SAQ Rejected by Bank? Here’s Why (And How to Fix It)
Your payment processor just notified you that your SAQ was rejected by your bank. Don’t panic — this happens more often than you’d think, and it’s usually fixable within a few days. Most rejections come down to simple issues: wrong SAQ type, incomplete answers, or missing documentation.
Here’s the bottom line: for most small businesses, PCI compliance is simpler than it sounds. You don’t need to be a security expert or hire expensive consultants. You just need to understand what your bank is looking for and provide it in the right format. This guide will walk you through exactly what to do.
What Is PCI Compliance (In Plain English)
Let’s start with the basics. PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to anyone who accepts credit cards. The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through the PCI Security Standards Council to protect cardholder data.
Your acquirer (the bank or payment processor that handles your card transactions) enforces these standards. They’re the ones who sent you that compliance questionnaire and will ultimately approve or reject your submission. Think of them as the middleman between you and the card brands — they’re responsible for making sure all their merchants follow the rules.
The consequences of non-compliance aren’t theoretical. Your processor can fine you monthly (typically $5-$100 for small merchants), increase your processing rates, or even terminate your ability to accept cards. If you experience a data breach while non-compliant, you could face liability for fraud losses and forensic investigation costs that can reach hundreds of thousands of dollars.
The good news? Most small businesses qualify for the simplest SAQ types, which are basically questionnaires with 20-80 yes/no questions. You don’t need to hire security consultants or implement enterprise-grade systems. You just need to accurately describe how you handle credit cards and implement some basic security practices.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form — in person, online, over the phone, or even by mail — yes, you need to be PCI compliant. There’s no minimum transaction volume or business size that exempts you.
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing less than 20,000 Visa transactions or 1 million total card brand transactions annually). Level 4 merchants complete a self-assessment questionnaire rather than undergoing a formal audit by a QSA.
When your payment processor sends you that annual compliance questionnaire, they’re fulfilling their obligation to the card brands. They need to verify that all their merchants — from the corner coffee shop to major retailers — are following PCI DSS requirements. That questionnaire typically includes:
- A request to complete your SAQ (Self-Assessment Questionnaire)
- Requirements for quarterly ASV scans if you have internet-facing systems
- An AOC (Attestation of Compliance) to sign
- Sometimes additional documentation like network diagrams or policies
Your processor expects you to complete this process annually and maintain compliance throughout the year. Missing deadlines or submitting incorrect information triggers those rejection notices.
Which SAQ Do You Need?
This is where most merchants get tripped up. There are different SAQ types based on how you accept and process payments. Choosing the wrong one is the number one reason for rejection.
| How You Take Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Outsourced completely (PayPal, Square online) | SAQ A | ~20 | Easiest |
| E-commerce with payment page redirect | SAQ A-EP | ~140 | Moderate |
| Terminal only, no electronic storage | SAQ B | ~40 | Easy |
| Terminal only with IP connection | SAQ B-IP | ~80 | Easy-Moderate |
| Manual entry (phone/mail), no storage | SAQ C-VT | ~80 | Moderate |
| Manual entry with storage | SAQ C | ~160 | Complex |
| Any electronic storage or processing | SAQ D | ~330 | Most Complex |
Here’s what these mean in real-world terms:
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B (dial-up) or SAQ B-IP (internet-connected). These terminals handle all the card processing — you just see masked card numbers on receipts.
If you have an e-commerce site using hosted checkout (where customers get redirected to Shopify, Stripe, or PayPal to enter card details), you’re likely SAQ A. Your website never touches the actual card data.
If you take payments over the phone and type them into a virtual terminal or payment gateway, you’re likely SAQ C-VT (if you don’t store the numbers) or SAQ C (if you do write them down).
If you store card numbers in any form — spreadsheets, customer database, even paper files — you’re stuck with SAQ D, the most complex type. This is a strong signal to stop storing card data and move to a simpler method.
PCICompliance.com offers a free SAQ Wizard that asks you a series of plain-English questions about your payment setup and tells you exactly which SAQ type applies. It takes about three minutes and eliminates the guesswork.
How to Complete Your SAQ
Once you know your SAQ type, the actual questionnaire is straightforward. Each requirement is a yes/no question about your security practices. For example:
- “Do you change default passwords on payment terminals?”
- “Is your payment processing area restricted to authorized personnel?”
- “Do you have a firewall between your internet connection and payment systems?”
When you answer “yes,” you’re confirming that you’ve implemented that security control. This isn’t about having perfect security — it’s about meeting the specific requirements for your SAQ type. Many requirements don’t apply to small merchants, which is why the simplified SAQ types exist.
Documentation you’ll need:
- List of all payment terminals and their locations
- Your network diagram (can be hand-drawn for simple setups)
- Copies of your security policies (many SAQ types only require basic policies)
- Results from your quarterly ASV scans (if applicable)
- Service provider compliance attestations (if you use third parties)
The quarterly ASV scan trips up many merchants. If your SAQ type requires it (typically anything except SAQ A and SAQ B), you need a passing external vulnerability scan from an Approved Scanning Vendor. These scans check your internet-facing systems for security vulnerabilities. They’re automated, usually cost $30-50 per quarter, and take about 15 minutes to set up.
To submit your compliance package:
1. Complete all SAQ questions honestly
2. Gather required documentation
3. Ensure your ASV scans are passing (if required)
4. Sign the Attestation of Compliance (AOC)
5. Submit everything through your processor’s portal
Most processors give you 30-90 days to complete this process. Missing the deadline triggers non-compliance fees.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your business type and chosen approach:
Compliance platforms and SAQ tools: Free to $30/month for basic services. These guide you through the questionnaire and track your compliance status. Premium services with phone support run $50-100/month.
Quarterly ASV scanning: $30-50 per scan, or about $150-200 annually. Some compliance platforms bundle this service. You need four passing scans per year.
QSA assessment: Only required for Level 1-2 merchants. If you’re reading this guide, you probably don’t need one. These formal audits start at $15,000 annually.
The cost of NON-compliance: This is where it gets expensive. Monthly non-compliance fees from your processor range from $5-100. A data breach while non-compliant can result in:
- Forensic investigation costs: $10,000-50,000
- Card brand fines: $5,000-100,000
- Liability for fraud losses: Varies widely
- Loss of card acceptance privileges: Catastrophic for most businesses
For most small merchants, annual compliance costs less than $500 — far less than a single month of non-compliance fines after a breach. It’s not just about checking boxes; it’s about protecting your business.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your annual assessment must be renewed, and certain requirements need ongoing attention:
Set calendar reminders for:
- Annual SAQ renewal (60 days before expiration)
- Quarterly ASV scans (every 90 days)
- Security awareness training for staff (annually)
- Password changes on payment systems (every 90 days)
- Review of service provider compliance (annually)
Changes that trigger a new assessment:
- Adding new payment channels (like starting e-commerce)
- Changing payment processors or gateways
- Implementing new payment terminals or software
- Starting to store card data (please don’t)
- Significant network or system changes
PCICompliance.com’s compliance dashboard tracks all these dates and sends automatic reminders. You can see your compliance status at a glance and know exactly what needs attention before deadlines hit.
FAQ
Why was my SAQ rejected by my bank?
The most common reasons are: selecting the wrong SAQ type, leaving questions blank, failing ASV scans, or missing documentation. Your rejection notice should specify the issue. If it doesn’t, call your processor’s compliance department for clarification.
How long do I have to resubmit after rejection?
Most processors give you 30 days to correct and resubmit. Some may start non-compliance fees immediately, while others have a grace period. Check your processor agreement or call them directly.
Can I change SAQ types after rejection?
Yes, if you selected the wrong type initially. Use PCICompliance.com’s SAQ Wizard or consult your processor’s compliance team to identify the correct type. You’ll need to complete the new SAQ from scratch.
What if I can’t meet all the requirements?
Some requirements might not apply to your business model — mark these as “N/A” with an explanation. For requirements you can’t meet, you may need compensating controls (alternative security measures). Document these clearly, or consider changing your payment methods to qualify for an easier SAQ type.
Do I need to hire a QSA to help?
Level 4 merchants (most small businesses) don’t need a QSA for their annual assessment. However, a consultant can help if you’re struggling with requirements or need to implement security controls. Expect to pay $150-300/hour for qualified help.
What happens if I don’t complete PCI compliance?
Your processor will likely charge monthly non-compliance fees ($5-100), increase your processing rates, and potentially terminate your merchant account. You’ll also face full liability for any fraud or breach-related costs. The risks far outweigh the effort required for compliance.
Can I just say “yes” to all questions?
This is fraud and makes you fully liable for any breach-related costs. Processors do verify responses through various means. Answer honestly — it’s better to fail initially and fix issues than to falsely attest to compliance.
Why do I need ASV scans if I only use a terminal?
You might not — SAQ B doesn’t require ASV scans. However, if your terminal connects via the internet (SAQ B-IP) or you have any web presence, scans are required. The scans check for vulnerabilities that could provide access to your payment environment.
Moving Forward with Confidence
Getting your SAQ rejected by your bank feels overwhelming, but it’s usually a simple fix. Most rejections stem from choosing the wrong SAQ type or missing basic requirements — both easily correctable. The key is understanding what type of merchant you are and what the requirements actually mean in practical terms.
Remember, PCI compliance exists to protect both you and your customers. Those requirements that seem bureaucratic actually prevent the kinds of breaches that destroy small businesses. The hour you spend completing your SAQ correctly could save you from hundreds of thousands in breach-related costs.
PCICompliance.com simplifies this entire process. Our free SAQ Wizard ensures you’re completing the right questionnaire. Our ASV scanning service handles your quarterly vulnerability scans automatically. And our compliance dashboard keeps track of all your deadlines and requirements in one place. Whether you’re fixing a rejected SAQ or starting fresh, we provide the tools and guidance to achieve compliance quickly and maintain it effortlessly. Start with our free SAQ Wizard to identify your correct questionnaire type, or reach out to our compliance team for personalized guidance on your rejection.