North Carolina PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re wondering what you’ve gotten yourself into, take a breath. For most small businesses in North Carolina, PCI compliance is much simpler than it sounds. You probably need to fill out a short questionnaire (often just 22 questions), run a quarterly security scan on your website, and submit the paperwork once a year. That’s it. No auditors, no expensive consultants, no IT overhaul — just some basic security practices you’re likely already following.

The questionnaire your processor sent isn’t a trap or a test. They’re required to collect it to prove their merchants are protecting card data. Most small businesses can complete the entire process in an afternoon. This guide will show you exactly what to do.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit cards. The major card brands — Visa, Mastercard, Discover, and American Express — created these standards through the PCI Security Standards Council to reduce credit card fraud.

Here’s the simple version: if you accept credit cards, you need to follow certain security practices and prove you’re following them once a year. Your acquirer (the bank or payment processor that handles your card transactions) enforces these requirements because they’re on the hook if one of their merchants gets breached.

The consequences of ignoring PCI compliance are real but manageable:

  • Your payment processor can fine you (typically $5,000-$100,000 depending on your size)
  • If you have a breach, you’re liable for the fraud losses and investigation costs
  • In extreme cases, you could lose the ability to accept credit cards

But here’s the good news most compliance companies won’t tell you: if you’re a small business using modern payment tools, you’re already doing most of what PCI requires. Square terminal? Stripe checkout? PayPal? These tools handle the heavy lifting of security for you. Your job is mainly to document that you’re using them correctly.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:

  • Physical stores with card terminals
  • E-commerce websites
  • Phone orders
  • Mobile payments
  • Even if you only process one card payment per year

Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 Visa transactions annually). Here’s what that means:

  • Complete a Self-Assessment Questionnaire (SAQ) annually
  • Run quarterly vulnerability scans if you have a website
  • No need for an outside auditor
  • No need for penetration testing

That compliance questionnaire your processor sent? It’s asking you to complete your annual SAQ and prove you’re protecting card data. They send it because they’re required to verify all their merchants are compliant. It’s not personal — it’s just compliance.

Which SAQ Do You Need?

The hardest part of PCI compliance is figuring out which questionnaire applies to your business. There are nine different SAQ types, but most small businesses use one of these four:

How You Accept Payments | SAQ Type | Number of Questions | Complexity
--- | --- | --- | ---
Redirect to payment page (PayPal, Stripe Checkout) | SAQ A | 22 | Easiest
E-commerce with payment fields on your site | SAQ A-EP | 139 | Moderate
Standalone terminal (Square, Clover) | SAQ B or B-IP | 41 | Easy
Phone orders (no electronic storage) | SAQ C-VT | 81 | Moderate
Store card numbers electronically | SAQ D | 329 | Complex

Let’s decode these scenarios:

SAQ A – You never touch card data. When customers pay, they’re redirected to a payment provider’s website (think PayPal checkout or Stripe’s hosted payment page). The card details never hit your servers.

SAQ A-EP – You have an e-commerce site where customers enter card details, but you’re using a payment provider’s JavaScript (like Stripe Elements or Authorize.net Accept.js) that sends the data directly to them, not through your server.

SAQ B or B-IP – You have a physical payment terminal that connects directly to your processor. B is for dial-up terminals (yes, they still exist); B-IP is for internet-connected ones. If you use Square, Clover, or similar modern terminals, this is probably you.

SAQ C-VT – You take orders over the phone and key them into a virtual terminal (a web page from your processor). As long as you don’t write down or store the card numbers, this simplified questionnaire applies.

SAQ D – The big one. If you store card numbers in any electronic format — spreadsheets, databases, even email — you’re in SAQ D territory. This requires all 329 questions and significantly more security controls. Our advice? Stop storing card data and use tokenization instead.

Not sure which one fits? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire to use. No guessing required.

How to Complete Your SAQ

Once you know which SAQ applies, the actual completion process is straightforward:

1. Download or access your SAQ. Your payment processor might provide a link, or you can get it from PCICompliance.com’s platform. It’s a PDF or online form with yes/no questions about your security practices.

2. Answer each question honestly. The questions sound technical but usually translate to simple practices. For example:

  • “Is cardholder data storage minimized?” = “Do you avoid saving card numbers?”
  • “Are security patches installed?” = “Do you update your software?”
  • “Is access to cardholder data restricted?” = “Do only necessary employees handle payments?”

3. Gather supporting documentation. You don’t usually submit these, but keep them handy:

  • Your network diagram (even a simple sketch works)
  • Security policies (basic written procedures count)
  • Employee training records (can be a sign-off sheet)
  • Scan reports (see below)

4. Complete your quarterly ASV scan. If you have any internet-facing systems (website, email server, etc.), you need an Approved Scanning Vendor to run vulnerability scans every three months. The scan checks for obvious security holes. It’s automated — you just provide your website URL or IP address, and the ASV does the rest. Most scans pass on the first try.

5. Submit your SAQ and Attestation of Compliance (AOC). The AOC is a summary form stating you completed the questionnaire and meet the requirements. Your processor will tell you how to submit these — usually through their compliance portal.

Total time investment? SAQ A takes about an hour. SAQ B might take two hours. Even the longer ones rarely take more than a day to complete if you have basic security measures in place.

What It Costs

Let’s talk real numbers. PCI compliance costs vary, but for most small businesses:

Compliance platform and tools: $100-300 per year

  • Includes SAQ wizard, form hosting, and submission
  • Some processors include this free
  • PCICompliance.com’s platform starts at $149/year

Quarterly ASV scanning: $200-400 per year

  • Four scans at $50-100 each
  • Some compliance platforms include this
  • Required only if you have internet-facing systems

QSA assessment: Not required for Level 4 merchants

  • Level 1 merchants budget $15,000-50,000
  • Most small businesses never need this

Total annual cost for most small merchants: $300-700

Compare that to non-compliance costs:

  • Monthly non-compliance fees from your processor: $20-100
  • Initial non-compliance fine: $5,000-100,000
  • Breach liability: $50-90 per compromised card
  • Forensic investigation: $10,000-100,000
  • Lost ability to accept cards: priceless

The math is clear — compliance costs less than a single month of breach-related expenses. Plus, the security practices PCI requires actually protect your business from fraud and chargebacks.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done exercise. Your processor will ask for updated documentation every year, and you need quarterly scans if required. Here’s how to stay on track:

Set annual reminders for your SAQ renewal. Most processors want it on the same date each year. Put it in your calendar now.

Schedule quarterly scans in advance. ASV scans are due every 90 days. Set them to auto-run if your platform supports it.

Update your SAQ when things change. New payment terminal? Different e-commerce platform? Moving from retail-only to e-commerce? These changes might require a different SAQ type.

Keep security top-of-mind. The practices PCI requires — updating software, restricting access, not storing card data — should be part of your regular operations, not just annual checkboxes.

Use a compliance dashboard. Tracking all these dates and requirements in a spreadsheet gets overwhelming. PCICompliance.com’s dashboard shows your compliance status at a glance, sends reminder emails, and stores all your documentation in one place.

FAQ

Q: My processor says I need PCI compliance but I use Square. Doesn’t Square handle this?
A: Square handles the security of the payment processing, but you still need to complete an annual SAQ (likely SAQ B) confirming you’re using their terminals securely. It’s mostly questions about physical security and employee training, and it takes about an hour.

Q: What happens if I just ignore the compliance request?
A: Your processor will start charging monthly non-compliance fees ($20-100 typically). Eventually, they may fine you ($5,000+) or terminate your merchant account. Compliance is actually easier than dealing with the consequences of ignoring it.

Q: I’m a tiny business processing maybe $10,000/year. Do I really need to do this?
A: Yes, PCI requirements apply regardless of volume. The good news is you qualify for the simplest questionnaires. An hour per year protects you from significant liability — it’s worth doing.

Q: Can I just pay someone to handle this for me?
A: Compliance platforms like PCICompliance.com can guide you through the process and handle the technical parts like scanning, but you still need to answer the questions about your business practices. Think of it like taxes — tools help, but you still need to provide the information.

Q: What’s this about quarterly scanning? My website is just a basic WordPress site.
A: If your website is on the internet, PCI requires quarterly vulnerability scans to check for security holes. An ASV runs automated scans that take about 15 minutes. Most basic websites pass without issues.

Q: I take phone orders but type them into my processor’s website. Which SAQ do I need?
A: If you’re using your processor’s virtual terminal and not storing card numbers anywhere (not even writing them down), you qualify for SAQ C-VT. It’s specifically designed for this scenario.

Q: How do I know if I’m storing card data?
A: Search your computer for files containing test card numbers like 4111111111111111. Check your email for order confirmations with full card numbers. Look in any spreadsheets or databases where customer information lives. If you find card numbers, you need to remove them and use SAQ D.
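The search this answer describes, as an added example that is not part of this guide or of PCICompliance.com’s tooling: a small Python script that walks a folder of text files, flags any 13 to 19 digit sequence that passes the Luhn check (so it goes beyond the single 4111111111111111 test value and finds real card-number patterns, while ignoring phone numbers and order ids), and reports each hit masked to the first six and last four digits so the scan output does not itself become stored cardholder data. The file names, sample file contents and the list of file extensions are constructed assumptions for the demo.

```python
import re
import tempfile
from pathlib import Path

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop a match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed set of text-like files worth reading; office/PDF formats need other tooling.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".eml", ".md", ".json", ".html"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:          # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; the report must never hold a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked, Luhn-valid card numbers found in text, in order, without duplicates."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))   # normalise "4111 1111 ..." forms
        if luhn_valid(digits):                          # drops order ids and other digit runs
            masked = mask_pan(digits)
            if masked not in found:
                found.append(masked)
    return found


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Walk root and map each relative file path to the masked PANs it contains."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            pans = find_pans(path.read_text(errors="ignore"))
            if pans:
                hits[str(path.relative_to(root))] = pans
    return hits


# Constructed sample content (not real data): an order log with a 16-digit order id that
# fails Luhn, a phone number, a spaced-out test PAN, and an email receipt holding a PAN.
SAMPLE_ORDERS = (
    "2024-03-02 order 1234567890123456 phone 919-555-0142\n"
    "card 4111 1111 1111 1111 exp 12/26 amount 42.00\n"
)
SAMPLE_EMAIL = "Subject: Receipt\n\nThanks! Charged to 5555555555554444.\n"


def demo() -> dict[str, list[str]]:
    """Write the constructed samples into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "orders.log").write_text(SAMPLE_ORDERS)
        (root / "mail").mkdir()
        (root / "mail" / "receipt.eml").write_text(SAMPLE_EMAIL)
        return scan_directory(root)


if __name__ == "__main__":
    for file_name, pans in demo().items():
        print(f"{file_name}: {', '.join(pans)}")
```

Point `scan_directory` at the folders where orders, exports and mail archives live. Anything it reports is electronic card-data storage in the sense the answer describes, and the masked output is safe to keep as evidence of the clean-up.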

Conclusion

PCI compliance sounds intimidating, but for most small businesses, it’s surprisingly manageable. That questionnaire from your processor isn’t a test you can fail — it’s a checklist to confirm you’re following basic security practices. Answer honestly, run your scans if required, and submit the paperwork once a year.

The entire process typically takes less time than you spend on your quarterly sales tax filing, and it protects you from significant financial liability. More importantly, the security practices PCI requires actually help prevent the types of breaches that put small businesses out of business.

PCICompliance.com makes the entire process even simpler. Our free SAQ Wizard identifies exactly which questionnaire you need based on your payment setup — no more guessing. Our ASV scanning service handles your quarterly vulnerability scans automatically. And our compliance dashboard tracks everything in one place, sending reminders when it’s time to renew. You can start with the free SAQ Wizard to see which questionnaire applies to your business, or talk to our compliance team if you need guidance. Either way, you’ll have your PCI compliance sorted in less time than it took to read this guide.
