Annual Compliance Tasks Checklist
The Good News First
If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed — take a deep breath. For most small businesses, PCI compliance is much simpler than it sounds. Your annual compliance checklist probably involves answering a straightforward questionnaire, running a quarterly security scan, and clicking submit. That’s it. No security consultants, no expensive audits, no complex technical implementations. This guide will show you exactly what you need to do.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to anyone who accepts credit card payments. Think of it as the credit card industry’s way of making sure businesses protect their customers’ card information.
The major card brands — Visa, Mastercard, American Express, and Discover — created these rules through an organization called the PCI Security Standards Council. But here’s what matters to you: your payment processor or acquiring bank is the one who enforces these rules and sends you that compliance questionnaire.
Why should you care? Three big reasons:
1. Fines: Your processor can charge you monthly non-compliance fees (typically $20-100/month)
2. Liability: If there’s a data breach and you’re not compliant, you could be liable for fraud losses
3. Card processing: In extreme cases, you could lose the ability to accept credit cards
But here’s the good news that compliance companies don’t always tell you: most small businesses qualify for the simplest compliance requirements. If you’re using modern payment tools like Square, Stripe, or a standalone terminal, you’re already doing most of what PCI requires.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes. It doesn’t matter if you’re a food truck, an online boutique, or a consulting firm that takes payments over the phone. Accept cards = need PCI compliance.
Your merchant level determines how much compliance work you’ll need to do. For context, here’s how it breaks down:
| Merchant Level | Annual Visa Transactions | What’s Required |
|---|---|---|
| Level 1 | Over 6 million | Full annual audit by QSA |
| Level 2 | 1-6 million | Annual self-assessment |
| Level 3 | 20,000-1 million | Annual self-assessment |
| Level 4 | Under 20,000 | Annual self-assessment |
Most small businesses are Level 4 merchants, which means you complete a self-assessment questionnaire (SAQ) once a year and run quarterly security scans if your SAQ type requires them (typically when you have internet-facing systems such as a website). No external auditor needed.
That compliance questionnaire your processor sent? It’s their way of making sure you’re following the rules. They’re required to collect it annually, and they’ll keep sending reminders (and possibly start charging fees) until you complete it.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Here’s how to figure out which one applies to you:
| How You Accept Payments | Your SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Payment page completely hosted by processor (PayPal, Square Checkout) | SAQ A | 22 | Easiest |
| E-commerce with payment fields on your site (Stripe Elements, Authorize.net) | SAQ A-EP | 191 | Moderate |
| Standalone terminal with no electronic storage | SAQ B | 41 | Easy |
| Standalone terminal connected to internet | SAQ B-IP | 82 | Easy |
| Virtual terminal or phone orders | SAQ C-VT | 160 | Moderate |
| Any electronic storage of card numbers | SAQ D | 329 | Complex |
Quick Decision Guide:
If you use a payment terminal (Square Reader, Clover, Ingenico):
- Terminal connects via phone line only → SAQ B
- Terminal connects to internet → SAQ B-IP
If you have an e-commerce website:
- Customers leave your site to pay (PayPal, Square) → SAQ A
- Payment form embedded on your site (Stripe, Braintree) → SAQ A-EP
If you take payments over the phone:
- Using virtual terminal only → SAQ C-VT
- Writing down card numbers (please stop!) → SAQ D
Not sure? PCICompliance.com’s free SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need.
How to Complete Your SAQ
Once you know which SAQ applies, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices. Here’s what to expect:
What the questions look like:
- “Do you have a firewall?”
- “Do you change default passwords?”
- “Do you limit access to card data?”
For most small merchants using modern payment tools, you’ll answer “yes” to most questions because your payment provider handles the security for you. When you answer “no,” you’ll need to fix that item or explain why it doesn’t apply.
Documentation you’ll need:
- Your payment processor agreement
- Network diagram (for SAQ C-VT and D only)
- Security policies (templates available for most requirements)
- Scan reports from your Approved Scanning Vendor (ASV)
About those quarterly scans: If you have any internet-facing systems (website, email server, etc.), you need quarterly ASV scans. These automated scans check for security vulnerabilities. You’ll schedule one every three months, fix any critical issues found, and save the passing scan report. Most scans take about 15 minutes to run and cost $50-150 per quarter.
Submitting your compliance:
1. Complete your SAQ questionnaire
2. Fix any items where you answered “no”
3. Sign the Attestation of Compliance (AOC)
4. Upload to your processor’s compliance portal
5. Set a reminder for next year
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your size and complexity:
For most small businesses (SAQ A, B, B-IP):
- Compliance platform/tools: $100-300/year
- Quarterly ASV scanning: $200-600/year
- Total annual cost: $300-900
For moderate complexity (SAQ A-EP, C-VT):
- Compliance platform: $300-600/year
- Quarterly ASV scanning: $200-600/year
- Possible consulting help: $500-2,000
- Total annual cost: $1,000-3,200
If you need a QSA (SAQ D, Level 1-2 merchants):
- QSA assessment: $10,000-50,000+
- Remediation costs: Varies widely
- Ongoing compliance tools: $1,000-5,000/year
The cost of NON-compliance:
- Monthly non-compliance fees: $20-100
- Data breach costs: $50-150 per compromised card
- Forensic investigation: $10,000-100,000+
- Lost ability to process cards: Priceless
Here’s the bottom line: for most small merchants, annual PCI compliance costs less than the fines you’d pay for just six months of non-compliance. And it’s a tiny fraction of what a single data breach would cost.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your processor expects you to maintain compliance throughout the year and re-certify annually. Here’s your annual compliance checklist:
Quarterly tasks:
- Run ASV vulnerability scans (if required)
- Review scan results and fix critical issues
- Save passing scan reports
Annual tasks:
- Complete your SAQ questionnaire
- Update security policies if needed
- Train staff on card data security
- Submit AOC to your processor
- Update your compliance certificate
Ongoing requirements:
- Install security updates promptly
- Change passwords regularly
- Limit access to card data
- Monitor for suspicious activity
What triggers a new assessment:
- Changing payment processors
- Adding new payment channels
- Significant network changes
- Moving to a different SAQ type
Set calendar reminders for your quarterly scans and annual assessment due date. Better yet, use PCICompliance.com’s compliance dashboard to track all your requirements, get automatic reminders, and store your documentation in one place.
FAQ
Q: What happens if I ignore PCI compliance?
In the short term, your payment processor will start charging monthly non-compliance fees (typically $20-100). Long term, you could face much larger fines if there’s a breach, and you might lose the ability to accept credit cards. It’s simply not worth the risk when compliance for small merchants is relatively straightforward.
Q: Do I need to hire a security consultant?
For most small businesses using SAQ A, B, or B-IP — no. These questionnaires are designed for self-completion. If you’re SAQ D or a larger merchant, you might benefit from professional help, but start with the self-assessment and see how far you get.
Q: How long does the SAQ take to complete?
SAQ A takes about 30 minutes. SAQ B and B-IP take 1-2 hours. SAQ A-EP and C-VT might take 3-4 hours including gathering documentation. SAQ D is complex and typically requires IT involvement over several days or weeks.
Q: What’s the difference between PCI compliance and EMV?
EMV (chip cards) is about fraud prevention at the point of sale. PCI compliance is about protecting card data everywhere in your business. You need both — EMV terminals help reduce fraud, while PCI compliance protects stored and transmitted card data.
Q: Can I just say “yes” to all the questions?
Technically yes, but that would be fraud. If there’s a breach and investigators find you lied on your SAQ, you’ll face significant liability. Answer honestly — it’s better to fix a few security gaps than to lie about them.
Q: Do I need PCI compliance if I only use PayPal or Square?
Yes, you still need to complete an SAQ (usually the simple SAQ A). While these providers handle most of the security, you’re still responsible for your part — like password security and physical access to devices.
Q: How often do I need ASV scans?
If required for your SAQ type, you need passing scans every quarter (four times per year). You can run scans more frequently if you want, but you must have at least four passing scans per year, no more than 90 days apart.
Q: What if I fail my ASV scan?
Don’t panic — failing scans are common, especially the first time. The scan report will list the vulnerabilities found. Fix the critical and high-risk issues, then rescan. Most scanning vendors include free rescans, and their support teams can help interpret the results.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but for most small businesses, it’s a manageable annual task. Identify your SAQ type, answer the questions honestly, run your quarterly scans if needed, and submit your attestation. That’s your essential annual compliance checklist.
The key is starting now rather than waiting for non-compliance fees to pile up. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team to get your annual compliance on track today.
Remember: thousands of small businesses complete PCI compliance every day. With the right tools and guidance, you can too. Your customers’ card data — and your business — are worth protecting.