Employee Security Agreement Template
Your payment processor just sent you a PCI compliance questionnaire, and you’re staring at terms like “SAQ” and “ASV scan” wondering what you’ve gotten yourself into. Take a breath — for most small businesses, PCI compliance is simpler than it sounds. If you’re looking for an employee security agreement template as part of your compliance requirements, you’re already thinking ahead. Let’s demystify PCI compliance and get you on the right path.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit card payments. Think of it as the card industry’s rulebook for keeping customer payment data safe. If you swipe, insert, key in, or process credit cards in any way, these rules apply to you.
The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through an organization called the PCI Security Standards Council. But here’s the key part: your payment processor or acquiring bank enforces them. That’s why they sent you that compliance questionnaire.
What happens if you ignore it? Your processor can fine you (typically $5,000-$100,000 per month of non-compliance), you’ll be liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards altogether. The good news? Most small businesses qualify for the simplest compliance requirements — often just answering a questionnaire and running quarterly security scans.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a food truck with a Square reader or an online boutique — if customers can pay with plastic, PCI DSS applies to you.
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants typically complete a Self-Assessment Questionnaire (SAQ) rather than undergo a full on-site audit.
Your payment processor expects you to:
- Complete the appropriate SAQ annually
- Run quarterly vulnerability scans if you have any internet-facing systems
- Fix any security issues those scans identify
- Submit your compliance documentation when requested
That questionnaire they sent? It’s their way of verifying you’re following the rules. Ignore it, and those monthly non-compliance fees start adding up fast.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in several flavors, each designed for different payment scenarios. Here’s how to figure out which one applies to you:
| How You Take Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Outsourced completely (PayPal, Square online) | SAQ A | 22 | Easiest |
| E-commerce with payment page redirect | SAQ A-EP | 139 | Moderate |
| Standalone terminal only (no connected systems) | SAQ B | 41 | Easy |
| Standalone terminal with IP connection | SAQ B-IP | 82 | Easy-Moderate |
| Phone/mail orders (no electronic storage) | SAQ C-VT | 80 | Moderate |
| Other payment methods | SAQ C | 139 | Complex |
| Store card data electronically | SAQ D | 329 | Most Complex |
If you use a payment terminal like Square, Clover, or a traditional credit card machine that’s not connected to your other systems, you’re likely SAQ B or B-IP. The difference? B-IP is for terminals that connect via internet rather than phone lines.
If you have an e-commerce site with hosted checkout — where customers get redirected to PayPal, Stripe Checkout, or your payment provider’s page — you’re likely SAQ A, the simplest form with only 22 questions.
If you take card payments over the phone and type them into a virtual terminal or payment portal (without storing them), you’re likely SAQ C-VT.
If you store card numbers in any electronic format — spreadsheets, databases, even “temporarily” — you’re SAQ D, the most complex questionnaire. Seriously consider stopping this practice; it’s rarely worth the compliance burden.
Not sure which applies? Use PCICompliance.com’s SAQ Wizard — answer a few simple questions about your payment setup, and we’ll tell you exactly which SAQ you need.
How to Complete Your SAQ
Your SAQ is essentially a checklist of yes/no questions about your security practices. When you answer “yes,” you’re confirming you have that security control in place. Here’s what to expect:
The questionnaire itself varies from 22 to 329 questions depending on your SAQ type. For most small merchants (SAQ A, B, or B-IP), you can complete it in 1-3 hours. The questions ask about things like:
- Do you have a firewall?
- Are your passwords strong?
- Do you have antivirus software?
- Who has access to payment systems?
Documentation you’ll need:
- Network diagram (can be hand-drawn for simple setups)
- Employee security agreement template or policy showing staff understand data security rules
- Evidence of security patches and updates
- List of who has access to payment systems
Quarterly ASV scans are required if you have any internet-facing systems (website, email server, etc.). An Approved Scanning Vendor runs automated security scans of your public IP addresses looking for vulnerabilities. Schedule these quarterly — your compliance depends on passing all four scans each year.
Submitting your compliance package involves gathering:
- Your completed SAQ
- Passing ASV scan reports (if required)
- Your Attestation of Compliance (AOC) — a form stating you’ve met all requirements
Upload these to your processor’s compliance portal or the platform they designate.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your size and complexity:
Compliance platforms and tools: $200-$500 annually for small merchants. This typically includes your SAQ wizard, document storage, and compliance tracking. Some processors include basic tools for free.
Quarterly ASV scanning: $100-$300 per year for most small businesses. You need four passing scans annually, and most vendors bundle them into annual packages.
If you need a QSA: Only required for Level 1 merchants or if your processor specifically demands it. Budget $15,000-$50,000 for a full assessment. Most small businesses never need this.
The cost of NON-compliance: This is where it gets expensive. Monthly fines range from $5,000-$100,000. If you suffer a breach while non-compliant, you’re liable for fraud losses, forensic investigation costs ($10,000-$100,000+), card reissuance fees, and potential lawsuits.
Bottom line: Annual compliance for most small merchants costs less than a single month’s non-compliance fine.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity — it’s an ongoing commitment. Your processor will ask for updated documentation annually, and those ASV scans happen quarterly.
Set calendar reminders for:
- Annual SAQ renewal (typically on your anniversary date)
- Quarterly ASV scans (every three months)
- Security updates and patches (monthly)
- Employee training on security policies (annually)
Changes that trigger a reassessment:
- Adding new payment channels (like starting to accept phone orders)
- Changing payment processors or systems
- Significant network changes
- Beginning to store cardholder data
PCICompliance.com’s compliance dashboard tracks all these dates and requirements in one place. You’ll get automated reminders before deadlines and can see your compliance status at a glance.
FAQ
I’m just a small business. Do I really need to worry about this?
Yes. Size doesn’t exempt you from PCI requirements. The good news is that small businesses typically have the simplest compliance path — often just SAQ A or B with 22-41 questions. Your processor can fine you regardless of size, and those $5,000+ monthly fees hurt small businesses the most.
What’s this ASV scan thing, and do I need it?
ASV (Approved Scanning Vendor) scans are automated security checks of your internet-facing systems. If you have a website, email server, or any system accessible from the internet, you need quarterly scans. They typically take 1-2 hours and cost $100-$300 per year.
Can I just say ‘yes’ to all the questions?
Only if they’re actually true — false attestation can result in personal liability. If you can’t honestly answer ‘yes,’ either implement the missing control or work with your QSA on compensating controls. The questionnaire is a legal attestation, not a suggestion.
What if I don’t store any credit card numbers?
That’s ideal — it dramatically simplifies your compliance requirements. You’ll likely qualify for SAQ A, B, or C-VT, avoiding the complex SAQ D requirements. Not storing card data is the single best thing you can do for both security and compliance simplicity.
My payment processor says I’m compliant. Am I done?
Not quite — compliance is an ongoing state, not a one-time achievement. Your processor’s confirmation means you’ve met this year’s requirements. Mark your calendar for next year’s renewal and keep up with quarterly scans if required.
What’s an employee security agreement template?
It’s a document where employees acknowledge their responsibilities for protecting payment card data. While not explicitly required by PCI DSS for all merchants, it demonstrates security awareness training and helps meet several requirements around personnel security. A basic template covers data handling rules, password policies, and consequences for violations.
How long does the whole process take?
For most small merchants: 2-4 hours for your first SAQ, then 1-2 hours annually after that. Add time for quarterly ASV scans (mostly waiting for results) and any remediation needed. The first year takes longest as you implement any missing controls.
What if I fail my ASV scan?
Don’t panic — failing scans are common and fixable. The scan report shows exactly what needs fixing. Address the critical and high-risk findings, rescan, and repeat until you pass. Most issues are outdated software or unnecessary services that can be updated or disabled.
Conclusion
PCI compliance sounds intimidating, but for most small businesses, it’s a manageable process that protects both you and your customers. Start by identifying which SAQ applies to your business — that alone demystifies 80% of the process. Complete your questionnaire honestly, schedule those quarterly scans if needed, and maintain your security controls throughout the year.
Remember, the cost of compliance is a fraction of a single breach or non-compliance fine. More importantly, following PCI requirements means you’re taking smart steps to protect your customers’ payment data and your business’s reputation.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You don’t have to figure this out alone. Start with our free SAQ Wizard to identify your requirements, or talk to our compliance team for personalized guidance. We’ve helped thousands of businesses just like yours navigate PCI compliance successfully, and we can help you too.