Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and your stomach dropped — take a breath. For most small businesses in South Carolina, PCI compliance is far simpler than the intimidating paperwork suggests.
Here’s the truth: if you accept credit cards, you’re required to validate PCI compliance. But the vast majority of small merchants qualify for the simplest self-assessment forms, which you can complete yourself in an afternoon — no auditor required. This guide walks you through exactly what South Carolina PCI compliance means for your business, which questionnaire applies to you, and how to get it done without the headache.
You don’t need to become a security expert. You just need to know which path you’re on.
What Is PCI Compliance (In Plain English)
PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security rules designed to protect your customers’ credit card information from theft and fraud. If your business accepts cards in any form — in person, online, or over the phone — these rules apply to you.
The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through an organization called the PCI Security Standards Council (PCI SSC). But here’s the important part: the council writes the rules, while your acquiring bank (also called your acquirer or payment processor) is the one who actually enforces them. That’s why the questionnaire came from them, not from some government agency.
PCI DSS is built around 6 control objectives that cover 12 requirements — things like protecting stored card data, using strong access controls, and monitoring your network. The good news for small merchants: you often only have to address a small slice of those requirements, depending on how you handle payments.
What happens if you ignore it?
Non-compliance isn’t a criminal matter, but it carries real teeth:
- Monthly non-compliance fees from your processor (these add up fast).
- Liability if you suffer a breach — fines, forensic investigation costs, and card-reissuance charges can be devastating.
- Loss of your ability to accept cards in the worst cases, which can shut a business down.
The reassuring news? Most small businesses qualify for the simplest SAQ (Self-Assessment Questionnaire) types and can validate compliance with minimal cost and effort.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes. There’s no minimum transaction volume that exempts you. A one-location coffee shop and a national retailer are both subject to PCI DSS — they just validate it differently.
Understanding your merchant level
The card brands sort merchants into four levels (1 through 4) based primarily on your annual card transaction volume. Your acquirer assigns your level — so if you’re unsure, ask them directly.
| Merchant Level | Who It Typically Applies To | Validation |
|---|---|---|
| Level 1 | Highest-volume merchants | Annual ROC by a QSA or ISA |
| Levels 2–3 | Mid-volume merchants | Usually SAQ + scans |
| Level 4 | Most small businesses | SAQ + scans (if applicable) |
Specific transaction thresholds vary by card brand and can change, so always confirm your level with your acquirer rather than assuming. If you’re a typical small South Carolina merchant, you’re almost certainly Level 4 — the simplest tier.
Why they sent you that questionnaire
The form your processor sent is their way of asking you to validate your PCI compliance — to confirm you’ve met the security requirements that apply to how you accept payments. It’s an annual obligation. They need it on file, and if you don’t return it, you’ll likely start seeing non-compliance fees on your statements.
Which SAQ Do You Need?
The SAQ is the questionnaire you fill out to validate compliance. There are several types, and the right one depends entirely on how you accept and handle card data. Choosing the correct SAQ is the single most important step — it determines how many requirements you’re responsible for.
Here’s the plain-language decision tree:
| Your Payment Scenario | Likely SAQ | Complexity |
|---|---|---|
| Standalone dial-out terminal, no electronic card storage | SAQ B | Low |
| Standalone IP-connected terminal (Square, Clover, etc.) | SAQ B-IP | Low |
| E-commerce with fully hosted checkout (Shopify, Stripe Checkout, PayPal) | SAQ A | Low |
| E-commerce where your site partially controls the payment page (iframe/direct-post) | SAQ A-EP | Medium |
| Virtual terminal only — card payments keyed in via a browser | SAQ C-VT | Low–Medium |
| Payment systems connected to the internet, no electronic storage | SAQ C | Medium |
| You store card numbers electronically (please stop) | SAQ D | High |
A few notes:
- If you use a payment terminal like Square or Clover, you’re most likely SAQ B or B-IP. These are among the shortest forms.
- If you run an online store with hosted checkout — where customers are redirected to your processor’s secure page — you’re likely SAQ A, the simplest e-commerce path.
- If you take payments over the phone and key them into a web-based virtual terminal, you’re typically SAQ C-VT.
- If you store full card numbers anywhere in your systems, you’ve landed in SAQ D — the most demanding form. The best fix is almost always to stop storing card data and let your processor or a tokenization provider handle it.
Not sure which one fits? Our free SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which SAQ you need — no guessing.
How to Complete Your SAQ
The SAQ is essentially a checklist of yes/no questions about your security controls. The simplest forms (like SAQ A and B) are short and can often be completed in an hour or two. The more complex forms take longer because more requirements apply.
When a question asks if you’ve implemented a control, answering “yes” means you’ve actually done it — not that you intend to. For example, a question about changing default passwords means every device and account in your payment environment uses a unique, strong password. A question about restricting access means only authorized staff can touch payment systems.
Documentation you’ll want on hand
- A simple description of how card payments flow through your business.
- A list of your payment devices or your e-commerce/hosting setup.
- Confirmation that your payment vendors are PCI compliant (their AOC — Attestation of Compliance).
- Records of who has access to payment systems and how passwords are managed.
The quarterly ASV scan
If your payment environment has any external-facing systems (like an e-commerce site or an IP-connected terminal on your network), you’ll need a quarterly ASV scan. An ASV (Approved Scanning Vendor) runs an external vulnerability scan against your internet-facing systems four times a year and confirms there are no significant exposures.
Fully outsourced merchants on SAQ A with no in-scope systems may not need scanning — but confirm with your acquirer. Our ASV scanning service handles this for you on a recurring schedule, so you never miss a quarter.
Submitting your results
Once your SAQ is complete, you’ll sign an AOC (Attestation of Compliance) — a formal statement that you’ve met the applicable requirements. You submit both to your acquirer (often through their compliance portal). That completes your annual validation.
What It Costs
Honest talk: for most small merchants, PCI compliance is an affordable annual expense — and dramatically cheaper than the cost of a breach.
| Cost Item | Typical Situation |
|---|---|
| Compliance platform / SAQ tools | Modest annual or monthly subscription |
| Quarterly ASV scanning | Budget for a recurring quarterly service |
| QSA (only for Level 1 / ROC) | Significant — but rarely needed by small merchants |
| Non-compliance fees | Ongoing monthly charges from your processor |
| Breach liability | Can reach tens of thousands or far more |
Most small businesses never need to hire a QSA (Qualified Security Assessor) — that’s typically reserved for Level 1 merchants undergoing a full ROC (Report on Compliance). If you’re self-assessing with an SAQ, your costs are limited to a compliance tool and (where required) ASV scanning.
The math is simple: annual compliance for a small merchant costs a fraction of a single processor non-compliance penalty — let alone the cost of a breach. Compliance is the bargain here.
Staying Compliant Year-Round
PCI compliance is not a one-and-done task. It’s validated at least annually, with quarterly ASV scans where applicable. Just as importantly, compliance is point-in-time — passing your SAQ today doesn’t mean you’re protected forever. Security has to be maintained continuously.
What triggers a fresh look
- Changing how you accept payments (e.g., adding an online store).
- Switching processors or payment software.
- Adding new payment terminals or systems.
- Any significant change to your network.
Any of these can change which SAQ applies to you, so reassess when your setup changes.
Keeping yourself on track
The easiest way to stay compliant is to stop relying on memory. Set reminders for your annual SAQ renewal and your quarterly scans. Better yet, our compliance dashboard tracks your progress year-round, flags upcoming deadlines, and keeps your documentation in one place — so renewal season is never a scramble.
FAQ
I’m a tiny business. Do I really have to do this?
Yes — there’s no size exemption under PCI DSS. But the smallest merchants usually qualify for the simplest SAQ types, which are short and self-completed. The obligation is real, but the effort is often modest.
What if I just ignore the questionnaire?
Your processor will typically start charging monthly non-compliance fees, and you’ll carry full liability if a breach occurs. Ignoring it costs more than completing it — and can ultimately threaten your ability to accept cards.
I use Square (or Clover/Stripe). Aren’t they handling compliance for me?
They handle their part, but you’re still responsible for your environment and for validating compliance. Using a compliant provider greatly simplifies your SAQ — but you still need to complete and submit one.
Do I need a quarterly ASV scan?
Only if your payment environment includes external-facing systems, such as an e-commerce site or an IP-connected terminal on your network. Fully outsourced SAQ A merchants often don’t — but confirm with your acquirer, and we can run the scans if you do.
What’s the difference between an SAQ and a ROC?
An SAQ is a self-assessment you complete yourself; a ROC is a formal assessment performed by a QSA, typically required only for the highest-volume Level 1 merchants. Most small businesses will only ever deal with an SAQ.
Can I store card numbers if I encrypt them?
You can, but you shouldn’t — storing card data pushes you into the most demanding SAQ D and dramatically increases your risk and obligations. Sensitive Authentication Data like the CVV can never be stored after authorization. The smarter path is tokenization so you never hold the actual card numbers.
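To make the tokenization point concrete for a merchant whose own software touches the processor's responses, here is an added example (written for this page, not code from PCICompliance.com or any processor) of the two checks a developer would want: a storage filter that keeps only a processor-issued token plus the last four digits, and refuses to persist the full PAN or any Sensitive Authentication Data such as the CVV; and a scanner that hunts for stray card numbers in logs or exports, which is how full PANs usually end up "stored" without anyone intending it. The field names (`pan`, `cvv`, `token`) and the sample response and log lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Sensitive Authentication Data: must never be written to disk after authorization.
SAD_FIELDS = frozenset({"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"})

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; filters most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in free text (logs, CSV exports, tickets)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the usual display masking rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class StorableRecord:
    token: str    # processor-issued token standing in for the PAN (assumed field name)
    last4: str
    brand: str
    expiry: str


class CardDataPolicyError(ValueError):
    """Raised when a record would put card data into the merchant's own storage."""


def sanitize_for_storage(auth_response: dict) -> StorableRecord:
    """Reduce an authorization response to the fields a merchant may keep.

    Raises if SAD is present or if no token came back; there is deliberately
    no fallback to storing the PAN itself.
    """
    sad = SAD_FIELDS.intersection(k.lower() for k in auth_response)
    if sad:
        raise CardDataPolicyError(f"refusing to store sensitive authentication data: {sorted(sad)}")
    token = auth_response.get("token")
    if not token:
        raise CardDataPolicyError("no processor token returned; PAN must not be stored instead")
    pan_digits = re.sub(r"[ -]", "", str(auth_response.get("pan", "")))
    last4 = pan_digits[-4:] if pan_digits else str(auth_response.get("last4", ""))
    return StorableRecord(token=str(token), last4=last4,
                          brand=str(auth_response.get("brand", "")),
                          expiry=str(auth_response.get("expiry", "")))


# Constructed sample: a processor response as merchant code might see it (field names assumed).
SAMPLE_AUTH = {"pan": "4111 1111 1111 1111", "cvv": "123", "brand": "visa",
               "expiry": "12/27", "token": "tok_example_1"}

# Constructed log lines: one leaks a full PAN, one carries only a token, one is a
# 13-digit invoice number that looks like a card but fails the Luhn check.
SAMPLE_LOG = """2024-01-01 order 1042 card=4111111111111111 approved
2024-01-01 order 1043 token=tok_example_9 approved
2024-01-01 invoice 1234567890123 paid"""


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("full PAN found in log:", mask_pan(pan))
    try:
        sanitize_for_storage(SAMPLE_AUTH)
    except CardDataPolicyError as exc:
        print("rejected:", exc)
    print("stored:", sanitize_for_storage({k: v for k, v in SAMPLE_AUTH.items() if k != "cvv"}))
```

Running this flags the first log line (printed masked, so the report itself does not become another copy of the PAN), rejects the raw response because it carries a CVV, and once the CVV is dropped stores only the token, last four digits, brand and expiry. A merchant whose systems only ever hold records like that has nothing that pulls them into SAQ D.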
How do I know if I’m filling out the right SAQ?
Choosing the wrong SAQ is the most common mistake we see, and it can invalidate your whole assessment. Use our free SAQ Wizard — it asks a few questions about how you take payments and identifies the correct form for you.
Does compliance ever expire?
Validation is required at least annually, with quarterly scans where applicable. Compliance is point-in-time, so you re-validate each year and maintain your controls continuously in between.
The Bottom Line
PCI compliance has a scary reputation, but for most South Carolina small businesses, it comes down to a few clear steps: identify the right SAQ, answer the questions honestly, run any required scans, and submit your attestation each year. You don’t need to be a security engineer — you just need the right path and a way to stay on track.
That’s exactly what we built. PCICompliance.com is an end-to-end compliance platform serving thousands of merchants and service providers — from single-location retailers to multi-site enterprises — with everything in one place: SAQ guidance, ASV scanning, remediation support, and year-round tracking. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard keeps your progress and deadlines organized all year.
Start with the free SAQ Wizard, or talk to our compliance team — and turn that intimidating questionnaire into a quick, confident “done.”