What Ohio Businesses Need to Know About PCI Compliance
If you just received a PCI compliance questionnaire from your payment processor and your first thought was “What is this and do I really need to deal with it?” — take a breath. For most small businesses in Ohio, PCI compliance is simpler than it looks. Yes, you need to complete it if you accept credit cards. No, it’s not as complicated as that 50-page questionnaire makes it seem. Most businesses can complete their requirements in an afternoon with the right guidance.
Here’s the bottom line: PCI compliance protects your customers’ credit card data and keeps you from hefty fines or losing the ability to accept cards. The good news? If you’re using modern payment systems like Square, Stripe, or Shopify, you’re already doing most of what’s required. Let’s walk through exactly what you need to know.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as the security rulebook for anyone who accepts credit cards. The major card brands (Visa, Mastercard, Discover, American Express) created these rules through the PCI Security Standards Council to protect cardholder data from theft.
If you accept, process, store, or transmit credit card information in any way — whether through a terminal at your counter, an online store, or even over the phone — these rules apply to you.
Your acquirer (the bank that processes your credit card transactions) or payment processor enforces these rules. That’s who sent you the compliance questionnaire. They’re required to verify that every merchant they work with follows PCI standards.
What happens if you ignore that questionnaire? Your processor can fine you monthly non-compliance fees (typically $20-100 per month). If there’s a data breach and you weren’t compliant, you could face fines up to $100,000 from the card brands, plus liability for fraud losses. Worst case, they can terminate your ability to accept credit cards entirely.
But here’s what most small businesses don’t realize: achieving compliance isn’t nearly as hard as it sounds. Most qualify for the simplest SAQ types that take 30-60 minutes to complete.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards, yes. It doesn’t matter if you’re a small boutique in Cleveland, a restaurant in Columbus, or an online retailer in Cincinnati. Accept Visa, Mastercard, Discover, or Amex? You need to be PCI compliant.
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 Visa transactions annually). Level 4 merchants complete a Self-Assessment Questionnaire (SAQ) instead of hiring an outside assessor.
What your payment processor expects from you:
- Complete the appropriate SAQ annually
- Pass quarterly ASV (Approved Scanning Vendor) scans if you have any internet-facing systems
- Submit your Attestation of Compliance (AOC)
- Keep documentation proving your compliance
That questionnaire they sent? It’s either the SAQ itself or instructions on how to access their compliance portal. Either way, it’s not optional — it’s a requirement of your merchant agreement.
Which SAQ Do You Need?
The scariest part of that compliance packet is often seeing multiple SAQ types listed. There are nine different SAQs, but most small businesses only need to worry about four. Here’s how to figure out which one applies to you:
| How You Accept Payments | Your SAQ Type | Questions | Complexity |
|---|---|---|---|
| Standalone terminal only (no computer connection) | SAQ B | 41 | Simple |
| Terminal connected to internet | SAQ B-IP | 82 | Moderate |
| E-commerce with fully hosted checkout (customer never enters card on your site) | SAQ A | 22 | Simplest |
| E-commerce with payment fields on your site | SAQ A-EP | 191 | Complex |
| Taking cards over the phone | SAQ C-VT | 160 | Complex |
| Storing card numbers anywhere | SAQ D | 329 | Most Complex |
Let’s make this even clearer with real examples:
SAQ B or B-IP: You run a retail store, restaurant, or service business with a countertop terminal. If it’s a standalone device like an old-school Verifone terminal, you’re SAQ B. If it’s a modern system like Square, Clover, or Toast that connects to the internet, you’re SAQ B-IP.
SAQ A: Your e-commerce site uses Shopify Payments, Stripe Checkout, PayPal, or another fully hosted checkout where customers are redirected away from your site to enter card details. This is the holy grail — only 22 questions.
SAQ C-VT: You take orders over the phone and key them into a virtual terminal or another computer-based system. Common for B2B companies, medical offices, and service businesses.
SAQ D: You store credit card numbers in any form — in your computer, accounting software, or filed away. If this is you, stop immediately. Storing card data is a massive liability and pushes you into the most complex compliance category.
Not sure which applies? PCICompliance.com’s free SAQ Wizard asks a few simple questions about how you accept payments and tells you exactly which SAQ you need.
How to Complete Your SAQ
Once you know your SAQ type, completing it is straightforward. Each SAQ is a series of yes/no questions about your security practices. Here’s what to expect:
The questions ask about things like:
- Do you change default passwords on payment equipment?
- Is your payment terminal in a secure location?
- Do you have anti-virus on computers that handle payments?
- Who has access to your payment systems?
For each “yes” answer, you’re confirming you follow that security practice. A “no” means you need to either implement that control or explain why it doesn’t apply to your environment.
Documentation you’ll need:
- List of your payment terminals or software
- Network diagram (for SAQ B-IP and above)
- Security policies (can be simple one-pagers for small businesses)
- ASV scan reports (if required)
The quarterly ASV scan: If you have any systems connected to the internet (including your website), you need quarterly vulnerability scans from an Approved Scanning Vendor. This automated scan checks for security holes in your public-facing systems. It typically takes 24-48 hours to run and costs $150-300 per year for all four quarters.
After completing your SAQ, you’ll sign the Attestation of Compliance (AOC) — a formal declaration that your answers are accurate. Submit both documents to your payment processor through their portal or email.
What It Costs
Let’s talk real numbers for Ohio PCI compliance costs:
Compliance platforms and tools: $100-500 annually for small businesses. This typically includes:
- Access to the correct SAQ
- Guided questionnaire with plain-English help
- Document templates
- Compliance tracking dashboard
ASV scanning: $150-300 annually for all four quarterly scans. Some compliance platforms include this.
If you need a QSA: Only required for Level 1 merchants or if you can’t self-assess. QSA assessments start at $10,000 but most small businesses never need one.
The cost of non-compliance:
- Monthly processor fees: $20-100
- Data breach fines: $5,000-100,000
- Fraud liability: You’re on the hook for fraudulent charges
- Lost ability to accept cards: Devastating for most businesses
Reality check: Annual compliance for most small merchants costs less than a single month of non-compliance fees. It’s also far less than the smallest data breach fine.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done exercise. Your compliance expires annually, and you need quarterly ASV scans if applicable. Here’s how to stay on track:
Set reminders:
- Annual SAQ due date (usually anniversary of last submission)
- Quarterly ASV scans (every 90 days)
- Security update schedules
What triggers a reassessment:
- Adding new payment channels (like adding e-commerce to retail)
- Changing payment processors or systems
- Significant changes to how you handle card data
Documentation to maintain:
- Completed SAQs and AOCs from previous years
- ASV scan reports
- Evidence of security controls (photos of locked terminals, security policies)
PCICompliance.com’s compliance dashboard tracks all these dates and sends automatic reminders. You’ll never miss a deadline or scramble to find last year’s documentation.
FAQ
Do I really need to do this if I’m just a small business?
Yes. Size doesn’t matter when it comes to PCI compliance — acceptance of credit cards does. Your payment processor requires it as part of your merchant agreement, regardless of transaction volume.
What if I only process a few cards per month?
You still need to comply, but you’re likely eligible for the simplest SAQ types. Low volume actually makes compliance easier, not optional.
Can’t I just pay the non-compliance fee instead?
That’s like paying speeding tickets instead of following speed limits. The monthly fees add up, you’re still liable if there’s a breach, and your processor can terminate your merchant account.
How long does the SAQ take to complete?
SAQ A takes 20-30 minutes. SAQ B takes 30-60 minutes. More complex types can take a few hours, but you can save and return to them.
What’s this ASV scan and do I need it?
An ASV scan checks your internet-facing systems for vulnerabilities. You need it if you have any online presence — even just a basic website. It’s automated and requires no technical knowledge.
What if I don’t understand a question on the SAQ?
Most compliance platforms provide plain-English explanations for each question. PCICompliance.com includes context-sensitive help and examples throughout the questionnaire.
Can I just click “yes” to everything?
Don’t. False attestation is fraud. Answer honestly — if you have gaps, the SAQ helps identify what to fix.
What if my payment processor has their own compliance program?
Many processors offer their own programs. Compare costs and features — third-party platforms often provide better tools and support at similar or lower prices.
Making PCI Compliance Manageable
PCI compliance sounds intimidating, but for most Ohio businesses, it’s a straightforward process. Identify your SAQ type, answer the questions honestly, run your scans if needed, and submit your documentation. An afternoon of work protects your business from significant financial risk.
The key is using the right tools. PCICompliance.com gives you everything needed to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Rather than dreading that annual questionnaire from your processor, you’ll have everything ready to go. Start with the free SAQ Wizard to identify your requirements, or talk to our compliance team for guidance on your specific situation.