Booksy PCI Compliance
You just opened an email from your payment processor with the subject line “Action Required: PCI Compliance Questionnaire” and your heart sank. What is PCI compliance? Why are they asking for this? How much is it going to cost? Take a deep breath — for most small businesses using modern payment solutions like Booksy, PCI compliance is simpler than you think. This guide will walk you through exactly what you need to know and do, without the jargon or complexity.
What Is PCI Compliance (In Plain English)
PCI compliance means following security standards designed to protect credit card information. If you accept credit cards in any form — whether through a terminal, online, or over the phone — these standards apply to you. The good news? The requirements scale to your business size and how you handle payments.
PCI DSS (Payment Card Industry Data Security Standard) was created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through an organization called the PCI Security Standards Council. Think of it as a universal security checklist that ensures everyone handling credit cards maintains minimum protections.
Your payment processor or acquiring bank enforces these standards. They’re the ones who sent you that compliance questionnaire, and they’re required by the card brands to verify that their merchants maintain compliance. It’s not optional — it’s part of your merchant agreement.
What happens if you ignore it? Non-compliance can result in monthly fines from your processor (typically $20-100 per month for small merchants), but that’s just the beginning. If card data gets compromised and you weren’t compliant, you could face breach liability costs, forensic investigation fees, and potentially lose your ability to accept credit cards entirely. One data breach can cost a small business tens of thousands of dollars — far more than maintaining compliance.
Here’s the relief: most small businesses qualify for the simplest compliance requirements. If you’re using modern payment tools that keep card data away from your systems, you’re already doing most of the heavy lifting.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards, yes. It doesn’t matter if you process one transaction or thousands, whether you’re a sole proprietor or have multiple locations. The moment you accept a credit card payment, PCI DSS applies to your business.
Your merchant level determines how you demonstrate compliance. Most small businesses fall into Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants typically complete a self-assessment questionnaire (SAQ) rather than undergoing a formal audit.
Your payment processor expects you to:
- Complete the appropriate SAQ annually
- Pass quarterly vulnerability scans if you have any internet-facing systems
- Submit an Attestation of Compliance (AOC) confirming you meet the requirements
- Fix any security issues identified during the process
That compliance questionnaire they sent? It’s their way of collecting this documentation. They need it to prove to the card brands that their merchants are maintaining security standards. Miss the deadline, and you’ll likely see compliance fees on your next statement.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept and process payments. Here’s a plain-language guide to determining which one applies to you:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Card numbers go directly to processor (Stripe, PayPal, Square online) | SAQ A | 22 | Simple |
| E-commerce with some card data touching your server | SAQ A-EP | 139 | Moderate |
| Standalone terminals only (Square Reader, Clover) | SAQ B | 41 | Simple |
| Terminals connected to your network | SAQ B-IP | 93 | Moderate |
| Taking cards over phone/mail, no storage | SAQ C-VT | 85 | Moderate |
| Any other scenario | SAQ C | 160 | Complex |
| Storing card numbers (please don’t) | SAQ D | 329 | Very Complex |
Most common scenarios:
If you use Square, Clover, or similar standalone terminals that connect directly to the processor via cellular or phone line, you’re likely SAQ B. These devices handle all the card processing without your computer systems ever seeing the data.
If you have an e-commerce website using hosted checkout (where customers are redirected to Stripe, PayPal, or similar), you qualify for SAQ A — the simplest questionnaire with just 22 yes/no questions.
If you take payments over the phone but immediately enter them into a virtual terminal without writing them down or storing them, you’re looking at SAQ C-VT.
Not sure which applies? Use PCICompliance.com’s free SAQ Wizard — answer a few questions about your payment setup, and we’ll identify exactly which SAQ you need.
How to Complete Your SAQ
The SAQ is a series of yes/no questions about your security practices. Each “yes” means you have that security control in place. Here’s what to expect:
Time investment: SAQ A takes most merchants 30-60 minutes. SAQ B might take 1-2 hours. The more complex ones (C, D) can take several hours or days, especially if you need to implement missing controls.
The questions ask about things like:
- Do you have a firewall? (Your router probably counts)
- Do you change default passwords? (You should)
- Do you restrict access to card data? (If you can’t see it, that’s a yes)
- Do you have antivirus software? (Windows Defender counts)
Documentation you’ll need:
- Network diagram (can be hand-drawn for simple setups)
- List of who has access to payment systems
- Any written security policies (templates are available)
- Results from your quarterly vulnerability scans
About those scans: If you have any internet-facing systems (website, email server, etc.), you need quarterly ASV (Approved Scanning Vendor) scans. These automated scans check for vulnerabilities hackers might exploit. They typically cost $150-300 per year for small businesses and take about 15 minutes to set up.
Once you complete the questionnaire, you’ll generate an Attestation of Compliance (AOC) — a formal declaration that you meet the requirements. Submit both the SAQ and AOC to your payment processor by their deadline.
What It Costs
Let’s talk real numbers for small businesses:
Compliance tools and platforms: Free to $500/year for Level 4 merchants. Basic SAQ tools are often free, while comprehensive platforms with scanning and support run $30-50/month.
ASV scanning: $150-300/year for quarterly scans. Some compliance platforms include this in their package.
Professional help: Most small merchants don’t need a QSA. If you do need expert guidance, expect $150-300/hour for consultation.
The cost of NON-compliance:
- Monthly non-compliance fees: $20-100
- Breach-related fines: $5,000-50,000
- Forensic investigation: $10,000+
- Lost business and reputation damage: Incalculable
Put it in perspective: Annual compliance for a small merchant costs less than a single month’s non-compliance fee from your processor. It’s not an expense — it’s insurance.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your processor will ask for updated documentation every year, and you need quarterly scans if applicable. Here’s how to stay on track:
Set calendar reminders for:
- Annual SAQ due date (usually on your anniversary date with the processor)
- Quarterly ASV scan windows
- Security update checks
- Password changes
Know what triggers a reassessment:
- Changing payment processors or methods
- Adding new locations or sales channels
- Implementing new software that touches payments
- Significant changes to your network
Track your compliance status throughout the year. Document any security improvements you make. When next year’s questionnaire arrives, you’ll be ready instead of scrambling.
PCICompliance.com’s compliance dashboard automates this tracking, sending reminders before deadlines and maintaining your documentation in one place. No more searching through emails for last year’s AOC.
FAQ
I’m just a small business – do these requirements really apply to me?
Yes, but don’t panic. If you accept credit cards, PCI DSS applies regardless of your business size. The good news is that requirements scale to your transaction volume and payment methods. Most small businesses complete a simple SAQ in under an hour annually.
What’s the difference between PCI compliance and EMV compliance?
PCI compliance covers overall card data security, while EMV refers to chip card acceptance. You need both. EMV helps prevent counterfeit fraud at the point of sale, while PCI protects cardholder data throughout your business.
Can I just ignore this questionnaire from my processor?
Technically yes, but it’s expensive and risky. Processors typically charge $20-100 monthly for non-compliance. More importantly, if card data gets compromised, you’ll face significant liability without compliance documentation.
Do I need to hire someone to help me?
Most small merchants using modern payment tools can complete compliance requirements themselves. If you’re SAQ A or B, you likely don’t need professional help. For more complex scenarios or if you’re unsure, a few hours of expert guidance can save headaches.
I use Square/PayPal/Stripe – aren’t they PCI compliant for me?
They’re compliant for their part, but you still have responsibilities. Even with these providers, you need to complete an SAQ confirming you’re not undermining their security. It’s usually the simple SAQ A, but it’s still required.
What if I fail a vulnerability scan?
Don’t panic. The scan report shows exactly what needs fixing, usually common issues like outdated software. Fix the items marked as failures and rescan — you can scan as many times as needed within your quarterly window.
How do I know if I’m storing card data?
Check anywhere you might save customer information: computers, paper files, spreadsheets, email. If you see full card numbers anywhere, you’re storing card data. The easiest fix? Stop storing it and qualify for a simpler SAQ.
Is PCI compliance the same as being “secure”?
PCI compliance is a security baseline, not comprehensive protection. Think of it as locking your doors — necessary but not sufficient. Good security includes PCI compliance plus regular updates, staff training, and common sense.
Making PCI Compliance Manageable
PCI compliance sounds intimidating, but for most small businesses, it’s straightforward. If you’re using modern payment tools that keep card data out of your hands, you’re already doing the hard part. The rest is just documenting what you’re doing and fixing any gaps.
Start by identifying your SAQ type — that determines everything else. Complete the questionnaire honestly, fix any “no” answers that need to become “yes,” and submit your documentation on time. Set up reminders for next year, and you’re done until then.
Remember, the cost and effort of compliance are minimal compared to the devastating impact of a data breach. This isn’t bureaucracy for its own sake — these standards exist because card fraud is real and damages real businesses every day.
PCICompliance.com simplifies this entire process. Our free SAQ Wizard identifies exactly which questionnaire you need in minutes. Our ASV scanning service handles your quarterly vulnerability scans automatically. Our compliance dashboard tracks your progress, stores your documentation, and reminds you of upcoming deadlines. Everything you need for PCI compliance in one place, designed for business owners who have better things to do than become security experts. Start with our free SAQ Wizard and see how simple compliance can be, or reach out to our compliance team for guidance tailored to your specific situation.
