System Asset Inventory Template
You Just Got a PCI Compliance Letter — Don’t Panic
If you’re reading this, you probably just received an email from your payment processor with a subject line like “ACTION REQUIRED: PCI Compliance” or “Complete Your Annual Compliance Questionnaire.” Maybe it mentioned an asset inventory requirement, and now you’re wondering what that means and whether you need a template for one.
Here’s the bottom line: PCI compliance is simpler than it sounds for most small businesses. Yes, you need to complete that questionnaire. No, it’s not as complicated as it looks. And yes, we’ll walk you through exactly what you need to do — including whether you need to track your system assets.
Most small merchants can achieve compliance in an afternoon. The key is understanding which requirements actually apply to your business. Let’s start with the basics and work our way through everything you need to know.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements created by the major card brands (Visa, Mastercard, Amex, Discover, JCB) to protect credit card data. If you accept card payments — whether through a terminal, online, or over the phone — these requirements apply to you.
The card brands created an organization called the PCI Security Standards Council (PCI SSC) to manage these standards, but they don’t enforce them directly. Your acquirer (the bank or payment processor that handles your card transactions) is responsible for making sure you comply. That’s why they sent you that questionnaire.
What Happens If You Don’t Comply?
Non-compliance isn’t just a paperwork issue. Your payment processor can:
- Charge monthly non-compliance fees (typically $20-100/month)
- Pass along fines from the card brands (starting at $5,000)
- Hold you liable for fraud losses if there’s a breach
- Terminate your ability to accept card payments entirely
The good news? Most small businesses qualify for the simplest compliance requirements. You don’t need a team of security experts or expensive consultants. You just need to understand which questionnaire applies to your business and answer the questions honestly.
Do You Need to Be PCI Compliant?
The simple answer: If you accept credit cards in any form, yes, you need to be PCI compliant.
It doesn’t matter if you:
- Only process a few transactions per month
- Use a “secure” payment system
- Never store card numbers
- Only accept payments through a third-party processor
If your business touches credit card data at any point — even if it’s just through a payment terminal — PCI DSS applies to you.
Your Merchant Level
PCI groups merchants into four levels based on annual transaction volume. The thresholds below are Visa’s (the other brands use similar ones); note that the Level 3 and Level 4 cutoffs count e-commerce transactions specifically:
| Merchant Level | Annual Visa Transactions | What It Means For You |
|---|---|---|
| Level 1 | Over 6 million (any channel) | Annual on-site assessment by a QSA, documented in a Report on Compliance |
| Level 2 | 1 to 6 million (any channel) | Annual self-assessment |
| Level 3 | 20,000 to 1 million e-commerce | Annual self-assessment |
| Level 4 | Under 20,000 e-commerce, or up to 1 million total | Annual self-assessment |
Most small businesses are Level 4 merchants, which means you can complete a self-assessment questionnaire (SAQ) instead of hiring an expensive assessor. That questionnaire your processor sent? That’s your SAQ.
Which SAQ Do You Need?
The most confusing part of PCI compliance is figuring out which Self-Assessment Questionnaire applies to your business. There are different SAQ types, each with different requirements based on how you accept payments.
Here’s a plain-English guide to the most common scenarios:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Fully outsourced: redirect or provider-hosted iframe (PayPal, Stripe Checkout) | SAQ A | 22 | Simple |
| E-commerce with payment fields served from your own site | SAQ A-EP | 139 | Moderate |
| Standalone dial-out terminal over a phone line, or imprint machine (no IP connection) | SAQ B | 41 | Simple |
| Standalone PTS-approved terminal connected over IP | SAQ B-IP | 82 | Simple |
| Manual card entry into a web-based virtual terminal, one transaction at a time | SAQ C-VT | 80 | Moderate |
| Store card data electronically, or don’t fit any other SAQ | SAQ D | 329 | Complex |
The question counts change between PCI DSS versions (v3.2.1 was retired on 31 March 2024 in favour of v4.x), so treat them as rough sizes and take the current figures from the SAQ documents in the PCI SSC document library. Two less common types also exist: SAQ C, for a POS or payment application system connected to the internet with no electronic card data storage, and SAQ P2PE, for merchants using a PCI-listed point-to-point encryption solution.
Real-World Examples
SAQ A: You run a Shopify store, WooCommerce site using Stripe Checkout, or any setup where customers are redirected away from your website to enter card details.
SAQ B or B-IP: You have a restaurant with a Clover terminal, a retail store with a standalone countertop terminal, or any standalone, PTS-approved payment terminal that connects via phone line (B) or over IP (B-IP). A card reader driven by an app on a phone or tablet is not a standalone terminal, so ask your provider which SAQ applies to that setup.
SAQ C-VT: You take orders over the phone and enter card details into a web-based virtual terminal, or your staff keys in card numbers for phone/mail orders.
SAQ D: You store card numbers in your database, point-of-sale system, or even in spreadsheets, or your setup simply doesn’t meet the eligibility criteria of any other SAQ (a custom-built checkout that handles card data on your own servers, for example). (If this is you, please consider changing your setup — SAQ D is complex and expensive.)
Not sure which one applies? Use PCICompliance.com’s free SAQ Wizard — answer a few simple questions about your payment setup, and we’ll tell you exactly which questionnaire you need.
How to Complete Your SAQ
Once you know which SAQ applies, completing it is straightforward. Each questionnaire contains yes/no questions about your security practices. Here’s what to expect:
The Questions
SAQ questions cover security basics like:
- Do you have a firewall protecting your payment systems?
- Do you change default passwords on payment devices?
- Do you restrict access to cardholder data?
- Do you have antivirus software installed?
Important: Answer honestly. “Yes” means you actually do the thing the question asks about today, not that you plan to do it someday. If you answer “no” to any question, you’ll need to implement that control (or a compensating control your processor accepts) before you can attest. If a requirement genuinely doesn’t apply to your environment, mark it “not applicable” and write down why; the SAQ asks for that explanation.
Documentation You’ll Need
Depending on your SAQ type, you might need:
- Network diagram showing how card data flows between your systems and out to your processor (the SAQ types that cover your own network, such as B-IP, A-EP, C and D, ask for one; SAQ A and SAQ B do not)
- Asset inventory: a list of every system that stores, processes or transmits card data, plus the firewalls, routers and other systems connected to them, with an owner for each
- Security policies (can be simple documents)
- ASV scan results (quarterly, for the SAQ types that include external vulnerability scanning, such as A-EP, B-IP, C and D; your SAQ’s own requirement list tells you whether it applies)
For most Level 4 merchants, these documents can be simple. Your network diagram might be a one-page sketch. Your asset inventory might list three devices. The key is having something documented and keeping it current: an inventory that still lists last year’s terminal isn’t evidence of anything.
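Here is what a minimal version of that asset inventory can look like as something you can actually run, together with the checks an assessor effectively performs when reading it. This is an added example, not code from the original page or from PCICompliance.com; the column names, the simplified scoping rule, the sample records and the ASV target list are all constructed for illustration.

```python
"""Added example, not from the original page or from PCICompliance.com: a
minimal system asset inventory for a small merchant, kept as CSV, with the
three checks an assessor effectively performs when reading it:
  1. every record carries the fields the SAQ will ask about,
  2. every internet-facing in-scope system is in the ASV scan target list
     (an unscanned router or firewall is a classic gap),
  3. every record was reviewed within the last year.
The column names, scoping rule and sample records are constructed for
illustration; adapt them to what your SAQ actually asks."""
import csv
import io
import ipaddress
from datetime import date

REQUIRED_FIELDS = ("asset_id", "hostname", "ip", "function", "owner",
                   "handles_card_data", "internet_facing", "last_reviewed")

# Constructed sample inventory. handles_card_data = stores, processes or
# transmits card data; internet_facing = reachable from the internet.
SAMPLE_INVENTORY = """\
asset_id,hostname,ip,function,owner,handles_card_data,internet_facing,last_reviewed
A1,pos-terminal-1,10.0.5.10,Countertop payment terminal,Store manager,yes,no,2024-06-01
A2,office-pc-1,10.0.5.20,Virtual terminal workstation,Office admin,yes,no,2024-06-01
A3,shop-web,203.0.113.15,E-commerce site (redirects to processor),Web vendor,no,yes,2023-12-01
A4,store-router,203.0.113.1,Internet router and firewall,Store manager,no,yes,
"""

# Constructed: the public IPs your ASV is configured to scan each quarter.
ASV_SCAN_TARGETS = {"203.0.113.15"}


def load_inventory(text):
    """Parse CSV text into one dict per asset."""
    return list(csv.DictReader(io.StringIO(text)))


def record_problems(rec):
    """Problems with one record; an empty list means the record is complete."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS
                if not (rec.get(f) or "").strip()]
    try:
        ipaddress.ip_address(rec.get("ip") or "")
    except ValueError:
        problems.append("invalid ip")
    for flag in ("handles_card_data", "internet_facing"):
        if (rec.get(flag) or "").strip().lower() not in ("yes", "no"):
            problems.append(f"{flag} must be yes or no")
    return problems


def validate(records):
    """asset_id -> problems, for the records that have any."""
    out = {}
    for rec in records:
        problems = record_problems(rec)
        if problems:
            out[rec["asset_id"]] = problems
    return out


def in_scope(rec):
    """Simplified scoping rule (an assumption of this example): a system is
    in scope if it handles card data, or if it is internet-facing, because an
    internet-facing router or firewall forms the boundary of the card data
    environment even though it never sees a card number."""
    return (rec["handles_card_data"].strip().lower() == "yes"
            or rec["internet_facing"].strip().lower() == "yes")


def unscanned_internet_facing(records, scan_targets):
    """IPs of in-scope, internet-facing assets that the ASV is not scanning."""
    return {rec["ip"] for rec in records
            if in_scope(rec)
            and rec["internet_facing"].strip().lower() == "yes"
            and rec["ip"] not in scan_targets}


def stale_reviews(records, today_iso, max_age_days=365):
    """asset_ids whose last_reviewed is missing or older than max_age_days
    as of today_iso (an ISO date string such as "2025-01-10")."""
    today = date.fromisoformat(today_iso)
    stale = set()
    for rec in records:
        try:
            reviewed = date.fromisoformat(rec["last_reviewed"])
        except ValueError:
            stale.add(rec["asset_id"])      # missing or malformed date
            continue
        if (today - reviewed).days > max_age_days:
            stale.add(rec["asset_id"])
    return stale


if __name__ == "__main__":
    recs = load_inventory(SAMPLE_INVENTORY)
    print("incomplete records:", validate(recs))
    print("internet-facing but not scanned:",
          unscanned_internet_facing(recs, ASV_SCAN_TARGETS))
    print("reviews older than a year:",
          stale_reviews(recs, date.today().isoformat()))
```

On the sample data this reports the router (A4) twice: its review date is missing, and it is internet-facing but absent from the ASV target list. That second finding is the one that matters: the scan only covers what you tell the vendor to scan, so the inventory and the ASV target list should always be reconciled before you attest.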
The Quarterly ASV Scan
If your payment processing involves anything reachable from the internet (an e-commerce site or an IP-connected payment terminal, for example), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This isn’t as scary as it sounds:
- The ASV scans the public IP addresses and domains you give it for known vulnerabilities and misconfigurations
- You get a report showing any issues found and which of them fail the scan
- You fix the failing findings and rescan. The bar is lower than “critical”: under the PCI SSC’s ASV program, any finding with a CVSS base score of 4.0 or higher fails the scan, so medium-severity issues count too. Findings you believe are false positives can be disputed with the ASV rather than “fixed”
- Once you pass, you submit the passing scan report with your SAQ and AOC
Most small businesses pass their ASV scans without major issues. Common fixes include updating software, removing unnecessary services, or adjusting firewall rules. The scan only covers the targets you give the ASV, so make sure that list matches the internet-facing systems in your asset inventory.
Submitting Your Compliance
After completing your SAQ and passing your ASV scans (if required), you’ll:
1. Complete the Attestation of Compliance (AOC) — a summary document
2. Submit both to your payment processor
3. Store copies for your records
4. Set a reminder for next year
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your merchant level and SAQ type:
Typical Annual Costs for Small Merchants
Compliance Platform/Tools: $200-500/year
- SAQ wizard and questionnaire tools
- Compliance tracking dashboard
- Document storage and management
- Remediation guidance
ASV Scanning: $100-300/year
- Required quarterly for most merchants
- Usually bundled with compliance platforms
- Includes unlimited rescans
Professional Help (if needed): $500-2,000
- Only necessary for complex environments
- Most Level 4 merchants don’t need this
The Cost of Non-Compliance
Compare those costs to non-compliance:
- Monthly fees from processor: $20-100/month ($240-1,200/year)
- Initial fines: Starting at $5,000
- Breach liability: Average small merchant breach costs $50,000+
- Lost business: If your processor terminates your account
For most small merchants, annual PCI compliance costs less than three months of non-compliance fees — and far less than a single breach incident.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your processor expects you to:
- Complete your SAQ annually
- Run ASV scans quarterly (if required)
- Maintain the security controls you attested to
- Update your assessment if your payment environment changes
Key Compliance Triggers
You’ll need to reassess your compliance if you:
- Change payment processors or add new payment methods
- Start storing card data (please don’t)
- Significantly change your payment infrastructure
- Experience a security incident
Making It Easy
Set up a simple system:
1. Calendar reminders for quarterly scans and annual SAQ
2. Document folder for policies and evidence
3. Contact list for your payment processor’s compliance team
4. Dashboard access to track your compliance status
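Steps 1 and 4 can be a small script rather than a product. The following is an added example, not code from the original page or from PCICompliance.com’s dashboard: it takes an ASV scan history and the date of your last Attestation of Compliance and reports what is due, what is overdue, and whether any quarter went by without a passing scan. The 90-day and 365-day windows are assumptions made for the example (PCI DSS phrases the scan cadence as at least once every three months), and the scan history and AOC date are constructed.

```python
"""Added example, not from the original page or from PCICompliance.com: a
small compliance calendar that turns an ASV scan history and the date of the
last Attestation of Compliance into "what is due, and is anything overdue".
The windows are assumptions made for this example: a passing ASV scan at
least every 90 days and an SAQ/AOC every 365 days; confirm the exact
expectations with your processor and ASV."""
from datetime import date, timedelta

SCAN_INTERVAL = timedelta(days=90)
SAQ_INTERVAL = timedelta(days=365)

# Constructed scan history: (scan date, result). The April fail followed by
# a passing rescan eight days later is the normal pattern; the long jump from
# July to November is the kind of gap this script exists to catch.
SCAN_HISTORY = [
    (date(2024, 1, 25), "pass"),
    (date(2024, 4, 10), "fail"),
    (date(2024, 4, 18), "pass"),
    (date(2024, 7, 12), "pass"),
    (date(2024, 11, 2), "pass"),
]
LAST_AOC_DATE = date(2024, 2, 1)   # constructed


def passing_scans(history):
    """Dates of passing scans, sorted; a fail doesn't count until rescanned."""
    return sorted(d for d, result in history if result == "pass")


def scan_gaps(history, interval=SCAN_INTERVAL):
    """(earlier, later) pairs of consecutive passing scans further apart
    than `interval`, i.e. quarters with no passing scan."""
    passes = passing_scans(history)
    return [(a, b) for a, b in zip(passes, passes[1:]) if b - a > interval]


def next_scan_due(history, interval=SCAN_INTERVAL):
    """ISO date by which the next passing scan must be complete, or None
    if there has never been a passing scan."""
    passes = passing_scans(history)
    return (passes[-1] + interval).isoformat() if passes else None


def next_saq_due(last_aoc, interval=SAQ_INTERVAL):
    """ISO date of the next annual SAQ/AOC."""
    return (last_aoc + interval).isoformat()


def status(history, last_aoc, today_iso):
    """Summary as of today_iso (ISO date string) for a calendar or dashboard.
    Never having passed a scan counts as overdue."""
    today = date.fromisoformat(today_iso)
    scan_due = next_scan_due(history)
    saq_due = next_saq_due(last_aoc)
    return {
        "scan_due": scan_due,
        "scan_overdue": scan_due is None or today > date.fromisoformat(scan_due),
        "saq_due": saq_due,
        "saq_overdue": today > date.fromisoformat(saq_due),
        "gaps": [(a.isoformat(), b.isoformat()) for a, b in scan_gaps(history)],
    }


if __name__ == "__main__":
    for key, value in status(SCAN_HISTORY, LAST_AOC_DATE,
                             date.today().isoformat()).items():
        print(f"{key}: {value}")
```

Two design points worth noting. Failed scans are ignored when computing cadence, because only a passing scan satisfies the requirement; that is also why scanning early in the quarter matters, since a fail late in the window leaves no time to fix and rescan. And the due dates are derived from the last passing scan and the last AOC rather than from fixed calendar quarters, which is how a processor will usually read your history.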
PCICompliance.com’s compliance dashboard handles all of this automatically — tracking deadlines, storing documents, and alerting you when action is needed.
FAQ
Q: Do I really need to do this if I only process a few cards per month?
A: Yes, PCI DSS applies regardless of transaction volume. The good news is that low-volume merchants usually qualify for the simplest SAQ types, which take less than an hour to complete.
Q: What if I only use PayPal or Square — aren’t they handling security?
A: While payment facilitators like Square and PayPal handle most security controls, you’re still responsible for your part. This usually means completing SAQ A (the simplest one) and following basic security practices like using strong passwords.
Q: How often do I need to complete my SAQ?
A: Annually. Your payment processor will typically send reminders, but it’s your responsibility to track the deadline. Set a calendar reminder as soon as you submit this year’s assessment.
Q: What’s an ASV scan and do I need one?
A: An Approved Scanning Vendor (ASV) scan checks your internet-facing systems for vulnerabilities. You need quarterly ASV scans if your SAQ includes external vulnerability scanning, which is the case when internet-reachable systems are part of your payment process: e-commerce sites (SAQ A-EP) and IP-connected terminals (SAQ B-IP), for example, but not dial-out terminals on a phone line (SAQ B). Your SAQ’s requirement list is the final word.
Q: Can I just check “yes” to everything to pass?
A: Absolutely not. False attestation is fraud and can result in severe penalties. Answer honestly — if you can’t answer “yes” to a question, either implement that control or work with your processor to understand if it applies to your environment.
Q: What if I fail my ASV scan?
A: Don’t panic, failing initially is common. The scan report lists the specific findings and which ones fail the scan; under the PCI SSC ASV program anything with a CVSS base score of 4.0 or higher is a fail, so medium-severity findings count, not just critical ones. Fix them (usually software updates or configuration changes), dispute any genuine false positives with the ASV, then request a rescan. Most vendors include unlimited rescans.
Q: Do I need to hire a QSA?
A: Level 4 merchants (under 20,000 transactions annually) typically don’t need a QSA — you can self-assess. Only Level 1 merchants and some Level 2 merchants require formal QSA assessments. If you’re reading this guide, you probably don’t need one.
Q: What counts as “storing” card data?
A: Any retention of card numbers beyond the immediate transaction, in databases, files, emails, or even written notes. If you can retrieve a customer’s full card number after their transaction completes, you’re storing card data and subject to the strictest requirements. Separately, the security code (CVV/CVC), the PIN, and full magnetic-stripe or chip data may never be stored after authorization under any SAQ, even encrypted; a notepad of phone-order card numbers with security codes is the single worst thing an assessor can find.
Making PCI Compliance Simple
That compliance questionnaire from your payment processor might have seemed overwhelming when it first arrived. But now you understand what it is, why it matters, and most importantly — that you can handle this.
For most small businesses, PCI compliance means spending an afternoon answering questions about your payment setup, running quarterly scans if you process online, and maintaining basic security practices you should be doing anyway. It’s not about perfection; it’s about protecting your customers’ card data and your business from liability.
The key is getting started. Identify which SAQ applies to your business. Set aside a few hours to work through the questions. Get your ASV scans scheduled if needed. Document what you need to document. Submit your compliance package. Then put it on your calendar for next year.
PCICompliance.com makes this entire process manageable. Our free SAQ Wizard eliminates the guesswork of choosing the right questionnaire. Our ASV scanning service handles your quarterly vulnerability scans with automated scheduling and clear remediation guidance. Our compliance dashboard tracks everything in one place — deadlines, documents, scan results, and attestations. Whether you’re completing your first SAQ or maintaining ongoing compliance, we provide the tools and support to keep your business secure and your payment processor happy. Start with our free SAQ Wizard to identify your requirements, or contact our compliance team for personalized guidance.