Jane App PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and your first thought was “What is this?”, take a deep breath. For most small businesses accepting credit cards, Jane App PCI compliance is simpler than it sounds. You’re likely looking at a few hours of work once a year, not the complex security audit you might be imagining.

Here’s what matters: PCI compliance is required if you accept credit cards (yes, that includes you), but the vast majority of small merchants qualify for the simplest questionnaires. Think of it like your business license renewal — necessary, but manageable once you understand the process.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card information. If your business accepts Visa, Mastercard, American Express, or Discover — whether through a terminal, online, or over the phone — these requirements apply to you.

The major card brands created these standards through an organization called the PCI Security Standards Council (PCI SSC). But here’s the key point: the card brands don’t enforce compliance directly. Your acquirer (the bank or payment processor that handles your card transactions) does. That’s who sent you the compliance questionnaire.

Why It Matters

Non-compliance isn’t just bureaucratic hassle. Your payment processor can:

  • Charge monthly non-compliance fees (typically $25-100)
  • Fine you for not completing annual requirements (often $500-5,000)
  • Increase your processing rates
  • Terminate your ability to accept cards entirely

If a breach occurs and you’re not compliant, you could face liability for fraudulent charges, forensic investigation costs, and card reissue expenses. One breach can cost tens of thousands — far more than the few hundred dollars annual compliance typically costs.

The Good News

Most small businesses process nowhere near 6 million transactions annually; they fall well under the 1 million threshold shown in the merchant-level table below, making them Level 4 merchants — the category with the simplest compliance requirements. You won’t need an on-site assessor or complex security audits. Instead, you’ll complete a self-assessment questionnaire designed for businesses just like yours.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit or debit cards in any form, yes. This includes:

  • Swiping, dipping, or tapping cards at a terminal
  • Taking payments through your website
  • Entering card numbers into a virtual terminal
  • Processing phone orders
  • Storing card numbers for recurring billing (please reconsider this)

Your merchant level determines what type of compliance validation you need:

| Annual Visa Transactions | Merchant Level | What’s Required |
| --- | --- | --- |
| Over 6 million | Level 1 | Annual on-site assessment by QSA |
| 1-6 million | Level 2 | Annual self-assessment, quarterly scans |
| 20,000-1 million e-commerce | Level 3 | Annual self-assessment, quarterly scans |
| Under 20,000 e-commerce or under 1 million total | Level 4 | Annual self-assessment, quarterly scans may be required |

Most small businesses fall into Level 4. Your payment processor will tell you your level — it’s usually in that compliance packet they sent.

What Your Payment Processor Expects

When your acquirer sends that annual compliance questionnaire, they’re asking you to:
1. Complete the appropriate Self-Assessment Questionnaire (SAQ)
2. Fix any security gaps the questionnaire reveals
3. Submit an Attestation of Compliance (AOC) confirming completion
4. If required, pass quarterly vulnerability scans by an Approved Scanning Vendor (ASV)

Think of it as a security checklist combined with a promise that you’re following the rules. The questionnaire helps identify vulnerabilities before criminals find them.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in different versions based on how you handle card data. Here’s the decision tree in plain language:

Common Scenarios and Their SAQs

| How You Take Payments | Your SAQ Type | Number of Questions | Complexity |
| --- | --- | --- | --- |
| Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A | 22 | Simplest |
| E-commerce with payment fields on your site | SAQ A-EP | 139 | Moderate |
| Standalone terminals only (no connected systems) | SAQ B | 41 | Simple |
| Terminals connected to your network | SAQ B-IP | 82 | Moderate |
| Phone/mail orders into virtual terminal | SAQ C-VT | 53 | Simple |
| Multiple channels or storing card data | SAQ D | 329 | Complex |

If you use a payment terminal like Square, Clover, or a traditional credit card machine:

  • Terminal not connected to anything else → SAQ B
  • Terminal connected to your network or POS system → SAQ B-IP

If you have an e-commerce site:

  • Customers redirected to PayPal, Stripe Checkout, or similar → SAQ A
  • Payment form embedded on your site (even if hosted) → SAQ A-EP
  • You see or store the full card number → SAQ D (please stop)

If you take payments over the phone and enter them into a web-based virtual terminal → SAQ C-VT

If you store card numbers for any reason → SAQ D (seriously, please stop — use tokenization instead)

Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no payment industry jargon required.

How to Complete Your SAQ

Once you know your SAQ type, the actual questionnaire is straightforward. Each question asks whether you’re doing something specific to protect card data. You answer yes, no, or not applicable.

What “Yes” Really Means

When a question asks “Do you have a firewall?”, it’s not asking for enterprise-grade security. For most small merchants:

  • Your router’s built-in firewall counts
  • Windows Firewall or Mac’s firewall counts
  • Basic antivirus software meets malware protection requirements
  • Using strong passwords satisfies access control requirements

Documentation You’ll Need

Gather these before starting:

  • Network diagram (can be hand-drawn showing internet, router, computers, and terminals)
  • List of who has access to payment systems
  • Security policies (even simple ones count — “We lock the office at night”)
  • Vendor agreements if you use third-party payment services

The Quarterly ASV Scan

If your SAQ type requires it, you’ll need quarterly vulnerability scans by an Approved Scanning Vendor. Despite the intimidating name, this is just an automated security check of your public-facing systems (website, email server, etc.).

The ASV scan:

  • Takes 15-30 minutes to run
  • Checks for known security vulnerabilities
  • Generates a pass/fail report
  • Must be run every 90 days

Most ASV scans cost $50-100 per quarter. PCICompliance.com includes ASV scanning with our compliance platform — we’ll remind you when it’s due and help fix any issues found.

Submitting Your Completed SAQ

After answering all questions and passing required scans:
1. Complete the Attestation of Compliance (a one-page form)
2. Submit both documents to your payment processor
3. Keep copies for your records
4. Set a reminder for next year

Most processors have an online portal for submission. The whole process typically takes 2-4 hours for simple SAQ types.

What It Costs

Let’s be honest about the real costs of PCI compliance:

Compliance Platform and Tools

  • Basic SAQ completion tools: $100-300/year
  • Full compliance platforms: $200-1,200/year
  • PCICompliance.com: $299-599/year including ASV scanning

Quarterly ASV Scanning

  • Standalone ASV service: $200-400/year
  • Often included with compliance platforms
  • Required for most online merchants

If You Need a QSA

  • Only required for Level 1 merchants
  • On-site assessment: $15,000-50,000
  • Most small merchants never need this

The Cost of NON-Compliance

  • Monthly fees from processor: $25-100
  • Annual non-compliance fines: $500-5,000
  • Breach costs if non-compliant: $50,000-500,000
  • Loss of card processing ability: priceless (not in a good way)

For most Level 4 merchants, annual compliance costs less than $500 — often less than a single month’s non-compliance fee.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done exercise. Your payment processor expects:

  • Annual SAQ completion (usually on your merchant account anniversary)
  • Quarterly ASV scans if required (every 90 days)
  • Updated assessment if your payment setup changes

Setting Up Your Compliance Calendar

Create reminders for:

  • Annual SAQ due date (check your processor’s portal)
  • Quarterly scan dates (if applicable)
  • Security update checks (monthly is reasonable)
  • Password changes (every 90 days for payment systems)

What Changes Trigger a New Assessment

You’ll need to reassess if you:

  • Add new payment channels (start selling online)
  • Change payment processors or terminals
  • Begin storing card data (please don’t)
  • Experience significant growth in transaction volume

PCICompliance.com’s compliance dashboard tracks all these dates and requirements automatically, sending reminders before deadlines and keeping your compliance documentation organized year-round.

FAQ

I’m just a small business. Do I really need to worry about PCI compliance?

Yes, but it’s probably simpler than you think. If you accept credit cards, PCI compliance is required regardless of business size. The good news is that small businesses typically use the simplest SAQ types, which take just a few hours annually to complete.

What happens if I ignore the compliance questionnaire?

Your payment processor will likely start charging monthly non-compliance fees ($25-100) and may eventually terminate your merchant account. More importantly, if a breach occurs while you’re non-compliant, you could be liable for all associated costs.

Do I need to hire a security consultant?

For most small businesses, no. The self-assessment questionnaires are designed to be completed by business owners or office managers. Compliance platforms like PCICompliance.com provide guidance through each question without requiring technical expertise.

I use Square/PayPal/Stripe. Am I already compliant?

Using a reputable payment processor handles much of the security burden, but you still have responsibilities. You’ll likely qualify for SAQ A or B (the simplest types), but you still need to complete and submit the questionnaire annually.

How long does the SAQ take to complete?

It depends on your SAQ type. SAQ A takes about 30 minutes, SAQ B takes 1-2 hours, and SAQ A-EP or C-VT take 2-4 hours. SAQ D is complex and may take days, but if you qualify for SAQ D, you should seriously consider changing how you handle payments.

What’s an ASV scan and do I need one?

An Approved Scanning Vendor scan is an automated security check of your internet-facing systems. Most e-commerce merchants need quarterly scans. They’re not required for SAQ B (standalone terminals), but are required for most other SAQ types.

Can I just say “yes” to all the questions?

No — false attestation is fraud. The questions are designed to identify real security gaps. Answer honestly, fix any “no” answers, then resubmit. Your payment processor may verify your answers, especially after a breach.

How do I know if I’m storing card data?

If you have customer card numbers written down, saved in spreadsheets, or stored in your system after the transaction completes, you’re storing card data. This puts you in SAQ D territory. The solution: stop storing card data and use tokenization or your processor’s card-on-file feature instead.
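A practical way to answer this question is to scan your own exports for card numbers before a processor or assessor does. The script below is an added example, not code from this page or from PCICompliance.com: it looks for 13-19 digit runs in a text or CSV export, keeps only those that pass the Luhn check every real card number satisfies (so order numbers and phone numbers are filtered out), and reports them masked so the scan does not create yet another copy of card data. The sample export is constructed and uses publicly known test card numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so longer numeric runs are not split up).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample export; the two card numbers are public test PANs.
SAMPLE_EXPORT = """\
customer,notes
Alice,"Paid by card 4111 1111 1111 1111, receipt emailed"
Bob,"Order ref 1234567890123456, call (555) 012-3456"
Carol,"card on file 5555-5555-5555-4444 for monthly billing"
Dave,"token tok_9f8e7d6c5b4a (processor card-on-file)"
"""


def luhn_ok(digits):
    """Luhn mod-10 check: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits; that is all a report should show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return the Luhn-valid card-number candidates found in one line of text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_text(text):
    """Scan a whole export and return (line number, masked PAN) per finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_text(SAMPLE_EXPORT):
        print(f"line {lineno}: possible stored card number {masked}")
```

Any hit means the file holds card data and should be purged (and the source fixed), not just reported; tokens like the one on the last line are what a processor's card-on-file feature leaves behind instead.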

Conclusion

PCI compliance might seem overwhelming when that first questionnaire arrives, but for most small businesses, it’s a manageable annual task. You’re likely looking at a few hours of work to complete a simple SAQ, possibly quarterly security scans if you sell online, and basic security practices you should be following anyway.

The key is identifying which requirements actually apply to your business. Using standalone payment terminals? You might only need to answer 41 questions once a year. Redirecting to PayPal for online payments? Just 22 questions. Even if you have a more complex setup, the right tools and guidance make compliance achievable.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of dreading that annual questionnaire, you’ll have a clear path to compliance and the confidence that you’re protecting your customers’ payment data. Start with the free SAQ Wizard or talk to our compliance team to turn PCI compliance from a source of stress into just another routine business task.
