That PCI Compliance Letter From Your Payment Processor? It’s Not as Scary as It Looks
If you just received a PCI compliance questionnaire from your payment processor and your first thought was “What is this?” — you’re not alone. Every day, business owners open these letters and feel overwhelmed by the technical jargon and implied threats of fines. Here’s the truth: for most small businesses, PCI compliance is simpler than it sounds, and you can probably complete it in an afternoon.
Think of PCI compliance like a safety inspection for businesses that accept credit cards. Just as restaurants need health inspections and buildings need fire inspections, businesses that handle card payments need to show they’re protecting customer data. The good news? If you’re using modern payment tools like Square, Stripe, or PayPal, you’re already doing most of what’s required.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. They formed the PCI Security Standards Council to manage these standards, but it’s actually your payment processor or acquiring bank who enforces them and sends you that compliance questionnaire.
The standard exists for one simple reason: to protect credit card data from theft. Every business that accepts, processes, stores, or transmits credit card information must comply with PCI DSS. This includes the card number (the PAN or Primary Account Number), but also the expiration date, cardholder name, and especially the security code.
Who Enforces This and What Happens If You Don’t Comply?
Your payment processor (the company that deposits card payments into your bank account) is required by the card brands to ensure all their merchants are compliant. If you don’t complete your annual compliance requirements, here’s what typically happens:
- Monthly non-compliance fees ranging from $20 to $100
- Higher processing rates on all your transactions
- Full liability if there’s a data breach at your business
- Potential termination of your merchant account (losing the ability to accept cards)
The consequences are real, but here’s the encouraging part: most small businesses qualify for the simplest compliance options. If you’re reading this article, you probably don’t need the complex assessments that large retailers face.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes. This includes:
- Swiping, dipping, or tapping cards at a terminal
- Entering card numbers into a virtual terminal
- Taking payments through your website
- Processing cards over the phone
- Using mobile card readers like Square
What Merchant Level Are You?
PCI compliance requirements are based on your merchant level, which is determined by how many card transactions you process annually:
| Merchant Level | Annual Visa Transactions | Compliance Requirements |
|---|---|---|
| Level 1 | Over 6 million | Annual onsite assessment by QSA |
| Level 2 | 1 to 6 million | Annual self-assessment + quarterly scans |
| Level 3 | 20,000 to 1 million | Annual self-assessment + quarterly scans |
| Level 4 | Under 20,000 | Annual self-assessment + quarterly scans |
Most small businesses are Level 4 merchants, which means you can self-certify your compliance using a Self-Assessment Questionnaire (SAQ) instead of hiring an expensive QSA (Qualified Security Assessor).
Why Your Payment Processor Sent That Letter
Payment processors are required to verify that all their merchants maintain PCI compliance. That questionnaire they sent is their way of:
- Determining which type of SAQ you need to complete
- Collecting your annual compliance attestation
- Ensuring they meet their own obligations to the card brands
The letter probably included deadlines and mentioned potential fees. These are real, but completing your compliance is usually straightforward once you know which path to take.
Which SAQ Do You Need?
The Self-Assessment Questionnaire comes in different versions based on how you accept payments. Think of it like tax forms — there’s a simple version for straightforward situations and more complex versions for complicated scenarios. Here’s how to determine which one applies to your business:
The SAQ Decision Tree for Small Businesses
| How You Accept Payments | Your SAQ Type | Number of Questions | Difficulty |
|---|---|---|---|
| Fully outsourced (PayPal, Square online) | SAQ A | 22 | Easy |
| E-commerce with hosted payment page | SAQ A-EP | 191 | Moderate |
| Standalone terminal only | SAQ B | 41 | Easy |
| Terminal connected to internet | SAQ B-IP | 82 | Easy-Moderate |
| Manual entry or phone orders | SAQ C-VT | 160 | Moderate |
| Store card data or complex setup | SAQ D | 329 | Complex |
Let’s break down the most common scenarios:
SAQ A: You fully outsource all payment processing. Examples include:
- Using PayPal standard checkout where customers leave your site
- Shopify Payments where you never touch card data
- Any setup where your business never sees the actual card number
SAQ B or B-IP: You use standalone payment terminals. Examples include:
- Square terminal or Square Stand
- Clover station or Clover Flex
- Traditional credit card machines
- Any terminal that connects over a phone line (SAQ B) or the internet (SAQ B-IP)
SAQ C-VT: You manually enter card numbers. Examples include:
- Taking orders over the phone and entering the cards into a virtual terminal
- Typing card numbers into your payment processor’s website
- Mail order or telephone order (MOTO) businesses
SAQ D: You store card numbers or have complex payment setups. If this is you, please consider changing your processes — SAQ D involves all 12 requirements of PCI DSS and often requires professional help.
PCICompliance.com offers a free SAQ Wizard that asks simple questions about your payment setup and tells you exactly which questionnaire applies. It takes less than five minutes and removes all the guesswork.
How to Complete Your SAQ
Once you know which SAQ type you need, the actual completion process is straightforward. Here’s what to expect:
What the Questionnaire Looks Like
Your SAQ is a series of yes/no questions about your payment security practices. For example:
- “Do you have a firewall protecting your payment systems?”
- “Do you change default passwords on payment equipment?”
- “Do you have a process to install security patches?”
For each question, you’re declaring whether you meet that requirement. Important: Answering “yes” means you actually do that thing, not that you plan to or think it’s a good idea.
How Long Does It Take?
- SAQ A: 30-60 minutes (22 questions about your payment provider)
- SAQ B: 60-90 minutes (41 questions about your terminal)
- SAQ B-IP: 90-120 minutes (82 questions about terminal and network)
- SAQ C-VT: 2-4 hours (160 questions about virtual terminal use)
- SAQ D: Multiple days (329 questions covering all security domains)
Documentation You’ll Need
Before starting, gather:
- Your merchant account information
- Payment terminal models and software versions
- Network diagrams (for SAQ B-IP and above)
- Security policies (for SAQ C-VT and above)
- List of any third-party payment service providers
The Quarterly ASV Scan
If you’re SAQ B-IP, C-VT, or D, you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This isn’t as technical as it sounds:
1. You provide your business’s external IP addresses
2. The ASV runs automated security scans
3. You get a report showing any vulnerabilities
4. You fix any critical issues and request a rescan
5. Once you pass, you get a certificate for compliance
PCICompliance.com includes ASV scanning in our compliance packages — we’ll remind you every quarter, run the scans, and help interpret the results.
Submitting Your Compliance
After completing your SAQ, you’ll:
1. Generate an Attestation of Compliance (AOC) — a formal declaration that you’ve met all requirements
2. Submit both documents (the completed SAQ and the AOC) to your payment processor
3. Upload any required evidence (like ASV scan certificates)
4. Receive confirmation of your compliant status
Most payment processors have online portals where you upload these documents. Some still accept email or paper submissions.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you do it yourself or use a service:
Compliance Platform Costs
- DIY approach: Free (but time-consuming and risky if you make mistakes)
- Basic SAQ tools: $150-300 per year
- Full-service platforms: $300-600 per year
- Enterprise solutions: $1,000+ per year
ASV Scanning Costs
- Standalone ASV service: $150-300 per year (4 quarterly scans)
- Bundled with compliance platform: Often included
- Remediation support: $50-150 per incident if you need help fixing issues
If You Need Professional Help
- QSA consultation: $500-2,000 for guidance
- Full QSA assessment: $10,000-50,000 (only required for Level 1 merchants)
- Compliance consultant: $150-300 per hour
The Cost of Non-Compliance
Here’s why compliance is worth it:
- Monthly non-compliance fees: $20-100 (that’s $240-1,200 per year)
- Data breach average cost: $150 per compromised card
- Card brand fines: $5,000-100,000 per incident
- Lost reputation: Impossible to calculate but devastating
For most small merchants, annual compliance costs less than three months of non-compliance fees. It’s simply good business.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your status expires annually, and certain requirements need attention throughout the year:
Annual Requirements
- Complete your SAQ questionnaire
- Submit your Attestation of Compliance
- Update any changed payment processes
- Review and update security policies
Quarterly Requirements
- ASV vulnerability scans (if required for your SAQ type)
- Review of security patches and updates
- Firewall and router configuration reviews (for higher SAQ types)
What Triggers a New Assessment
You’ll need to reassess your compliance if you:
- Change payment processors or add new payment methods
- Start storing card data (please don’t)
- Experience a significant business change (new locations, e-commerce launch)
- Have a security incident
Making It Easy
Set calendar reminders for:
- Annual SAQ renewal (30 days before expiration)
- Quarterly ASV scans (if required)
- Monthly reviews of processor statements for compliance fees
PCICompliance.com’s compliance dashboard tracks all these dates automatically and sends reminders when action is needed. You’ll never miss a deadline or pay an unnecessary non-compliance fee.
Frequently Asked Questions
I’m just a small business. Do I really need to do this?
Yes. Size doesn’t matter when it comes to PCI compliance: if you accept credit cards, you need to comply. The good news is that small businesses typically qualify for the simplest SAQ types, which you can complete in an hour or two.
What if I only process a few cards per month?
You still need to comply, but you’re likely a Level 4 merchant with the simplest requirements. Your SAQ type depends on how you process those cards, not how many. Even one card transaction per year requires compliance.
Can I just pay the non-compliance fee instead?
This is expensive and risky. Non-compliance fees add up to hundreds or thousands per year, and you’re fully liable if there’s a breach. Completing compliance is usually cheaper than paying ongoing fees.
What happens if I fail my ASV scan?
Failing is normal — most businesses fail their first scan. The ASV provides a report showing what needs fixing. You make the changes, request a rescan, and repeat until you pass. You only need one passing scan per quarter.
Do I need to hire a QSA?
Probably not. Only Level 1 merchants (processing over 6 million transactions annually) require a QSA assessment. Most businesses can self-assess using the appropriate SAQ.
What if I use multiple payment processors?
You need to be compliant with each processor’s requirements. However, you typically complete one SAQ that covers your highest-risk payment method and submit it to all processors.
How do I know if I’m storing card data?
Check your systems for saved card numbers, even partial ones. Common places include: email, spreadsheets, customer databases, voicemail systems, and paper files. If you find stored card data, secure it immediately and consider switching to tokenization.
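One way to check exports, spreadsheets and mailbox dumps for full card numbers is to look for 13-19 digit runs and keep only those that pass the Luhn check that every card brand uses, so order numbers and phone numbers are not reported. The script below is an added example, not code from this page or from PCICompliance.com; the sample export it scans is constructed and uses the public brand test numbers rather than real accounts.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not abutting other digits. Two numbers separated only by a space would be
# merged into one over-long candidate and skipped: a known limitation.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every major card brand's PAN satisfies it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report findings in first-six/last-four form so the report itself
    does not become another copy of stored card data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


# Constructed sample: a phone-order spreadsheet export. The 16-digit order
# ids and the phone numbers must not be flagged; the third row's card value
# fails Luhn (a typo), so only rows 2 and 3 should be reported.
SAMPLE_EXPORT = """order_id,customer,phone,card,notes
1234567890123456,A. Jones,555-123-4567,4111 1111 1111 1111,paid by phone
1234567890123457,B. Smith,555-987-6543,5500-0000-0000-0004,call back
1234567890123458,C. Lee,555-555-0199,4111 1111 1111 1112,typo in card?
"""

if __name__ == "__main__":
    for lineno, masked in scan_text(SAMPLE_EXPORT):
        print(f"line {lineno}: possible stored PAN {masked}")
```

Run it over exported CSVs, mailbox text dumps or notes directories; any hit means card data is being stored and belongs in your processor's tokenized vault, not on your systems.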
Can I use the same SAQ every year?
You need to complete a fresh SAQ annually, but the type usually stays the same. Review your payment processes each year to confirm nothing has changed that would require a different SAQ type.
Your Next Steps Toward PCI Compliance
That compliance questionnaire from your payment processor isn’t going away, but now you understand what it means and how to handle it. For most small businesses, achieving PCI compliance is a manageable task that protects both your customers and your business.
Start by determining which SAQ type applies to your payment setup. PCICompliance.com’s free SAQ Wizard makes this simple — answer a few questions about how you accept payments, and we’ll tell you exactly which questionnaire you need. Our platform then guides you through each question, provides ASV scanning for those who need it, and maintains all your compliance documentation in one secure dashboard.
Don’t let non-compliance fees eat into your profits or put your business at risk. Whether you process ten cards or ten thousand per month, PCI compliance is achievable. Take the first step with our SAQ Wizard, or contact our compliance team for a personalized assessment of your needs. We’ve helped thousands of merchants achieve and maintain compliance — from single-location retailers to growing e-commerce businesses — and we’re ready to help you too.