GitHub Actions PCI Compliance
The bottom line: If you just received a PCI compliance questionnaire and you’re feeling overwhelmed, take a breath. For most small businesses, PCI compliance is actually simpler than it sounds. If you’re using modern payment systems like Square, Stripe, or PayPal, you’re likely already doing most of what’s required. This guide will show you exactly what you need to do — in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. If your business accepts credit cards — whether in-person, online, or over the phone — these requirements apply to you.
The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through an organization called the PCI Security Standards Council. But here’s the important part: your acquirer (the bank or payment processor that handles your card transactions) is the one who enforces it.
When your acquirer sends you that compliance questionnaire, they’re not trying to make your life difficult. They’re required to verify that every merchant they work with is protecting cardholder data. If they don’t, the card brands fine them — and they pass those fines along to you.
The consequences of non-compliance include monthly fines from your processor (typically $25-$100 for small merchants), liability if there’s a data breach, and in extreme cases, losing your ability to accept credit cards. But here’s the good news: most small businesses qualify for the simplest compliance requirements, which you can complete in an afternoon.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes. It doesn’t matter if you process one transaction or one thousand — PCI compliance is mandatory.
Your merchant level determines how you demonstrate compliance. For most small businesses, you’re Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means you can self-assess using an SAQ (Self-Assessment Questionnaire) instead of hiring an expensive auditor.
When your payment processor sends you a compliance questionnaire, they’re asking you to complete three things:
- An appropriate SAQ based on how you accept payments
- Quarterly ASV scans if you have any internet-facing systems
- An AOC (Attestation of Compliance) stating you’ve met the requirements
Think of it like filing your taxes — it’s an annual requirement that keeps you in good standing with your payment processor.
Which SAQ Do You Need?
The key to simple compliance is choosing the right SAQ. There are different versions based on how you handle card payments, and picking the right one makes all the difference.
Here’s how to determine which SAQ applies to your business:
| How You Accept Payments | Your SAQ Type | Questions to Answer | Typical Time |
|---|---|---|---|
| Redirect to payment page (PayPal, Stripe Checkout) | SAQ A | 22 questions | 30 minutes |
| Payment fields on your site (Stripe Elements, Square Web SDK) | SAQ A-EP | 139 questions | 2-3 hours |
| Standalone terminal (no internet connection) | SAQ B | 41 questions | 1 hour |
| Terminal with internet (Square, Clover, most modern terminals) | SAQ B-IP | 82 questions | 1-2 hours |
| Phone orders (call center, virtual terminal) | SAQ C-VT | 80 questions | 1-2 hours |
| Other/complex setup | SAQ D | 329 questions | Hire a QSA |
If you use a modern payment terminal like Square, Clover, or Toast, you’re likely SAQ B-IP. These terminals connect to the internet to process transactions but handle all the card data securely.
If you have an e-commerce site with hosted checkout (where customers are redirected to PayPal or Stripe to enter card details), you qualify for SAQ A — the simplest questionnaire with just 22 yes/no questions.
If you take payments over the phone using a virtual terminal or web-based system, you’ll complete SAQ C-VT. This applies even if you’re just typing card numbers into your processor’s website.
If you store card numbers in any form — spreadsheets, customer database, even post-it notes — you’re stuck with SAQ D. This is the full questionnaire with 329 questions. If this is you, consider switching to a system that doesn’t require storing card data.
Not sure which one applies? PCICompliance.com’s free SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need.
How to Complete Your SAQ
Once you know which SAQ you need, completing it is straightforward. Each questionnaire consists of yes/no questions about your payment security practices.
What “yes” means: When a question asks “Do you change default passwords?” a “yes” answer means you actually do this — not that you plan to or know you should. Be honest. The goal is to identify and fix security gaps, not just check boxes.
Documentation you might need:
- List of who has access to payment systems
- Your network diagram (even a simple sketch works for small businesses)
- Policies for handling card data (can be one page)
- Evidence of quarterly ASV scans (if required)
The quarterly ASV scan sounds technical, but it’s actually simple. An Approved Scanning Vendor runs an automated scan of your website or payment systems looking for vulnerabilities. It’s like a security checkup four times per year. If you have any internet-facing systems that handle payments, these scans are required.
After answering all questions and passing your ASV scans (if applicable), you’ll sign the Attestation of Compliance. This is your official declaration that you’ve met PCI requirements. Submit this to your payment processor, and you’re done — until next year.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your setup, but here’s what most small businesses spend:
Compliance platforms and SAQ tools: $100-300 per year for automated questionnaires, guidance, and tracking. Some payment processors include basic tools for free.
Quarterly ASV scanning: $40-80 per quarter ($160-320 annually) for required vulnerability scans. Many compliance platforms bundle this with their annual fee.
If you need a QSA: Only required for Level 1 merchants or complex SAQ D scenarios. Budget $10,000-50,000 for a formal assessment. Most small businesses never need this.
The cost of NON-compliance: Monthly fines start at $25-100 for small merchants but can escalate quickly. A data breach could cost thousands in forensic investigation fees, card replacement costs, and liability. One breach typically costs more than a decade of compliance.
For most small merchants, full compliance costs $300-500 annually, which is less than a single non-compliance fine from your processor.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox. Your SAQ expires after one year, and ASV scans are required quarterly. But staying compliant is easier than the initial setup.
Set these reminders:
- Annual SAQ renewal (same month each year)
- Quarterly ASV scans (every 90 days)
- Review access when employees change
- Update your SAQ if you change payment methods
What triggers a new assessment:
- Switching payment processors or terminals
- Adding new payment channels (like e-commerce)
- Significant network changes
- Moving from redirect to on-page payment forms
PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and maintains your compliance history. No more scrambling when your processor asks for documentation.
FAQ
My payment processor says I need to be PCI compliant. Is this a scam?
No, this is legitimate. Every business that accepts credit cards must validate PCI compliance annually. Your processor is required by the card brands to verify your compliance or face fines themselves.
I only process a few transactions per month. Do I still need to comply?
Yes. PCI requirements apply to any business that accepts credit cards, regardless of volume. The good news is that low-volume merchants typically qualify for the simplest SAQ types.
What happens if I ignore the compliance request?
Your processor will likely start charging monthly non-compliance fees ($25-100 typically). Eventually, they may terminate your merchant account, meaning you can no longer accept credit cards.
I use Square/PayPal/Stripe. Aren’t they PCI compliant for me?
These providers are PCI compliant for their part of the transaction, but you’re still responsible for your own compliance. Using these services usually qualifies you for simpler SAQ types, but you still need to complete the questionnaire.
How do I know if I’m storing credit card data?
Check anywhere you might save customer information: databases, spreadsheets, email, paper files, even voicemail systems. If you can see a full card number anywhere in your business, you’re storing card data.
Can I just answer “yes” to everything on the SAQ?
Only answer “yes” to practices you actually follow. False attestation is considered fraud and could result in serious penalties if there’s ever a breach.
Do I really need those quarterly scans?
If your SAQ type requires ASV scans (most do except SAQ A and B), then yes. Skipping scans will show as non-compliant when you try to submit your annual attestation.
What if I fail a scan or can’t answer “yes” to an SAQ question?
This is normal. Most businesses have some gaps initially. Document compensating controls, fix the issues, or work with a compliance expert to find compliant alternatives.
Conclusion
PCI compliance might seem daunting when that first questionnaire arrives, but it’s genuinely manageable for most businesses. If you’re using modern payment tools and following basic security practices, you’re likely already doing 90% of what’s required.
The key is identifying your correct SAQ type, answering the questions honestly, and setting up a simple system to maintain compliance year-round. PCICompliance.com streamlines this entire process — our free SAQ Wizard identifies exactly which questionnaire you need, our integrated ASV scanning service handles your quarterly vulnerability scans with automatic scheduling, and our compliance dashboard keeps you on track with reminders and documentation storage. You can complete most SAQs in under two hours, maintain everything in one place, and never worry about missing a deadline. Start with our free SAQ Wizard to see which questionnaire applies to your business, or talk to our compliance team for personalized guidance.