Weebly Payments PCI

Welcome to PCI Compliance — It’s Not as Scary as You Think

You just received an email from your payment processor with “PCI Compliance Questionnaire” in the subject line. Your first thought might be panic — what is this? What happens if you don’t complete it? How much is this going to cost?

Take a deep breath. For most small businesses using Weebly Payments, PCI compliance is straightforward. You probably qualify for one of the simpler self-assessment questionnaires, which takes about an hour to complete. The quarterly scans your processor requires? They’re automated and usually cost less than your monthly coffee budget. And that intimidating compliance questionnaire? We’ll walk you through exactly what it means and how to complete it.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as the baseline security practices you need to follow when accepting credit card payments.

The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquiring bank or payment processor (like Square, Stripe, or PayPal) sends you compliance questionnaires and monitors your compliance status. They’re the ones who’ll fine you for non-compliance or potentially terminate your merchant account.

Why Should You Care?

Beyond the obvious “because you have to” answer, there are real consequences to ignoring PCI compliance:

  • Fines from your processor ranging from $5,000 to $100,000 per month
  • Liability for fraud losses if your business experiences a breach
  • Loss of card processing privileges — you literally can’t accept credit cards anymore
  • Damage to your reputation if customer data is compromised

The good news? Most small businesses qualify for the simplest compliance paths. You’re not building Fort Knox — you’re implementing basic security practices that protect both your business and your customers.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes.

It doesn’t matter if you process one transaction or one million. It doesn’t matter if you use a simple card reader or a sophisticated e-commerce platform. If credit card data touches your business in any way, PCI compliance applies to you.

Your Merchant Level

PCI groups merchants into four levels based on annual transaction volume:

  • Level 1: Over 6 million transactions annually
  • Level 2: 1 to 6 million transactions annually
  • Level 3: 20,000 to 1 million transactions annually
  • Level 4: Fewer than 20,000 transactions annually

Most small businesses fall into Level 4, which means you can self-assess your compliance using an SAQ (Self-Assessment Questionnaire) instead of hiring an expensive QSA for a full assessment.

What Your Payment Processor Expects

That compliance questionnaire your processor sent? They’re required to verify your compliance status annually. Here’s what they typically want:

  • A completed SAQ appropriate to your payment processing methods
  • An Attestation of Compliance (AOC) — basically your signature saying the SAQ is accurate
  • Passing quarterly vulnerability scans if you process payments online
  • Evidence of compliance if they request it

Miss these deadlines and you’ll start seeing monthly non-compliance fees on your merchant statements — usually $25 to $100 per month until you comply.

Which SAQ Do You Need?

The PCI Security Standards Council offers multiple SAQ types, each designed for different payment scenarios. Using the wrong one isn’t just inefficient — it could mean you’re not actually compliant.

Here’s how to determine which SAQ fits your business:

How You Accept Payments                                  | SAQ Type  | Questions | Difficulty
---------------------------------------------------------|-----------|-----------|-----------
Redirect to payment provider (PayPal, Stripe Checkout)   | SAQ A     | ~20       | Easy
E-commerce with payment fields on your site              | SAQ A-EP  | ~140      | Moderate
Physical terminal only (no connected systems)            | SAQ B     | ~40       | Easy
Physical terminal connected to internet                  | SAQ B-IP  | ~80       | Moderate
Manual card entry (phone/mail orders)                    | SAQ C-VT  | ~80       | Moderate
Any other scenario or storing card data                  | SAQ D     | ~320      | Complex

Common Scenarios

Using Weebly Payments on your website? You’re likely SAQ A if customers are redirected to Weebly’s hosted payment page. If payment fields appear directly on your site, you might be SAQ A-EP.

Coffee shop with a Square terminal? That’s typically SAQ B if it’s a standalone device, or SAQ B-IP if it connects through your Wi-Fi.

Taking orders over the phone? You’re looking at SAQ C-VT for virtual terminal transactions.

Storing credit card numbers in a spreadsheet? First, stop doing that immediately. Second, you’re SAQ D — the most complex type requiring professional help.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Once you know your SAQ type, the actual completion process is straightforward. Each SAQ consists of yes/no questions about your security practices.

What “Yes” Actually Means

When you answer “yes” to a question like “Do you restrict access to cardholder data by business need-to-know?” you’re confirming:

  • You’ve implemented this security control
  • You have evidence to prove it if asked
  • You’ll maintain this control going forward

Can’t honestly answer “yes”? You’ll need to implement the missing control before marking the requirement as met. For SAQ A merchants, this is usually simple — most requirements are already handled by your payment provider.

Documentation You’ll Need

Gather these items before starting your SAQ:

  • Network diagram (even a simple one showing your payment terminal and router)
  • List of who has access to payment systems
  • Security policies (many small businesses use templates — that’s fine)
  • ASV scan reports if you process payments online
  • Service provider compliance status (your payment processor should provide this)

The Quarterly ASV Scan

If you have any internet-facing systems that handle payments, you’ll need quarterly vulnerability scans from an Approved Scanning Vendor. These automated scans check for security vulnerabilities in your web servers and generate a report showing pass/fail status.

The scan itself takes minutes to run and costs about $50-150 per quarter. Schedule your first scan as soon as possible — you need a passing scan before submitting your SAQ.

Submitting Your Compliance Package

Your completed compliance submission includes:

1. The filled-out SAQ with all questions answered
2. A signed Attestation of Compliance (AOC)
3. Passing ASV scan reports (if required)
4. Any additional documentation your processor requests

Most processors accept these through their online portal. Some use third-party compliance platforms. Either way, submission typically takes just a few minutes once everything is complete.

What It Costs

Let’s talk real numbers — both for achieving compliance and for ignoring it.

Compliance Costs

SAQ completion tools: Free to $300/year for automated platforms that guide you through the process

Quarterly ASV scanning: $200-600/year for four quarterly scans

Compliance platform: $300-1,200/year for comprehensive tools including SAQ wizard, scanning, and tracking

Professional help: $2,000-5,000 if you need a consultant (most Level 4 merchants don’t)

Total for typical small merchant: $500-1,500/year

Non-Compliance Costs

Monthly processor fees: $25-100/month until you comply

Breach fines: $5,000-100,000 depending on severity

Fraud liability: You’re responsible for any fraudulent charges

Forensic investigation: $10,000+ if you’re breached

Lost processing privileges: Priceless — you literally can’t run your business

For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — it’s about protecting your business’s ability to accept payments.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your compliance status resets annually, and certain requirements need attention throughout the year.

Annual Requirements

  • Complete and submit your SAQ by your processor’s deadline
  • Update your security policies to reflect any business changes
  • Review user access and remove anyone who no longer needs it
  • Test your incident response plan (even informally)

Quarterly Requirements

  • Run ASV scans if you process payments online
  • Review firewall and router configurations
  • Check for security patches on payment systems

When You Need a New Assessment

Major changes to your payment setup trigger reassessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment providers or processors
  • Storing card data when you didn’t before
  • Experiencing a breach or security incident

Making It Manageable

Set quarterly calendar reminders for your scan dates. Use a compliance platform that tracks deadlines and sends alerts. Keep documentation organized in a dedicated “PCI Compliance” folder. When your processor sends the annual questionnaire, you’ll be ready instead of scrambling.

PCICompliance.com’s compliance dashboard shows your current status, upcoming deadlines, and exactly what needs attention — making year-round compliance as simple as checking a dashboard.

Frequently Asked Questions

What happens if I ignore the PCI compliance questionnaire?

Your payment processor will start charging monthly non-compliance fees — typically $25-100. Ignore it long enough and they may increase your processing rates, hold your funds, or terminate your merchant account entirely. The questionnaire doesn’t go away, and neither do the requirements.

Can I just mark “yes” on everything to pass?

Technically yes, but it’s fraud. If a breach occurs and investigators find you lied on your SAQ, you’re personally liable for all fraud losses and fines. Answer honestly — it’s better to implement a missing control than to lie about having it.

Do I need to hire a QSA?

Most small businesses don’t. Level 4 merchants (under 20,000 transactions annually) can self-assess using an SAQ. Only Level 1 merchants and service providers typically need a QSA to perform a full Report on Compliance (ROC).

What’s the difference between PCI compliance and being secure?

PCI DSS represents baseline security requirements — the minimum needed to protect card data. True security might require going beyond PCI requirements. Think of PCI as passing your driving test, while being secure is actually being a safe driver.

How often do I need to run vulnerability scans?

If you’re required to run ASV scans (any merchant with internet-facing payment systems), you need them quarterly — four times per year. Miss a quarter and you’re technically non-compliant until you have four consecutive passing scans again.

Can my web developer handle this for me?

They can help with technical requirements like installing SSL certificates or configuring firewalls, but you’re ultimately responsible for compliance. Many technical requirements are straightforward — the challenge is usually understanding what’s required, not implementing it.

What if I only accept payments through PayPal or Square?

You still need to be PCI compliant, but your requirements are minimal. These providers handle most security controls for you. You’ll likely qualify for SAQ A — the simplest questionnaire with about 20 yes/no questions.

Is PCI compliance the same as GDPR or CCPA?

No, they’re completely different. PCI DSS protects payment card data specifically. GDPR and CCPA are privacy regulations covering all personal data. You might need to comply with all three, but they have different requirements and penalties.

Moving Forward with Confidence

PCI compliance sounds intimidating, but for most small businesses, it’s surprisingly manageable. You’re not implementing bank-level security — you’re following basic practices that any business handling sensitive data should follow anyway.

Start by identifying your SAQ type. Complete the questionnaire honestly, implementing any missing controls as you go. Schedule your quarterly scans if needed. Submit your compliance package to your processor. Then set reminders to do it again next year.

The key is starting now. That compliance questionnaire from your processor isn’t going away, and neither are the monthly fees for ignoring it. Take an hour to understand your requirements, another hour to complete your SAQ, and you’ll wonder why you worried so much.

PCICompliance.com simplifies the entire process — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard tracks your progress year-round. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and guidance to achieve and maintain PCI compliance without the complexity. Start with our free SAQ Wizard to identify your requirements, or talk to our compliance team for personalized guidance on your Weebly Payments PCI compliance journey.
