Boulevard PCI Compliance

Bottom Line Up Front

If you use Boulevard to run your salon, spa, or med-spa and you accept credit cards through it, you’re a card-accepting merchant — which means Boulevard PCI compliance is something your payment processor expects from you. Take a breath, because here’s the reassuring part: for the vast majority of small businesses running Boulevard, PCI compliance is far simpler than the official paperwork makes it sound.

In most cases, you’ll complete a short self-assessment questionnaire (an SAQ), possibly run a quarterly security scan, and attest that you’re handling card data responsibly. Because Boulevard handles the heavy lifting of payment processing for you, you’re likely eligible for one of the simplest SAQ types. This guide walks you through exactly what the questionnaire means, why you got it, and what to actually do about it.

What Is PCI Compliance (In Plain English)

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security rules designed to protect credit and debit card data — the card number, expiration date, and the sensitive codes on the card — from theft and fraud. If your business accepts card payments in any form, the standard applies to you.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a body called the PCI Security Standards Council (PCI SSC). The Council writes and maintains the rules, but it doesn’t police individual merchants directly. Enforcement happens through your acquirer (also called your acquiring bank or payment processor) — the company that deposits your card sales into your bank account. That’s why the compliance questionnaire showed up from them, not from a government agency.

So what happens if you ignore it? A few things, none of them fun:

  • Non-compliance fines passed down from your processor, often as monthly charges.
  • Liability if there’s a breach — if card data is stolen and you weren’t compliant, you can be held responsible for fraud losses, forensic investigation costs, and card-brand penalties.
  • Loss of your ability to accept cards in the worst cases, which for most businesses is existential.

The good news, and it’s genuinely good news: most small businesses qualify for the simplest SAQ types, and Boulevard’s payment setup is built to keep your scope small. PCI compliance is about reducing risk, not achieving some impossible state of perfect security — and the lightest-lift paths are designed for businesses exactly like yours.

Do You Need to Be PCI Compliant?

The simple answer: yes. If you accept credit cards — in person, online, over the phone, or all three — PCI compliance applies. There’s no minimum transaction count that exempts you.

Your merchant level

The card brands sort merchants into four levels (1 through 4) based on annual card transaction volume and risk. Your acquirer assigns your level, and the overwhelming majority of small businesses land at Level 4 — the lowest-volume, lowest-burden tier. Level 4 merchants almost always validate compliance with a self-assessment rather than a full external audit.

Don’t assume your level — confirm it with your acquirer. The exact transaction thresholds are set by each card brand and can change, so your processor is the authoritative source.

Why you got that questionnaire

The compliance questionnaire your processor sent you is their way of confirming that you, the merchant, are meeting your security obligations. They’re required to track this across their entire merchant portfolio. The questionnaire is the SAQ — a self-assessment that documents how you handle card data and what protections you have in place. Completing it (and any required scan) is how you demonstrate compliance and avoid those non-compliance fees.

Which SAQ Do You Need?

There are several SAQ types, and the right one depends entirely on how you accept and handle card data. The less your own systems ever touch raw card numbers, the simpler your SAQ. Here’s the plain-language decision tree.

Payment Scenario | Likely SAQ | Complexity
E-commerce / online booking with fully hosted checkout (card page hosted by your provider) | SAQ A | Lowest
Online checkout where your site partially controls the payment page (iframe/redirect with merchant involvement) | SAQ A-EP | Moderate
Standalone dial-out payment terminal, no electronic card storage | SAQ B | Low
Standalone IP-connected payment terminal (e.g. a countertop card reader) | SAQ B-IP | Low–Moderate
Card payments keyed into a virtual terminal (e.g. taking a card over the phone) | SAQ C-VT | Moderate
Internet-connected payment systems, no electronic storage | SAQ C | Moderate–High
You store card numbers electronically, or none of the above fits | SAQ D | Highest

For a typical Boulevard merchant, the picture usually looks like this:

  • If clients book and pay through Boulevard’s hosted online checkout, you’re likely SAQ A — the simplest path, because the card data flows through Boulevard’s systems, not yours.
  • If you take payments in person using Boulevard’s card readers, your scenario typically resembles SAQ B-IP.
  • If your staff occasionally key in a card number over the phone through a virtual terminal, that can pull you toward SAQ C-VT.

And one firm piece of advice: if you’re storing card numbers anywhere — in a spreadsheet, a client note, a filing cabinet of imprints — please stop. Storing the PAN (the full card number) electronically, and especially storing sensitive authentication data like the CVV after a transaction, dramatically expands your obligations and your risk. The current standard prohibits storing sensitive authentication data after authorization, full stop.

Not sure which one fits? Our free SAQ Wizard asks a few plain questions about how you take payments and tells you exactly which SAQ you need — no guesswork.

How to Complete Your SAQ

The SAQ looks intimidating at first — it’s a structured questionnaire mapped to the 12 requirements of PCI DSS — but the simpler SAQ types are short and approachable. For a low-complexity SAQ, many small merchants finish in an afternoon or two once they have their information together.

The questions are largely yes/no. Each “yes” means you actually do this thing — you’re not just checking a box. For example, confirming you use strong, unique passwords and multi-factor authentication (MFA) for accounts that touch the payment environment means those controls are genuinely in place.

Documentation you’ll want on hand

  • A basic description of how card payments flow through your business
  • Your list of payment devices or service providers (including Boulevard)
  • Evidence of access controls — who can log in, and that MFA is enabled
  • Your information security policy (even a short, plain one counts)
  • Confirmation that you aren’t storing prohibited card data

The quarterly ASV scan

If your environment has any internet-facing systems in scope, the standard requires a quarterly ASV scan — an external vulnerability scan run by an Approved Scanning Vendor (ASV). The scan checks your public-facing systems for known weaknesses; once it passes, you submit the passing report alongside your SAQ. Our ASV scanning service handles this for you on the required quarterly cadence so you never miss one.

Once your SAQ is complete and any required scan passes, you sign the AOC (Attestation of Compliance) — your formal statement that you’ve completed the assessment — and submit both to your acquirer.

What It Costs

Honest budgeting helps, so here are realistic ranges. Actual figures vary by provider and your environment, so treat these as planning guidance.

Item | Who Needs It | Typical Budget
Compliance platform / SAQ tool | Most small merchants | Low annual cost; some basic tools are free
Quarterly ASV scanning | Merchants with internet-facing systems in scope | Modest annual fee
QSA assessment (full ROC) | Generally Level 1, or complex environments | Significant — usually for larger merchants only

Most small Boulevard merchants will not need a QSA (Qualified Security Assessor) — that’s typically reserved for Level 1 merchants or complex environments validating via a full ROC (Report on Compliance). If you’re Level 4 with a simple setup, you’re self-assessing, and your costs stay low.

Now weigh that against the cost of non-compliance: monthly processor fines, and — far worse — breach liability. A single card-data breach can bring forensic investigation costs, card-brand assessments, and remediation expenses that dwarf years of routine compliance spend. For most small merchants, annual compliance costs a small fraction of what a single breach would.

Staying Compliant Year-Round

Here’s the part people miss: PCI compliance is not a one-time task. It’s validated at least annually, with quarterly ASV scans where required, and the controls are meant to be maintained continuously in between.

A few habits keep you on track:

  • Set reminders for your annual SAQ renewal and quarterly scans.
  • Revisit your assessment when something changes — a new payment method, a new online checkout, new staff with access, or a new third-party tool can all change your scope and which SAQ applies.
  • Keep documentation current so next year’s renewal is a quick refresh, not a scramble.

Our compliance dashboard tracks all of this year-round — your SAQ status, scan schedule, and renewal dates in one place — so nothing slips through the cracks.

FAQ

I just got the questionnaire and I’m overwhelmed. Where do I start?

Start by identifying how you accept payments, because that determines which SAQ you need. Run the free SAQ Wizard, and you’ll know your exact path within minutes — most small Boulevard merchants land on one of the simplest questionnaires.

Does Boulevard make me automatically PCI compliant?

No single platform makes you compliant — PCI compliance is shared between you and your providers. Boulevard handles the security of its own payment systems, which reduces your scope, but you’re still responsible for completing your SAQ, maintaining access controls, and not storing prohibited card data.

What’s my merchant level, and how do I find out?

Your acquirer assigns your level based on annual transaction volume, and most small businesses are Level 4. Don’t guess — ask your processor directly, since thresholds are card-brand-specific and can change.

Do I really need the quarterly scan?

You need a quarterly ASV scan only if your in-scope environment includes internet-facing systems, which depends on your SAQ type. The simplest SAQ A merchants often don’t, while others do — our team can confirm whether yours applies.

What happens if I just ignore it?

Your processor will typically charge monthly non-compliance fees, and you’ll carry full liability if a breach occurs. Ignoring it doesn’t make the obligation go away — it just makes it more expensive and riskier.

Can I store a client’s card number for future bookings?

You should not store full card numbers yourself. Instead, use tokenization through your payment provider, which replaces the card number with a meaningless token — this keeps recurring payments convenient while keeping the actual card data out of your systems and your scope.

How long is my compliance good for?

Compliance is point-in-time and validated at least annually, with quarterly scans in between where required. You’ll renew your SAQ each year and reassess sooner if your payment setup changes.

Do I need to hire a QSA?

Most small, low-volume merchants self-assess and don’t need a QSA at all. QSAs are generally for Level 1 merchants or complex environments completing a full ROC.

Conclusion

PCI compliance has a fearsome reputation, but for a small business running Boulevard, the reality is usually manageable: confirm your merchant level, complete the right SAQ, run a scan if you need one, and keep your controls in place year-round. The key is matching your effort to your actual risk — and because Boulevard keeps card data largely out of your hands, your Boulevard PCI compliance path is likely one of the lighter ones.

You don’t have to navigate it alone. PCICompliance.com gives you everything you need to achieve and maintain compliance in one place — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress all year. We serve thousands of merchants and service providers, from single-location shops to multi-site enterprises, with SAQ guidance, scanning, remediation help, and expert support throughout.

Start with the free SAQ Wizard, or talk to our compliance team — and turn that intimidating questionnaire into a checked box.
