Belgium PCI Compliance

You Just Got a PCI Compliance Questionnaire — Now What?

Take a deep breath. If you’re reading this because your payment processor just sent you a confusing email about Belgium PCI compliance with terms like “SAQ” and “AOC,” you’re in the right place. Here’s the truth: for most small businesses, PCI compliance is much simpler than it first appears. You don’t need a computer science degree or a security team. You just need to know which form to fill out and how to answer a few straightforward questions about how you accept credit cards.

Think of PCI compliance like a health inspection for restaurants — it’s a checklist of safety practices that protect your customers’ payment information. Just as restaurants follow food safety rules to prevent illness, businesses that accept credit cards follow PCI rules to prevent data theft. The good news? If you’re a typical small business using modern payment tools, you’re probably already doing most of what’s required. You just need to document it.

What Is PCI Compliance (In Plain English)

PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements created by the major credit card companies (Visa, Mastercard, American Express, Discover, and JCB) through an organization called the PCI Security Standards Council. If you accept, process, store, or transmit credit card information in any way — whether through a physical terminal, online, or over the phone — these requirements apply to you.

Here’s who enforces it: not the government, but your acquiring bank or payment processor (the company that handles your credit card transactions). They’re required by the card brands to ensure all their merchants comply with PCI DSS. That’s why they sent you that questionnaire — they need proof you’re following the security standards.

What happens if you don’t comply? Your payment processor can fine you, typically starting at €50-100 per month for non-compliance. If there’s a data breach and you weren’t compliant, you could face much larger penalties — potentially thousands of euros — plus liability for fraudulent charges. In extreme cases, you could lose the ability to accept credit cards entirely. But here’s the important part: for most small businesses, achieving compliance takes just a few hours per year.

The overwhelming majority of small merchants qualify for the simplest compliance options. If you use modern payment systems like Square, SumUp, or Mollie, or if your website uses hosted checkout pages from Stripe or PayPal, you’re already most of the way there.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit or debit cards in Belgium — whether in-store, online, or over the phone — yes, you need to be PCI compliant. It doesn’t matter if you process one transaction or one thousand, if you’re a sole proprietor or have multiple locations. Accept cards? You need to comply.

Most small businesses fall into Merchant Level 4, which means you process fewer than 20,000 e-commerce transactions or up to 1 million total Visa transactions annually. This is good news because Level 4 merchants have the simplest compliance requirements — typically just completing a self-assessment questionnaire (SAQ) once a year and running quarterly security scans if you have e-commerce.

Your payment processor expects you to complete an annual compliance validation. That questionnaire they sent? It’s asking you to confirm which SAQ type applies to your business and then complete it. Think of the SAQ as a checklist where you answer “yes” or “no” to security practices. The type of SAQ you need depends entirely on how you accept payments.

Which SAQ Do You Need?

The most confusing part of PCI compliance is figuring out which SAQ (Self-Assessment Questionnaire) applies to your business. Here’s a plain-English guide to the most common scenarios:

How You Accept Payments                                             Your SAQ Type   Number of Questions   Complexity
------------------------------------------------------------------  --------------  --------------------  ----------
Payment links only (Stripe Payment Links, PayPal invoices)          SAQ A           22                    Easiest
E-commerce with hosted checkout (Shopify, WooCommerce with Stripe)  SAQ A-EP        191                   Moderate
Standalone terminal with dial-up/cellular (no computer connection)  SAQ B           41                    Easy
Terminal connected to internet (Square, Clover, SumUp)              SAQ B-IP        82                    Easy
Phone orders entered into virtual terminal                          SAQ C-VT        160                   Moderate
Any scenario where you store card numbers                           SAQ D           329                   Complex

If you use a payment terminal like Square, Clover, or a traditional credit card machine, you likely need SAQ B (for dial-up terminals) or SAQ B-IP (for internet-connected terminals). These are straightforward — mostly confirming that only authorized staff can use the terminal and that you don’t write down card numbers.

If you have an e-commerce site that redirects to a hosted payment page (where customers enter card details on Stripe, PayPal, or your processor’s site), you likely need SAQ A. If the payment form is embedded on your site but still hosted by the processor (like Stripe Elements), you need SAQ A-EP.

If you take payments over the phone and enter them into a web-based virtual terminal, you need SAQ C-VT. This one’s a bit more involved because you’re hearing and typing card numbers.

If you store card numbers in any form — written down, in spreadsheets, in your own database — you need SAQ D, the most comprehensive questionnaire. Fair warning: if this is you, seriously consider changing your processes to avoid storing card data. SAQ D is complex and expensive to validate.

PCICompliance.com offers a free SAQ Wizard that asks a few simple questions about how you accept payments and tells you exactly which SAQ you need. It takes less than two minutes and removes all the guesswork.

How to Complete Your SAQ

Once you know which SAQ you need, completing it is straightforward. The questionnaire presents a series of yes/no questions about your payment security practices. For example, SAQ B might ask: “Are payment terminals attended during operating hours?” or “Do you train staff not to write down card numbers?”

Here’s what “yes” actually means: you can honestly confirm you follow that security practice. You don’t need perfect, enterprise-grade security — you need reasonable practices for your business size. For most questions in the simpler SAQs, you’re probably already compliant through common sense business practices.

Documentation you’ll need:

  • A simple network diagram (even a hand drawing works for small merchants)
  • Your payment processing agreement
  • Any security policies you have (even informal ones)
  • Training records (can be as simple as a sign-off sheet)

If you have an e-commerce presence, you’ll also need quarterly ASV scans. An Approved Scanning Vendor runs automated security scans of your website to check for vulnerabilities. Don’t panic — this isn’t someone hacking your site. It’s more like a safety inspection that looks for common security issues. The scan takes about 15-30 minutes to run, and most sites pass on the first try. If issues are found, they’re usually simple fixes like updating software or adjusting server settings.

After completing your SAQ, you’ll sign an Attestation of Compliance (AOC) — basically a formal declaration that you completed the assessment honestly. Submit both documents to your payment processor through their compliance portal or email, and you’re done for the year.

What It Costs

Let’s talk real numbers. For most small businesses in Belgium, PCI compliance costs fall into these ranges:

Compliance platform and tools: €10-30 per month for a service that guides you through your SAQ, stores your documentation, and sends renewal reminders. Some payment processors include basic compliance tools with your merchant account.

Quarterly ASV scanning: €20-50 per scan, or €80-200 annually. Many compliance platforms include scanning in their monthly fee. If you don’t have e-commerce, you don’t need scans at all.

If you need a QSA: Only the largest merchants (Level 1) need a Qualified Security Assessor to perform an onsite assessment. This costs €10,000-50,000+ depending on complexity. If you’re reading this guide, you almost certainly don’t need a QSA.

Compare these costs to non-compliance: monthly fines from your processor (€50-500), potential breach penalties (€5,000-50,000+), plus the catastrophic cost of losing the ability to accept cards. For most small merchants, annual compliance costs less than a single month of non-compliance fines.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly touchpoints if you have e-commerce. Your compliance anniversary is typically 12 months from when you first submitted your SAQ, though your processor might set a specific annual deadline.

Set reminders for:

  • Annual SAQ renewal (2 weeks before your deadline)
  • Quarterly ASV scans if required (every 90 days)
  • Staff training refreshers (annually or when you hire new employees)
  • Review of any payment process changes

What triggers a new assessment: If you significantly change how you accept payments — like adding e-commerce to a brick-and-mortar store, starting to take phone orders, or switching payment processors — you might need to complete a different SAQ type. Minor changes like adding a new terminal or changing your website design typically don’t require a new assessment.

PCICompliance.com’s compliance dashboard tracks all these dates for you, sending automated reminders before deadlines and maintaining a complete compliance history. No more scrambling to remember when you last ran a scan or where you filed your AOC.

Frequently Asked Questions

What’s the difference between PCI compliance in Belgium versus other EU countries?

PCI DSS is a global standard that applies the same way across all countries. Belgium doesn’t have additional requirements beyond PCI DSS, though you must also comply with GDPR for protecting cardholder data privacy. The requirements, SAQ types, and validation process are identical whether you’re in Brussels, Amsterdam, or Berlin.

My payment processor says I’m “PCI compliant” because I use their services. Do I still need to complete an SAQ?

Yes, you still need to complete an SAQ. Your processor’s compliance covers their systems, not your business practices. Even if they handle all the technical security, you’re responsible for physical security, staff training, and proper procedures at your location.

I only process a handful of card transactions per month. Do I really need to comply?

Yes, PCI compliance applies regardless of transaction volume. There’s no minimum threshold — if you accept even one card payment per year, you need to comply. The good news is that low-volume merchants typically qualify for the simplest SAQ types.

What if I can’t pass my ASV scan?

Most scan failures are due to outdated software or minor configuration issues. Your ASV report will list specific vulnerabilities with remediation instructions. Common fixes include updating WordPress plugins, installing security patches, or adjusting firewall settings. If you’re not technical, your web developer can usually resolve scan failures in an hour or two.

Can I just use PayPal or Stripe to avoid PCI compliance?

Using hosted payment pages from PayPal, Stripe, or similar providers significantly reduces your PCI scope, but doesn’t eliminate it. You’ll qualify for SAQ A (the simplest form), but you still need to complete annual compliance validation. Think of it as outsourcing the hard parts while remaining responsible for the basics.

How do I know if I’m storing card data that I shouldn’t be?

Search your systems for anything that looks like a credit card number (16 digits). Check email archives, spreadsheets, customer databases, and paper files. If you find card numbers anywhere except your payment terminal or processor’s system, you’re likely storing data you shouldn’t. The safest approach: never write down, screenshot, or save card numbers anywhere.

What happens if I just ignore PCI compliance?

Your payment processor will eventually notice. They’ll start with warning emails, then monthly non-compliance fees (typically €50-200), and eventually may freeze or terminate your merchant account. If a breach occurs while you’re non-compliant, you face significant fines and liability for fraud losses.

I’m switching payment processors. Do I need to complete PCI compliance again?

Yes, your new processor will require fresh compliance validation. However, if you’re staying with the same SAQ type and recently completed your assessment, you can often reuse most of your answers. Keep your previous SAQ handy — it makes the process much faster.

Moving Forward with Confidence

PCI compliance might seem overwhelming when that first questionnaire arrives, but now you understand what’s actually required. For most small businesses in Belgium, it’s a matter of completing the right SAQ once a year — a process that takes a few hours at most. You’re not aiming for Pentagon-level security; you’re following reasonable practices to protect your customers’ payment data.

The key is identifying which SAQ fits your payment methods, answering the questions honestly, and maintaining simple security practices throughout the year. Modern payment tools make much of this automatic — if you’re using reputable processors and current technology, you’re already following most PCI requirements without realizing it.

PCICompliance.com simplifies this entire process. Our free SAQ Wizard eliminates the guesswork of choosing the right questionnaire. Our guided SAQ completion walks you through each question in plain English. For businesses needing ASV scans, our scanning service handles the technical requirements and helps fix any issues found. And our compliance dashboard keeps track of all your deadlines, documents, and renewal dates in one place. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and support to make PCI compliance straightforward and stress-free. Start with our free SAQ Wizard to identify your requirements, or reach out to our compliance team for personalized guidance.
