When to Update Your SAQ?
That compliance questionnaire from your payment processor sitting in your inbox? It’s probably less scary than you think. If you’re a small business accepting credit cards, knowing when to update your SAQ is simpler than the jargon makes it sound. Most businesses need about an hour once a year to stay compliant, not the weeks of work you might be imagining.
Here’s what you actually need to know: PCI compliance protects credit card data, your payment processor requires it, and for most small businesses, it’s a straightforward annual questionnaire with quarterly security scans. Let’s break down exactly what you need to do.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) exists for one reason: to protect credit card information from theft. If you accept Visa, Mastercard, American Express, or Discover anywhere in your business — in person, online, or over the phone — these rules apply to you.
The major card brands created these standards through the PCI Security Standards Council, but your acquirer (the bank or payment processor that handles your credit card transactions) enforces them. When PayPal, Square, Stripe, or your merchant bank sends you a compliance questionnaire, they’re fulfilling their obligation to the card brands.
The Real Consequences
Non-compliance isn’t just theoretical risk. Your payment processor can:
- Fine you monthly (typically $25-$100 for small merchants)
- Hold you liable for fraud losses
- Terminate your ability to accept cards entirely
The good news? Most small businesses qualify for the simplest compliance requirements. That intimidating questionnaire probably boils down to confirming you’re using secure payment tools and following basic security practices you’re likely already doing.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you process one transaction or one million — the moment you accept a credit card payment, PCI DSS applies.
Your Merchant Level
Your transaction volume determines your merchant level, which affects your compliance requirements:
- Level 4: Fewer than 20,000 e-commerce transactions annually, OR any other merchant processing up to 1 million total transactions annually (most small businesses)
- Level 3: 20,000 to 1 million e-commerce transactions annually
- Level 2: 1 to 6 million total transactions annually
- Level 1: Over 6 million transactions annually
Most small and medium businesses are Level 4 merchants, which means self-assessment through an SAQ (Self-Assessment Questionnaire) rather than an expensive on-site audit.
What Your Processor Actually Wants
That compliance questionnaire isn’t bureaucracy for its own sake. Your processor needs:
1. A completed SAQ appropriate to how you accept payments
2. Quarterly ASV scans if you have any internet-facing systems
3. An Attestation of Compliance (AOC) stating you’ve met the requirements
Miss these deadlines and those monthly non-compliance fees start immediately.
Which SAQ Do You Need?
The SAQ you need depends entirely on how you handle credit cards. Here’s the plain-language guide:
| How You Accept Cards | Your SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect to payment page (PayPal, Square Checkout) | SAQ A | ~22 | Simple |
| Payment form on your site (Stripe Elements, Authorize.net Accept.js) | SAQ A-EP | ~140 | Moderate |
| Standalone terminal (no internet connection) | SAQ B | ~41 | Simple |
| Terminal with internet (Square Terminal, Clover) | SAQ B-IP | ~82 | Moderate |
| Take cards by phone (virtual terminal) | SAQ C-VT | ~80 | Moderate |
| Store card numbers (please stop doing this) | SAQ D | ~326 | Complex |
Real-World Examples
E-commerce scenarios:
- Running WooCommerce with PayPal checkout that redirects customers? → SAQ A
- Using Shopify with their hosted checkout? → SAQ A
- Built a custom checkout with Stripe Elements? → SAQ A-EP
- Storing card numbers in your database? → SAQ D (and immediate action needed)
Brick-and-mortar scenarios:
- Using a Square Reader connected to an iPad? → SAQ B-IP
- Old-school terminal with phone line? → SAQ B
- Taking orders by phone and entering them into a virtual terminal? → SAQ C-VT
Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your payment security practices. Despite the technical language, most questions translate to common-sense security:
What ‘Yes’ Really Means
When the SAQ asks “Do you restrict physical access to cardholder data?” it’s asking:
- Is your payment terminal in a secure location?
- Do you lock up any paper receipts with card numbers?
- Is your back office computer password-protected?
A “yes” answer means you’re doing the required practice. “No” means you need to implement it before you can pass compliance.
Documentation You’ll Need
Gather these before starting your SAQ:
- Network diagram (even a simple sketch of your internet and payment setup)
- List of who has access to payment systems
- Security policies (can be simple one-page documents)
- Vendor agreements showing your payment providers are PCI compliant
The Quarterly ASV Scan
If you have any internet-facing systems (website, email server, etc.), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor. These automated scans check for security holes hackers could exploit.
The process is straightforward:
1. Sign up with an ASV provider
2. Enter your website/IP addresses
3. Run the scan (takes 30-60 minutes)
4. Fix any failing vulnerabilities
5. Get your passing scan report
Submitting Your Compliance
Once you’ve answered all questions and passed your ASV scan:
1. Complete the Attestation of Compliance (generated automatically by most SAQ tools)
2. Submit to your payment processor through their compliance portal
3. Save your confirmation — you’ll need it next year
Total time for most small businesses? 1-2 hours for the entire annual process.
What It Costs
Direct Compliance Costs
SAQ completion tools:
- Free basic questionnaires from your processor
- $100-300/year for guided compliance platforms
- $300-500/year for full-service solutions with support
Quarterly ASV scanning:
- $50-150 per scan (4 times per year)
- Often bundled with compliance platforms
- Some processors include it free
If you need a QSA (only for complex setups):
- $5,000-15,000 for small business assessment
- Most Level 4 merchants never need this
The Cost of Non-Compliance
Skip compliance and face:
- Monthly fines: $25-100 from your processor
- Breach liability: Average small business breach costs $150,000
- Lost processing: Can’t accept cards = can’t stay in business
For most small merchants, annual compliance costs less than two months of non-compliance fines. It’s simply good business.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your obligations repeat annually, with quarterly scans throughout the year.
When to Update Your SAQ
You’ll need to complete a new SAQ:
- Annually when your processor sends the compliance reminder
- After major changes to how you accept payments
- When adding new payment channels (like adding e-commerce to a retail business)
- After a security incident affecting payment systems
Setting Up for Success
Make compliance automatic:
- Calendar reminders 30 days before your annual deadline
- Quarterly scan scheduling with your ASV provider
- Documentation folder with all your compliance records
- Change tracking when you modify payment processes
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and maintaining your compliance history in one place.
FAQ
Q: I only process a few cards per month. Do I still need to comply?
A: Yes, PCI DSS applies to any business accepting credit cards, regardless of volume. The good news is your low volume means simpler requirements — likely just an annual SAQ A or B.
Q: What happens if I fail my ASV scan?
A: Failing vulnerabilities must be fixed and the scan re-run until you pass. Most failures are common issues like outdated SSL certificates or unpatched software — your ASV report will explain exactly what needs fixing.
Q: Can I just tell my processor I’m compliant without doing the work?
A: This is called false attestation and can result in immediate termination of your merchant account plus liability for any fraud losses. The actual compliance work is usually simpler than trying to fake it.
Q: Do I need to hire a security consultant?
A: Most small businesses don’t need outside help. If you’re SAQ A through C-VT, the questionnaire is designed for self-completion. Only complex environments storing card data typically need professional assistance.
Q: How do I know if my payment provider is reducing my PCI scope?
A: Ask your provider if they offer a PCI-compliant hosted payment page or tokenization. If they handle all the card data and you never see it, you qualify for simpler SAQ types.
Q: What’s the difference between PCI compliance and other security standards?
A: PCI DSS specifically protects payment card data. You might also need general security practices, but PCI compliance focuses solely on how you handle credit card information.
Conclusion
That compliance questionnaire in your inbox represents a simple annual checkpoint, not an insurmountable obstacle. For most businesses, keeping your SAQ up to date means spending an hour each year confirming you’re using secure payment tools and following basic security practices. The quarterly scans run automatically, the questions have straightforward answers, and the whole process protects both your business and your customers.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team. We’ve guided thousands of businesses through their first compliance assessment, and we’ll make sure yours goes smoothly too.