Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses, PCI compliance is simpler than it sounds — often just a matter of answering some yes/no questions about how you handle credit card payments and running quarterly security scans. This guide will walk you through exactly what you need to do, step by step, in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card information. If your business accepts credit cards — whether through a terminal, online, or over the phone — these requirements apply to you.
The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But they don’t enforce them directly. Instead, your acquirer (the bank that processes your card payments) or payment processor (like Square, Stripe, or your merchant services provider) handles enforcement. That’s why they sent you that compliance questionnaire.
What Happens If You Don’t Comply?
Non-compliance comes with real consequences:
- Monthly fines from your processor (typically $25-$500 per month for small businesses)
- Full liability if there’s a data breach
- Potential loss of your ability to accept credit cards
- Higher processing rates
The good news? Most small businesses qualify for the simplest compliance requirements. You’re not facing the same standards as Amazon or Target — your compliance process is much more straightforward.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes.
It doesn’t matter if you’re a solo freelancer taking occasional card payments or a multi-location retailer — if credit card data touches your business in any way, PCI compliance applies. This includes:
- Swiping, dipping, or tapping cards at a terminal
- Taking payments through your website
- Accepting card numbers over the phone
- Processing mail-order payments
- Storing card numbers (even in a filing cabinet)
Understanding Merchant Levels
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means you can self-assess using an SAQ (Self-Assessment Questionnaire) rather than hiring an expensive QSA for a full audit.
What Your Payment Processor Expects
That questionnaire your processor sent? They need it to prove to the card brands that their merchants are following security standards. They’ll typically ask for:
- A completed SAQ (the specific type depends on how you accept payments)
- An AOC (Attestation of Compliance) — basically your signature saying the SAQ is accurate
- Proof of quarterly ASV scans if you have any internet-facing systems
- Sometimes additional documentation like network diagrams or policies
Missing their deadline means those monthly non-compliance fees start hitting your merchant account.
Which SAQ Do You Need?
The biggest confusion in PCI compliance? Figuring out which SAQ applies to your business. There are several types, each with different requirements based on how you handle card data.
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A | 22 | Simple |
| E-commerce with payment fields on your site | SAQ A-EP | 191 | Moderate |
| Standalone terminal with dial-up/cellular | SAQ B | 41 | Simple |
| Standalone terminal with network connection | SAQ B-IP | 91 | Moderate |
| Payment application connected to internet | SAQ C-VT | 80 | Moderate |
| Any card data storage or complex setup | SAQ D | 329+ | Complex |
Common Scenarios
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely looking at SAQ B (for dial-up or cellular terminals) or SAQ B-IP (for terminals connected to your network).
If you have an e-commerce site with hosted checkout — where customers get redirected to PayPal, Stripe Checkout, or your processor’s payment page — you qualify for SAQ A, the simplest form with just 22 questions.
If you take payments over the phone using a virtual terminal or payment software, you’ll complete SAQ C-VT. This applies whether you’re entering cards into QuickBooks, your processor’s virtual terminal, or any web-based payment form.
If you store card numbers anywhere — in your system, on paper, in spreadsheets — you’re stuck with SAQ D, the full questionnaire. Seriously consider stopping this practice; it dramatically increases your compliance burden and risk.
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ you need.
How to Complete Your SAQ
Once you know which SAQ applies, the actual completion process is straightforward. Each SAQ contains yes/no questions about your security practices. Here’s what to expect:
What the Questions Look Like
Questions range from simple (“Do you have a firewall?”) to more specific (“Do you change default passwords on all systems?”). For each question, you’ll answer:
- Yes – We do this
- No – We don’t do this
- N/A – This doesn’t apply to our environment
“Yes” means you have implemented the control and can prove it if asked. Don’t just answer “yes” because it sounds good — false attestation can lead to serious penalties if there’s a breach.
Documentation You’ll Need
Gather these items before starting your SAQ:
- List of all payment terminals and their models
- Your network diagram (even a simple sketch works for small businesses)
- Any written security policies
- Vendor agreements for payment processing
- Results from your latest ASV scan (if required)
The Quarterly ASV Scan
If you have any internet-facing systems (website, email server, remote access), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor. These automated scans check for security holes hackers could exploit. They typically:
- Take 20-30 minutes to run
- Cost $100-300 per year for small businesses
- Must pass (no high-risk vulnerabilities) for compliance
- Need to be run every 90 days
Submitting Your Compliance Package
Once complete, you’ll submit:
1. Your completed SAQ
2. The signed AOC (Attestation of Compliance)
3. Passing ASV scan reports (if required)
4. Any additional documentation your processor requests
Most processors accept these through their online portal, though some still use email or paper forms.
What It Costs
PCI compliance costs vary based on your setup and SAQ type, but here’s what to budget:
Compliance Tools and Platforms
- SAQ completion tools: $100-500/year for guided questionnaires and compliance tracking
- Full compliance platforms: $500-2,000/year including SAQ tools, policy templates, and support
- Free option: Download SAQs directly from PCI SSC (but no guidance or tracking)
ASV Scanning
- Basic scanning: $100-300/year for quarterly scans
- Advanced scanning with remediation help: $300-1,000/year
- Multiple IP addresses: Add $50-200/year per additional IP
Professional Services (If Needed)
- QSA assessment: $5,000-50,000 (only required for Level 1-2 merchants)
- Compliance consultant: $150-300/hour for specific help
- Penetration testing: $2,000-10,000 (only for SAQ D)
The Cost of Non-Compliance
- Monthly processor fines: $25-500 for Level 4 merchants
- Breach liability: Average small business breach costs $50,000+
- Lost processing ability: Priceless — you need to accept cards
For most small merchants, annual compliance costs less than a single month of non-compliance fines. It’s an investment in keeping your business running.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your processor will ask for updated documentation annually, and you need quarterly ASV scans if applicable. Here’s how to stay on track:
Set Up Your Compliance Calendar
- Quarterly: ASV scans due every 90 days
- Annually: Full SAQ reassessment and attestation
- Ongoing: Update documentation when systems change
- Monthly: Review any security alerts or patches
When You Need to Reassess
Certain changes trigger immediate compliance review:
- Adding new payment channels or methods
- Changing payment processors or terminals
- Moving from outsourced e-commerce to self-hosted
- Starting to store card data (please don’t)
- Major network or system changes
Making It Manageable
PCICompliance.com’s compliance dashboard tracks all your deadlines, stores your documentation, and sends reminders when action is needed. You’ll never miss a scan window or attestation deadline again.
FAQ
Q: Do I need PCI compliance if I only process a few cards per month?
A: Yes, transaction volume doesn’t matter for whether compliance applies — only for which merchant level you fall under. Even one transaction per year requires compliance. The good news is that low volume means you’re definitely Level 4 with the simplest requirements.
Q: Can I just check “yes” to all questions to pass?
A: Absolutely not. The AOC you sign is a legal attestation, and false statements can result in personal liability if there’s a breach. Answer honestly — if you have “no” answers, fix those items or work with a QSA on compensating controls.
Q: What’s the difference between PCI compliance and other security standards?
A: PCI DSS is specifically for protecting payment card data, required by your payment processor. Other standards like SOC 2 or ISO 27001 are broader security frameworks. PCI is typically the only mandatory one for small merchants accepting cards.
Q: Do I need a special certification to become PCI compliant?
A: No certification needed for merchants — you self-assess using the SAQ. Only security assessors (QSAs, ASVs) and certain solution providers need PCI certifications. Your compliance is demonstrated through your completed SAQ and AOC.
Q: How long does PCI compliance take?
A: For SAQ A (redirect to hosted payment page): 1-2 hours. For SAQ B or B-IP (standalone terminals): 2-4 hours. For SAQ C-VT (virtual terminal): 4-6 hours. SAQ D can take weeks with full documentation requirements.
Q: Can I outsource PCI compliance entirely?
A: You can outsource much of it by using compliant payment providers and terminals, which is why choosing the right setup matters. But you always retain some responsibility — even with SAQ A, you still need to complete the questionnaire and maintain basic security practices.
Q: What if I fail my ASV scan?
A: Don’t panic — failing the first scan is common. The report shows exactly what vulnerabilities were found. Fix the high-risk items (usually software updates or configuration changes), then rescan. Most ASV providers include free rescans for this reason.
Q: Do I need PCI compliance for multiple business locations?
A: Yes, but you can usually cover multiple locations’ PCI compliance under a single SAQ if they use the same payment methods and processes. Different payment setups at different locations might require separate SAQs or a more comprehensive assessment approach.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but for most small businesses, it’s a manageable process. Identify your SAQ type, answer the questions honestly, run your quarterly scans if needed, and submit your paperwork annually. The entire process typically takes just a few hours per year.
PCICompliance.com streamlines this entire journey — our free SAQ Wizard identifies exactly which questionnaire you need in under two minutes, our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard keeps all your documentation organized and tracks every deadline. Whether you’re completing your first SAQ or managing compliance for multiple locations, we provide the tools and guidance to make PCI compliance as painless as possible. Start with our free SAQ Wizard to see exactly what your business needs, or reach out to our compliance team for personalized guidance on your specific situation.