You Just Got a PCI Compliance Questionnaire. Here’s What It Actually Means.
Your payment processor just sent you something about PCI compliance and you’re staring at acronyms like SAQ, AOC, and ASV wondering if this is some elaborate corporate hazing ritual. Take a breath. For most small businesses — especially seasonal ones like holiday shops, summer camps, or tax prep services — compliance is much simpler than that intimidating questionnaire makes it seem.
Here’s the reality: if you’re reading this because you just got your first compliance request, you’re probably looking at a few hours of work, not weeks. Most seasonal and small businesses qualify for the simplest compliance paths. You don’t need a security team or a compliance consultant. You just need to understand what’s being asked and answer honestly about how you handle credit cards.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. They formed the PCI Security Standards Council to manage these standards, but it’s your payment processor or acquiring bank that actually enforces them.
Think of it this way: the card brands created the rules to protect credit card data, and your payment processor makes sure you follow them. Why? Because if card data gets stolen from your business, everyone loses — you face liability, your processor faces fines, and customers lose trust in the entire payment system.
The consequences of non-compliance aren’t theoretical. Your processor can fine you monthly (typically $20-100 for small merchants), increase your processing rates, or even terminate your ability to accept credit cards. If there’s a breach and you weren’t compliant, you could face tens of thousands of dollars in forensic investigation costs plus liability for fraudulent charges.
But here’s the good news: most small businesses, including seasonal operations, qualify for the simplest compliance requirements. You’re not held to the same standards as Amazon or Target. The PCI Council recognizes that a Christmas tree lot doesn’t need the same security infrastructure as a major retailer.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form — swiped, dipped, tapped, keyed, or online — yes, you need to be PCI compliant. This applies even if you only process cards for three months out of the year.
Your merchant level determines how much documentation you need to provide. For most small businesses processing less than a million transactions annually, you’re Level 4. This means you complete a self-assessment questionnaire instead of hiring an expensive QSA for a full audit.
What your payment processor expects from you:
- Complete the right Self-Assessment Questionnaire (SAQ) for your business
- Run quarterly vulnerability scans if you have any internet-facing systems
- Submit an Attestation of Compliance (AOC) saying you’ve met the requirements
- Fix any security gaps the process identifies
That questionnaire they sent? It’s your processor’s way of saying “prove to us you’re protecting card data.” They’re required by the card brands to verify your compliance annually. Ignore it, and those monthly non-compliance fees start hitting your merchant account.
Which SAQ Do You Need?
The key to simple compliance is picking the right SAQ. Choose wrong and you’ll face hundreds of unnecessary requirements. Here’s the decision tree in plain language:
If you use a standalone payment terminal (Square Reader, Clover Go, or traditional terminals that connect via phone line or cellular):
- You likely need SAQ B (standalone terminals with no electronic storage)
- Or SAQ B-IP if the terminal connects via your internet
If you have an e-commerce site using fully hosted checkout (Shopify Payments, Stripe Checkout, PayPal):
- You need SAQ A — the simplest one with only 22 requirements
If you redirect customers to a payment page but your site touches the card data in any way:
- You need SAQ A-EP — still relatively simple but more requirements than SAQ A
If you take payments over the phone and enter them into a virtual terminal:
- You need SAQ C-VT — manageable but requires some workstation security
If you store card numbers in any form (spreadsheets, customer database, filing cabinet):
- You need SAQ D — the full questionnaire
- And you should really stop storing card numbers
| Payment Scenario | SAQ Type | Requirements | Complexity |
|---|---|---|---|
| Square Reader at farmers market | SAQ B | 31 | Simple |
| Clover terminal on your network | SAQ B-IP | 91 | Moderate |
| Shopify store with Shopify Payments | SAQ A | 22 | Simplest |
| WooCommerce with Stripe Elements | SAQ A-EP | 191 | Complex |
| Phone orders via PayPal Virtual Terminal | SAQ C-VT | 83 | Moderate |
| Old POS system storing card data | SAQ D | 326 | Very Complex |
Not sure which one fits? PCICompliance.com’s SAQ Wizard asks a few simple questions about how you accept payments and tells you exactly which questionnaire you need. No guessing, no compliance consultant required.
How to Complete Your SAQ
The questionnaire itself is less intimidating than it looks. Every requirement is a yes/no question. “Yes” means you’re doing what’s required. “No” means you need to fix something or explain why it doesn’t apply to your business.
For SAQ A (online merchants with hosted checkout), you’re answering questions like:
- Do you have a policy for who can access payment systems?
- Do you change default passwords?
- Is your checkout page secured with SSL/TLS?
For SAQ B (standalone terminals), expect questions about:
- Physical security of the terminal
- Whether you’ve changed default passwords
- How you dispose of paper receipts
Documentation you’ll need:
- Your network diagram (for SAQ B, this can be as simple as “terminal connects via phone line”)
- Written security policies (templates are fine)
- User access lists (who can process refunds?)
- Your ASV scan results if you have any internet-facing systems
The quarterly ASV scan trips up many seasonal businesses. If you process cards online or your payment terminal connects through your internet, you need an Approved Scanning Vendor to scan your external IP addresses four times per year. It’s automated, takes about 15 minutes to set up, and costs around $200-300 annually. The scan looks for vulnerabilities hackers could exploit.
Once complete, you’ll generate an Attestation of Compliance (AOC) — basically a cover sheet saying you’ve completed the requirements. Submit this along with your SAQ and most recent ASV scan results to your processor. Most processors have an online portal for submission.
What It Costs
Let’s talk real numbers. For a small seasonal business:
Compliance platform and tools: $100-500 per year
- Includes SAQ wizard, policy templates, and compliance tracking
- Some processors include basic tools with your merchant account
Quarterly ASV scanning: $200-400 per year
- Required if you have any internet-facing payment systems
- Includes four quarterly scans and unlimited rescans to fix issues
If you need a QSA (only for Level 1 merchants or if you’ve had a breach):
- $15,000-50,000 for a full Report on Compliance (ROC)
- But remember, most small businesses never need this
The cost of NON-compliance:
- Monthly non-compliance fees: $20-100
- Breach-related fines: $5,000-100,000
- Forensic investigation: $10,000+ if you have a breach
- Lost ability to process cards: priceless
For most seasonal merchants, annual compliance costs less than two months of non-compliance fees. More importantly, it costs far less than a single data breach incident.
Staying Compliant Year-Round
Here’s what surprises seasonal businesses: PCI compliance isn’t a one-time checkbox. Your processor wants annual validation, and if you process online, you need quarterly scans even during your off-season.
Set these reminders now:
- Annual SAQ due date (usually 12 months from your last submission)
- Quarterly ASV scan windows (every 90 days)
- Annual review of who has access to payment systems
- Update policies when you change payment methods
Changes that trigger a new assessment:
- Switching from terminal to online processing
- Starting to take phone orders
- Changing payment processors or gateways
- Storing card data (please don’t)
A compliance dashboard makes this manageable. PCICompliance.com tracks your compliance timeline, sends reminders before deadlines, and stores your documentation history. When your processor asks for proof of compliance two years from now, you’ll have it.
FAQ
We only accept cards for 3 months a year. Do we really need to comply?
Yes. PCI compliance applies to any merchant that accepts credit cards, regardless of volume or seasonality. Your processor will still require annual validation. The good news? If you only use a standalone terminal during your season, you likely qualify for SAQ B, one of the simpler questionnaires.
What happens if we just ignore the compliance request?
Your processor will start charging monthly non-compliance fees (typically $20-100). Eventually, they may increase your processing rates or terminate your merchant account. If you have a breach while non-compliant, you face full liability for fraud losses and investigation costs.
Can we just use Square or PayPal to avoid PCI requirements?
Using Square, PayPal, or similar services can simplify compliance, but doesn’t eliminate it. You still need to complete SAQ A or B depending on how you integrate. However, these services do handle the complex security requirements, leaving you with the simplest possible questionnaire.
How long does the SAQ actually take to complete?
For SAQ A (hosted e-commerce): 1-2 hours. For SAQ B (standalone terminals): 2-3 hours. For SAQ C-VT (phone orders): 3-4 hours. The first time takes longer as you gather documentation. Annual recertification is much faster.
What’s an ASV scan and do we need one?
An ASV (Approved Scanning Vendor) scan checks your internet-facing systems for vulnerabilities. You need quarterly scans if you process e-commerce transactions or your payment terminal connects through your internet. If you only use dial-up terminals or fully hosted payment pages, you don’t need ASV scans.
We store customer card numbers in QuickBooks. Is that okay?
No. Storing card numbers significantly increases your risk and moves you to SAQ D (300+ requirements). Switch to a payment gateway that tokenizes cards or use your processor’s customer vault feature. The convenience isn’t worth the compliance burden and breach risk.
Take Control of Your Compliance
PCI compliance for seasonal businesses doesn’t have to be overwhelming. Most small merchants discover they’re already doing 80% of what’s required — they just need to document it and fix a few gaps. The horror stories you hear usually involve merchants who ignored compliance entirely or stored card data they shouldn’t have.
Your path forward is simple. First, figure out which SAQ applies to your payment setup. PCICompliance.com’s free SAQ Wizard makes this painless — answer a few questions about how you accept payments and get your exact questionnaire type. Then complete the questionnaire, fix any gaps it identifies, and submit your compliance validation. If you need quarterly scans, our ASV scanning service handles everything automatically.
The entire process — from confused recipient of a compliance notice to validated merchant — typically takes less time than setting up your merchant account in the first place. More importantly, once you’re set up with proper tools and reminders, staying compliant year after year becomes a minor administrative task rather than an annual scramble.
Don’t let PCI compliance be the reason you dread opening mail from your processor. With PCICompliance.com’s guided platform, you’ll complete your requirements confidently, maintain compliance automatically, and get back to running your business. Whether you’re selling Christmas trees in December or running a summer camp in July, we’ll make sure you’re covered when the card brands come checking.