What You Need to Know About PCI Compliance
If you just received a PCI compliance questionnaire from your payment processor and your first thought was “What is this and why are they asking me about it?” — take a deep breath. For most small businesses, Minnesota PCI compliance is much simpler than it first appears. You’re not alone in feeling overwhelmed by the technical jargon and security requirements, but here’s the reality: if you’re like most small merchants, you can complete your compliance requirements in an afternoon with the right guidance.
Think of PCI compliance like having a smoke detector in your business — it’s a safety requirement that protects you and your customers. The good news is that the payment card industry has created streamlined paths for small businesses that don’t store card numbers or have complex payment systems. This guide will walk you through exactly what you need to do, in plain English, without the technical complexity that makes compliance seem impossible.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. These companies formed the PCI Security Standards Council to establish consistent security standards for anyone who handles credit card information. If you accept credit cards in your business, these standards apply to you.
Your acquirer (the bank or payment processor that handles your card transactions) is responsible for making sure you follow these rules. That’s why they sent you that compliance questionnaire. They’re not trying to make your life difficult — they’re required by the card brands to verify that every merchant in their portfolio maintains proper security standards.
The consequences of non-compliance are real but manageable. Your payment processor can impose monthly fines (typically $20-100 for small merchants), you could face significant liability if card data is stolen from your business, and in extreme cases, you could lose the ability to accept credit cards. However, these consequences are entirely avoidable by completing your annual compliance requirements.
Here’s what should give you hope: the vast majority of small businesses qualify for the simplest compliance paths. If you use modern payment terminals or hosted payment pages, you’re already doing most of what’s required. The compliance process is mainly about documenting what you’re already doing right.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form — in person, online, over the phone, or even occasionally at events — you need to be PCI compliant. There’s no minimum transaction volume or business size that exempts you from these requirements.
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total Visa transactions annually). Level 4 merchants complete a Self-Assessment Questionnaire (SAQ) rather than undergoing a full assessment by a QSA (Qualified Security Assessor). This is good news — it means you can handle compliance yourself without hiring expensive consultants.
When your payment processor sends you a compliance questionnaire, they’re asking you to complete your annual PCI assessment. This isn’t a one-time request — PCI compliance is an ongoing requirement that you’ll need to address every year. Your processor needs this documentation to show the card brands that their merchants are maintaining proper security standards.
The questionnaire they sent likely includes instructions for accessing a compliance portal or completing an SAQ. Don’t ignore it — processors typically start charging non-compliance fees after 90 days, and these monthly fees continue until you complete your requirements.
Which SAQ Do You Need?
The SAQ you need depends entirely on how you accept and process credit cards. There are different questionnaires for different payment scenarios, ranging from simple (20-30 questions) to complex (300+ questions). Here’s how to determine which one applies to your business:
| How You Accept Payments | Your SAQ Type | Number of Questions | Typical Completion Time |
|---|---|---|---|
| Customers enter cards on payment processor’s website (PayPal, Stripe Checkout, Square Online) | SAQ A | 22 | 30-60 minutes |
| E-commerce site where you control the checkout page | SAQ A-EP | 139 | 2-4 hours |
| Standalone terminals with no electronic storage | SAQ B | 41 | 1-2 hours |
| Standalone terminals connected to internet | SAQ B-IP | 91 | 2-3 hours |
| Taking cards over the phone (no recording) | SAQ C-VT | 85 | 2-3 hours |
| Any electronic storage of card numbers | SAQ D | 329 | Days to weeks |
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B or SAQ B-IP. The difference depends on whether your terminal connects to the internet directly (B-IP) or dials out over a phone line (B).
If you have an e-commerce site with hosted checkout — where customers are redirected to PayPal, Stripe, or another processor’s page to enter card details — you qualify for SAQ A, the simplest questionnaire. If you control the checkout page but don’t store cards, you’ll need SAQ A-EP.
If you take card payments over the phone and type them into a virtual terminal or payment software, you’ll complete SAQ C-VT. This assumes you don’t record calls or write down card numbers.
If you store card numbers in any electronic format — in your accounting software, CRM, or even in email — you’ll need to complete SAQ D, the full questionnaire. This is the path you want to avoid if at all possible.
PCICompliance.com offers a free SAQ Wizard that asks you a few simple questions about your payment setup and tells you exactly which questionnaire applies. It takes less than five minutes and removes all the guesswork.
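As an added illustration (not code from PCICompliance.com or its SAQ Wizard), here is a small Python selector that encodes the decision rule of the table above, including the precedence that any electronic storage of card numbers forces SAQ D no matter how cards are accepted. The profile field names and the handling of merchants with several payment channels are assumptions, not PCI SSC rules.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class PaymentProfile:
    """How a merchant accepts cards; every field defaults to 'no'. (Hypothetical model.)"""
    stores_card_numbers_electronically: bool = False  # accounting software, CRM, email, recorded calls
    ecommerce: bool = False                           # sells online
    hosted_checkout: bool = False                     # customer is redirected to the processor's page
    standalone_terminal: bool = False                 # card-present terminal, no electronic storage
    terminal_uses_internet: bool = False              # terminal connects over IP rather than dial-up
    phone_orders_virtual_terminal: bool = False       # cards keyed into a virtual terminal, no call recording


def eligible_saqs(p: PaymentProfile) -> list[str]:
    """Return the SAQ type for each payment channel in use.

    Electronic storage of card numbers overrides everything else: SAQ D applies
    to the whole environment regardless of how the cards were accepted.
    """
    if p.stores_card_numbers_electronically:
        return ["SAQ D"]
    saqs: list[str] = []
    if p.ecommerce:
        saqs.append("SAQ A" if p.hosted_checkout else "SAQ A-EP")
    if p.standalone_terminal:
        saqs.append("SAQ B-IP" if p.terminal_uses_internet else "SAQ B")
    if p.phone_orders_virtual_terminal:
        saqs.append("SAQ C-VT")
    return saqs


def recommended_path(p: PaymentProfile) -> str:
    """One-line recommendation. Assumption: a merchant with several channels should
    confirm with the acquirer whether one SAQ per channel is acceptable or SAQ D is required."""
    saqs = eligible_saqs(p)
    if not saqs:
        return "No card acceptance described: no SAQ applies"
    if len(saqs) == 1:
        return f"Complete {saqs[0]}"
    return f"Multiple channels ({', '.join(saqs)}): confirm with your acquirer which SAQ(s) to file"


if __name__ == "__main__":
    # Constructed sample: a shop with a dial-up terminal that also takes phone orders.
    shop = PaymentProfile(standalone_terminal=True, phone_orders_virtual_terminal=True)
    print(recommended_path(shop))
```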
How to Complete Your SAQ
Once you know which SAQ you need, the actual completion process is straightforward. Each questionnaire consists of yes/no questions about your security practices. “Yes” means you’re doing what the question asks, you can prove it if asked, and you do it consistently.
For example, a common question asks whether you have a firewall protecting your payment environment. If you use a standalone terminal, your answer is likely “yes” because the terminal itself has built-in security features. If you process e-commerce transactions, your web hosting provider’s firewall counts.
You’ll need to gather some basic documentation before starting:
- A simple network diagram or description of how payments flow through your business
- Your payment processor agreements and setup documentation
- Any security policies you’ve written (don’t panic if you don’t have formal policies — templates are available)
- Contact information for your IT support or managed service provider
The quarterly ASV scan requirement applies to all merchants with any internet-facing systems. An Approved Scanning Vendor runs automated security scans of your public IP addresses to check for vulnerabilities. These scans are painless — you provide your website or IP address, the ASV runs the scan, and you receive a passing or failing report. Most small businesses pass on the first try, and any failures usually involve simple fixes like updating software.
After completing your SAQ and passing your ASV scans, you’ll sign an Attestation of Compliance (AOC). This is your official declaration that you’ve met all applicable PCI DSS requirements. Submit both documents through your processor’s compliance portal or as directed in their questionnaire.
What It Costs
PCI compliance costs vary based on your setup and which tools you use, but for most small businesses, the annual investment is minimal — especially compared to the cost of non-compliance.
Compliance platforms and SAQ tools typically charge $100-300 annually for small merchants. These platforms guide you through the questionnaire, store your documentation, track your compliance dates, and often include ASV scanning. Some payment processors include basic compliance tools with your merchant account.
Quarterly ASV scanning runs $50-100 per scan if purchased separately, though many compliance platforms bundle scanning with their annual fees. You need four passing scans per year (one per quarter) to maintain compliance.
If you need a QSA — which only applies to Level 1 merchants or those who can’t self-assess — expect to pay $10,000-50,000 for a full Report on Compliance (ROC). Fortunately, this doesn’t apply to most small businesses.
The cost of non-compliance adds up quickly. Monthly non-compliance fees from your processor range from $20 to $100. If you suffer a breach while non-compliant, you could face fines from $5,000 to $100,000 per month until you prove the situation is resolved. You’d also be liable for fraud losses, card reissuance costs, and forensic investigation fees.
When you consider that annual compliance for a small merchant costs less than three months of typical non-compliance fees, the investment makes sense purely from a financial perspective — before even considering the security benefits and peace of mind.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an ongoing commitment to protecting your customers’ payment data. Your processor will ask you to recertify annually, and you’ll need to complete quarterly ASV scans throughout the year.
Set calendar reminders for:
- Your annual SAQ due date (usually the anniversary of your last submission)
- Quarterly ASV scan windows (every 90 days)
- Security update checks for your payment systems
- Review of any service provider changes that might affect your compliance
Certain changes to your business require immediate attention to compliance:
- Adding new payment channels (like starting e-commerce or phone orders)
- Changing payment processors or adding payment types
- Implementing new software that touches payment data
- Moving to a new location or opening additional locations
PCICompliance.com’s compliance dashboard automatically tracks all these dates and sends you reminders before deadlines approach. The platform maintains your compliance history, stores your documentation, and makes annual recertification as simple as reviewing last year’s answers and confirming what’s changed.
Frequently Asked Questions
My payment processor says I need to be PCI compliant. Is this legitimate?
Yes, this is absolutely legitimate. Every business that accepts credit cards must comply with PCI DSS requirements. Your payment processor is required by Visa, Mastercard, and other card brands to ensure their merchants maintain proper security standards. The questionnaire they sent is how you demonstrate compliance as a small merchant.
I only process a few transactions per month. Do I still need to comply?
Yes, PCI compliance applies regardless of your transaction volume. There’s no minimum threshold that exempts you from these requirements. The good news is that your low volume means you qualify for the simplest compliance methods and won’t need expensive assessments.
What happens if I don’t complete my PCI compliance?
Your processor will likely start charging monthly non-compliance fees (typically $20-100) after their grace period expires. More seriously, if card data is compromised at your business while you’re non-compliant, you could face fines up to $100,000 per month and liability for fraud losses. You could also lose the ability to accept credit cards.
I use Square/PayPal/Stripe. Don’t they handle PCI compliance for me?
These providers handle security for the payment data they process, but you still have responsibilities. You need to complete an SAQ (usually the simple SAQ A) confirming you’re following proper procedures like not writing down card numbers and keeping your devices secure. Your compliance requirements are minimal but not eliminated.
How often do I need to complete PCI requirements?
PCI compliance is an annual requirement, with quarterly ASV scans if you have any internet-connected systems. Mark your calendar for both your annual SAQ due date and quarterly scan windows. Most compliance platforms send automatic reminders to keep you on track.
Can I just pay someone to handle this for me?
For most small merchants, hiring consultants isn’t necessary — the self-assessment process is designed for business owners to complete independently. However, compliance platforms like PCICompliance.com provide guided questionnaires and support that make the process much easier. If you’re a larger merchant or have complex payment systems, working with a QSA might make sense.
Taking the Next Step
PCI compliance might seem overwhelming when you first encounter it, but remember — thousands of small businesses just like yours successfully complete their requirements every year. The key is understanding which path applies to your specific situation and taking it one step at a time.
Start by identifying which SAQ matches your payment setup using PCICompliance.com’s free SAQ Wizard. This simple tool asks questions in plain English about how you accept payments and immediately tells you which questionnaire applies. Once you know your SAQ type, you can accurately estimate the time and resources needed for compliance.
For most small merchants, achieving Minnesota PCI compliance is a matter of documenting the security practices you already follow. Modern payment terminals and hosted checkout pages handle most technical requirements automatically. Your role is primarily answering questions honestly and maintaining basic security hygiene like not storing card numbers and keeping your systems updated.
Don’t let the technical jargon or security requirements intimidate you into inaction. The monthly non-compliance fees and potential liability far outweigh the few hours it takes to complete your annual assessment. With the right tools and guidance, you can achieve compliance quickly and maintain it with minimal ongoing effort.
PCICompliance.com provides everything you need to achieve and maintain PCI compliance in one platform — our SAQ Wizard identifies your requirements, our ASV scanning service handles quarterly vulnerability scans automatically, and our compliance dashboard tracks your progress throughout the year. More importantly, our support team understands that you’re running a business, not a security department. We’re here to make compliance as simple as possible while ensuring you meet all requirements. Start with our free SAQ Wizard today, or reach out to our compliance team for a conversation about your specific situation.