Datadog for PCI Compliance
Here’s the truth about PCI compliance: that intimidating questionnaire from your payment processor is probably simpler than you think. If you’re a small business owner who just received a PCI compliance notice and you’re feeling overwhelmed, take a breath. Most small merchants can complete their requirements in an afternoon, not weeks. This guide will show you exactly what you need to do, step by step, in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. If you accept Visa, Mastercard, American Express, or Discover cards — whether in person, online, or over the phone — these rules apply to you.
The major card brands created these standards through the PCI Security Standards Council (PCI SSC), but your acquirer (the bank or payment processor that handles your card transactions) enforces them. That’s why you received the compliance questionnaire from them, not from Visa or Mastercard directly.
What happens if you ignore that questionnaire? Your payment processor can fine you monthly (typically $25-$100 for small merchants), but the real risk is liability. If card data gets stolen from your business and you weren’t compliant, you could be responsible for the fraud losses, forensic investigation costs, and card replacement fees. Some processors will even terminate your ability to accept cards.
The good news: The vast majority of small businesses qualify for the simplest compliance paths. If you use modern payment terminals or hosted checkout pages, you’re already doing most of what’s required.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit or debit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you process one transaction or one million — the requirement applies to everyone who handles card payments.
Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is actually good news because Level 4 merchants complete a Self-Assessment Questionnaire (SAQ) rather than hiring an outside assessor.
Your payment processor expects you to:
- Complete the appropriate SAQ annually
- Run quarterly network scans if you have any systems connected to the internet
- Submit your Attestation of Compliance (AOC) to prove you’ve done it
That questionnaire they sent? It’s either the SAQ itself or instructions on how to access it through their compliance portal.
Which SAQ Do You Need?
The PCI compliance world has nine different SAQs, but most small merchants only need to worry about four. Here’s how to figure out which one applies to you:
| How You Take Payments | SAQ Type | Complexity (Number of Questions) | Typical Time to Complete |
|---|---|---|---|
| Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A | Simplest (22 questions) | 15-30 minutes |
| E-commerce with payment fields on your site | SAQ A-EP | Simple (139 questions) | 1-2 hours |
| Standalone terminals (Square, Clover) | SAQ B or B-IP | Simple (41 questions) | 30-45 minutes |
| Take cards over the phone | SAQ C-VT | Moderate (85 questions) | 1-2 hours |
| Store card numbers electronically | SAQ D | Complex (329 questions) | Requires expertise |
Quick decision guide:
- SAQ A: Your customers never enter card details on your website — they’re redirected to PayPal, Stripe, or another processor
- SAQ A-EP: Your website has payment fields, but the data goes directly to your processor (like Stripe Elements or Authorize.net Accept.js)
- SAQ B: You use standalone terminals that aren’t connected to your computer systems
- SAQ B-IP: Same as B, but your terminals connect via the internet
- SAQ C-VT: You type card numbers into a virtual terminal or web form
- SAQ D: You store card numbers in your systems (please reconsider this approach)
Not sure? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ you need — no guesswork required.
How to Complete Your SAQ
Your SAQ is a questionnaire with yes/no questions about your payment security practices. Despite the technical-sounding requirements, most questions for small merchants are straightforward.
What “yes” means in practice:
- “Do you restrict access to cardholder data?” = Do you have passwords on your computers?
- “Do you use firewalls?” = Is Windows Firewall or your router’s firewall turned on?
- “Do you have an incident response plan?” = Do you know who to call if something goes wrong?
Documentation you’ll need:
- List of any systems that handle payments
- Names of who has access to payment systems
- Your network/wireless password policy (even informal ones count)
- Contact information for your IT support
For most SAQ types, you’ll also need quarterly ASV scans. An Approved Scanning Vendor runs automated security scans of any systems visible from the internet. The scan takes about 10 minutes to set up and runs automatically. If it finds vulnerabilities, you’ll get a report explaining what to fix — usually simple updates or configuration changes.
Once everything is complete, you’ll fill out the Attestation of Compliance — a one-page form confirming you’ve answered all questions and meet the requirements. Submit both documents to your payment processor, and you’re done for the year.
What It Costs
PCI compliance costs vary, but for small merchants, budget for:
Compliance tools and platforms: $150-$500 annually
- SAQ questionnaire tools
- Compliance tracking dashboards
- Remediation guidance
Quarterly ASV scanning: $200-$400 annually
- Four scans per year
- Unlimited rescans to verify fixes
- Scan reports and compliance certificates
If you need a QSA (only for complex environments): $5,000-$25,000
- Most small merchants never need this
- Only required if you store lots of card data or have complex systems
The cost of NON-compliance:
- Monthly fines: $25-$100 from your processor
- Breach costs: $50-$90 per compromised card
- Forensic investigation: $10,000-$100,000
- Lost ability to accept cards
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — it’s about protecting your business and your customers.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox. Your processor will ask for updated documentation every year, and you’ll need quarterly scans if you have any internet-facing systems.
Set yourself up for success:
- Mark your calendar for annual SAQ renewal (usually on your validation anniversary)
- Schedule quarterly ASV scans (every 90 days)
- Update your assessment if you change payment methods
- Keep documentation organized in one place
Changes that trigger a reassessment:
- Adding a new payment channel (like starting e-commerce)
- Changing payment processors or terminals
- Starting to store card data
- Major network or system changes
PCICompliance.com’s compliance dashboard tracks all these dates for you, sends reminders before deadlines, and stores your documentation securely year after year. No more scrambling when your processor asks for proof of compliance.
FAQ
Q: What if I only process a few transactions per month?
A: Transaction volume doesn’t exempt you from PCI compliance. Even one transaction means you need to comply, but the good news is that low-volume merchants usually qualify for the simplest SAQ types.
Q: Can I just tell my processor I’m compliant without doing the SAQ?
A: Your processor requires actual documentation — the completed SAQ and signed attestation. Some processors auto-fine merchants who don’t submit proper documentation, regardless of verbal assurances.
Q: What’s the difference between the SAQ and a full PCI audit?
A: SAQs are self-assessments where you answer questions about your own environment. Full audits (ROC assessments) require a QSA to independently verify your controls and are only required for Level 1 merchants processing millions of transactions annually.
Q: Do I need to be PCI compliant if I use Square/PayPal/Stripe?
A: Yes, but your compliance requirements are minimal. These processors handle most security controls for you, so you’ll likely qualify for SAQ A or B with very few requirements on your end.
Q: What if I fail my ASV scan?
A: Failed scans are common on the first attempt. The scan report shows exactly what needs fixing — usually software updates or closing unnecessary services. Fix the issues and rescan (unlimited rescans are included) until you pass.
Q: How do I know which version of PCI DSS to follow?
A: Always follow the current version required by your payment processor. They’ll specify which standard applies when they send your annual compliance request. The requirements remain consistent in their intent, even as version numbers change.
Q: Can I do this myself or do I need an IT consultant?
A: Most small merchants can complete SAQ A or B themselves — the questions are straightforward and the requirements are basic. For more complex SAQs or if you’re not comfortable with technology, a few hours with an IT consultant can save time and ensure accuracy.
Q: What happens after I submit my SAQ?
A: Your processor reviews your submission and updates your compliance status. You’ll receive confirmation, and then you’re set until next year’s renewal. Some processors immediately stop monthly non-compliance fees once they receive your documentation.
Conclusion
PCI compliance sounds intimidating, but for most small businesses, it’s a manageable annual task that protects both you and your customers. That questionnaire from your payment processor isn’t a test designed to trip you up — it’s a checklist to ensure basic security practices are in place.
Start by identifying which SAQ applies to your business. If you’re like most small merchants using modern payment tools, you’ll complete a simple questionnaire, run a few security scans, and submit your attestation. The whole process typically takes less time than doing your business taxes.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never miss a deadline or wonder about your compliance status again. Start with the free SAQ Wizard or talk to our compliance team to get your questions answered by actual humans who understand small business needs.