The Bottom Line Up Front
If you’re here because your payment processor just sent you a PCI compliance questionnaire and you’re wondering what on earth you’re supposed to do with it, take a deep breath. For most small businesses using modern payment systems, Kartra PCI compliance is simpler than you think. You probably won’t need to hire consultants, implement complex security controls, or spend months preparing documentation. In fact, if you’re using Kartra’s integrated payment features the right way, you might only need to answer a handful of yes/no questions once a year.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through an organization called the PCI Security Standards Council. Think of it as the rulebook for keeping credit card data safe.
Here’s what matters to you: if you accept credit cards in any form, these rules apply to your business. Your acquirer (the bank or payment processor that handles your card transactions) enforces these rules because they’re on the hook if something goes wrong.
The consequences of non-compliance aren’t theoretical. Your payment processor can fine you monthly until you comply — typically $25-$100 per month for small merchants, but potentially thousands for larger businesses. If there’s a breach and you weren’t compliant, you could face liability for fraudulent transactions and breach-related costs. In extreme cases, you could lose the ability to accept credit cards entirely.
But here’s the good news that compliance platforms don’t always lead with: most small businesses qualify for the simplest SAQ types (Self-Assessment Questionnaires), which means you’re looking at answering 20-80 straightforward questions, not the 300+ questions that large retailers face.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards, yes. It doesn’t matter if you process one transaction or one thousand, if you’re a nonprofit or for-profit, if you’re online-only or have a physical location. Credit card acceptance equals PCI compliance requirements.
Most small businesses fall into Merchant Level 4 — processing fewer than 20,000 e-commerce transactions or up to 1 million total Visa transactions annually. Don’t worry about counting transactions precisely; your payment processor already knows your level and will tell you what they need.
That compliance questionnaire they sent? It’s their way of verifying you’re following the rules. They’re required to collect it annually, and they’ll keep sending reminders (and eventually fines) until you complete it. The questionnaire itself is called an SAQ, and which one you need depends on how you accept payments.
Which SAQ Do You Need?
The key to simple compliance is figuring out which SAQ applies to your business. There are several types, but most small businesses need one of these:
| Payment Method | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Redirected to a third party's hosted payment page, or a payment form the third party delivers in an iframe (PayPal, Stripe Checkout) | SAQ A | 22 | Simplest |
| E-commerce where the card-entry fields or payment scripts are served from your own site | SAQ A-EP | 191 | Moderate |
| Standalone dial-out or IP-connected terminal, not attached to a computer | SAQ B or B-IP | 41-82 | Simple |
| Keying cards into a virtual terminal (phone or mail orders) | SAQ C-VT | 80 | Moderate |
| Storing card numbers, or anything not covered above | SAQ D | 329 | Complex |
The question counts above are from PCI DSS v3.2.1 and change with each revision of the standard (the v4.x questionnaires differ), so treat them as rough sizes and go by the count on the form your processor actually sends you.
For Kartra users specifically, your SAQ type depends on how you’ve configured payments:
- If Kartra sends the customer to a payment page hosted by your processor, or the card fields are delivered by the processor inside an iframe and your pages never handle card data, you’re likely SAQ A
- If the card-entry fields or the payment scripts are served from your own Kartra pages (for example, a checkout that collects the card number on your page and posts it to the processor), you’re probably SAQ A-EP
- If you’re manually entering customer cards through a virtual terminal (phone or mail orders), that’s SAQ C-VT
- If you store card numbers anywhere (a spreadsheet, an email, a CRM note), you drop to SAQ D, so don’t
The fastest way to know for sure? Use PCICompliance.com’s SAQ Wizard — answer a few questions about your payment setup and we’ll tell you exactly which questionnaire applies.
How to Complete Your SAQ
Your SAQ is essentially a security checklist with yes/no questions. Each “yes” means you’re doing what the standard requires. A “no” means you need to either implement that control or explain why it doesn’t apply to your business.
For SAQ A (the simplest), you’ll answer questions like:
- Do you have a policy for protecting cardholder data?
- Do you restrict access to payment systems to authorized personnel?
- Are you using secure, supported systems?
Most questions are straightforward when you understand what they’re really asking. “Do you have an incident response plan?” doesn’t mean you need a 50-page document — a simple one-page plan stating who to call if something goes wrong counts as “yes.”
You’ll need to gather some basic documentation:
- Your payment processing agreement
- Any security policies you have (even simple ones)
- Results from your quarterly ASV scan (more on that below)
Speaking of ASV scans: if you have internet-facing systems that handle payment data, you need quarterly external vulnerability scans from an Approved Scanning Vendor. Whether an SAQ A merchant needs them depends on which version of PCI DSS and which SAQ form your processor uses, so check the form or ask them. The scan is automated and takes a few minutes to set up, but it can fail: under the ASV program any finding with a CVSS base score of 4.0 or higher fails the scan, and you then fix the issue and rescan until it passes. You need a passing scan from each quarter to attest on your annual SAQ, so don’t leave the scan until the last day of the quarter.
Once complete, you’ll submit your SAQ along with an AOC (Attestation of Compliance) — basically a formal declaration that your answers are accurate — to your payment processor.
What It Costs
Let’s talk real numbers. For most small businesses, annual PCI compliance costs break down like this:
Compliance platform and tools: $100-$300/year for SAQ management software that guides you through the questions and stores your documentation.
Quarterly ASV scanning: $200-$400/year for four quarterly scans. Some compliance platforms include this in their fee.
If you need a QSA: This only applies if you’re processing millions of transactions or your acquirer specifically requires it. QSA assessments start around $10,000 annually — but again, most small merchants never need this.
Compare that to the cost of non-compliance: monthly fees from your processor starting at $25-$100, potential breach liability that can reach thousands per compromised card, and the business impact of losing card acceptance. For most merchants the math is simple: a year of compliance costs about the same as a year of non-compliance fees, and only one of the two reduces your breach exposure.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your SAQ expires after one year, and you’ll need those quarterly ASV scans throughout the year. When your acquirer sends the annual compliance questionnaire, you’ll go through the process again.
The good news? Once you’ve done it once, subsequent years are much easier. Your answers from last year carry forward, and you just update anything that’s changed.
Set calendar reminders for:
- Quarterly ASV scans (every 90 days, scheduled early enough in the quarter to remediate and rescan if one fails)
- Annual SAQ renewal (same month each year)
- Any significant changes to your payment setup
Major changes that might affect your compliance include switching payment processors, adding new payment channels (like a physical terminal when you were online-only), or significantly increasing your transaction volume.
PCICompliance.com’s compliance dashboard tracks all these dates for you, sending reminders when scans are due and flagging any issues that need attention before your renewal.
FAQ
I’m just a small business using Kartra. Do I really need to worry about this?
Yes, but it’s likely simpler than you think. If you’re using Kartra’s standard payment integrations without storing card numbers yourself, you probably qualify for SAQ A — just 22 yes/no questions once a year.
What happens if I ignore the compliance questionnaire?
Your payment processor will start with reminder emails, then monthly fines (typically $25-$100), and eventually could terminate your ability to accept cards. It’s far easier to spend an hour completing the questionnaire.
Do I need to hire a security consultant?
For most small businesses using modern payment platforms like Kartra, no. The SAQ is designed for business owners to complete themselves. You only need professional help if you’re storing card data or processing very high volumes.
What’s this ASV scan they’re asking for?
It’s an automated external vulnerability scan of any internet-facing systems that handle payments, run by an Approved Scanning Vendor. It takes minutes to set up and runs each quarter, checking for known vulnerabilities and misconfigurations. It is a test you can fail: findings rated CVSS 4.0 or higher fail the scan, so budget time to remediate and rescan within the quarter.
I don’t store credit card numbers. Why do I still need to comply?
Even if you never see or store card numbers, you’re still part of the payment ecosystem. PCI compliance ensures every link in the chain maintains basic security standards. The good news is that not storing cards qualifies you for the simpler SAQ types.
How long does the whole process take?
For a typical small business qualifying for SAQ A or B, expect 1-2 hours for your first assessment, including gathering documents and setting up quarterly scans. Renewals typically take 30 minutes since you’re just updating last year’s answers.
What if I answer “no” to some questions?
That’s normal. For each “no” you either implement the control, document a compensating control that meets the same objective (the SAQ includes a worksheet for this), or mark the requirement “not applicable” with a short explanation of why it doesn’t apply to your environment. Many “no” answers can be fixed with simple policy documents or minor configuration changes.
Can I just say “yes” to everything to pass?
Don’t do this. Your attestation is a legal declaration. If there’s a breach and investigation shows your answers were false, you face serious liability. Answer honestly — most small merchants can achieve compliance without implementing every single control.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but for most businesses using modern payment systems like Kartra, it’s a manageable annual task. The key is understanding which SAQ applies to your specific setup and tackling it systematically rather than letting it pile up with the other paperwork.
Remember, the goal isn’t perfection — it’s reasonable security practices that protect both your business and your customers’ card data. Start by identifying your correct SAQ type, set aside an hour or two to work through the questions, and set up those quarterly scans. Once you’ve completed your first assessment, maintaining compliance becomes part of your regular business routine.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team if you need guidance getting started. We’ve helped thousands of merchants navigate their first PCI assessment, and we can help you too.