Mighty Networks PCI

The Bottom Line Up Front

You just received a PCI compliance questionnaire from your payment processor and you’re wondering what you’ve gotten yourself into. Take a breath — for most small businesses, PCI compliance is actually much simpler than it sounds. If you’re using modern payment tools like Square, Stripe, or PayPal, you’re probably already doing most of what’s required. This guide will walk you through exactly what Mighty Networks PCI compliance means for your business, which forms you need to complete, and how to get it done without losing sleep.

Here’s the good news: the vast majority of small merchants qualify for the simplest compliance requirements. You won’t need expensive consultants or complex security audits. You just need to understand which path applies to your business and follow a straightforward checklist.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands (Visa, Mastercard, American Express, Discover and JCB). Think of it as a security checklist that anyone who stores, processes or transmits cardholder data needs to follow. The goal is simple: protect cardholder data from breaches and fraud.

The card brands created an organization called the PCI Security Standards Council to maintain the standard, but the Council does not enforce it. Enforcement flows from the card brands to your acquirer (the bank or payment processor that settles your card transactions), and the acquirer is the one who has to see evidence that you comply. That is why you received that questionnaire: your processor needs to verify that you are following the rules.

What Happens If You Don’t Comply?

Non-compliance isn’t just a paperwork issue. Your payment processor can:

  • Fine you monthly (typically $25-$100 for small merchants, but it can escalate)
  • Increase your processing rates or add non-compliance fees
  • Hold you liable for fraud losses if there’s a breach
  • Terminate your merchant account in extreme cases, meaning you can’t accept cards at all

The consequences are real, but here’s the thing — compliance for small businesses is usually straightforward. Most merchants can complete their requirements in an afternoon.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a Fortune 500 company or a yoga instructor who occasionally takes cards — if you process payment cards, PCI DSS applies to you.

Your Merchant Level

Your compliance requirements depend on your merchant level, which is based on your annual transaction volume:

  • Level 4: fewer than 20,000 e-commerce transactions a year, and any other merchant processing up to 1 million card transactions a year (most small businesses)
  • Level 3: 20,000 to 1 million e-commerce transactions a year
  • Level 2: 1 million to 6 million transactions a year, across all channels
  • Level 1: more than 6 million transactions a year, or any merchant a card brand designates as Level 1 (for example, after a breach)

These thresholds are Visa's; the other brands use similar ones, and it is your acquirer that tells you which level it has assigned you.

As a Level 4 merchant (which includes most readers of this guide), you complete a Self-Assessment Questionnaire (SAQ) rather than undergoing the on-site assessment by a Qualified Security Assessor that Level 1 merchants must have. This is good news: it means you can handle compliance yourself.

What Your Payment Processor Expects

That questionnaire your processor sent? They’re asking you to:

1. Identify which SAQ type applies to your payment setup
2. Complete the appropriate SAQ (a set of yes/no questions about your security practices) and sign its Attestation of Compliance
3. Run quarterly external vulnerability scans by an Approved Scanning Vendor if your SAQ type requires them (SAQ A-EP, B-IP, C and D do; standalone SAQ B does not; check the scan requirement in your own SAQ for the rest)
4. Submit the signed SAQ and, where required, the passing scan reports every year

Most processors give you 60-90 days to complete this process. Some charge non-compliance fees immediately; others give you a grace period.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in different flavors, each designed for specific payment scenarios. Here’s how to determine which one applies to you:

The SAQ Decision Tree

  • SAQ A (~20 questions, easiest): fully outsourced card-not-present payments, where a PCI DSS compliant provider serves the whole payment page (full redirect or provider-hosted iframe, e.g. PayPal, Stripe Checkout, Square online) and you never store card data electronically
  • SAQ A-EP (~140 questions, moderate): e-commerce where your own site delivers part of the payment page, for example a form on your site that posts the card number directly to the gateway, or JavaScript you host that handles card data
  • SAQ B (~40 questions, easy): standalone dial-up card terminals only, no electronic card storage
  • SAQ B-IP (~80 questions, easy to moderate): standalone PCI PTS-approved terminals that connect to your processor over IP, not connected to any other system
  • SAQ C-VT (~80 questions, moderate): card numbers keyed one at a time into a provider's web-based virtual terminal on a dedicated computer
  • SAQ C (~160 questions, moderate to complex): a payment application or POS system on an internet-connected computer, no electronic card storage
  • SAQ D (~330 questions, complex): you store cardholder data electronically, or your setup fits none of the above

Question counts are approximate and change between versions of the standard; the eligibility criteria at the front of each SAQ are what decide which one you may use.

Let’s break down the most common scenarios:

If you use a standalone card terminal (Clover, Ingenico, or a traditional dial-up machine) that is PCI PTS-approved, is not connected to any other system in your business, and you never store card data electronically, you are likely SAQ B (dial-up only) or SAQ B-IP (connected to your processor over the internet). Card readers that plug into a phone or tablet app are a different setup; ask that provider which SAQ, if any, they expect from you.

If your e-commerce site hands the whole payment page to a PCI DSS compliant provider, either by a full redirect or by an iframe the provider serves (Shopify Payments, WooCommerce with Stripe Checkout, BigCommerce), and your own servers never see a card number, you are probably SAQ A, the simplest form. If your own page collects the card number and posts it to the gateway, or you host the JavaScript that builds the payment form, you are in SAQ A-EP territory instead.

If you take payments over the phone or by mail and key the card number, one transaction at a time, into a provider's web-based virtual terminal on a dedicated computer, you are looking at SAQ C-VT. Keying numbers into your own POS software or a payment application on a networked computer moves you to SAQ C.

If you store card numbers in any system, database, or even Excel spreadsheets (please stop doing this immediately), you’re stuck with SAQ D — the full questionnaire.

Not sure which one applies? PCICompliance.com offers a free SAQ Wizard that asks a few simple questions about your payment setup and tells you exactly which form you need. It takes less than five minutes and removes the guesswork.

How to Complete Your SAQ

Once you know which SAQ applies, the actual completion process is straightforward:

What the Questionnaire Looks Like

Your SAQ is a series of yes/no questions about your payment security practices. For example:

  • “Do you have a firewall protecting your payment systems?”
  • “Do you change default passwords on payment devices?”
  • “Do you restrict access to cardholder data?”

Here is the key: answering "yes" means you actually do that thing, not that you plan to or think it is a good idea. The SAQ also lets you mark a question "N/A" when it genuinely does not apply to your environment (no wireless network, for example); you then explain why in the attestation. If you answer "no" to any required question, you need to fix that gap before you can attest.

Documentation You’ll Need

Depending on your SAQ type, gather:

  • Network diagram (for SAQ B-IP and above — can be hand-drawn)
  • Device inventory (list of payment terminals and computers)
  • Security policies (often templates are fine for small merchants)
  • User access lists (who can access payment systems)

For SAQ A merchants, you typically need none of this beyond evidence that your payment providers are PCI DSS compliant (a copy of each provider's Attestation of Compliance, or its listing on the card brands' service-provider registries) and honest answers to the handful of controls SAQ A itself asks about, such as changing default passwords and not storing card data.

The Quarterly ASV Scan

If your SAQ type requires it (A-EP, B-IP, C and D), you need quarterly external vulnerability scans of your internet-facing in-scope systems (your website, any payment gateway endpoint you host, the public IP your terminals sit behind) from an Approved Scanning Vendor (ASV). Email servers and other systems outside your cardholder data environment are not in scope. This sounds scarier than it is:

1. Sign up with an ASV (PCICompliance.com includes this service)
2. Provide the public IP addresses or hostnames of your in-scope systems
3. The ASV runs automated scans looking for vulnerabilities
4. Fix any failing finding and rescan; under the ASV program anything with a CVSS base score of 4.0 or higher fails the scan, so medium-severity findings count, not just critical ones
5. Get a passing scan report to submit with your SAQ

Most small businesses pass on their first or second try. The common findings are expired or misconfigured TLS certificates, servers that still accept SSL or early TLS (TLS 1.0 and 1.1, which the ASV program treats as an automatic failure), and unpatched software: usually quick fixes.
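As an added example (not part of this guide, and not any vendor's scanning tool), here is a small Go program that runs the two checks behind the most common ASV findings before the ASV does: how many days a certificate has left, and whether a server still accepts TLS 1.0. To run offline it builds a throwaway self-signed certificate and handshakes in memory over net.Pipe instead of the network; the hostname shop.example, the 30-day renewal threshold and the two server configurations are assumptions made for the example. Against a live host the same protocol probe is `openssl s_client -tls1 -connect host:443`, and the same certificate check works on the PEM you get from `openssl s_client -connect host:443 -showcerts`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate valid from notBefore for
// validDays days. It stands in for a real site certificate so the checks run
// offline; it is constructed test data, not a certificate from any real host.
func selfSignedCert(notBefore time.Time, validDays int) (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "shop.example"}, // hypothetical hostname
		DNSNames:     []string{"shop.example"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pemBytes, nil
}

// daysUntilExpiry parses a PEM certificate and returns the whole days left at
// `now`, negative if it has already expired. Learning this before the ASV
// scan does is the whole point of the check.
func daysUntilExpiry(certPEM []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// probeVersion performs a TLS handshake over an in-memory pipe between a
// client pinned to exactly `version` and a server using serverCfg. It returns
// true when the server accepted that protocol version.
func probeVersion(serverCfg *tls.Config, version uint16) bool {
	clientSide, serverSide := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	_ = clientSide.SetDeadline(deadline)
	_ = serverSide.SetDeadline(deadline)

	done := make(chan struct{})
	go func() {
		defer close(done)
		_ = tls.Server(serverSide, serverCfg).Handshake() // an error here is the expected outcome for a rejected version
		_ = serverSide.Close()                            // close the raw pipe; a TLS close_notify would block on the unbuffered pipe
	}()

	cli := tls.Client(clientSide, &tls.Config{
		MinVersion:         version,
		MaxVersion:         version,
		InsecureSkipVerify: true, // the probe tests protocol policy, not certificate trust
	})
	err := cli.Handshake()
	_ = clientSide.Close()
	<-done
	return err == nil
}

// weakServerConfig and hardenedServerConfig differ in the one setting that
// decides the early-TLS finding: the minimum protocol version.
func weakServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

func hardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

func main() {
	now := time.Now().Truncate(time.Second)
	cert, certPEM, err := selfSignedCert(now, 20) // 20-day cert: already inside a 30-day renewal window
	if err != nil {
		panic(err)
	}
	days, _ := daysUntilExpiry(certPEM, now)
	fmt.Printf("certificate expires in %d days (renew if under 30)\n", days)
	for name, cfg := range map[string]*tls.Config{"weak": weakServerConfig(cert), "hardened": hardenedServerConfig(cert)} {
		fmt.Printf("%-8s accepts TLS 1.0: %v, TLS 1.2: %v\n", name,
			probeVersion(cfg, tls.VersionTLS10), probeVersion(cfg, tls.VersionTLS12))
	}
}
```

Run it with `go run`. The weak configuration accepts the TLS 1.0 handshake and would fail the scan; the hardened one refuses it while still serving TLS 1.2. On a real web server the fix is the equivalent of that one line: set the minimum protocol version to TLS 1.2 in the server or load balancer configuration, then rescan.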

Submitting Your Documentation

Once you’ve completed your SAQ and have passing ASV scans (if required), you’ll:

1. Sign the Attestation of Compliance (AOC) — a formal declaration that you’ve completed the requirements
2. Submit everything to your payment processor through their compliance portal
3. Save copies for your records — you’ll need them next year

Most processors confirm receipt within a few days and update your account to show you’re compliant.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your size and complexity:

Compliance Platform and Tools

  • SAQ wizard and basic tools: Often free
  • Full compliance platforms: $10-50/month for small merchants
  • Enterprise solutions: $200-500/month for complex environments

Quarterly ASV Scanning

  • Basic scanning service: $20-40 per quarter
  • Bundled with compliance platform: Often included
  • Multiple IPs or complex scans: $100-200 per quarter

If You Need a QSA

Most small merchants never need a Qualified Security Assessor, but if you do:

  • SAQ assistance: $500-2,000
  • Gap assessment: $5,000-15,000
  • Full Report on Compliance: $15,000-50,000+

The Cost of NON-Compliance

This is where it gets expensive:

  • Monthly non-compliance fees: $25-100 (compounds quickly)
  • Breach-related fines: $5,000-50,000 for small merchants
  • Fraud liability: after a breach you can be held responsible for the resulting fraud losses and the cost of reissuing affected cards
  • Lost processing privileges: Priceless — you literally can’t do business

Bottom line: Annual compliance for a typical small merchant costs $200-500. A single non-compliance fine can exceed that in just a few months.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done exercise — it’s an annual requirement with quarterly components.

Your Compliance Calendar

  • Annually: Complete and submit your SAQ
  • Quarterly: Run ASV scans (if required)
  • Ongoing: Maintain security practices you attested to
  • As needed: Update your SAQ if your payment methods change

Set calendar reminders for these dates. Your annual attestation needs four consecutive passing quarterly scans behind it, so missing one quarter leaves a gap you cannot fill retroactively.

What Triggers a Reassessment

You’ll need to complete a new SAQ if you:

  • Add new payment channels (start taking phone orders, add e-commerce)
  • Change payment processors or gateways
  • Significantly increase transaction volume (might change merchant level)
  • Start storing cardholder data (please don’t)

Tracking Your Compliance

Manual tracking gets messy fast. PCICompliance.com’s compliance dashboard:

  • Tracks all deadlines and sends reminders
  • Stores your documentation in one place
  • Monitors your ASV scan status
  • Alerts you to changes in PCI requirements

This turns compliance from an annual scramble into a manageable ongoing process.

FAQ

Q: I only process a few transactions per month. Do I really need to comply?

A: Yes, transaction volume doesn’t exempt you from PCI DSS. Even if you only process one card per year, you still need to complete the appropriate SAQ. The good news is that with low volume, you’ll likely qualify for the simplest SAQ types.

Q: My payment processor handles everything. Why do I need to do anything?

A: Using a secure processor reduces your compliance scope but doesn’t eliminate it. You’re still responsible for things like physical security of devices, employee training, and not writing down card numbers. Your SAQ confirms these practices.

Q: What’s the difference between PCI compliance and being PCI certified?

A: Merchants (and service providers) validate compliance; nobody "certifies" a merchant. The things the PCI Security Standards Council formally lists are products such as PTS terminals, payment software and P2PE solutions, plus the assessors and scanning vendors themselves. As a merchant, you demonstrate compliance by completing your annual SAQ and meeting all of its requirements.

Q: Can I just check “yes” to everything on the SAQ?

A: A false attestation is a misrepresentation to your acquirer and the card brands. If there is a breach and the forensic investigation shows you attested to controls you never had, you can be held liable for the losses and fines and may face legal action over the attestation itself. Answer honestly and fix any gaps.

Q: How long does the whole process take?

A: For most small merchants, 2-4 hours total. This includes determining your SAQ type, completing the questionnaire, setting up ASV scans, and submitting documentation. Complex environments take longer.

Q: What if I fail my vulnerability scan?

A: Don’t panic — this is common on first scans. The ASV report shows exactly what needs fixing. Most issues are simple updates or configuration changes. Fix them, rescan, and you’ll likely pass.

Q: Do I need to hire a security consultant?

A: Probably not if you’re a Level 4 merchant. Most small businesses can handle SAQ A or B requirements themselves. Consider help only if you’re SAQ D or repeatedly failing scans.

Q: My business is seasonal. When should I complete my SAQ?

A: Complete it during your slow season when you have time to focus. Your compliance is based on your highest transaction period, so even if you’re closed part of the year, requirements still apply.

Conclusion

PCI compliance might seem overwhelming when that first questionnaire arrives, but now you understand what’s actually required. For most small businesses, it’s a matter of confirming you’re using secure payment tools, completing a straightforward questionnaire, and keeping up with quarterly scans. The investment of a few hours annually protects your business from significant fines and breach liability.

The key is getting started. Use PCICompliance.com’s free SAQ Wizard to identify exactly which questionnaire you need — it takes just minutes and eliminates the confusion. Our platform then guides you through each requirement, handles your ASV scanning, and tracks your compliance year-round. Whether you need basic tools or full compliance management, we make PCI as simple as it should be. Talk to our compliance team if you need help getting started, or jump right in with the SAQ Wizard. Your future self (and your payment processor) will thank you.
