You Just Got a PCI Compliance Questionnaire — Don’t Panic
Here’s what matters: if you accept credit cards at your Pennsylvania business, you need to be PCI compliant. That compliance questionnaire from your payment processor isn’t optional, but for most small businesses, it’s far simpler than you think. You’re probably looking at a few hours of work once a year, not the massive undertaking you might fear.
Pennsylvania PCI compliance follows the same rules as everywhere else — these are global standards set by the card brands. Your local coffee shop in Philadelphia faces the same requirements as a boutique in Pittsburgh or an online store in Harrisburg. The good news? Most small merchants qualify for the simplest compliance paths.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. They formed the PCI Security Standards Council to manage these standards, but it’s your payment processor or acquiring bank that actually enforces them.
Think of it this way: the card brands want to protect cardholder data from breaches. They created these standards and told payment processors “make sure your merchants follow these rules.” Your processor then passes that requirement to you through compliance questionnaires and annual assessments.
If you don’t comply, your payment processor can:
- Fine you (typically $5,000-$100,000 per month of non-compliance)
- Increase your processing rates
- Hold you liable for fraud losses
- Terminate your ability to accept cards entirely
The consequences are real, but here’s what they don’t tell you upfront: most small businesses qualify for SAQ A or SAQ B, the simplest questionnaires that take 30-60 minutes to complete. You’re not facing the same requirements as Target or Home Depot.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit or debit cards in any form — in person, online, over the phone, even manually — yes, you need to be PCI compliant.
Your merchant level determines how you demonstrate compliance:
- Level 4 (under 20,000 e-commerce transactions OR under 1 million total transactions annually): Self-assessment questionnaire
- Level 3 (20,000-1 million e-commerce transactions annually): Self-assessment questionnaire
- Level 2 (1-6 million transactions annually): Self-assessment questionnaire, though some processors require a QSA
- Level 1 (over 6 million transactions annually): On-site assessment by a QSA
Most small and medium Pennsylvania businesses fall into Level 4, which means you complete a self-assessment questionnaire (SAQ) annually and run quarterly vulnerability scans if you have any internet-facing systems that handle card data.
That compliance questionnaire your processor sent? It’s their way of saying “prove you’re following PCI standards.” They need this proof to satisfy the card brands. Ignore it, and they’ll eventually suspend your merchant account.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in several flavors, each designed for different payment scenarios. Here’s the decision tree in plain language:
| Your Payment Scenario | Your SAQ Type | Questions | Complexity |
|---|---|---|---|
| E-commerce with fully hosted checkout (PayPal, Stripe Checkout) | SAQ A | ~22 | Simplest |
| E-commerce with payment fields on your site (Stripe Elements, Square Web Payments) | SAQ A-EP | ~191 | Moderate |
| Standalone terminals with dial-up/cellular (no computer connection) | SAQ B | ~41 | Simple |
| Standalone terminals connected via Ethernet/computer | SAQ B-IP | ~82 | Simple-Moderate |
| Virtual terminal or taking cards over phone | SAQ C-VT | ~160 | Moderate |
| Traditional retail with integrated POS | SAQ C | ~160 | Moderate |
| P2PE-validated solution | SAQ P2PE | ~33 | Simple |
| Storing card data or complex environments | SAQ D | ~329 | Complex |
Common scenarios for Pennsylvania merchants:
- Running a Shopify store? You’re likely SAQ A
- Using Square or Clover terminals at your retail location? Probably SAQ B or SAQ B-IP
- Taking orders over the phone and entering them into a virtual terminal? That’s SAQ C-VT
- Storing customer card numbers in a filing cabinet or spreadsheet? You’re SAQ D (and need to stop immediately)
Not sure which one fits? PCICompliance.com’s SAQ Wizard walks you through a few simple questions about how you accept payments and tells you exactly which questionnaire applies.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your security practices. “Yes” means you’re doing what the requirement asks. “No” means there’s a gap you need to fix; if a requirement simply doesn’t apply to your environment, note that and explain why in the space provided.
What you’ll see:
- Questions grouped by requirement area (network security, access control, etc.)
- Each question references a specific PCI DSS requirement number
- Space to explain any “No” answers or special circumstances
Documentation you’ll need:
- Your network diagram (even if it’s just “one computer connected to the internet”)
- List of who has access to payment systems
- Your security policies (informal counts — “only Sarah and I can run transactions”)
- Results from your quarterly ASV scans (if required)
The quarterly ASV scan applies if you have any systems connected to the internet that handle card data — even indirectly. An Approved Scanning Vendor runs automated scans looking for vulnerabilities. It’s not invasive, won’t affect your systems, and typically costs $200-500 per year for all four quarterly scans.
Once complete, you’ll generate an Attestation of Compliance (AOC) — a formal declaration that you’ve completed the assessment and meet all requirements. Submit this along with your SAQ and ASV scan results to your payment processor.
What It Costs
PCI compliance costs vary by complexity:
For most small merchants (SAQ A, B, B-IP):
- Compliance platform/tools: $100-300/year
- Quarterly ASV scanning: $200-500/year
- Total annual cost: $300-800
For moderate complexity (SAQ A-EP, C-VT, C):
- Compliance platform/tools: $300-600/year
- Quarterly ASV scanning: $200-500/year
- Possible penetration testing: $2,000-5,000/year
- Total annual cost: $500-6,100
For complex environments (SAQ D):
- QSA assessment: $15,000-50,000+
- Quarterly ASV scanning: $500-2,000/year
- Annual penetration testing: $5,000-20,000
- Total annual cost: $20,000-70,000+
The cost of NON-compliance:
- Monthly fines: $5,000-100,000
- Breach liability: $50-90 per compromised card
- Forensic investigation: $20,000-100,000
- Lost ability to process cards: invaluable
For most Pennsylvania small businesses spending $500-1,000 annually on compliance, that’s less than a single month’s non-compliance fine.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your processor expects an annual attestation (your SAQ and AOC) with quarterly scans throughout the year.
Mark your calendar for:
- Annual SAQ due date (usually the anniversary of your last submission)
- Quarterly ASV scan windows (every 90 days)
- Security update reminders for payment systems
- Employee training refreshers (anyone who handles payments)
What triggers a new assessment:
- Changing payment processors
- Adding new payment channels (starting e-commerce, adding mobile payments)
- Significant network changes
- Moving from standalone terminals to integrated POS
- Starting to store card data (please reconsider)
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sends reminders before deadlines, and maintains your compliance history. No more scrambling when your processor asks for last year’s AOC.
Frequently Asked Questions
Do I really need to do this if I’m just a small business?
Yes. Size doesn’t matter when it comes to PCI compliance: if you accept credit cards, you need to comply. The good news is that small businesses typically qualify for the simplest SAQ types, which take under an hour to complete annually.
What happens if I just ignore the compliance questionnaire?
Your payment processor will eventually fine you or terminate your merchant account. Most processors give you 60-90 days to respond before penalties begin. Fines typically start at $25-50/month and escalate to thousands per month.
Can I just say “yes” to all the questions?
Only if the answers are truthfully “yes” — you’re attesting under penalty that your answers are accurate. If you suffer a breach and the investigation reveals false attestation, you face personal liability for fraud losses. Better to answer honestly and fix any gaps.
I use Square/PayPal/Stripe — aren’t they responsible for PCI compliance?
They handle their part, but you’re still responsible for your environment. These providers secure the payment processing, but you need to secure your devices, networks, and any place you might see or store card data. You’ll likely qualify for SAQ A or B, the simplest types.
Do I need to hire a QSA?
Most Level 4 merchants (under 1 million transactions) don’t need a QSA. You can complete the self-assessment questionnaire yourself or with help from a compliance platform. Only Level 1 merchants and some Level 2 merchants require a formal QSA assessment.
How often do I need to run vulnerability scans?
Quarterly — four times per year, at least 87 days apart. This applies only if you have internet-facing systems that store, process, or transmit card data. Many SAQ A merchants don’t need scans at all.
What if I fail my vulnerability scan?
Fix the identified vulnerabilities and rescan — you typically get unlimited rescans within the quarter. Common failures include outdated SSL certificates, missing security patches, or unnecessary services running. Your ASV provides specific remediation guidance.
I take cards at craft fairs using my phone — does PCI apply?
Yes, mobile payment acceptance still requires PCI compliance. If you’re using Square, PayPal Here, or similar mobile solutions, you’ll likely complete SAQ B. The good news: these solutions handle most security requirements for you.
Your Next Steps
PCI compliance might seem overwhelming at first glance, but for most Pennsylvania businesses, it’s a manageable annual task. Start by identifying which SAQ type fits your payment methods — that alone will show you exactly what’s required.
PCICompliance.com simplifies the entire process. Our free SAQ Wizard identifies your questionnaire type in minutes. Our platform guides you through each question with plain-English explanations. Our ASV scanning service handles quarterly vulnerability scans automatically. And our compliance dashboard keeps you on track year-round, storing your documentation and sending reminders before deadlines.
Don’t let that compliance questionnaire intimidate you. Whether you’re a Main Street retailer in Scranton or an online seller in Erie, PCI compliance is achievable. Start with our free SAQ Wizard to see exactly what you’re facing — it’s probably simpler than you think. Or talk to our compliance team for guidance specific to your business. We’ve helped thousands of merchants achieve compliance, and we’ll help you too.