Buy Me a Coffee PCI

What Is Buy Me a Coffee PCI Compliance? A Small Business Guide

If you just received a PCI compliance questionnaire from your payment processor and your first thought was “What is this, and why are they asking me about firewalls?” — take a deep breath. For most small businesses, PCI compliance is much simpler than it initially appears. You probably don’t need to hire a security team or rebuild your payment system. In many cases, you can complete your compliance requirements in an afternoon with the right guidance.

This guide will walk you through exactly what PCI compliance means for your business, which forms you need to complete, and how to stay compliant without breaking the bank or losing your mind.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit card payments. Think of it as a security checklist created by the major card brands — Visa, Mastercard, American Express, and Discover — to protect customer card data from theft.

The card brands created the PCI Security Standards Council to manage these requirements, but they don’t enforce compliance directly. Instead, your acquiring bank or payment processor (the company that handles your card transactions) requires you to prove compliance as part of your merchant agreement. When they send you that annual questionnaire, they’re essentially saying: “Show us you’re protecting customer card data properly.”

Here’s what happens if you ignore those compliance requests:

  • Your processor can fine you (typically $5,000 to $100,000 depending on your processing volume)
  • If there’s a data breach, you’re liable for fraud losses and card reissuance costs
  • Your processor could terminate your merchant account, leaving you unable to accept cards
  • You might face additional fines from the card brands themselves

But here’s the good news: most small businesses qualify for the simplest compliance requirements. If you’re using modern payment tools like Square, Stripe, or PayPal, you’ve already outsourced most of the security heavy lifting to companies that specialize in it.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form — in person, online, over the phone, or even through invoices — then yes, you need to be PCI compliant.

Your merchant level determines how you prove compliance. Most small businesses are Level 4 merchants (processing less than 20,000 e-commerce transactions or less than 1 million total transactions annually). This means you can self-assess using a Self-Assessment Questionnaire (SAQ) instead of hiring an external auditor.

That compliance questionnaire your processor sent? It’s their way of collecting your annual self-assessment. They need it to satisfy their own compliance requirements with the card brands. From their perspective, every merchant in their portfolio represents potential risk — your completed questionnaire shows you’re managing that risk appropriately.

Which SAQ Do You Need?

The PCI Security Standards Council offers several SAQ types, each designed for different payment scenarios. Choosing the right one is crucial — pick one that’s too simple and you’re not actually compliant; pick one that’s too complex and you’re doing unnecessary work.

Here’s how to determine your SAQ type based on how you accept payments:

| How You Accept Payments | Your SAQ Type | Number of Questions | Complexity |
| --- | --- | --- | --- |
| Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A | 22 | Easiest |
| E-commerce with payment fields on your site | SAQ A-EP | 191 | Moderate |
| Standalone terminal only (no connected systems) | SAQ B | 41 | Easy |
| Terminal connected to internet/network | SAQ B-IP | 93 | Easy-Moderate |
| Manual card entry (virtual terminal, phone orders) | SAQ C-VT | 85 | Moderate |
| Paper forms with card numbers | SAQ C | 139 | Moderate |
| Store card data electronically | SAQ D | 329 | Complex |

Common Scenarios

If you use Square, Clover, or similar terminals: You’re likely SAQ B if the terminal is completely standalone, or SAQ B-IP if it connects to the internet for processing.

If you have an online store: SAQ A applies if customers are redirected to a hosted payment page (like Stripe Checkout or PayPal). If payment fields appear on your website (even if you’re using Stripe Elements or similar), you need SAQ A-EP.

If you take orders by phone: SAQ C-VT covers businesses that manually enter card numbers into a web-based virtual terminal provided by your processor.

If you store card numbers: Please reconsider this practice. If you must store card data electronically, you’ll need to complete SAQ D — the most comprehensive questionnaire with 329 requirements.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment processes and tells you exactly which SAQ type you need.

How to Complete Your SAQ

Once you’ve identified your SAQ type, the actual questionnaire is straightforward. Each question asks whether you’ve implemented a specific security control, with three possible answers:

  • Yes: You’ve fully implemented the requirement
  • No: You haven’t implemented it
  • N/A: The requirement doesn’t apply to your environment

Here’s what “yes” actually means: you can demonstrate the control if asked. For example, if the question asks about password policies, “yes” means you have a written policy, your systems enforce it, and you could show both to an auditor.

Documentation You’ll Need

Before starting your SAQ, gather:

  • Network diagram (even a simple sketch showing how your payment devices connect)
  • List of payment systems (terminals, software, websites that handle payments)
  • Written policies for security procedures (many small businesses create these while completing the SAQ)
  • ASV scan results (if required for your SAQ type)

The Quarterly ASV Scan

If you process payments online or your payment systems connect to the internet, you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). Don’t let the technical name intimidate you — it’s an automated scan of your external-facing systems that typically takes 30 minutes to set up.

The ASV scan looks for known vulnerabilities in your web servers, firewalls, and other internet-facing systems. You’ll receive a report showing any issues found and their severity. Minor issues won’t fail your scan, but critical vulnerabilities must be fixed before you can achieve compliance.

Submitting Your Compliance

After completing your SAQ and passing any required scans:

1. Review your answers and ensure all “no” responses have remediation plans
2. Complete the Attestation of Compliance (AOC) — a formal declaration that you’ve accurately assessed your compliance
3. Submit both documents to your processor through their compliance portal
4. Save copies for your records

Most processors require annual submission, though some may request updates quarterly or after significant changes to your payment environment.

What It Costs

PCI compliance costs vary based on your business size and complexity, but for most small merchants, it’s quite manageable:

Compliance platform fees: $100-$500 annually for SAQ completion tools and compliance tracking. Many processors include basic tools with your merchant account.

ASV scanning: $200-$1,000 annually for quarterly scans. Pricing depends on the number of IP addresses and domains scanned.

QSA assessment: Only required for larger merchants (Level 1-2). If you’re reading this guide, you probably don’t need one. When required, expect $15,000-$50,000 for a full assessment.

Training and remediation: Budget for staff time to complete questionnaires and fix any identified issues. Most small businesses need 4-8 hours annually.

Compare these costs to non-compliance:

  • Monthly non-compliance fees from your processor: $20-$100
  • Initial non-compliance fine: $5,000-$100,000
  • Data breach costs: Average $150 per compromised card number
  • Lost business from terminated merchant account: Incalculable

For most small merchants, annual compliance costs less than a single non-compliance fine. Think of it as insurance — except this insurance also makes your business more secure.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox. Your processor will ask for updated documentation annually, and certain SAQ types require quarterly activities. Here’s how to stay on track:

Set annual reminders for:

  • SAQ renewal (typically 30 days before your compliance expiration)
  • Policy reviews and updates
  • Security awareness training for staff who handle payments

Set quarterly reminders for:

  • ASV scans (if required)
  • Firewall rule reviews (for SAQ C and D merchants)
  • User access reviews

Monitor for changes that might affect your SAQ type:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or systems
  • Storing card data when you didn’t before
  • Significant business growth crossing merchant level thresholds

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and flagging any changes that might affect your compliance status.

Frequently Asked Questions

What happens if I ignore PCI compliance?

Your payment processor will likely start with reminder notices, then add monthly non-compliance fees to your statement. Eventually, they may issue fines or terminate your merchant account. If a breach occurs while you’re non-compliant, you face liability for fraud losses and breach-related costs.

My processor says I need PCI compliance but I only process 5 cards per month. Do I really need it?

Yes, PCI DSS applies to all merchants regardless of volume. Even one transaction per year technically requires compliance. The good news is that your low volume qualifies you for the simplest compliance requirements.

I use Square for everything. Am I already compliant?

Square handles much of the security burden, but you still have responsibilities. You’ll likely need to complete SAQ B for your Square terminal. Square provides tools to help with compliance, but you must still complete and submit the appropriate documentation.

What’s the difference between PCI compliant and PCI certified?

Merchants become PCI compliant by meeting all applicable requirements. Only service providers and solution providers can become PCI certified or validated. As a merchant, you’re seeking compliance, not certification.

How do I know if my SAQ was accepted?

Your payment processor should confirm receipt and acceptance of your compliance documentation. Many provide a compliance certificate or update your status in their merchant portal. If you haven’t heard back within 30 days, follow up directly.

Can I just check “yes” to all the questions to pass?

Absolutely not. False attestation is considered fraud and could result in immediate termination of your merchant account. If a breach occurs after false attestation, you face significant legal liability. Answer honestly and create plans to address any “no” responses.

My web developer says our site is secure. Is that enough?

Security and PCI compliance overlap but aren’t identical. Your developer might have implemented strong security, but PCI compliance requires specific controls and documentation. Have them review the applicable SAQ requirements to ensure your site meets all criteria.

Do I need to hire a security consultant?

Most small businesses can achieve compliance without external consultants. If you’re SAQ A or B, the requirements are straightforward enough to handle internally. Consider professional help only if you’re SAQ D or struggling with technical requirements in other SAQ types.

Moving Forward with Confidence

PCI compliance might seem overwhelming when you first encounter it, but remember — millions of small businesses successfully maintain compliance every year. The key is understanding which requirements actually apply to your business and tackling them systematically.

Start by identifying your correct SAQ type. For most small merchants, this immediately eliminates 90% of the PCI DSS requirements. Focus only on what applies to your specific payment methods and business model. Use tools and services designed for small businesses rather than enterprise solutions.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never miss a deadline or wonder about your compliance status again. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team for personalized guidance. We’ve helped thousands of merchants navigate PCI compliance successfully, and we’re ready to help you too.
