One-Time Payment PCI: Everything You Need to Know About PCI Compliance

The Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses accepting one-time card payments, compliance is far simpler than it initially appears. You’re likely looking at a straightforward self-assessment questionnaire that takes an hour or two to complete, not the complex audit you might be imagining. This guide walks you through exactly what you need to do, step by step.

What Is PCI Compliance (In Plain English)

PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS) — a set of security requirements that apply to any business that accepts, processes, stores, or transmits credit card information. If you take card payments in any form, these standards apply to you.

The major card brands maintain these standards through the PCI Security Standards Council (PCI SSC), founded by Visa, Mastercard, American Express, Discover and JCB and later joined by UnionPay. However, it’s your payment processor or acquiring bank that enforces them. When they send you that compliance questionnaire, they’re fulfilling their obligation to ensure everyone in the payment chain maintains proper security.

The consequences of non-compliance are real but manageable:

  • Monthly non-compliance fees from your processor (typically starting around $5-$100 for small merchants and escalating the longer you stay non-compliant)
  • Increased liability if there’s a data breach
  • In extreme cases, loss of ability to accept card payments
  • Higher transaction fees as processors offset their risk

Here’s the good news: Most small businesses qualify for the simplest compliance paths. If you’re using modern payment terminals or hosted checkout pages, you’re already doing most of what PCI requires. The compliance process mainly involves documenting these good practices.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes. This includes:

  • Physical card swipes or chips at a terminal
  • Online payments through your website
  • Phone orders where customers read you their card number
  • Mobile payments through apps or card readers
  • Even one-time charity donations or event registrations

Your merchant level determines how rigorous your compliance requirements are. Most small businesses fall into Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means you complete a self-assessment questionnaire rather than undergoing a formal audit.

What your payment processor expects:
1. Complete the appropriate Self-Assessment Questionnaire (SAQ)
2. If applicable, pass quarterly vulnerability scans by an Approved Scanning Vendor (ASV)
3. Submit your Attestation of Compliance (AOC)
4. Maintain compliance year-round

That compliance questionnaire they sent isn’t arbitrary — it’s their way of ensuring you meet the card brands’ security requirements and protecting both of you from potential breaches.

Which SAQ Do You Need?

The SAQ you need depends entirely on how you accept payments. Think of it as choosing the right tax form — pick the one that matches your business setup:

How you accept payments                                                        | SAQ type | Questions (approx.) | Complexity
Full redirect or iframe to the processor's hosted page (PayPal, Stripe Checkout) | SAQ A    | 22                  | Simplest
E-commerce with payment fields on your own site                                | SAQ A-EP | 191                 | Moderate
Standalone dial-out terminal, no electronic storage                            | SAQ B    | 41                  | Simple
Standalone terminal with an IP connection, no electronic storage               | SAQ B-IP | 93                  | Simple-Moderate
Card numbers keyed into a web-based virtual terminal (e.g. phone orders), no storage | SAQ C-VT | 85             | Moderate
Payment application on an internet-connected system, no electronic storage     | SAQ C    | ~160                | Moderate
Store card data electronically, or nothing above fits                          | SAQ D    | 329+                | Complex
Service providers                                                              | SAQ D-SP | 329+                | Complex

Question counts are approximate and change between PCI DSS versions (v4.0 renumbered and regrouped the requirements), so treat them as a rough gauge of effort rather than a specification.

Common scenarios:

  • Square or Clover terminal at your shop: You’re likely SAQ B or SAQ B-IP
  • Shopify store or WooCommerce with Stripe: Usually SAQ A if using hosted checkout
  • Taking orders over the phone: Typically SAQ C-VT if you don’t store card numbers
  • Old POS system that saves card data: Unfortunately, you’re looking at SAQ D

Not sure which one? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire applies. It takes less than five minutes and removes the guesswork.

How to Complete Your SAQ

Once you know which SAQ you need, the process is straightforward:

1. Download or access your SAQ
Your payment processor might provide a link, or you can get it directly from the PCI SSC website. Many compliance platforms (including PCICompliance.com) provide interactive versions that are easier to complete.

2. Answer the yes/no questions
Each question asks about a specific security practice. For example:

  • “Do you have a firewall?”
  • “Do you change default passwords?”
  • “Is your payment terminal behind a locked door?”

“Yes” means you do that thing consistently, not just sometimes. If you can’t honestly answer yes, that’s a gap you need to address.

3. Gather supporting documentation
While not always submitted, you should have:

  • Network diagrams (even simple ones)
  • Security policies (can be basic for small merchants)
  • Vendor compliance certificates
  • ASV scan reports (if required)

4. Complete your quarterly ASV scans (if applicable)
SAQ A-EP, B-IP, C and D require quarterly external vulnerability scans; SAQ A, B and C-VT do not. An Approved Scanning Vendor scans your internet-facing systems for known vulnerabilities. A scan passes only if it finds no vulnerability with a CVSS base score of 4.0 or higher (and no other automatic failures such as an unsupported TLS configuration), so a failed scan means fix, then rescan, until you have a passing report for the quarter. Schedule these every 90 days; the scan itself typically completes in 24-48 hours, so leave time for remediation and a rescan before your deadline.

5. Submit your Attestation of Compliance
The AOC is your official declaration that you’ve completed the SAQ and meet all applicable requirements. Sign it, date it, and submit it to your processor along with any required scan reports.

Time investment:

  • SAQ A: 30-60 minutes
  • SAQ B: 1-2 hours
  • SAQ C-VT: 2-4 hours
  • SAQ D: Several days to weeks (you probably need help)

What It Costs

PCI compliance costs vary based on your size and complexity, but for most small merchants, it’s quite reasonable:

Compliance platforms and tools:

  • Basic SAQ completion tools: Free to $20/month
  • Comprehensive platforms with scanning: $30-100/month
  • Enterprise solutions with full support: $200+/month

Quarterly ASV scanning:

  • Standalone ASV service: $30-50 per scan
  • Bundled with compliance platform: Often included
  • Annual cost for four scans: $120-200

Professional help (if needed):

  • QSA consultation for complex setups: $150-500/hour
  • Full QSA assessment (Level 1 merchants): $10,000-50,000+
  • Remediation assistance: $100-300/hour

The cost of NON-compliance:

  • Monthly processor fines: $5-500 (escalating over time)
  • Breach liability: $50-90 per compromised card
  • Forensic investigation: $10,000-100,000+
  • Lost ability to process cards: Devastating

Honest assessment: For most small merchants, a full year of tools and scanning costs about the same as, or less than, a year of escalating non-compliance fees, and far less than the liability of a single breach. Budget $200-500 annually for tools and scanning, and consider it insurance for your ability to accept cards.

Staying Compliant Year-Round

PCI compliance isn’t a checkbox you tick once — it’s an ongoing commitment that protects your business and your customers.

Annual requirements:

  • Complete your SAQ every 12 months
  • Submit updated AOC to your processor
  • Review and update security policies
  • Train staff on security procedures

Quarterly requirements (if applicable):

  • ASV vulnerability scans every 90 days
  • Review scan results and fix any failures
  • Keep passing scan reports for your records

What triggers a reassessment:

  • Changing payment processors or methods
  • Adding new payment channels (like going online)
  • Significant changes to your network or systems
  • Moving to a higher processing volume tier

Setting up for success:

  • Calendar reminders 30 days before deadlines
  • Assign someone to own compliance tracking
  • Document your security procedures as you go
  • Use a compliance dashboard to monitor status

PCICompliance.com’s platform tracks all these dates for you, sends automatic reminders, and maintains your compliance history in one place. No more scrambling when your processor asks for documentation.

FAQ

Do I need PCI compliance for one-time payments?

Yes, even a single credit card transaction requires PCI compliance. The card brands don’t distinguish between one-time and recurring payments when it comes to security requirements. However, if you only process occasional one-time payments, you likely qualify for the simplest SAQ types.

What if I only accept payments once a year at an event?

You still need to be compliant, but your approach can match your limited exposure. Using a mobile reader from Square or a similar provider usually keeps you on one of the short questionnaires (typically SAQ B, or whichever SAQ the provider states its device qualifies for), as long as you never write down or type card numbers anywhere else. Just complete your annual SAQ before your event and maintain basic security practices.

Can I just use PayPal or Stripe to avoid PCI compliance?

Using these providers significantly reduces your PCI scope, but doesn’t eliminate it entirely. You’ll typically complete SAQ A (the simplest form) confirming that you properly redirect to their hosted payment pages. It’s minimal effort — usually under an hour annually.

What happens if I ignore the compliance questionnaire?

Your payment processor will likely start with reminder notices, then move to monthly non-compliance fees. These fees increase over time and can eventually result in account termination. Some processors also increase your transaction rates for non-compliant merchants.

Is PCI compliance the same as being secure?

PCI DSS represents baseline security requirements, not comprehensive protection. Think of it as the minimum safety features in a car — necessary but not sufficient for all situations. Good security goes beyond PCI requirements, but PCI provides a solid foundation.

How do I know if I’m storing card data?

Check your systems for saved card numbers. Common hiding places include old spreadsheets, email archives, CRM notes, call-center recordings, and paper files. A masked number that shows only the last four digits (or the first six and last four) is not considered stored cardholder data; a full 16-digit number anywhere in your systems is, and puts you in SAQ D. Security codes (CVV/CVC), PINs, and magnetic-stripe data are in a separate category: they may never be stored after authorization under any SAQ, so if you find those, delete them rather than trying to protect them.

Do I need to hire a QSA?

Most small merchants (Level 3 and 4) don’t need a Qualified Security Assessor. Self-assessment questionnaires are designed for businesses to complete independently. You only need a QSA if you’re a Level 1 merchant or your acquirer specifically requires it.

Can I complete PCI compliance myself or do I need IT support?

For simpler SAQ types (A, B), many business owners complete compliance independently. The questions are straightforward and focus on business practices rather than technical details. For more complex scenarios, involving your IT team or provider helps ensure accurate responses.

Conclusion

PCI compliance might seem daunting when you first receive that questionnaire from your payment processor, but for most small businesses accepting one-time payments, it’s a manageable process. Start by identifying which SAQ type fits your payment setup — this single step eliminates 90% of the confusion. From there, it’s simply a matter of answering questions about your current security practices and fixing any gaps.

Remember, the goal isn’t perfection — it’s protecting your customers’ payment data while maintaining your ability to accept cards. The requirements exist because card fraud is real, but so are the solutions. Modern payment terminals, hosted checkout pages, and cloud-based systems handle most security heavy lifting for you.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll spend less time worrying about compliance and more time running your business. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team if you need guidance on your specific situation.
