Podia PCI Compliance

So You Got a PCI Compliance Questionnaire — Don’t Panic

Your payment processor just sent you something about Podia PCI compliance — or maybe it was your bank, or that company that handles your credit card processing. The email has terms like “SAQ” and “AOC” and mentions potential fines. Before you close the email and pretend you didn’t see it, take a breath. For most small businesses, PCI compliance is actually simpler than it sounds.

Here’s what you need to know: if you accept credit cards, you need to be PCI compliant. But — and this is the important part — most small businesses can complete their compliance requirements in an afternoon. You don’t need to hire consultants or restructure your entire business. You just need to understand what’s being asked of you and complete the right questionnaire.

This guide will walk you through exactly what PCI compliance means, which questionnaire you need to fill out, and how to get it done without losing your mind. By the end, you’ll understand why your processor sent that email and how to respond to it.

What Is PCI Compliance (In Plain English)

PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — to protect credit card data. Think of it as a security checklist that ensures businesses handle card information safely.

The card brands don’t enforce these requirements directly. Instead, they work through the PCI Security Standards Council to maintain the standards, while your acquirer (the bank or payment processor that handles your card transactions) enforces them. When your processor sends you a compliance questionnaire, they’re fulfilling their obligation to ensure all their merchants meet these security standards.

Why This Matters to You

If you’re not compliant, several things can happen:

  • Your payment processor can charge you monthly non-compliance fees (typically $20-100/month)
  • If there’s a data breach, you’re liable for fraud losses and forensic investigation costs
  • Your processor can increase your rates or terminate your ability to accept cards
  • You could face fines from the card brands themselves (ranging from $5,000 to $100,000)

The good news? Most small businesses fall into the simplest compliance categories. You’re not being asked to implement the same security as Amazon or Walmart. The standards scale based on your transaction volume and how you handle card data.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit or debit cards in any form, yes. This includes:

  • Swiping, inserting, or tapping cards at a terminal
  • Entering card numbers into a virtual terminal
  • Taking payments through your website
  • Accepting cards over the phone
  • Processing recurring billing or subscriptions
  • Using mobile card readers like Square or PayPal Here

Your merchant level determines how much compliance documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants typically complete a self-assessment questionnaire rather than hiring an outside assessor.

What Your Payment Processor Expects

That compliance questionnaire your processor sent? They need you to:

1. Determine which SAQ (Self-Assessment Questionnaire) type applies to your business
2. Complete the questionnaire honestly
3. Fix any security gaps the questionnaire reveals
4. Submit your AOC (Attestation of Compliance)
5. Complete quarterly vulnerability scans if required

They’ll keep sending reminders until you comply, and many processors start charging non-compliance fees after 60-90 days.

Which SAQ Do You Need?

The most confusing part of PCI compliance is figuring out which questionnaire applies to you. There are nine different SAQ types, but most small businesses use one of the types listed below:

How You Accept Cards                                                                   SAQ Type   Questions   Complexity
Standalone terminal only (no connected systems)                                        SAQ B      41          Simple
Terminal connected to internet/network                                                 SAQ B-IP   82          Simple
E-commerce with fully hosted checkout (customer never enters card data on your site)   SAQ A      22          Simplest
Taking cards over the phone                                                            SAQ C-VT   81          Moderate
Storing card numbers or using connected POS systems                                    SAQ D      329+        Complex

Common Scenarios

If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B or SAQ B-IP. The difference depends on whether your terminal connects to the internet. That Square reader that plugs into your phone? That’s SAQ B-IP.

If you have an e-commerce site using Shopify Payments, Stripe Checkout, PayPal, or similar services where customers are redirected to enter their card details, you’re likely SAQ A. This is the simplest questionnaire with only 22 questions.

If you take card payments over the phone and enter them into a virtual terminal or payment system, you’re likely SAQ C-VT. This applies even if you don’t record or store the card numbers.

If you store card numbers in any form — in your accounting software, on paper, in spreadsheets — you’re in SAQ D territory. This is the most complex questionnaire and honestly, you should stop storing card numbers immediately.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Once you know which SAQ applies, completing it is straightforward. Each question requires a yes or no answer about your security practices. Here’s what the process looks like:

Understanding the Questions

The questions ask about specific security controls. For example:

  • “Are all payment terminals physically secured to prevent tampering?”
  • “Do you change default passwords on all payment systems?”
  • “Is antivirus software installed and regularly updated?”

When the questionnaire asks if you do something, “yes” means you currently do it, not that you plan to do it. Be honest — this isn’t a test where you’re trying to get 100%. It’s a tool to identify security gaps.

Documentation You’ll Need

Gather these items before starting your questionnaire:

  • A list of all payment terminals and their locations
  • Your network diagram (even a simple sketch works for small businesses)
  • Security policies (informal practices count — just document them)
  • Vendor agreements for any third-party payment services
  • Recent vulnerability scan results (if applicable)

The Quarterly ASV Scan

If you’re SAQ B-IP, C-VT, or D, you need quarterly vulnerability scans from an Approved Scanning Vendor. Don’t let the technical term scare you — it’s an automated scan that checks your network for security vulnerabilities. The scan typically takes 30 minutes to a few hours, and you’ll receive a report showing any issues that need fixing.

Submitting Your Compliance

After completing your SAQ:
1. Review your answers and fix any “no” responses that create immediate security risks
2. Complete the Attestation of Compliance (a formal declaration that you completed the assessment)
3. Submit both documents to your payment processor
4. Schedule your next quarterly scan if required
5. Mark your calendar for next year’s assessment

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you handle it yourself or use a compliance platform:

SAQ Tools and Platforms: $100-500 per year for small businesses. This typically includes the questionnaire wizard, document storage, and compliance tracking. Some payment processors include basic tools for free.

Quarterly ASV Scanning: $30-100 per scan, or $120-400 annually. Many compliance platforms bundle scanning with their annual fee.

QSA Assessment: Only required for Level 1 merchants. If you’re reading this guide, you probably don’t need one. But for reference, QSA assessments start around $10,000.

The Cost of Non-Compliance: This is where it gets expensive. Monthly non-compliance fees from your processor average $20-100. A data breach investigation starts at $10,000. Card brand fines begin at $5,000. Loss of card processing ability means loss of revenue.

For most small merchants, annual compliance costs less than two months of non-compliance fees — and far less than a single breach incident.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox. Your processor will ask for updated documentation every year, and certain SAQ types require quarterly scans. Here’s how to stay on track:

Set Annual Reminders: Mark your calendar 30 days before your compliance anniversary. This gives you time to complete your assessment without rushing.

Track Quarterly Scans: If you need ASV scans, schedule them for the same date each quarter. Most scanning services can automate this.

Document Changes: Adding new payment terminals, changing processors, or updating your e-commerce platform might change your SAQ type. Keep notes on any changes to your payment acceptance methods.

Monitor Your Status: PCICompliance.com’s compliance dashboard shows your current status, upcoming deadlines, and any outstanding items. You’ll never wonder whether you’re compliant.

Update Your Training: If employees handle card payments, remind them annually about security basics: never write down card numbers, always verify terminal tampering, report suspicious activity immediately.

FAQ

What happens if I ignore the compliance questionnaire?

Your payment processor will start charging monthly non-compliance fees, typically $20-100. After several months, they may increase your processing rates or terminate your merchant account. If a breach occurs while you’re non-compliant, you’re fully liable for all costs and fines.

Can I just say “yes” to all the questions?

Falsifying your SAQ is fraud and makes you liable for any security incidents. The questionnaire isn’t about passing — it’s about identifying and fixing security gaps. Answer honestly and address any issues you discover.

Do I need to hire a security consultant?

Most small businesses don’t need outside help for PCI compliance. If you’re SAQ A, B, or B-IP, you can complete everything yourself. Consider help only if you’re SAQ D or having trouble understanding the requirements.

What if I fail my vulnerability scan?

Findings that cause a failed scan are normal on first scans. The report will list what needs fixing, usually software updates or configuration changes. Fix the critical and high-risk items, then rescan. Most businesses pass after addressing the initial findings.

How do I know which payment processor questions to answer?

Your processor’s compliance packet should specify which SAQ type they want you to complete. If not, use the payment method criteria above or try PCICompliance.com’s SAQ Wizard. When in doubt, ask your processor’s support team.

Do I need PCI compliance for PayPal/Venmo/Cash App?

If you use these services through their basic person-to-person features, no. But if you use their business accounts or card readers to accept customer payments, yes. The moment you accept card payments in a business context, PCI DSS applies.

Can I reduce my compliance scope?

Yes! This is called scope reduction. Use payment terminals that encrypt card data immediately. Never store card numbers. Use hosted checkout pages instead of handling card data on your website. The less card data you touch, the simpler your compliance.

What’s the difference between PCI compliance and other security standards?

PCI DSS specifically protects payment card data. You might also encounter requirements for HIPAA (healthcare), SOC 2 (service organizations), or state privacy laws. Each standard has different requirements, though good security practices often satisfy multiple standards.

Your Next Steps

PCI compliance feels overwhelming when you first encounter it, but remember: thousands of businesses your size complete their assessments every day. You don’t need to become a security expert or restructure your business. You just need to understand what type of SAQ applies to you, answer the questions honestly, and fix any significant gaps.

Start by identifying how you accept payments, then use that information to determine your SAQ type. Set aside a few hours to complete the questionnaire — most small merchants finish in an afternoon. Schedule any required scans, submit your documentation, and mark your calendar for next year.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never miss a deadline or wonder about your compliance status again. Start with the free SAQ Wizard to identify your questionnaire type, or talk to our compliance team if you need guidance. Either way, you’ll have your compliance handled before that next reminder email arrives.
