Host Merchant Services PCI

Bottom Line Up Front

If your payment processor just sent you a compliance questionnaire and the words “PCI” and “SAQ” mean nothing to you, take a breath. For the vast majority of small businesses, Host Merchant PCI compliance is far simpler than it sounds. You almost certainly don’t need to hire a consultant or overhaul your systems.

Most small merchants complete a short self-assessment questionnaire (SAQ), run a quarterly network scan if they have anything internet-facing, and attest that they’re following basic security practices. That’s it. The questionnaire looks intimidating, but once you know which SAQ applies to you — and most businesses qualify for the simplest ones — the whole process is manageable in an afternoon or two. This guide walks you through exactly what to do.

What Is PCI Compliance (In Plain English)

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security rules designed to protect credit card data. If your business accepts card payments — in a store, online, or over the phone — it applies to you.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a group called the PCI Security Standards Council (PCI SSC). But here’s the important part: the card brands don’t chase you down individually. Your acquirer (your bank or payment processor) is the one who enforces compliance. That’s why the questionnaire came from them, not from Visa.

The standard is organized around six control objectives covering 12 requirements — things like protecting stored card data, using firewalls, controlling who has access to systems, and maintaining a security policy. Don’t worry: depending on how you accept payments, most of those 12 requirements may not even apply to you.

What happens if you ignore all this? A few things, none of them fun:

  • Monthly non-compliance fees from your processor until you attest.
  • Financial liability if you suffer a card data breach — this can dwarf any fee.
  • In serious or repeated cases, losing your ability to accept card payments entirely.

The good news, which I’ll keep repeating because merchants don’t believe it at first: most small businesses qualify for the simplest SAQ types, and simple usually means a short questionnaire with no technical heavy lifting.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes. There’s no minimum transaction volume that exempts you. A food truck that runs one card a week is subject to PCI, just like a national retailer.

Your obligations scale with your merchant level, which your acquirer assigns based on your annual card transaction volume and risk profile. Levels run from 1 (the largest merchants) down to 4 (the smallest). The overwhelming majority of small businesses are Level 4, which means you self-assess rather than undergoing a formal audit. Confirm your exact level with your acquirer — the thresholds are set by the card brands and can change.

The questionnaire your processor sent you is your annual self-assessment. They sent it because they’re required to verify that the merchants in their portfolio are compliant. Completing it isn’t optional — but for most small merchants, it’s straightforward.

Which SAQ Do You Need?

The SAQ (Self-Assessment Questionnaire) comes in several flavors. The one you need depends entirely on how you accept payments and whether you ever touch or store card numbers. Picking the right one is the single most important step, because it determines how many questions you’ll answer.

Here’s the plain-language decision tree:

  • You use a standalone payment terminal (a countertop card reader that dials out or connects over the internet) → likely SAQ B or SAQ B-IP.
  • You have an e-commerce site with fully hosted checkout where the customer is redirected to your processor’s page (think Stripe Checkout or a Shopify-hosted cart) → likely SAQ A.
  • You take payments through a virtual terminal — typing card numbers into a secure web page, often for phone orders → likely SAQ C-VT.
  • You store card numbers anywhere — in a spreadsheet, a filing cabinet, a CRM → SAQ D (and please stop storing them; more on that below).
Payment Scenario Likely SAQ Complexity
Standalone dial-out terminal, no electronic storage B Low
Standalone internet-connected terminal B-IP Low–Medium
E-commerce, fully hosted/redirected checkout A Low
E-commerce, you partly control the payment page A-EP Medium–High
Virtual terminal (phone orders typed into a web form) C-VT Low–Medium
Internet-connected payment system, no storage C Medium
You store cardholder data electronically D High

Notice how the moment you store card data or control more of the payment page, complexity jumps. That’s the theme of PCI: the less card data you touch, the smaller your Cardholder Data Environment (CDE) and the easier your life.

Not sure which one fits? Our free SAQ Wizard asks you a handful of plain-English questions and tells you exactly which questionnaire applies — no guessing, no jargon.

How to Complete Your SAQ

An SAQ is essentially a checklist of yes/no security questions. The simplest ones (like SAQ A) contain a modest set of questions; SAQ D can run to hundreds. That’s why choosing correctly matters so much.

Each “yes” means you’re confirming that a specific control is in place. For example, a question might ask whether you use unique IDs for each person with computer access, or whether you’ve changed default passwords on your payment equipment. A “yes” you can’t honestly support is a problem — so treat any “no” as a to-do item rather than something to fudge.

Documentation you’ll typically want to gather:

  • A basic network diagram or description of how payments flow (even a simple sketch helps).
  • Your vendor list — who provides your terminals, gateway, or hosting, and confirmation that they’re PCI compliant.
  • Records of who has access to payment systems and how passwords are managed.
  • Your information security policy (yes, even small merchants need a written one — a short, honest policy counts).

The Quarterly ASV Scan

If your environment has anything internet-facing — an e-commerce site, an IP-connected terminal, a virtual terminal — you’ll also need a quarterly ASV scan. An ASV (Approved Scanning Vendor) runs an external vulnerability scan against your public-facing systems four times a year to check for known security holes. A passing scan is part of your attestation.

Some of the simplest scenarios (like SAQ B with dial-out-only terminals) don’t require scanning at all. If yours does, our ASV scanning service handles it for you on schedule.

Once your questionnaire is complete and any required scan passes, you sign an AOC (Attestation of Compliance) — a short document declaring that you’ve completed your assessment — and submit both to your acquirer.

What It Costs

Let’s be honest about money, because merchants fear PCI is a budget sinkhole. For most small businesses, it isn’t.

Cost Item When It Applies Typical Budget
SAQ / compliance platform Every merchant Low annual cost
Quarterly ASV scanning Internet-facing systems Modest per-year cost
QSA engagement Level 1 or complex environments Significant — but rarely needed by small merchants
Non-compliance fees If you don’t attest Recurring monthly charges
Breach liability If card data is stolen Potentially business-ending

Most small merchants only need a compliance platform and, if applicable, ASV scanning — both affordable annual expenses. You’d only need a QSA (Qualified Security Assessor) if you’re a Level 1 merchant undergoing a formal ROC (Report on Compliance), which is uncommon for small businesses.

Now weigh that against the cost of non-compliance: recurring processor fees, and — far worse — your liability if a breach occurs. A single breach can bring forensic investigation costs, card-brand assessments, and reissuance expenses that dwarf years of compliance spending. For nearly every small merchant, annual compliance costs less than the fallout from a single incident. That’s the honest math.

Staying Compliant Year-Round

Here’s the part people miss: PCI compliance isn’t a one-and-done event. Your SAQ is valid for a period and must be renewed at least annually, with ASV scans running quarterly where required. Compliance is point-in-time and continuous — passing once doesn’t mean you’re covered forever.

A few practices keep you on track:

  • Set calendar reminders for your annual SAQ renewal and each quarterly scan.
  • Reassess when things change — a new website, switching processors, adding a virtual terminal, or starting to store data can all change which SAQ applies to you.
  • Never store card numbers unless you truly must. Nothing inflates your scope and cost faster.

This is exactly what our compliance dashboard is built for — it tracks your SAQ status, schedules your scans, flags upcoming deadlines, and keeps your documentation in one place so you’re never scrambling when your acquirer asks for proof.

FAQ

I just got the questionnaire and I’m completely overwhelmed. Where do I start?

Start by identifying how you accept payments, because that determines which SAQ you need. Run our free SAQ Wizard — it asks a few simple questions and points you to the right questionnaire, which is usually much shorter and simpler than you fear.

Do I really have to do this if I only run a few cards a month?

Yes. There’s no transaction minimum that exempts you from PCI — any business that accepts cards is in scope. The upside is that low-volume merchants are almost always Level 4 and qualify for the simplest self-assessment path.

What happens if I just ignore it?

Your processor will typically charge recurring non-compliance fees, and you’ll carry full liability if card data is ever stolen from your business. Persistent non-compliance can ultimately cost you the ability to accept cards.

Do I need to hire a QSA?

Almost certainly not. QSAs are required for Level 1 merchants and complex environments undergoing a formal ROC — most small businesses self-assess with an SAQ and never need one.

What’s the difference between the SAQ and the ASV scan?

The SAQ is your self-assessment questionnaire confirming your security controls; the ASV scan is an external technical scan of your internet-facing systems for known vulnerabilities. Many merchants need both, but some simple setups (like dial-out terminals) need only the SAQ.

Can I make PCI easier on myself?

Absolutely — the biggest lever is reducing your scope. Using hosted checkout pages, tokenization, or point-to-point encryption, and never storing card numbers, all shrink your Cardholder Data Environment and cut the number of requirements that apply to you.

How long is my compliance good for?

Your SAQ and AOC are generally valid for one year and must be renewed annually, with quarterly scans in between where required. Compliance is continuous, so treat it as an ongoing habit rather than a yearly fire drill.

Conclusion

PCI compliance has a fearsome reputation, but for most small merchants it comes down to three things: pick the right SAQ, run a quarterly scan if you have internet-facing systems, and keep good habits year-round. The questionnaire on your desk is far more approachable once you know which path applies to you.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress all year long. We’re an end-to-end platform serving thousands of merchants and service providers — from single-location shops to multi-site enterprises — with self-assessment tools, scanning, remediation guidance, and expert support in one place.

Start with the free SAQ Wizard, or talk to our compliance team. You’ve got this — and we’re here to help you through every step.

Leave a Comment

1,650 PCI scans completed this month