PostgreSQL PCI Compliance

PostgreSQL PCI Compliance: A Small Business Owner’s Guide to Card Payment Security

What You Actually Need to Know Right Now

Here’s the truth: if you just received a PCI compliance questionnaire from your payment processor, you’re probably feeling overwhelmed. The good news? PostgreSQL PCI compliance is almost certainly simpler than you think, especially for small businesses. Most merchants can complete their compliance requirements in an afternoon with the right guidance.

You don’t need to become a security expert. You don’t need to hire expensive consultants. And you definitely don’t need to panic. This guide will walk you through exactly what PCI compliance means for your business, which questionnaire you need to complete, and how to get it done without the headache.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist designed to protect credit card data from theft.

If you accept credit cards in any form — whether through a terminal, online, or over the phone — these requirements apply to you. The card brands created the PCI Security Standards Council to manage the standard, but it’s your acquiring bank or payment processor (the company that handles your card transactions) who enforces it.

Here’s what non-compliance can mean for your business:

  • Monthly fines from your payment processor (typically $50-$500 for small merchants)
  • If card data gets stolen, you’re liable for the breach costs
  • Your processor could terminate your ability to accept cards
  • You lose the “safe harbor” protection that compliance provides

But here’s the crucial part most people miss: the vast majority of small businesses qualify for the simplest compliance options. If you’re using modern payment tools like Square, Stripe, or PayPal, you’re already 90% of the way there.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards, yes. It doesn’t matter if you process one transaction or one million — the requirement applies to everyone who handles card payments.

Your merchant level determines how you demonstrate compliance:

  • Level 4 (under 20,000 transactions annually): Self-assessment questionnaire (SAQ)
  • Level 3 (20,000-1 million): SAQ with quarterly scans
  • Level 2 (1-6 million): SAQ with quarterly scans
  • Level 1 (over 6 million): Annual on-site assessment by a QSA

Most small businesses are Level 4, which means you complete a self-assessment questionnaire annually and that’s it. The compliance questionnaire your processor sent? That’s them asking you to complete this annual requirement.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Here’s how to figure out which one applies to you:

How You Accept Payments                                 | SAQ Type | Questions | Complexity
--------------------------------------------------------|----------|-----------|--------------
Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A    | 22        | Easiest
E-commerce with payment fields on your site             | SAQ A-EP | 191       | Moderate
Standalone terminal only (Square, Clover)               | SAQ B    | 41        | Easy
Terminal connected to internet                          | SAQ B-IP | 82        | Easy-Moderate
Phone/mail/fax orders (no storage)                      | SAQ C-VT | 160       | Moderate
Multiple channels, no storage                           | SAQ C    | 160       | Moderate
Store card numbers anywhere                             | SAQ D    | 329       | Complex

The reality check: If you’re reading this guide, you probably need SAQ A, B, or B-IP. These cover 95% of small businesses and can be completed without technical expertise.

Not sure which one? PCICompliance.com’s free SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire to use.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your payment security practices. Here’s what the process looks like:

1. Download the right SAQ (or use an online platform)
The questionnaire asks about things like:

  • Do you have a firewall? (Your internet router counts)
  • Do you use antivirus? (Windows Defender counts)
  • Do you change default passwords? (Please say yes)

2. Answer honestly
“Yes” means you do this consistently. If you’re not sure, the answer is probably “no” — and that’s okay. The questionnaire helps identify what needs fixing.

3. Gather basic documentation
You’ll need:

  • Your network diagram (can be hand-drawn)
  • List of who has access to payment systems
  • Your security policies (templates are fine)

4. Complete quarterly scanning (if required)
Level 1-3 merchants need quarterly ASV scans: automated security scans of your public-facing systems, run by an Approved Scanning Vendor. Your compliance platform handles this; you just review the results.

5. Submit your attestation
Once complete, you sign an Attestation of Compliance (AOC) stating you’ve met the requirements. Submit this to your payment processor, and you’re done for the year.

Total time? For SAQ A or B, expect 2-4 hours. For more complex SAQs, budget a few days to gather documentation and implement any missing controls.

What It Costs

Let’s talk real numbers for small businesses:

Compliance platform with SAQ tools: $200-500/year

  • Includes questionnaire wizard, policy templates, and submission tracking
  • Some processors provide basic tools free

Quarterly ASV scanning: $100-300/year

  • Required for Levels 1-3 and some SAQ types
  • Often bundled with compliance platforms

If you need a QSA (rare for small businesses): $15,000-50,000

  • Only required for Level 1 merchants
  • Most small businesses never need this

The cost of NOT complying:

  • Monthly non-compliance fees: $50-500
  • Data breach without compliance: $50,000-500,000+ in liability
  • Loss of card acceptance: Priceless (and business-ending)

For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not an expense — it’s insurance.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done activity. Your processor will ask for proof of compliance every year, and some requirements need quarterly attention.

Set these reminders now:

  • Annual SAQ due date (usually 12 months from last submission)
  • Quarterly ASV scans (every 90 days) if required
  • Review access when employees leave
  • Update your SAQ if you change payment methods

Common triggers for reassessment:

  • Adding a new payment channel (like starting e-commerce)
  • Changing payment processors
  • Storing card numbers (please don’t)
  • Major network changes

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and keeping your documentation organized year-round.

Frequently Asked Questions

Q: What if I only process a few transactions per month?

A: Volume doesn’t matter — if you accept cards, you need to comply. The good news is that low-volume merchants get the simplest requirements. Complete your SAQ once per year and you’re set.

Q: My payment processor says I’m non-compliant. What now?

A: Don’t panic. They’re likely just missing your annual attestation. Complete the appropriate SAQ, submit your AOC, and the non-compliance fees stop immediately. Most processors give you 30-90 days to complete it.

Q: Can I just use PayPal/Square/Stripe and avoid all this?

A: Using these providers definitely simplifies compliance, but doesn’t eliminate it. You’ll likely qualify for SAQ A (the easiest), but you still need to complete it annually. The provider handles the complex security; you handle the basics.

Q: What’s the difference between PCI compliance and being “PCI certified”?

A: There’s no such thing as “PCI certification” for merchants. You’re either compliant or non-compliant. Service providers can be certified, but merchants validate compliance through SAQs or assessments.

Q: Do I need to hire a QSA?

A: Probably not. Only Level 1 merchants (processing over 6 million transactions annually) need a QSA assessment. Everyone else self-assesses using the appropriate SAQ.

Q: What if I fail my vulnerability scan?

A: Failing vulnerabilities need to be fixed and rescanned. Most are simple issues like outdated software. Your ASV provides a report explaining what needs fixing — it’s usually straightforward updates.

Q: Is PCI compliance actually enforced for small businesses?

A: Yes, through your payment processor. They’re required to ensure merchant compliance and will impose monthly fines for non-compliance. While enforcement varies, the fines are real and add up quickly.

Q: What about storing cards for recurring billing?

A: If you must store cards, use a payment processor’s vault or tokenization service. Never store card numbers in your own systems — it puts you in the most complex SAQ category and dramatically increases your risk.

Your Next Steps

PCI compliance sounds intimidating, but for most small businesses, it’s a straightforward annual task. The key is identifying which SAQ applies to your payment setup and working through it methodically. You don’t need to become a security expert — you just need to follow the checklist.

Start with PCICompliance.com’s free SAQ Wizard to identify exactly which questionnaire you need. Our platform then guides you through each requirement with plain-English explanations, provides templates for required documentation, and handles your quarterly ASV scanning if needed. Our compliance dashboard tracks your progress and sends reminders before deadlines, so you never fall out of compliance again.

Whether you’re completing your first SAQ or managing compliance across multiple locations, we make the process as simple as possible. Take the SAQ Wizard now to see how straightforward compliance can be, or talk to our compliance team for personalized guidance. Most merchants complete their initial assessment in under four hours — and sleep better knowing their business is protected.
