Coaching Business PCI: Your Simple Guide to Credit Card Security Compliance

Take a Deep Breath — This Is Easier Than You Think

If you just received a PCI compliance questionnaire from your payment processor and feel overwhelmed, you’re not alone. Most coaching business owners have the same reaction when they first encounter terms like “SAQ” and “ASV scan.” Here’s the good news: for the vast majority of small coaching businesses, PCI compliance is much simpler than it first appears. In fact, you can probably complete your requirements in an afternoon with the right guidance.

This guide will walk you through exactly what you need to know — no technical jargon, no unnecessary complexity. Just clear, actionable steps to get you compliant and back to focusing on your clients.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is simply a set of security requirements created to protect credit card information. If your coaching business accepts credit cards — whether in person, online, or over the phone — these requirements apply to you.

The major card brands (Visa, Mastercard, American Express, Discover and JCB) maintain the standard through the PCI Security Standards Council. But here’s who actually enforces it: your acquirer (the bank or payment processor that handles your card transactions). They’re the ones who sent you that compliance questionnaire, and they set your deadlines and any fees.

What Happens If You Don’t Comply?

The consequences range from annoying to business-threatening:

  • Monthly fines from your payment processor (typically $20-100 for small businesses)
  • If card data is compromised, you’re liable for the breach costs
  • In extreme cases, you could lose the ability to accept credit cards entirely

But here’s the crucial point: most small coaching businesses qualify for the simplest compliance requirements. You’re not facing the same complexity as a large retailer or e-commerce platform.

Do You Need to Be PCI Compliant?

The answer is straightforward: if you accept credit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you’re a solo life coach seeing three clients a week or running a multi-coach wellness center — if plastic cards or card numbers touch your business, PCI applies.

Your Merchant Level

Most coaching businesses fall into Merchant Level 4, which Visa defines as fewer than 20,000 e-commerce transactions a year and no more than 1 million Visa transactions a year across all channels. This is good news because Level 4 merchants have the simplest compliance requirements:

  • Complete a self-assessment questionnaire (SAQ)
  • Run quarterly vulnerability scans if your SAQ type requires them (it does when an internet-connected terminal or your own website is involved in taking payments)
  • Submit your compliance validation annually

Your payment processor determines your exact requirements. When they sent you that compliance questionnaire, they’re essentially saying, “It’s time to prove you’re protecting card data properly.”

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) is your main compliance document. Think of it as a security checklist tailored to how you accept payments. There are different versions, and choosing the right one is crucial — it’s the difference between answering 20 questions and answering 300+.

Here’s how to determine which SAQ fits your coaching business:

How You Accept Payments                                  | Your SAQ Type | Number of Questions
Square, Clover, or similar standalone terminal           | SAQ B or B-IP | 41 or 82
Online booking with Stripe Checkout, PayPal, or similar  | SAQ A         | 22
Card numbers entered on a form served by your website    | SAQ A-EP      | 191
Phone payments where you type card numbers               | SAQ C-VT      | 84
You store card numbers (please reconsider!)              | SAQ D         | 340+

These question counts are for the PCI DSS v3.2.1 questionnaires, which were retired at the end of March 2024. The v4 questionnaires cover the same payment channels but contain more questions, so treat the counts as a rough gauge of effort rather than an exact figure, and use whichever version your processor’s portal presents.

Common Coaching Business Scenarios

Virtual coaching with online payments: If clients book and pay through your website using Stripe Checkout, Square, or PayPal’s hosted payment pages (where customers are redirected to the processor’s page, or enter card details in a frame served entirely by the processor), you likely need SAQ A, the simplest form. The point is that card numbers never pass through your own web server.

In-person sessions with a card reader: Using a Square Reader, Clover Go, or similar device? You’ll complete SAQ B (for a standalone terminal that dials out over a phone line) or SAQ B-IP (for a standalone terminal that connects over the internet, including Wi-Fi or cellular).

Phone bookings with manual card entry: If you take card numbers over the phone and type them into a virtual terminal provided by your processor, you need SAQ C-VT. To qualify, the virtual terminal should be used from a computer set aside for that purpose and isolated from your other systems, and you must not keep the card numbers after the transaction.

The key to keeping things simple? Never store card numbers, and never write down the three- or four-digit security code at all. Not in your CRM, not in your inbox, not in a spreadsheet, not in a notebook. Use your payment processor’s tools to handle all the card data, and your compliance requirements stay manageable.

How to Complete Your SAQ

Once you know which SAQ you need, the actual completion process is straightforward. The questionnaire consists of yes/no questions about your payment security practices. Here’s what to expect:

What “Yes” Really Means

Each “yes” answer means you’re following that specific security practice. For example:

  • “Do you change default passwords?” Yes means you’ve actually changed them
  • “Is your payment terminal in a secure location?” Yes means it’s not sitting unattended in a public area
  • “Do you have a firewall?” Yes means it’s installed, configured, and active

If you answer “no” to any required control, you’ll need to fix that issue before you can be compliant.

Documentation You’ll Need

For most small coaching businesses, documentation requirements are minimal:

  • Your payment processor agreement
  • Any policies you’ve written (even simple ones) about handling card data
  • Results from your quarterly ASV scans (if required)
  • Your network diagram (for SAQ C and D — can be a simple drawing)

The Quarterly ASV Scan

If your SAQ type requires it, you’ll need an Approved Scanning Vendor to check your internet-facing systems for vulnerabilities at least every 90 days. The scan runs remotely against the public IP addresses or hostnames you register with the ASV and looks for exposed services with known weaknesses or weak configurations. A scan passes when nothing rated CVSS 4.0 or higher is found; if something fails, you fix it and rescan, and you need four passing scans in a year. Your ASV will provide a report showing any vulnerabilities found and how to fix them.

Submitting Your Compliance

Once you’ve answered all questions and gathered your documentation:
1. Complete your Attestation of Compliance (AOC) — a formal declaration that you’ve completed the SAQ honestly
2. Submit both documents to your payment processor through their compliance portal
3. Schedule your next quarterly scan (if required)
4. Mark your calendar for next year’s assessment

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your payment setup, but here’s what most coaching businesses can expect:

Compliance platform and SAQ tools: $100-300 annually for a guided questionnaire platform that walks you through the process and stores your documentation.

Quarterly ASV scanning: $200-400 annually for required vulnerability scans. Some compliance platforms bundle this service.

If you need a QSA: Only the largest merchants need a Qualified Security Assessor. If your coaching business processes over 6 million card transactions annually (unlikely!) or your acquirer specifically requires an on-site assessment, budget $15,000-50,000 for a formal Report on Compliance.

The Real Cost Is Non-Compliance

Missing compliance deadlines typically results in:

  • Monthly non-compliance fees: $20-100 from your processor
  • Breach liability: Average small business breach costs exceed $50,000
  • Lost business: You literally can’t accept cards without compliance

For most coaching businesses, a year of non-compliance fees adds up to as much as or more than a year of compliance, and that is before any breach costs. It’s not just about avoiding penalties; it’s about protecting your business and your clients’ trust.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your payment processor expects annual revalidation, and if you need ASV scans, those happen quarterly. Here’s how to stay on track:

Set Up Your Compliance Calendar

Mark these dates:

  • Annual SAQ due date (usually the anniversary of your last submission)
  • Quarterly scan dates (every 90 days if required)
  • Policy review reminders (annually, before your SAQ)
  • Password rotation reminders for systems that handle card data (90 days under the older questionnaires; use the interval your current SAQ version specifies)

What Triggers a New Assessment

Certain changes require immediate attention:

  • Switching payment processors or adding new payment methods
  • Moving from in-person to online payments (or vice versa)
  • Starting to store card numbers (please don’t!)
  • Adding new locations or payment terminals

Making Compliance Automatic

The easiest approach? Use a compliance management platform that tracks your deadlines, runs your scans automatically, and alerts you when action is needed. Think of it like having a compliance assistant who never forgets a deadline.

FAQ

I’m just one person with five clients. Do I really need to do this?

Yes, if you accept credit cards, PCI compliance applies regardless of business size. The good news is your requirements will be minimal — likely just completing an SAQ A or B annually, which takes about an hour.

My payment processor says I need an ASV scan but I don’t have a website. What do they mean?

The scan requirement follows from your SAQ type, not from whether you have a website. Under the questionnaire versions whose question counts appear in the table above, SAQ A-EP (your own site serves the card form) and SAQ B-IP (an internet-connected terminal) include the quarterly ASV scan, while SAQ A, SAQ B and SAQ C-VT do not. If your processor has assigned you a scan but nothing of yours that touches payments is reachable from the internet, ask them to confirm which SAQ you have been placed on before paying for scans you may not need.

Can I just say “yes” to all the questions to pass?

Absolutely not — false attestation is fraud and could result in significant fines and loss of card processing privileges. Answer honestly, fix any “no” answers, then resubmit. Most issues are simple to resolve.

What’s the difference between PCI compliance and being “PCI certified”?

There’s no such thing as being “PCI certified” — you’re either compliant with the current standard or you’re not. Compliance is validated annually through your SAQ and AOC submission. Anyone offering to “certify” you is using imprecise language.

I use Square for everything. Am I automatically compliant?

Not automatically, but Square does handle the complex security for you. You still need to complete your annual SAQ (typically SAQ B or B-IP for a card reader, depending on how it connects), run any required scans, and follow basic security practices. Square makes it easier, not automatic.

How long does the whole process take?

For most coaching businesses: 2-4 hours to complete your first SAQ, 30 minutes for ASV scan setup, and about an hour annually after that. If you need to fix security issues, add time for those corrections. It’s an afternoon, not a week-long project.

What if I just ignore this whole thing?

Your payment processor will start charging monthly non-compliance fees, typically $20-100. Eventually, they may suspend your ability to process cards. Plus, if card data is compromised, you’re fully liable. The few hours of compliance work prevents major headaches later.

Do I need to hire a security consultant?

Most coaching businesses don’t need outside help beyond a good compliance platform. If you’re SAQ A or B, the requirements are straightforward enough to handle yourself. Only consider a consultant if you’re SAQ D or facing complex technical requirements.

Your Next Steps Are Simple

PCI compliance for your coaching business doesn’t have to be overwhelming. In most cases, you’re looking at a few hours of work annually to protect your business and maintain your ability to accept cards. Start by identifying which SAQ type fits your payment methods, complete the questionnaire honestly, fix any gaps, and submit your compliance validation.

The path forward is clear: Use PCICompliance.com’s free SAQ Wizard to identify exactly which questionnaire you need — just answer a few simple questions about how you accept payments. Our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard tracks all your deadlines so nothing falls through the cracks. Whether you’re completing your first SAQ or maintaining ongoing compliance, we guide you through each step. Get started with our free SAQ Wizard today, or contact our compliance team if you need help determining your requirements. Your coaching business deserves simple, straightforward compliance — and that’s exactly what we deliver.
