Fresha PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor, take a breath. For most small businesses using modern payment systems, Fresha PCI compliance is simpler than you think. You’re likely looking at a short questionnaire (20-80 questions) that you can complete in an afternoon, not the 300+ question assessment that larger companies face. Here’s what you actually need to know to get compliant and stay that way.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover — to protect credit card data. If you accept card payments in any form, these requirements apply to you. Think of it as the card industry’s security checklist that helps prevent data breaches and fraud.

The card brands created the PCI Security Standards Council (PCI SSC) to manage these standards, but it’s your acquirer (the bank or payment processor that handles your card transactions) who actually enforces them. They’re the ones who sent you that compliance questionnaire, and they’re who you’ll submit your completed assessment to.

The consequences of non-compliance are real but manageable. Your processor can fine you (typically $5,000-$100,000 per month for continued non-compliance), you’ll be liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept card payments. But here’s the good news: most small businesses qualify for the simplest compliance requirements, and getting compliant is usually easier than dealing with the consequences of ignoring it.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you process one transaction or one million, use a simple terminal or complex e-commerce platform — if customer card data touches your business in any way, PCI compliance applies.

Most small businesses are Level 4 merchants (processing under 20,000 e-commerce transactions or up to 1 million total transactions annually). This is actually good news — Level 4 merchants have the lightest compliance requirements. You complete a self-assessment questionnaire (SAQ) annually and run quarterly vulnerability scans if you have any internet-facing systems.

Your payment processor expects you to:

  • Complete the appropriate SAQ for your payment setup
  • Pass quarterly vulnerability scans (if required for your SAQ type)
  • Submit your Attestation of Compliance (AOC) annually
  • Fix any security issues identified during the process

That compliance questionnaire they sent? It’s their way of confirming you’re meeting these requirements. They’re required by the card brands to verify all their merchants are compliant.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you handle card payments. Here’s the decision tree in plain language:

| How You Accept Payments | SAQ Type | Number of Questions | Complexity Level |
| --- | --- | --- | --- |
| Outsource everything to a third party (PayPal, Square online) | SAQ A | 22 | Easiest |
| E-commerce with payment page on your site (Stripe Elements, hosted fields) | SAQ A-EP | 139 | Moderate |
| Standalone terminal with no electronic storage | SAQ B | 41 | Easy |
| Terminal connected to internet (IP terminal) | SAQ B-IP | 82 | Easy-Moderate |
| Take payments over phone/mail, no electronic storage | SAQ C-VT | 80 | Moderate |
| Store card data electronically (please reconsider) | SAQ D | 329+ | Complex |

Common scenarios for Fresha PCI compliance:

  • If you’re a salon using Fresha’s integrated payment processing through their app or terminal, you’re likely SAQ B or SAQ B-IP depending on your setup
  • If you only use Fresha for bookings but process payments through a separate terminal, your SAQ type depends on that terminal
  • If you take card details over the phone for deposits, you might need SAQ C-VT

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.

How to Complete Your SAQ

The questionnaire itself is a series of yes/no questions about your security practices. For example, SAQ B might ask: “Are all WiFi networks at merchant locations using encryption?” A “yes” answer means you’ve implemented that security control.

Here’s what completing your SAQ looks like:
1. Download the correct SAQ from the PCI SSC website or use an online compliance platform
2. Read each question carefully — they’re specific about what they’re asking
3. Answer honestly (false answers can make you liable in a breach)
4. For any “no” answers, you’ll need to either fix the issue or document a compensating control
5. Complete the Attestation of Compliance (AOC) that summarizes your answers
6. Submit to your payment processor

Documentation you’ll typically need:

  • Network diagram (even a simple one)
  • List of any systems that handle card data
  • Security policies (many templates available online)
  • Vulnerability scan results (if required)

About those quarterly ASV scans: If your SAQ type requires them (anything internet-facing usually does), you’ll need to hire an Approved Scanning Vendor to scan your external IP addresses every 90 days. The scan checks for vulnerabilities hackers could exploit. It’s automated, usually costs $200-500 per year, and the ASV helps you fix any issues found.

Most SAQs take 1-4 hours to complete once you understand your payment environment. The hardest part is usually the first time — after that, annual recertification is mostly confirming nothing has changed.

What It Costs

Let’s talk real numbers for Fresha PCI compliance and small business compliance in general:

Compliance platform and SAQ tools:

  • Free: Download SAQs directly from PCI SSC website
  • $200-500/year: Online platforms with guided questionnaires and compliance tracking
  • $500-2,000/year: Full-service platforms with expert support

Quarterly ASV scanning:

  • $200-500/year for basic scanning
  • $500-1,500/year for scanning with remediation support

If you need a QSA:

  • Only required for Level 1 merchants (over 6 million transactions)
  • Small merchants can self-assess
  • QSA assessment runs $10,000-50,000+ (but again, you probably don’t need this)

The cost of NON-compliance:

  • Monthly fines: $5,000-100,000 from your processor
  • Breach costs: Average $150 per compromised card number
  • Forensic investigation: $10,000-100,000+ if you have a breach
  • Lost ability to process cards: Devastating for most businesses

For most small merchants, annual compliance costs less than a single month’s non-compliance fine. Think of it as security insurance that costs less than your actual business insurance.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual certification with quarterly scans (if required). Your processor will ask for updated compliance validation every year.

Set yourself up for success:

  • Calendar annual SAQ due date (usually 12 months from last submission)
  • Schedule quarterly ASV scans if required (every 90 days)
  • Review your payment setup before major changes (new terminal, e-commerce platform, etc.)
  • Keep your network diagram and policies updated

Changes that trigger a reassessment:

  • New payment channels (adding e-commerce to retail)
  • Changing payment processors or terminals
  • Starting to store card data (please don’t)
  • Major network or system changes

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends reminders before deadlines, and maintains your compliance history. No more scrambling when your processor sends that annual notice.

FAQ

I’m just a small salon using Fresha payments. Do I really need to worry about this?

Yes, but it’s likely simpler than you think. If you’re using Fresha’s integrated payment system with their provided terminals, you probably qualify for SAQ B or B-IP — straightforward questionnaires focused on physical security and basic network protections. The whole process might take you two hours once a year.

What happens if I just ignore the compliance request?

Your payment processor will start with reminder notices, then move to monthly non-compliance fees (typically starting at $25-100 and escalating to thousands). Eventually, they can terminate your merchant account, meaning you can’t accept cards at all. It’s much easier to just complete the questionnaire.

Can I just say “yes” to all the questions?

Absolutely not. False attestation makes you fully liable in case of a breach. If you suffer a compromise and investigators find you lied on your SAQ, you’re responsible for all fraud losses, fines, and remediation costs. Answer honestly and fix any gaps.

Do I need to hire an expensive consultant?

Most small businesses don’t. The self-assessment questionnaires are designed for business owners to complete. If you’re truly stuck, many payment processors offer free compliance support, or you can use an online platform for guided help at a fraction of consultant costs.

How do I know if I’m storing card data?

Check your point-of-sale system, accounting software, email, and any spreadsheets. If you can see full card numbers anywhere after a transaction completes, you’re storing card data. Modern payment systems shouldn’t store this data — if yours does, it’s time to upgrade.
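One way to carry out that check on exported spreadsheets, e-mail or POS dumps, as an added example that is not part of the original article or any PCICompliance.com tool: look for runs of 13-19 digits that pass the Luhn checksum card numbers use, and report only masked values. Masked receipts such as “**** 4242” have too few digits to match, so they are correctly ignored. The sample lines are constructed.

```python
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side. Constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digits-only candidate PANs in text that pass Luhn.
    Masked values like '**** **** **** 4242' never match: too few digits."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits) and len(set(digits)) > 1:   # skip 0000...0
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four digits, the usual PCI DSS display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample lines a salon might find in a spreadsheet export or e-mail.
SAMPLE_LINES = [
    "Deposit for Jane D, card 4111 1111 1111 1111, exp 09/27",  # full PAN (test number)
    "Refund processed, card ending **** **** **** 4242",        # masked, not stored PAN
    "Invoice #5500000000000004 paid by terminal",               # full PAN (test number)
    "Order 1234567890123456 shipped",                           # 16 digits, fails Luhn
    "Phone: 07700 900123",                                      # too short to be a PAN
]


def scan(lines) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every full PAN found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask(pan)))
    return hits
```

Any hit means card data is being stored outside the payment system and the file or mailbox holding it is in scope for the SAQ until it is removed.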

What’s this ASV scan and do I need one?

An Approved Scanning Vendor scan checks your internet-facing systems for vulnerabilities quarterly. You need them if you have any systems connected to the internet that handle card data — including e-commerce sites, IP-enabled terminals, or cloud-based POS systems. The scan is automated and usually finds common issues like outdated software or weak configurations.

My payment processor says I need to be compliant but Fresha handles all my payments. Who’s responsible?

You are. While Fresha (or any payment service provider) handles much of the security burden, you’re still responsible for your piece — physical terminal security, network protections, staff training, etc. The good news is that using a reputable provider like Fresha significantly reduces your compliance scope.

How often do I need to recertify?

Annually for your SAQ and attestation, quarterly for ASV scans (if required). Your payment processor will typically send reminders, but it’s your responsibility to track these dates. Missing deadlines triggers non-compliance fees surprisingly quickly.

Making PCI Compliance Manageable

PCI compliance might seem overwhelming when that first questionnaire arrives, but for most businesses using modern payment solutions like Fresha, it’s a manageable annual task. You’re likely looking at a few hours once a year to complete a straightforward questionnaire, plus quarterly scans if you process payments online.

The key is understanding which requirements actually apply to your specific setup. Using integrated payment solutions, avoiding card data storage, and maintaining basic security practices keeps you in the simplest compliance categories.

PCICompliance.com simplifies this entire process. Our free SAQ Wizard identifies exactly which questionnaire applies to your payment setup — no more guessing which form to use. Our ASV scanning service handles quarterly vulnerability scans with automatic scheduling and clear remediation guidance. The compliance dashboard tracks your progress, stores your documentation, and sends timely reminders so you never miss a deadline. Whether you’re achieving PCI compliance for the first time or maintaining it year after year, we provide the tools and guidance to make it straightforward. Start with our free SAQ Wizard to identify your requirements, or contact our compliance team for personalized guidance on your specific payment environment.
