You Just Got a PCI Compliance Questionnaire — Don’t Panic
Here’s the truth: that PCI compliance questionnaire sitting in your inbox looks more intimidating than it actually is. For most small businesses using modern payment systems like Google Cloud Functions for their PCI compliance needs, achieving compliance is straightforward and manageable. You don’t need to become a security expert overnight, and you definitely don’t need to panic.
Think of PCI compliance like getting a driver’s license — there are rules to follow and a test to pass, but millions of businesses do it successfully every year. The key is understanding which requirements actually apply to your specific situation. Most small merchants discover they qualify for the simplest compliance paths, often completing their assessment in an afternoon.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules created by the major card brands — Visa, Mastercard, American Express, and Discover. These companies formed the PCI Security Standards Council to manage the standard, but they don’t enforce it directly. That’s where your acquirer or payment processor comes in — they’re the ones who sent you that questionnaire.
The purpose is simple: protect credit card data from theft. If you accept credit cards in any form — whether through a terminal, online, or over the phone — these rules apply to you. Your payment processor enforces them because they’re on the hook if something goes wrong.
Non-compliance isn’t just about fines (though those can range from $5,000 to $100,000 per month). You could lose the ability to accept credit cards entirely, face liability for fraud losses, and destroy customer trust if a breach occurs. But here’s the good news: for most small businesses, compliance involves answering a simple questionnaire and running quarterly security scans — not the complex audits you might fear.
Do You Need to Be PCI Compliant?
The simple answer: if you accept, process, store, or transmit credit card information in any way, yes. This includes:
- Swiping cards through a terminal
- Taking payments on your website
- Accepting cards over the phone
- Storing customer card numbers (even in a spreadsheet)
- Processing recurring payments
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete a Self-Assessment Questionnaire (SAQ) rather than undergoing a full audit.
That questionnaire your payment processor sent? It’s their way of ensuring you’re following the rules. They’re required to verify your compliance annually, and they’ll keep asking until you complete it. Ignoring it won’t make it go away — but completing it is usually simpler than you think.
Which SAQ Do You Need?
The PCI Security Standards Council offers different SAQ types based on how you handle card data. Here’s the decision tree in plain language:
| How You Accept Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect to payment page (PayPal, Stripe Checkout) | SAQ A | ~20 | Easiest |
| Payment form on your site, but you don’t touch card data | SAQ A-EP | ~140 | Moderate |
| Standalone terminal with no electronic storage | SAQ B | ~40 | Easy |
| Terminal connected to internet for processing only | SAQ B-IP | ~80 | Easy-Moderate |
| Phone/mail orders entered into virtual terminal | SAQ C-VT | ~80 | Moderate |
| You store card numbers electronically | SAQ D | ~300+ | Complex (avoid this!) |
Most small businesses fall into the first few categories. If you’re using:
- Square, Clover, or similar terminals: You’re likely SAQ B or B-IP
- Shopify, WooCommerce with Stripe: Usually SAQ A
- Taking orders by phone: Probably SAQ C-VT
- Storing card numbers in your system: SAQ D (seriously, stop doing this)
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.
How to Complete Your SAQ
Your SAQ is essentially a checklist of security practices written as yes/no questions. For example:
- “Do you have a firewall protecting your payment systems?”
- “Do you change default passwords on payment terminals?”
- “Is antivirus software installed and updated?”
A “yes” answer means you’re doing that security practice. A “no” means you need to either implement it or explain why it doesn’t apply to your situation. The questions aren’t trick questions — they’re asking about basic security hygiene.
Here’s what you’ll need to complete your SAQ:
1. Network diagram (if you process payments on computers) — can be hand-drawn
2. List of payment applications you use
3. Security policies — often just documenting what you already do
4. ASV scan results — quarterly vulnerability scans of your website
The quarterly ASV scan catches many businesses by surprise. If you have any web presence (even just a marketing site), you need an Approved Scanning Vendor to scan for vulnerabilities every 90 days. The scan takes minutes to set up and runs automatically — it’s checking for common security holes that hackers might exploit.
Once complete, you’ll sign an Attestation of Compliance (AOC) stating your answers are accurate, then submit both documents to your payment processor. The whole process typically takes 2-4 hours for SAQ A or B, or 1-2 days for more complex types.
What It Costs
Let’s talk real numbers for PCI compliance:
Compliance platforms and tools: $20-200/month depending on your SAQ type and features needed. This typically includes your SAQ questionnaire, guidance on answering questions, and compliance tracking.
Quarterly ASV scanning: $30-100 per scan, or $120-400 annually. Many compliance platforms bundle this service.
QSA assessment (only for Level 1 merchants): $15,000-50,000 annually. Most small businesses never need this.
Time investment: 2-8 hours annually for most small merchants, plus 30 minutes per quarter for scan reviews.
Compare that to the cost of non-compliance:
- Monthly fines from your processor: $5,000-100,000
- Breach liability: Average $150 per compromised card
- Lost ability to accept cards: Devastating for most businesses
- Forensic investigation costs: $10,000-100,000 if breached
For most small businesses, annual compliance costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — it’s about protecting your business and your customers.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your SAQ expires after one year, and you’ll need those quarterly ASV scans to maintain compliance. Here’s how to stay on track:
Set calendar reminders for:
- Annual SAQ renewal (60 days before expiration)
- Quarterly ASV scans (every 90 days)
- Security updates for payment software
- Password changes on payment systems
Major changes to your payment setup require reassessment:
- Adding new payment channels
- Changing payment processors
- Implementing new payment software
- Starting to store card data (please don’t)
PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and flagging any changes that might affect your SAQ type. You’ll never miss a scan or renewal date.
FAQ
I’m just a small business. Do I really need to worry about this?
Yes, but it’s probably simpler than you think. Card brands require all merchants to comply, regardless of size. However, small businesses typically qualify for the easiest SAQ types that take just a few hours to complete annually. The questionnaire your processor sent isn’t going away, so tackle it now while it’s manageable.
What happens if I ignore the compliance questionnaire?
Your payment processor will start with reminder emails, then phone calls. Eventually, they’ll impose monthly non-compliance fees (typically $25-300/month). If you continue ignoring it, they can terminate your merchant account, meaning you lose the ability to accept credit cards. Some processors give you 90 days, others act faster.
Can I just answer “yes” to everything on the SAQ?
Absolutely not. False attestation is fraud and can result in immediate termination of your merchant account, massive fines, and personal liability if a breach occurs. Answer honestly — many requirements have straightforward fixes if you’re currently non-compliant. Your compliance platform can guide you through remediation.
Do I need to hire an IT security expert?
For most small businesses using modern payment solutions, no. If you qualify for SAQ A or B, the requirements are basic security practices you can handle yourself. SAQ C and D merchants might benefit from IT help, but even then, many requirements involve policies and procedures rather than complex technical implementations.
What’s this ASV scan and why do I need it quarterly?
An Approved Scanning Vendor scan checks your external-facing systems (website, email servers, etc.) for known vulnerabilities. It’s required quarterly for most SAQ types. The scan runs automatically and takes about 30 minutes. If it finds issues, you’ll get clear instructions on what to fix — usually updating software or adjusting firewall rules.
My payment processor says I need SAQ D, but I don’t store card numbers. What’s happening?
This is common when processors don’t understand your actual payment flow. If you’re truly not storing card data, you probably qualify for a simpler SAQ type. Document how your payments actually work — where cards are entered, how data flows, what you can access. PCICompliance.com’s SAQ Wizard helps identify your correct type based on your actual practices, not assumptions.
How do I know if I’m storing card data?
Check everywhere: databases, spreadsheets, email, order management systems, backups, log files, and even paper records. If you can see full card numbers anywhere in your environment after a transaction completes, you’re storing card data. Modern payment systems should never show you full card numbers — only the last four digits.
What if I fail my ASV scan?
Don’t panic — failing initially is common. The scan report shows exactly what failed and why. Most failures involve outdated software, unnecessary services running, or overly permissive firewall rules. Fix the identified issues and rescan. You need one clean scan per quarter, not perfection on the first try.
The Path Forward Is Clear
PCI compliance might seem overwhelming when that first questionnaire arrives, but now you understand what’s actually required. For most businesses, it’s a few hours of work annually plus some basic security practices you should be doing anyway. The real question isn’t whether to comply — it’s how to make compliance as painless as possible.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance. Our free SAQ Wizard identifies exactly which questionnaire you need — no more guessing or overcomplicating your requirements. Our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard tracks your progress year-round, sending reminders before any deadlines. Whether you’re completing your first SAQ or renewing for the tenth time, our platform guides you through each requirement in plain English. Start with the free SAQ Wizard to discover your actual compliance path, or talk to our compliance team to get your specific questions answered. Most merchants complete their first assessment in under two hours — you’ve already spent more time worrying about it than it takes to actually do it.