Washington State PCI Compliance

Bottom Line Up Front

Just received a PCI compliance questionnaire from your payment processor? Take a deep breath. For most Washington state businesses, PCI compliance is simpler than you think. If you’re a small retailer using Square terminals or run an online store through Shopify, you’re looking at the easiest compliance requirements — usually a short questionnaire and, depending on how your payments are set up, a quarterly external vulnerability scan. This guide walks you through exactly what you need to do, in plain English, without the jargon that makes PCI sound scarier than it is.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major credit card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist designed to protect credit card data from theft.

If you accept credit cards in any form — whether through a terminal, online, or over the phone — these requirements apply to you, because your business stores, processes, or transmits cardholder data (or relies on a vendor that does so on your behalf). The card brands maintain the standard through the PCI Security Standards Council, but it’s your payment processor or acquiring bank that actually enforces it. That’s who sent you the compliance questionnaire.

Here’s what happens if you’re not compliant:

  • Your payment processor can fine you (typically $5,000-$100,000 depending on your size)
  • If there’s a data breach, you’re liable for fraud losses and forensic investigation costs
  • In extreme cases, you could lose the ability to accept credit cards

The good news? Most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as Amazon or Target. The SAQ (Self-Assessment Questionnaire) you need to complete might be only a couple of dozen yes/no questions (the exact count changes with each version of the standard).

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards, yes. It doesn’t matter if you’re a coffee shop with one Square terminal or an online boutique processing thousands of transactions — PCI compliance is mandatory.

Your merchant level determines how much documentation you need. Each card brand defines its own levels; the thresholds below are the commonly used Visa/Mastercard ones, and a brand or acquirer can assign a higher level at its discretion (for example, after a breach):

  • Level 4 (under 20,000 e-commerce transactions AND under 1 million total transactions annually): Most small businesses fall here
  • Level 3 (20,000-1 million e-commerce transactions annually): Growing online retailers
  • Level 2 (1-6 million transactions annually, any channel): Large regional businesses
  • Level 1 (over 6 million transactions annually, any channel): Major retailers

As a Level 4 merchant (which you likely are), your payment processor expects:

  • A completed SAQ (Self-Assessment Questionnaire)
  • An AOC (Attestation of Compliance) — basically your signature saying the SAQ is accurate
  • Passing quarterly ASV scans if your SAQ type requires them (it depends on the SAQ, not just on whether you have a website)

That questionnaire they sent? It’s your annual compliance reminder. They need you to confirm you’re following security best practices to protect cardholder data.

Which SAQ Do You Need?

The key to easy compliance is identifying the right SAQ for your business. There are different versions based on how you accept payments. The question counts below are approximate and change between versions of the standard; use them to gauge effort, not as exact figures:

How you accept payments                                  SAQ type    Questions   Complexity
Outsourced completely (PayPal, Square online)            SAQ A       ~22         Easiest
E-commerce with payment page redirect                    SAQ A-EP    ~191        Moderate
Terminal only, no electronic storage                     SAQ B       ~41         Easy
Terminal with IP connection                              SAQ B-IP    ~82         Easy-Moderate
Phone/mail/fax orders, no storage                        SAQ C-VT    ~85         Moderate
Any electronic card data storage                         SAQ D       ~329        Complex

Two other SAQ types exist that this table leaves out: SAQ C, for merchants whose payment application is connected to the internet, and SAQ P2PE, for merchants using a validated point-to-point encryption terminal solution. If your processor mentions either, ask them which applies before you start.

Here’s how to determine yours:

If you use a payment terminal (Square, Clover, Verifone):

  • Standalone terminal that dials out over a phone line only → SAQ B
  • Standalone terminal that connects via the internet (this is how Square and most modern terminals work) → SAQ B-IP
  • Terminal that is part of a PCI-listed P2PE solution → SAQ P2PE (ask your processor whether yours is listed)

If you have an e-commerce site:

  • Customers are redirected to PayPal, Square, or Stripe Checkout, or the card fields are in an iframe served entirely by your PCI-compliant provider → SAQ A
  • Payment form on your own page that sends card data directly to the processor (JavaScript or direct-post integration) → SAQ A-EP
  • Card data passes through your own server or you host your own payment page → SAQ D (please reconsider this)

If you take payments over the phone:

  • Using a virtual terminal from your processor on a dedicated, isolated computer → SAQ C-VT
  • Typing card numbers into a spreadsheet, email, or any other system (stop immediately) → SAQ D; handwritten card numbers on paper are still cardholder data you must physically secure and destroy once the transaction is done

Not sure? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Here’s what to expect:

What it looks like: Each question asks if you have a specific security control in place. For example:

  • “Do you change default passwords on payment terminals?”
  • “Is cardholder data encrypted with strong cryptography (for example, TLS) when it is sent over the internet?”
  • “Do you have a firewall between your payment systems and the internet?”

How long it takes:

  • SAQ A: 30-45 minutes
  • SAQ B: 1-2 hours
  • SAQ A-EP or C-VT: 2-4 hours
  • SAQ D: Multiple days (you probably need help)

What “yes” means: You must be able to prove the control is in place if asked. “Yes” means:

  • You currently do this
  • You have documentation showing how
  • You could demonstrate it to an auditor

Documentation to gather:

  • Network diagram (even a simple one)
  • Firewall configuration screenshots
  • Password policy
  • List of who has access to payment systems
  • Vendor agreements for any third-party payment services

The quarterly ASV scan: Not every SAQ requires it. SAQ B (dial-up terminals) does not, while SAQ A-EP, B-IP, and D do; check the Requirement 11 section of your SAQ or ask your processor if you’re unsure. If it’s required, an Approved Scanning Vendor must scan your external IP addresses (and public hostnames) at least every 90 days. It’s automated — the scanner checks for vulnerabilities in any internet-facing systems. Scan early in each quarter so that if the scan fails, you have time to fix the findings and rescan until you get a passing report; only a passing scan counts.

Submitting your compliance:
1. Complete all SAQ questions
2. Run and pass your ASV scan (if required)
3. Sign the Attestation of Compliance (AOC)
4. Submit through your processor’s portal or email to your account manager

What It Costs

Let’s talk real numbers for PCI compliance:

Compliance platform fees:

  • Basic SAQ tools: Free to $30/month
  • Full compliance platform: $50-200/month
  • Enterprise solutions: $500+/month

Quarterly ASV scanning:

  • Basic scanning: $30-50 per scan
  • Multiple IPs: $100-200 per scan
  • Annual packages: $300-600

If you need a QSA (only for Level 1 merchants or complex environments):

  • Small business assessment: $5,000-15,000
  • Full ROC assessment: $20,000-50,000+

The cost of NON-compliance:

  • Monthly non-compliance fees: $20-100
  • Initial fine for non-compliance: $5,000-100,000
  • Breach-related costs: $50-90 per compromised card
  • Forensic investigation: $10,000-100,000+

Reality check: For most small merchants, annual compliance costs less than $1,000 — far less than a single non-compliance fine. It’s not just about avoiding fines; it’s about protecting your business from breach liability that could bankrupt you.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done activity. Your processor will ask for updated documentation every year, and you need quarterly scans if required.

Set these reminders:

  • Quarterly: ASV scan due (same date each quarter)
  • Annually: SAQ renewal (usually on anniversary of last submission)
  • Ongoing: Review any changes to your payment setup

What triggers a new assessment:

  • Changing payment processors
  • Adding new payment channels (like adding e-commerce to retail)
  • Implementing new payment software
  • Significant network changes
  • Moving from outsourced to in-house processing

Making it easier: PCICompliance.com’s compliance dashboard tracks all your deadlines, stores your documentation, and sends reminders before anything expires. You’ll never miss a quarterly scan or annual renewal again.

FAQ

My payment processor says I need PCI compliance but I only process a few cards a month. Do I really need this?

Yes, PCI compliance is required regardless of transaction volume. However, low-volume merchants typically qualify for the simplest SAQ types. The questionnaire might take you 30 minutes once a year — a small investment to maintain your ability to accept cards and avoid fines.

What happens if I just ignore the compliance request?

Your processor will likely start charging monthly non-compliance fees ($20-100). Eventually, they may fine you ($5,000+) or terminate your merchant account. More importantly, if there’s a breach, you’re fully liable without the protection that compliance provides.

I use Square for everything. Am I already compliant?

Not automatically. While Square handles most of the security heavy lifting, you still need to complete an SAQ (likely SAQ B-IP for Square’s internet-connected terminals and readers, or SAQ A for Square’s online checkout). You’re responsible for your piece of the security chain, even if it’s minimal.

Do I need to hire a security consultant?

Most small businesses don’t. If you qualify for SAQ A, B, or C-VT, you can complete it yourself with basic IT knowledge. Only SAQ D or Level 1-2 merchants typically need professional help. PCICompliance.com’s guided questionnaires walk you through each requirement in plain language.

What’s this ASV scan and why do I need it quarterly?

An ASV (Approved Scanning Vendor) scan checks your internet-facing systems for vulnerabilities — think of it as a security checkup. It’s automated and usually takes about an hour to complete. The quarterly frequency ensures new vulnerabilities get caught quickly.

My website is hosted by Shopify/WooCommerce/BigCommerce. Do I still need compliance?

Yes, but it’s usually simple. If customers never enter card data on your actual website (they’re redirected to Shopify Checkout, for example), you likely need SAQ A — the easiest type. Your platform handles the complex security; you just need to document your setup properly.

Conclusion

PCI compliance doesn’t have to be overwhelming. For most Washington state businesses, it’s a straightforward process: identify your SAQ type, answer the security questions honestly, schedule quarterly scans if needed, and submit your documentation annually. The entire process might take a few hours per year — far less time than dealing with a data breach or payment processor fines.

Ready to get started? PCICompliance.com makes PCI compliance simple with our free SAQ Wizard that identifies exactly which questionnaire you need in minutes. Our platform includes ASV scanning services for your quarterly requirement, step-by-step guidance through each SAQ question, and a compliance dashboard that tracks everything in one place. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and support to make PCI compliance painless. Start with our free SAQ Wizard or talk to our compliance team to get your questions answered.
