type — attempting SAQ D when you qualify for SAQ A wastes time and creates unnecessary complexity. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round.

Don’t let PCI compliance intimidate you. With the right guidance and tools, you can complete your requirements, protect your business from liability, and get back to what you do best — running your business. Start with the free SAQ Wizard or talk to our compliance team to map out your simplest path to compliance.
