What Is an ISA? Understanding Internal Security Assessors in PCI Compliance
Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and you’re wondering what an ISA is — relax. An ISA (Internal Security Assessor) is someone who helps large companies validate their own PCI compliance internally, and if you’re a small business owner reading this, you probably don’t need one. What you actually need to know: PCI compliance protects credit card data, applies to every business that accepts cards, and for most small merchants, it’s much simpler than it sounds. Let’s break down what you really need to do.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card information. If your business accepts Visa, Mastercard, American Express, or Discover — whether through a terminal, online, or over the phone — these requirements apply to you.
The major card brands created PCI DSS through the PCI Security Standards Council (PCI SSC), but it’s your payment processor or acquiring bank who actually enforces it. They’re the ones who sent you that compliance questionnaire, and they’re the ones who’ll follow up if you don’t complete it.
What happens if you don’t comply? Your payment processor can fine you monthly (typically $20-100 for small merchants), you could be liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards. The fines alone often cost more than just becoming compliant.
Here’s the good news: most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as Amazon or Walmart. The process usually involves completing a short questionnaire called an SAQ (Self-Assessment Questionnaire) and running quarterly security scans on your website if you have one.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a food truck with a Square reader or an online boutique — PCI compliance applies to you.
Your merchant level, which your acquiring bank assigns under each card brand's rules, determines how you validate. Most small businesses are Level 4 merchants (under Visa's definition, fewer than 20,000 e-commerce transactions a year, or up to 1 million transactions a year across all channels). Level 4 merchants complete an SAQ rather than undergoing an on-site assessment by an external assessor; exactly what a Level 4 merchant must submit each year is the acquirer's call, which is why the questionnaire came from them.
Your payment processor expects you to:
- Complete the appropriate SAQ annually
- Run quarterly external vulnerability scans through an Approved Scanning Vendor (ASV) if your SAQ type includes that requirement (it depends on the SAQ, not simply on whether you have a website; the requirements section of your SAQ says whether it applies to you)
- Submit your AOC (Attestation of Compliance) — basically a form saying you completed the requirements
- Fix any security issues the scans find
That compliance questionnaire they sent? It’s their way of making sure you’re meeting these requirements. They’re required by the card brands to verify all their merchants are compliant, which is why you’re getting those reminder emails.
Which SAQ Do You Need?
The PCI SSC publishes a family of SAQs (A, A-EP, B, B-IP, C, C-VT, P2PE, SPoC and D), but most small businesses fall into one of a handful of them. Think of it as choosing the right tax form: you want the simplest one that honestly fits your situation.
Here’s how to determine which SAQ applies to you:
If your website sends customers to a payment page hosted by a PCI-compliant provider (PayPal, a gateway's hosted checkout, or a hosted iframe) and your own systems never see card numbers → SAQ A (the simplest, usually 20-30 questions). Caveat: if the payment form is delivered by your own site (card fields built by JavaScript on your page, or a form that posts directly from your page to the processor), your site controls how card data reaches the processor and you fall into SAQ A-EP, which is considerably longer. Only a full redirect or a provider-hosted iframe keeps you in SAQ A.
If you use standalone, PTS-approved payment terminals that send transactions straight to your processor over the internet, with no computer or point-of-sale application in between, and you don't store card data electronically (a traditional countertop terminal or a Clover device, for example; with app-based readers such as Square, ask the provider which SAQ their device qualifies for) → SAQ B-IP (about 80 questions focused on the terminal and your network)
If you have standalone terminals that only connect via phone line → SAQ B (similar to B-IP but slightly simpler, since there's no IP network to protect)
If you take payments over the phone and key the card number, one transaction at a time, into a virtual terminal your processor provides through a web browser, on a computer that stores no card data → SAQ C-VT (about 80 questions covering that computer and your processes). If instead you key card numbers into your own e-commerce site or a point-of-sale application on your computer, C-VT doesn't fit and you're likely looking at SAQ C or D.
If you store card numbers electronically in any form (files, databases, spreadsheets, email, call recordings), or your setup doesn't fit any of the other SAQs → SAQ D (several hundred questions, essentially the full standard; you really want to avoid this). Paper records on their own don't push you into SAQ D, but any card number written down must still be kept locked away and destroyed as soon as it's no longer needed.
| Payment Scenario | SAQ Type | Complexity | Typical Questions |
|---|---|---|---|
| Online store with PayPal/Stripe Checkout (full redirect or hosted iframe) | SAQ A | Simple | 20-30 |
| Online store with the card form served from your own page | SAQ A-EP | Complex | 150+ |
| Restaurant with a standalone internet-connected terminal (e.g., Clover) | SAQ B-IP | Moderate | ~80 |
| Old dial-up credit card terminal | SAQ B | Moderate | ~80 |
| Taking orders by phone into a processor-provided virtual terminal | SAQ C-VT | Moderate | ~80 |
| Storing card numbers electronically, or nothing else fits | SAQ D | Complex | Several hundred |
Not sure which one fits? PCICompliance.com’s SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which SAQ you need — no guessing required.
How to Complete Your SAQ
Your SAQ is a questionnaire with yes/no questions about your payment security practices. When you answer “yes,” you’re confirming you have that security control in place. Here’s what to expect:
The questionnaire format: Each question states a security requirement and asks whether it's in place. You answer yes, no, or not applicable (there's also a "yes with compensating control" option for when you meet the requirement's intent another way, which needs a short worksheet explaining how). For example: "Are vendor-supplied defaults always changed before a system is installed on the network?" If Square or Clover manages your terminal, the device-side defaults are their responsibility, but the question also covers your own equipment, such as the admin password on the router your terminal uses, so check that before answering "yes". Never answer "yes" to a control you haven't actually put in place: the SAQ ends in a signed attestation.
Time commitment: For SAQ A, expect 30-60 minutes. For B-IP or C-VT, budget 2-4 hours, especially your first time through. SAQ D can take days or weeks, which is why you want to avoid storing card data.
Documentation you’ll need:
- List of all systems that handle payments
- Your network setup (for anything beyond SAQ A)
- Security policies if the SAQ requires them
- Results from your quarterly ASV scans (if applicable)
The quarterly ASV scan: Some SAQ types (the requirements list in your SAQ will say so) require an Approved Scanning Vendor, a scanning company certified by the PCI SSC, to scan the public IP addresses of your in-scope systems every three months. This isn't as scary as it sounds: it's an automated external scan that checks for things like outdated software, unnecessary exposed services and weak TLS configuration. Under the ASV program rules, any finding rated CVSS 4.0 or higher (the "medium" threshold) fails the scan, as do certain issues regardless of score. Most small businesses pass on the first try, and if you don't, the ASV report tells you exactly what to fix and most ASVs let you rescan as often as needed.
Submitting your compliance: Once you complete the SAQ and any required scans pass, you’ll generate an AOC (Attestation of Compliance). This is your official declaration that you’ve met the requirements. Submit this to your payment processor through their portal or however they’ve requested it.
What It Costs
Let’s talk real numbers. PCI compliance has some costs, but they’re usually less than the monthly non-compliance fees your processor charges.
Compliance platform and SAQ tools: Most services charge $100-300 annually for small merchants. This includes access to the SAQ, guidance on answering questions, and compliance tracking.
Quarterly ASV scanning: If you need scans (most merchants do), expect $100-200 per year for basic scanning. Some compliance platforms include this in their annual fee.
If you need a QSA: Small businesses rarely need a QSA (Qualified Security Assessor) unless they’re storing lots of card data or have had a breach. If you do need one, assessments start around $5,000 for small environments.
The cost of NON-compliance:
- Monthly processor fines: $20-100
- Breach liability: $50-90 per compromised card
- Potential loss of card processing ability
- Increased transaction fees as a “high-risk” merchant
Do the math: even basic non-compliance fines of $50/month equal $600/year. That's roughly double what most small merchants pay for full compliance support. Add the risk of breach liability, and compliance is simply good business.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done exercise — it’s an annual requirement with some quarterly components. Here’s how to stay on track:
Annual requirements: Your SAQ must be completed every year. Set a reminder for 30 days before your anniversary date to avoid last-minute scrambling.
Quarterly requirements: If your SAQ requires ASV scans, you need a passing scan at least every three months (four passing scans in a rolling year), plus a rescan after any significant change to your internet-facing systems. Missing a quarter leaves a gap in your compliance history that your processor can see, so put the dates on the calendar.
What triggers a new assessment:
- Changing payment processors or methods
- Adding new payment channels (like starting e-commerce)
- Changing how your website handles checkout (replacing a redirect with an embedded card form can move you from SAQ A to SAQ A-EP)
- Storing card data when you didn't before
- Having a security breach
Tracking made simple: PCICompliance.com’s compliance dashboard shows your status at a glance — when your next scan is due, how many days until SAQ renewal, and what documentation you’ve completed. No spreadsheets or sticky notes required.
FAQ
What’s the difference between an ISA and a QSA?
An ISA (Internal Security Assessor) is an employee of the organization being assessed who has completed the PCI SSC's ISA training and certification. ISAs typically work at large merchants and service providers and can conduct their own company's assessment, although whether an ISA-signed assessment is accepted is up to the acquirer and the card brands. A QSA (Qualified Security Assessor) works for an independent QSA company certified by the PCI SSC and assesses other organizations. Small businesses typically need neither; you complete a self-assessment instead.
My processor is charging me non-compliance fees. How do I stop them?
Complete your required SAQ and submit the AOC to your processor. If you need ASV scans, ensure they’re passing and current. Most processors stop charging fees within one billing cycle after receiving your documentation.
I use Square/PayPal/Stripe. Am I automatically compliant?
Not automatically, but you're close. These providers handle the complex security for you, but you still need to complete the SAQ that matches how you use them (SAQ A for a hosted checkout page you redirect to, SAQ B-IP for a standalone internet-connected terminal; your provider and processor will point you to the right one) and may need quarterly scans. The good news: your compliance requirements are minimal.
What’s an ASV scan and do I need one?
An ASV (Approved Scanning Vendor) scan is an automated external security scan of the public IP addresses of your in-scope, internet-facing systems, run by a scanning company certified by the PCI SSC. Whether you need one depends on your SAQ type, not just on having a website: check the requirements list in your SAQ, and ask your processor if you're unsure. Scans typically take a few hours to run and cost about $25-50 per scan.
Can I just ignore PCI compliance if I’m a small business?
Technically you could, but it’s expensive and risky. Your processor will charge monthly non-compliance fees, you’re liable for fraud losses, and you could lose the ability to accept cards. Compliance is almost always cheaper and easier than non-compliance.
How do I know which SAQ type I need?
Look at how you accept payments. Only redirect to hosted payment pages? That’s SAQ A. Use a terminal? That’s B or B-IP. Take phone orders? C-VT. When in doubt, use PCICompliance.com’s free SAQ Wizard — it asks simple questions and tells you exactly which form you need.
What if I fail my ASV scan?
Don’t panic. The scan report tells you exactly what failed and how to fix it. Common issues include outdated software, unnecessary services exposed to the internet, or weak TLS settings. Fix the issues and rescan; most ASVs let you rescan as often as you need until you pass. Most failures are minor and fixable within a day or two.
Do I need to hire a security consultant for PCI compliance?
Most small businesses don’t. If you’re SAQ A, A-EP, B, B-IP, or C-VT, you can complete the requirements yourself or with basic guidance from a compliance platform. Only SAQ D merchants typically need consultant help, and if you’re storing card data, you should probably stop doing that instead.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but for most small businesses, it’s a manageable process. You’re not being asked to implement enterprise-level security — just to follow basic practices that protect your customers’ card data and your business from liability.
The key is identifying which SAQ type fits your payment methods and staying consistent with annual assessments and quarterly scans. The cost is minimal compared to non-compliance fees, and the process gets easier each year as you become familiar with the requirements.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll spend less on compliance than you’re probably paying in non-compliance fees right now. Start with the free SAQ Wizard to see just how simple your path to compliance really is, or talk to our compliance team if you need guidance on your specific situation.