Teachable PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses, Teachable PCI compliance is much simpler than it first appears. You won’t need a security team or expensive consultants — just a few hours to answer some questions about how you accept credit card payments.

Here’s what matters: if you use modern payment tools like Square terminals or Stripe for your website, you’re already doing most of what PCI requires. This guide will help you understand what that questionnaire is asking, which form you actually need to fill out, and how to get it done without the headaches.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to anyone who accepts credit card payments. Think of it as basic security hygiene for handling payment cards — like washing your hands in the food service industry.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But here’s who actually enforces them: your acquirer (the bank or payment processor that deposits card payments into your account). That’s why you received the compliance questionnaire from them, not from Visa or Mastercard directly.

The Consequences of Non-Compliance

Your payment processor can fine you for non-compliance — typically starting at $50-200 per month. More seriously, if card data gets stolen from your business and you weren’t compliant, you could face:

  • Breach liability costs that can reach tens of thousands of dollars
  • Loss of your ability to accept credit cards
  • Damage to your reputation and customer trust

The Good News

Most small businesses qualify for the simplest compliance requirements. If you’re using modern payment tools and following basic security practices, you’re probably already doing 90% of what’s required. The compliance process is mostly about documenting what you’re already doing right.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. This includes:

  • Physical card terminals or point-of-sale systems
  • Online payments through your website
  • Phone orders where customers read you their card number
  • Mobile card readers attached to phones or tablets

Your Merchant Level

PCI groups merchants into four levels based on annual transaction volume:

| Merchant Level | Annual Visa Transactions | What This Means |
|----------------|--------------------------|-----------------|
| Level 1 | Over 6 million | Full annual assessment by a QSA |
| Level 2 | 1-6 million | Annual self-assessment |
| Level 3 | 20,000-1 million | Annual self-assessment |
| Level 4 | Under 20,000 | Annual self-assessment |

Most small businesses are Level 4 merchants, which means you complete a self-assessment questionnaire (SAQ) annually instead of hiring an expensive assessor.

What Your Payment Processor Expects

That questionnaire they sent you? It’s their way of verifying you’re following the security standards. They need:

  • A completed Self-Assessment Questionnaire (SAQ) — a series of yes/no questions about your payment security
  • An Attestation of Compliance (AOC) — basically your signature saying the SAQ is accurate
  • Proof of quarterly vulnerability scans if you have any systems connected to the internet
  • Evidence that you’re maintaining compliance year-round, not just at questionnaire time

Which SAQ Do You Need?

The hardest part for most merchants is figuring out which SAQ applies to their business. There are several types, each with different requirements based on how you handle card payments.

Common Payment Scenarios

| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|-------------------------|----------|---------------------|------------|
| Payment terminal only (Square, Clover) | SAQ B or B-IP | 41 or 82 | Easy |
| E-commerce with hosted checkout (Shopify, Stripe Checkout) | SAQ A | 22 | Very Easy |
| E-commerce with payment fields on your site | SAQ A-EP | 191 | Moderate |
| Phone orders (virtual terminal) | SAQ C-VT | 85 | Easy-Moderate |
| You store card numbers | SAQ D | 329 | Complex – Get Help! |

Making the Right Choice

If you use a standalone payment terminal like Square or Clover that connects via phone line or cellular: you’re likely SAQ B (41 questions).

If that terminal connects to your internet: you’re likely SAQ B-IP (82 questions).

If you have an e-commerce website where customers are redirected to PayPal, Stripe Checkout, or your shopping cart’s payment page: you’re likely SAQ A (just 22 questions!).

If you take payments over the phone using a virtual terminal web page: you’re likely SAQ C-VT (85 questions).

If you store credit card numbers in any form (including written down): you need SAQ D and should seriously consider stopping this practice.

Not sure? PCICompliance.com’s free SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ you need.

How to Complete Your SAQ

Once you know which SAQ applies, the actual completion process is straightforward.

What the Questionnaire Looks Like

Your SAQ is a series of yes/no questions about your payment security practices. For example:

  • “Are all passwords at least 7 characters long?”
  • “Do you install security patches provided by vendors?”
  • “Is antivirus software installed on all computers?”

“Yes” means you currently do this and can prove it if asked. If you answer “no” to any question, you’ll need to either implement that security control or explain why it doesn’t apply to your business.

Documentation You’ll Need

Before starting your SAQ, gather:

  • A list of any systems that process, store, or transmit card data
  • Your network diagram (even a simple sketch works for small businesses)
  • Copies of your security policies (password policy, acceptable use, etc.)
  • Results from your last vulnerability scan

Don’t have formal policies? PCICompliance.com provides templates you can customize.

The Quarterly ASV Scan

If you have any internet-facing systems (website, email server, remote access), you need quarterly vulnerability scans by an Approved Scanning Vendor (ASV). This automated scan checks for security holes hackers could exploit.

The scan takes about 30 minutes and costs $50-150 per quarter. You’ll need four passing scans per year — one each quarter. PCICompliance.com’s ASV scanning service handles this automatically and helps you fix any issues found.

Submitting Your Compliance

After completing your SAQ:
1. Review your answers for accuracy
2. Complete the Attestation of Compliance (AOC) — this legally attests your answers are true
3. Submit both documents to your payment processor through their portal
4. Save copies for your records

Most processors give you 30-90 days to complete this process after sending the initial request.

What It Costs

Let’s talk real numbers so you can budget appropriately.

Compliance Platform and Tools

  • SAQ completion tools: Free to $30/month
  • Full compliance platforms (like PCICompliance.com): $20-100/month depending on features
  • Policy templates and documentation: Often included with platforms

Quarterly ASV Scanning

  • Basic scanning: $50-150 per quarter
  • Scanning with remediation help: $75-200 per quarter
  • Unlimited scanning packages: $500-1,000 annually

If You Need Professional Help

  • Consultant to guide SAQ completion: $500-2,000
  • Full QSA assessment (only for Level 1 merchants): $10,000-50,000+
  • Ongoing compliance management: $200-500/month

The Cost of NON-Compliance

  • Monthly non-compliance fees: $50-200 from your processor
  • Data breach without compliance: $50,000-500,000+ in fines and liability
  • Loss of card acceptance: Devastating for most businesses

Reality check: For most small merchants, annual compliance costs less than a single month of non-compliance fees. It’s far cheaper to comply than to ignore it.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly obligations.

Annual Requirements

Every 12 months, you need to:

  • Complete and submit your SAQ
  • Review and update your security policies
  • Train staff on security procedures
  • Test your incident response plan

Quarterly Requirements

Every 3 months, you need to:

  • Run and pass an ASV vulnerability scan (if applicable)
  • Review user access and remove terminated employees
  • Install security patches on all systems
  • Review firewall and router rules

What Triggers a New Assessment

You’ll need to complete a new SAQ if you:

  • Change how you accept payments (adding e-commerce to a retail store)
  • Switch payment processors or gateways
  • Start storing cardholder data
  • Experience a significant security incident

Making It Easy

Manual tracking is a recipe for missed deadlines. PCICompliance.com’s compliance dashboard tracks all your requirements, sends reminders before deadlines, and maintains your compliance documentation in one place. You’ll never miss a scan or forget an annual submission again.

FAQ

Q: I only process a few transactions per month. Do I really need to do this?
A: Yes, PCI compliance applies regardless of transaction volume. The good news is that low-volume merchants typically qualify for the simplest SAQ types, which take just an hour or two to complete.

Q: What happens if I just ignore the compliance request?
A: Your payment processor will start charging non-compliance fees (typically $50-200 monthly). Eventually, they may terminate your merchant account, leaving you unable to accept credit cards.

Q: I use Square/PayPal/Stripe. Aren’t they responsible for PCI compliance?
A: They handle security for the payment processing, but you’re still responsible for your part — like keeping your login credentials secure and using their tools properly. You’ll still need to complete an SAQ, though it will be a simple one.

Q: Do I need to hire a security consultant?
A: Most small merchants don’t need professional help. If you qualify for SAQ A or B (the most common types), you can complete it yourself with basic guidance.

Q: How long does the SAQ take to complete?
A: SAQ A takes 30-60 minutes. SAQ B takes 1-2 hours. SAQ C-VT takes 2-3 hours. SAQ D requires significant time and often professional assistance.

Q: What’s this vulnerability scan requirement?
A: If you have any systems accessible from the internet, you need quarterly scans by an Approved Scanning Vendor. The scan is automated and usually takes 30 minutes — you just need to fix any critical issues found.

Q: Can I just answer “yes” to everything on the SAQ?
A: No — false attestation is fraud. Answer honestly, and where you answer “no,” either implement the control or explain why it’s not applicable to your environment.

Q: How do I know if I’m doing this right?
A: Start with PCICompliance.com’s SAQ Wizard to ensure you’re completing the right form. The platform then guides you through each question with plain-English explanations and practical examples.

Conclusion

PCI compliance might seem daunting when you first receive that questionnaire, but for most small businesses, it’s a manageable process that protects both you and your customers. The key is identifying the right SAQ for your payment setup and methodically working through the requirements.

Remember: if you’re using modern payment tools and following basic security practices, you’re already most of the way there. The compliance process just documents what you’re doing and fills in any gaps.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never miss a deadline or wonder if you’re compliant. Start with the free SAQ Wizard to see how simple compliance can be, or talk to our compliance team if you need guidance getting started.
