Bottom Line Up Front
Received a PCI compliance questionnaire from your payment processor and feeling overwhelmed? Take a breath. For most small businesses in Poland that accept credit cards, PCI compliance is simpler than you think. You’ll likely need to complete a short questionnaire called an SAQ (Self-Assessment Questionnaire), run quarterly security scans if your SAQ type calls for them, and follow some basic security practices you’re probably already doing. This guide walks you through exactly what you need to know, in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to anyone who stores, processes, or transmits payment card data, which in practice means anyone who accepts credit or debit card payments. The major card brands (Visa, Mastercard, American Express, Discover, and JCB) maintain the standard through the PCI Security Standards Council to protect cardholder data from theft and fraud.
Your acquirer (the bank or payment processor that handles your card transactions) enforces these rules. When they send you that compliance questionnaire, they’re not trying to make your life difficult — they’re required to verify that everyone in their payment chain follows the same security standards.
The consequences of non-compliance are real but manageable. Your payment processor can impose fines (typically €50-200 per month for small merchants), you’ll face liability if there’s a data breach, and in extreme cases, you could lose the ability to accept card payments. But here’s the good news: most small businesses qualify for the simplest compliance requirements, which you can complete in an afternoon.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form — whether through a terminal, online, over the phone, or even on paper — yes, you need to be PCI compliant. This applies whether you process one transaction per month or thousands.
Your merchant level determines how much documentation you need to provide. Levels are defined by each card brand, and your acquirer tells you which one you are in. Most small businesses fall into Level 4 (fewer than 20,000 e-commerce transactions per year, or up to 1 million total transactions per year). Level 4 merchants complete a self-assessment rather than hiring an external auditor.
What your payment processor expects from you:
- Complete the appropriate SAQ for your business type
- Run quarterly vulnerability scans if you have any internet-facing systems
- Submit an Attestation of Compliance (AOC) confirming you’ve met the requirements
- Maintain compliance year-round, not just at assessment time
That questionnaire they sent? It’s your annual reminder to complete these steps. Think of it like your annual tax filing — required, but manageable with the right guidance.
Which SAQ Do You Need?
The PCI compliance world has nine different SAQ types, but most small businesses fall into one of the six below. The question counts are indicative: they change with each SAQ version, so use the version your acquirer specifies. Here’s how to determine which one applies to you:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity Level |
|---|---|---|---|
| Outsource all payment processing (PayPal, Square online) | SAQ A | 22 | Simplest |
| E-commerce with payment form on your site | SAQ A-EP | 139 | Moderate |
| Standalone terminals only (no connected systems) | SAQ B | 41 | Simple |
| Terminals connected to internet/network | SAQ B-IP | 82 | Moderate |
| Manual card entry (virtual terminal, phone orders) | SAQ C-VT | 80 | Moderate |
| Paper forms or storing card numbers | SAQ D | 329 | Complex |
If you use a standalone payment terminal, you’re likely SAQ B if the terminal dials out over a phone line and is not connected to any of your other systems, or SAQ B-IP if it is a PTS-approved terminal that sends transactions to your processor over the internet and is kept separate from your other computers. For a reader that runs through a phone or tablet app (Square, Clover and similar), ask your acquirer which SAQ they expect, since the app and device make the setup different from a traditional terminal.
If you have an e-commerce site where customers are redirected to, or shown a payment form served by, a PCI DSS validated provider (a hosted checkout page from Shopify, WooCommerce with Stripe Checkout, or similar), and no card data ever passes through your own server, you’re likely SAQ A, the simplest form with only 22 questions. If your own site serves the payment form and posts card data onward, or your own scripts can read it, you’re SAQ A-EP instead.
If you take payments over the phone using a virtual terminal or web-based portal, you’re likely SAQ C-VT. This applies even if you never store the card numbers.
If you store card numbers in any form (spreadsheets, customer databases, or even paper files), you’re SAQ D, the most complex assessment. Consider switching to tokenization or stopping card storage entirely to simplify your compliance. One rule applies regardless of SAQ type: the security code (CVV/CVC), PIN, and full magnetic stripe or chip data must never be kept after a transaction is authorized, not even encrypted. If you find these written on order forms or saved in notes, that has to stop immediately.
PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ applies. No guesswork required.
How to Complete Your SAQ
Your SAQ is a questionnaire with yes/no questions about your security practices. Despite the intimidating acronyms, most questions are straightforward: “Do you have a firewall?” “Do you change default passwords?” “Do you have antivirus software?”
Answering “yes” means you have that security control in place and can demonstrate it if asked. You don’t need perfect IT infrastructure — you need honest answers and basic security hygiene. For SAQ A (the simplest), you’ll answer 22 questions. For SAQ B, it’s 41 questions. Most small businesses can complete their assessment in 1-3 hours.
Documentation you’ll need:
- List of payment terminals or software you use
- Your network setup (even a simple diagram helps)
- Security policies (even informal ones count)
- Vendor agreements for any third-party payment services
The quarterly ASV scan is required by some SAQ types (your SAQ says whether it applies to you) and covers the internet-facing systems that are in scope for your card payments, such as a website that hosts a payment form or a network with IP-connected terminals. An Approved Scanning Vendor runs automated security scans of your public IP addresses and domain names looking for known vulnerabilities. Think of it as a security checkup every three months. The scan itself typically takes minutes to a few hours, and you’ll receive a report listing any issues to fix. A scan only passes if no vulnerability rated CVSS 4.0 or higher is found; if something fails, fix it and re-scan, since it is the passing report you submit. You also need a fresh scan after any significant change to those systems.
Once complete, you’ll sign an Attestation of Compliance (AOC) — essentially a declaration that you’ve answered accurately and met the requirements. Submit this to your payment processor along with your passing scan reports, and you’re done for the year.
What It Costs
PCI compliance costs vary based on your size and complexity, but for most small businesses, it’s less than you might fear.
Compliance platform and SAQ tools typically run €10-50 per month. These platforms guide you through the questionnaire, store your documentation, and track your compliance status. Some payment processors include basic tools with your merchant account.
Quarterly ASV scanning costs €20-100 per scan, or €80-400 annually. Many compliance platforms bundle scanning with their other services. If you don’t have any internet-facing systems, you might not need scanning at all.
If you need a QSA (Qualified Security Assessor), budget €5,000-25,000 for a formal assessment. But remember: most small businesses never need a QSA. Only larger merchants or those with complex environments require external assessment.
The cost of NON-compliance far exceeds compliance costs. Monthly non-compliance fees from your processor range from €50-500. If you suffer a breach while non-compliant, you face fines starting at €5,000 plus liability for fraud losses and card reissuance costs. One breach can cost more than a decade of compliance.
Honest assessment: for most small merchants, annual compliance costs less than your monthly coffee budget — and certainly less than a single processor fine.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your processor expects annual recertification, quarterly scans (if required), and ongoing adherence to security practices. But don’t panic — maintaining compliance is mostly about consistency.
Set these reminders:
- Annual SAQ due date (usually your anniversary with the processor)
- Quarterly ASV scan dates (every 90 days)
- Password change reminders (every 90 days, unless your SAQ version lets you replace periodic changes with a stronger control such as multi-factor authentication)
- Security update checks (monthly)
What triggers a reassessment:
- Changing payment processors or adding new payment channels
- Significant network changes or new locations
- Moving from outsourced to in-house payment processing
- Starting to store cardholder data (please reconsider)
PCICompliance.com’s compliance dashboard tracks all these dates, sends automatic reminders, and shows your compliance status at a glance. No spreadsheets or sticky notes required.
FAQ
My payment processor says I need to be PCI compliant by next month. Is that realistic?
Yes, for most small businesses. If you qualify for SAQ A or B, you can complete the assessment in an afternoon. The quarterly scan (if required) takes about 30 minutes. Start with determining your SAQ type — that’s half the battle.
I’m just a small shop with one credit card terminal. Do these rules really apply to me?
Unfortunately, yes. PCI DSS applies to any business accepting credit cards, regardless of size. The good news is you likely qualify for SAQ B, one of the simpler assessments with just 41 questions about basic security practices.
What happens if I just ignore the compliance notice?
Your payment processor will likely start charging non-compliance fees (€50-500 monthly) after the deadline. Eventually, they may freeze your ability to process new transactions until you comply. It’s far easier to spend a few hours completing the assessment.
I use Square/PayPal/Stripe for everything. Am I already compliant?
Not automatically. While these providers handle the complex security for you (great choice!), you still need to complete SAQ A confirming you’re using them properly. It’s the simplest form with just 22 questions — consider it paperwork that confirms your smart payment choice.
Can I just say “yes” to all the questions to pass?
Technically you could, but it’s a terrible idea. A false attestation breaches your merchant agreement and shifts breach liability onto you, and if you have a breach the forensic investigator will compare your answers against what they find on your systems. Answer honestly. If you can’t say “yes” to something, fix it or document a compensating control.
Do I need to hire an IT security consultant?
For most small businesses, no. SAQ A and B are designed for non-technical users. The questions ask about basic security practices, not complex IT architecture. Save consultant fees for if you’re SAQ D or having specific technical challenges.
How do I know if I’m storing credit card data?
Check these places: spreadsheets, customer databases, email (including sent items), paper files, and backup systems. If you find card numbers anywhere, you’re storing data and likely need SAQ D. Consider stopping this practice — modern payment systems make storage unnecessary.
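The check described in this answer, and the “do you store card numbers anywhere?” question from the SAQ D section above, can be automated for plain-text exports (CSV, .eml mailbox exports, text files, logs). The script below is an added example written for this guide, not code from PCICompliance.com or any PCI SSC tool. It looks for 13- to 19-digit runs, keeps only those that pass the Luhn check and start with a prefix of a major card brand, and reports them masked so the report itself does not become a new store of card data. The CSV sample is constructed and uses the public brand test numbers, not real cards; the brand-prefix table is a simplified assumption, and spreadsheets in .xlsx format must be exported to CSV first because they are zip archives, not text.

```python
"""Cardholder-data discovery: find candidate PANs in text files.

Added example for this guide (not PCICompliance.com code). Scans plain-text
exports for digit runs that pass the Luhn check and match a major card-brand
prefix, then reports them masked. Sample input below is constructed.
"""
import re
from pathlib import Path
from typing import Iterable, List, NamedTuple, Optional

# 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer run of digits (so long IDs are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str
    line_no: int
    masked: str
    brand: str


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Map leading digits (IIN) and length to a brand; None if nothing matches.
    Simplified assumption: only the four brands named in this guide."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "Mastercard"
    if n == 15 and two in (34, 37):
        return "American Express"
    if n == 16 and (four == 6011 or two == 65):
        return "Discover"
    return None


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS allows on a display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    """Return masked findings for every brand-matching, Luhn-valid number in the text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if not luhn_valid(digits):
                continue  # order numbers and phone numbers almost never pass Luhn
            brand = card_brand(digits)
            if brand is None:
                continue  # Luhn-valid but no known brand prefix: treat as noise
            findings.append(Finding(source, line_no, mask_pan(digits), brand))
    return findings


def scan_files(paths: Iterable[Path]) -> List[Finding]:
    """Scan several text files; a stray binary file is read with replacement, not skipped."""
    findings: List[Finding] = []
    for path in paths:
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(text, source=str(path)))
    return findings


# Constructed sample: a CSV export where staff typed card details into a free-text column.
# The card numbers are the public brand test numbers, not real cards.
SAMPLE_EXPORT = """\
order_id,customer,note
1234567890123456,Anna Kowalska,paid by phone with card 4111 1111 1111 1111 exp 12/27
1234567890123457,Jan Nowak,Mastercard 5555-5555-5555-4444
1234567890123458,Ewa Zielińska,amex 378282246310005 cvv 123
1234567890123459,Piotr Wiśniewski,phone +48 600 123 456
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT, source="orders_export.csv"):
        print(f"{f.source}:{f.line_no}  {f.brand:16s} {f.masked}")
```

Run it against exported mailboxes, database dumps and shared drives; every hit is a place where card data is stored and therefore a reason you would be SAQ D until it is removed. Note the third sample row also contains a CVV next to the card number, which must never be kept after authorization regardless of SAQ type.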
What’s this ASV scan and do I really need it quarterly?
An ASV scan is an automated security check of the internet-facing systems that are in scope for your card payments. Whether you need one is determined by your SAQ type: if you host a payment form, use IP-connected terminals, or otherwise have in-scope systems reachable from the internet, you need passing quarterly scans. If you only use standalone dial-out terminals, or fully outsource payments to a hosted provider, you might not need scanning at all.
Conclusion
PCI compliance for a small business in Poland doesn’t have to be overwhelming. For most small businesses, it’s a matter of completing a straightforward questionnaire, running quarterly security scans if your SAQ type requires them, and following basic security practices you’re likely already doing. The key is understanding which requirements apply to your specific situation.
Start by identifying your SAQ type — this immediately tells you what’s required. Use PCICompliance.com’s free SAQ Wizard to get an instant answer based on your payment setup. Our platform then guides you through each requirement, handles your ASV scanning needs, and tracks your compliance status year-round. Whether you’re completing your first assessment or maintaining ongoing compliance, we provide the tools and support to keep your business secure and your payment processor satisfied. Don’t let another non-compliance fee hit your account — take the first step with our SAQ Wizard or reach out to our compliance team for guidance tailored to your business.