Heartland Payment PCI Compliance: A Small Business Owner’s Guide to Getting (and Staying) Compliant
Bottom Line Up Front
That PCI compliance questionnaire from Heartland sitting in your inbox? It’s not as scary as it looks. For most small businesses, Heartland PCI compliance is straightforward — answer some yes/no questions, run a quarterly security scan, and submit your paperwork once a year. You don’t need to be a security expert or hire expensive consultants. This guide will walk you through exactly what you need to do, step by step.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. If you accept credit cards, these requirements apply to you. Think of it as the card industry’s way of making sure everyone handling card data follows basic security practices.
The card brands created a council called the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. That’s where your payment processor — in this case, Heartland — comes in. Heartland enforces PCI compliance as part of your merchant agreement because they’re on the hook if something goes wrong.
Here’s what happens if you’re not compliant:
- Monthly fines from your processor (typically $25-100 for small merchants)
- Liability for fraud if card data gets compromised
- Higher processing rates or losing the ability to accept cards entirely
But here’s the good news: most small businesses qualify for the simplest compliance options. You’re not held to the same standards as Amazon or Target. The requirements scale based on your size and how you handle card data.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a one-person shop or process just a few transactions a month. Accept cards? You need to be compliant.
Your merchant level determines how much documentation you need:
- Level 1: Over 6 million transactions annually (full on-site assessment required)
- Level 2: 1-6 million transactions (self-assessment with quarterly scans)
- Level 3: 20,000-1 million transactions (self-assessment with quarterly scans)
- Level 4: Under 20,000 transactions (self-assessment with quarterly scans)
Most small businesses are Level 4 merchants, which means you can self-assess using a simplified questionnaire called an SAQ (Self-Assessment Questionnaire).
That letter or email from Heartland asking about PCI compliance? They’re required to verify your compliance annually. The questionnaire they sent is your SAQ — a checklist of security practices you need to confirm you’re following. Miss their deadline and you’ll start seeing those monthly non-compliance fees on your statement.
Which SAQ Do You Need?
The hardest part of PCI compliance is figuring out which questionnaire applies to your business. There are different SAQ types based on how you accept and process card payments:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Redirect to payment page (PayPal, Square Online) | SAQ A | 22 | Easiest |
| E-commerce with payment fields on your site | SAQ A-EP | 191 | Moderate |
| Standalone terminal (no computer connection) | SAQ B | 41 | Easy |
| Terminal connected to internet | SAQ B-IP | 91 | Moderate |
| Phone/mail orders entered into virtual terminal | SAQ C-VT | 160 | Moderate |
| Face-to-face with computer-connected systems | SAQ C | 160 | Moderate |
| Store card numbers or complex setup | SAQ D | 329 | Complex |
Here’s how to determine your type:
If you use a payment terminal like Square, Clover, or a traditional credit card machine:
- Terminal not connected to your computer or cash register? → SAQ B
- Terminal connects to internet for processing? → SAQ B-IP
If you have an e-commerce website:
- Customers leave your site to pay (PayPal, Stripe Checkout)? → SAQ A
- Payment fields embedded on your site? → SAQ A-EP
If you take payments over the phone:
- Card details typed into a web-based virtual terminal? → SAQ C-VT
If you store credit card numbers in any form:
- Spreadsheet, customer database, or filing cabinet? → SAQ D (and please stop storing card numbers — it’s rarely worth the risk)
Not sure? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ you need. No guesswork required.
How to Complete Your SAQ
Once you know your SAQ type, the actual questionnaire is straightforward. It’s a series of yes/no questions about your security practices. Here’s what to expect:
The questions cover things like:
- Do you have a firewall? (Your router probably counts)
- Do you use antivirus software? (Windows Defender counts)
- Do you change default passwords? (Please say yes)
- Do you limit access to card data? (Only letting certain employees process payments)
“Yes” means you’re doing that security practice. You don’t need perfection — you need to honestly assess whether you meet each requirement. For most small businesses using modern payment systems, you’ll answer “yes” to most questions without changing anything.
Documentation you’ll need:
- Network diagram (can be hand-drawn showing your internet, router, and payment devices)
- List of payment applications (your POS software, virtual terminal, etc.)
- Security policies (basic written procedures for handling card data)
- ASV scan results (quarterly vulnerability scans — more on this below)
The ASV scan is a required quarterly security scan of any internet-facing systems. An Approved Scanning Vendor runs automated tests looking for vulnerabilities. For most small businesses, this means scanning your website and any IP addresses associated with payment processing. Schedule your first scan as soon as you start the compliance process — you’ll need a passing scan to submit with your SAQ.
Submitting your compliance involves:
1. Complete all SAQ questions
2. Include your most recent passing ASV scan
3. Sign the Attestation of Compliance (AOC) — a formal declaration that you completed the assessment
4. Submit through Heartland’s compliance portal or mail the physical forms
The whole process typically takes 2-4 hours for simple SAQ types, longer for complex setups.
What It Costs
PCI compliance costs vary based on your setup and which tools you use:
Compliance platforms and SAQ tools:
- Basic platforms: $120-300/year
- Full-service platforms with support: $300-600/year
- Enterprise solutions: $1,000+/year
Quarterly ASV scanning:
- Standalone ASV service: $200-400/year
- Often included with compliance platforms
- You need four passing scans per year
If you need a QSA (only for Level 1 merchants or complex environments):
- Full assessments: $15,000-50,000+
- Pre-assessment gap analysis: $5,000-15,000
The cost of NON-compliance:
- Monthly fines: $25-100 for Level 4 merchants
- Breach liability: $50-90 per compromised card
- Forensic investigation: $10,000-100,000+
- Lost ability to process cards: priceless
For most small merchants, annual compliance costs less than three months of non-compliance fines. It’s not just about avoiding penalties — it’s about protecting your business from devastating breach costs.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your compliance expires annually, and certain requirements need attention throughout the year:
Annual requirements:
- Complete your SAQ
- Submit your AOC to Heartland
- Review and update security policies
Quarterly requirements:
- Run ASV scans (every 90 days)
- Review scan results and fix any failures
- Keep scan reports for your records
Set reminders for:
- SAQ renewal date (same time each year)
- Quarterly scan dates
- Heartland compliance deadlines
Changes that trigger reassessment:
- Adding new payment channels (like starting e-commerce)
- Changing payment processors or terminals
- Storing card data when you didn’t before
- Major network or system changes
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sends reminders before deadlines, and keeps your documentation organized year-round. No more scrambling when Heartland sends that annual notice.
FAQ
What happens if I don’t complete PCI compliance for Heartland?
Heartland will start charging monthly non-compliance fees (typically $25-100) after their deadline passes. Continue ignoring it and you risk higher fees, increased liability for fraud, and potentially losing your merchant account. The fees add up quickly — it’s cheaper to just complete the requirements.
How long does PCI compliance take?
For most small businesses using simple payment setups (SAQ A or B), expect 2-4 hours total. This includes completing the questionnaire, running your first ASV scan, and submitting documentation. Complex setups with stored card data can take significantly longer.
Do I need to hire someone to help with PCI compliance?
Most Level 4 merchants can complete compliance themselves using a compliance platform. You only need professional help if you’re Level 1, have a complex environment, or store significant card data. The questionnaires are designed for self-assessment.
What’s the difference between PCI compliance and EMV compliance?
EMV refers to chip card acceptance — the physical security of the payment terminal. PCI covers overall data security for your entire payment environment. You need both: EMV protects against counterfeit cards, PCI protects against data breaches.
How often do I need to complete PCI compliance?
Annually for your full assessment, with quarterly ASV scans throughout the year. Heartland will notify you when your annual compliance is due. Mark your calendar — the requirements don’t change much year to year, so subsequent assessments are usually faster.
Can I use the same PCI compliance for multiple payment processors?
Yes and no. The PCI requirements are universal, but each processor needs its own attestation. If you use Heartland and another processor, you’ll need to submit compliance documentation to both, though you can use the same SAQ answers.
What if I fail my ASV scan?
Don’t panic — failing your first scan is common. The scan report shows exactly what failed and how to fix it. Most failures are minor issues like outdated SSL certificates or unnecessary services running. Fix the issues and rescan. You only need one passing scan per quarter.
Conclusion
Heartland PCI compliance doesn’t have to be overwhelming. For most small businesses, it’s a matter of completing a short questionnaire, running quarterly scans, and submitting your paperwork once a year. The security practices PCI requires are things you should be doing anyway — using firewalls, updating software, and limiting access to sensitive data.
The key is knowing which SAQ applies to your business and staying on top of the quarterly scanning requirements. Once you complete it the first time, annual renewals are even easier.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of juggling multiple vendors and deadlines, you get a single platform that walks you through each requirement and keeps you compliant year after year. Start with the free SAQ Wizard to identify your requirements, or talk to our compliance team if you need guidance on your specific situation.