When You Open a New Location: Your PCI Compliance Impact
Opening a new location is exciting — you’re expanding your business, reaching new customers, and growing your revenue. But that PCI compliance questionnaire from your payment processor sitting in your inbox for the new location? That’s probably not what you want to think about right now.
Here’s the good news: for most businesses, adding a new location doesn’t dramatically change your PCI compliance obligations. If you’re already compliant at your existing locations, you’re halfway there. If this is your first time dealing with PCI compliance, it’s simpler than the jargon-filled forms make it seem.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. They formed the PCI Security Standards Council to manage these standards, but it’s your payment processor or acquiring bank that actually enforces them.
Think of it this way: the card brands want to protect their customers’ credit card data. They require anyone who accepts cards to follow certain security practices. Your payment processor passes these requirements down to you because they’re responsible for the merchants in their network.
The consequences of non-compliance range from annoying to business-ending. Your processor can fine you monthly (typically $50-500 for small merchants), increase your processing rates, or terminate your ability to accept cards. If there’s a data breach and you weren’t compliant, you could face liability for fraud losses and forensic investigation costs that can reach hundreds of thousands of dollars.
But here’s what the scary compliance letters don’t tell you: most small businesses qualify for the simplest compliance requirements. If you use modern payment terminals or hosted e-commerce solutions, you’re probably looking at a questionnaire that takes 30-60 minutes annually, not the months-long project you might be imagining.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards at your new location in any form — whether through a terminal, online, over the phone, or even on paper — yes, you need to be PCI compliant.
Most small businesses fall into Merchant Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news because Level 4 merchants have the simplest compliance requirements: complete an annual Self-Assessment Questionnaire (SAQ) and possibly run quarterly vulnerability scans.
Your payment processor expects you to:
- Complete the appropriate SAQ annually
- Run quarterly ASV scans if required for your SAQ type
- Submit your Attestation of Compliance (AOC) to prove you’ve completed the process
- Fix any security issues discovered during the process
That compliance questionnaire they sent? It’s their way of reminding you that your annual assessment is due. The confusing part is figuring out which type of SAQ applies to your business — there are nine different versions, each for different payment scenarios.
Which SAQ Do You Need?
The SAQ type you need depends entirely on how you accept and process credit cards at your new location. Here’s the decision tree in plain language:
| How You Accept Payments | SAQ Type | Complexity | Questions |
|---|---|---|---|
| Payment terminal only (Square, Clover, standalone) | SAQ B or B-IP | Simple | 22-83 |
| E-commerce with hosted checkout (Shopify, Stripe Checkout) | SAQ A | Simplest | 22 |
| E-commerce with payment fields on your site | SAQ A-EP | Moderate | 191 |
| Phone orders only (no electronic storage) | SAQ C-VT | Simple | 84 |
| Paper forms only | SAQ C | Moderate | 160 |
| Store card numbers electronically | SAQ D | Complex | 329+ |
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B (if standalone) or SAQ B-IP (if connected to your network). These are designed for brick-and-mortar locations.
If you have an e-commerce site with hosted checkout — where customers are redirected to PayPal, Stripe Checkout, or your processor’s payment page — you qualify for SAQ A, the simplest questionnaire with only 22 questions.
If you take payments over the phone at your new location but don’t record or store card numbers electronically, you’ll complete SAQ C-VT (Virtual Terminal). This assumes you’re entering cards into a web-based virtual terminal, not storing them.
If you store card numbers in any electronic format — in your POS system, in a spreadsheet, in your customer database — you’re stuck with SAQ D, the full questionnaire. This is where PCI gets complex and expensive. If you’re storing card data, your first project should be figuring out how to stop.
Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need. It takes less than five minutes and removes the guesswork.
How to Complete Your SAQ
Once you know which SAQ type applies to your new location, the actual completion process is straightforward. The questionnaire presents a series of yes/no questions about your payment security practices.
Here’s what “yes” actually means: you have the security control in place and can prove it if asked. For example, if the question asks “Do you change default passwords?” a “yes” means you’ve actually changed them, not that you plan to. If you answer “no” to any required question, you’ll need to fix that issue or explain how you’re addressing the risk differently.
You’ll need to gather some basic documentation:
- Network diagram (can be hand-drawn) showing how payment devices connect
- List of people who can access payment systems
- Vendor agreements if you use third-party payment services
- Security policies (many SAQ tools provide templates)
For most SAQ types, you’ll also need quarterly ASV scans. These are automated vulnerability scans run by an Approved Scanning Vendor that check your internet-facing systems for security issues. They’re not invasive — think of them like a security camera checking your digital doors and windows four times a year. Each scan typically takes a few hours to run and costs $50-150.
After completing the questionnaire and passing your scans, you’ll sign an Attestation of Compliance (AOC). This is your official declaration that you’ve met PCI requirements. Submit this to your payment processor (they’ll tell you how), and you’re compliant for another year.
What It Costs
Let’s talk real numbers. PCI compliance for a new location doesn’t have to break the bank:
Compliance platform and SAQ tools typically run $10-50 per month for small merchants. This includes the questionnaire wizard, policy templates, and compliance tracking. Many payment processors include basic tools with your merchant account.
Quarterly ASV scanning costs $200-600 annually for most small businesses. Some compliance platforms bundle this with their monthly fee. You need four passing scans per year, one each quarter.
If you need a QSA (Qualified Security Assessor), you’re looking at $5,000-50,000+ depending on your size and complexity. Good news: only Level 1 merchants and service providers typically need a QSA. If you’re reading this wondering what PCI is, you probably don’t need one.
Now consider the cost of non-compliance: monthly fines from your processor ($50-500), increased processing rates (0.5-1% higher), potential breach liability (average $150 per compromised card), and the nuclear option — losing your ability to accept credit cards entirely.
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not a profit center for your processor — they genuinely don’t want you to get breached because it costs them money too.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your new location needs to maintain compliance annually, with quarterly scans if required by your SAQ type.
Set calendar reminders for:
- Annual SAQ completion (same time each year)
- Quarterly ASV scans (every 90 days)
- Security updates for payment systems
- Password changes (every 90 days for payment system access)
- Review of who has access to payment systems
Certain changes at your new location trigger a reassessment:
- Adding new payment channels (like adding e-commerce to a retail location)
- Changing payment processors or terminals
- Starting to store card data (please don’t)
- Significant network changes affecting payment systems
PCICompliance.com’s compliance dashboard tracks all these dates for you, sending reminders before deadlines and showing your compliance status across all locations at a glance. No more spreadsheets or sticky notes.
FAQ
Do I need separate compliance for each location?
It depends on your setup. If all locations use the same payment systems and network, you might complete one SAQ covering all locations. If each location has different payment methods or separate networks, you’ll need location-specific assessments. Your payment processor can clarify their requirements.
What if my new location only accepts cash and checks?
No credit cards means no PCI compliance requirements. But the moment you start accepting cards — even one transaction — you’re in scope. Plan for compliance before you add card acceptance.
Can I just say we’re compliant without doing the assessment?
Technically you could, but it’s fraud and a terrible idea. Your processor can request proof anytime. If there’s a breach and you lied about compliance, you’re facing massive liability plus potential criminal charges for fraud.
How long does the first assessment take?
For simple SAQ types (A, B, C-VT), budget 2-4 hours for your first assessment including gathering documentation. The questionnaire itself takes 30-60 minutes once you have everything ready. Subsequent years are faster because you’ve already done the setup work.
What if I fail my ASV scan?
Don’t panic — most merchants fail their first scan. The report shows exactly what needs fixing, usually outdated software or unnecessary services. Fix the issues (your IT person can usually handle it in an hour or two) and rescan. You get unlimited rescans until you pass.
Do food trucks and pop-up locations need compliance too?
Yes, if they accept credit cards. The good news is mobile payment solutions like Square typically qualify for simpler SAQ types. Treat each mobile location like a fixed location for compliance purposes.
What happens if I don’t complete my SAQ?
Your processor will start with reminder emails, then monthly fines (typically $50-500), then potentially increase your processing rates. Continued non-compliance can result in termination of your merchant account. It’s much easier to just complete the questionnaire.
Can my payment processor help with compliance?
Most processors provide basic tools and guidance, but they can’t complete your assessment for you — that would be like your accountant signing your tax return without your involvement. They’ll point you to resources and may offer compliance tools, but the attestation is your responsibility.
Moving Forward with Confidence
Opening a new location brings enough challenges without PCI compliance keeping you up at night. The reality is that for most businesses, maintaining compliance at a new location is a manageable task that protects both your business and your customers.
Start by understanding which SAQ type applies to your new location — this single piece of information determines 90% of your compliance workload. Use modern payment solutions that minimize your PCI scope. Complete your annual assessment, run quarterly scans if required, and track your compliance status throughout the year.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Whether you’re adding your second location or your twentieth, we help you maintain compliance across your entire business. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team about managing multiple locations efficiently.