Calendly PCI Compliance
Bottom Line Up Front
If you’re a small business owner who just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed — take a deep breath. For most small businesses, Calendly PCI compliance is simpler than it sounds. You probably qualify for one of the easier self-assessment questionnaires (SAQs), and with the right guidance, you can complete your compliance requirements in an afternoon. Here’s what you actually need to know to protect your business and keep accepting card payments.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules that every business accepting credit cards must follow. These rules exist for one simple reason: to protect your customers’ credit card information from hackers and data thieves.
The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through an organization called the PCI Security Standards Council (PCI SSC). While the card brands created the rules, it’s your payment processor or acquiring bank that enforces them. That’s why you received that compliance questionnaire — your processor needs to verify you’re following the rules.
Here’s what happens if you ignore PCI compliance:
- Your payment processor can fine you (typically $5,000-$100,000 per month)
- If there’s a data breach, you’re liable for fraud losses and investigation costs
- Your processor can terminate your ability to accept credit cards
- You could face lawsuits from affected customers
The good news? Most small businesses qualify for the simplest compliance levels. You don’t need a team of security experts or expensive technology. You just need to answer some questions honestly and implement basic security practices you should be doing anyway.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you:
- Run a small online store
- Accept payments at a farmer’s market using Square
- Take card numbers over the phone
- Email invoices with payment links
- Use a virtual terminal for occasional transactions
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete a self-assessment questionnaire rather than hiring an external assessor.
When your payment processor sends that annual compliance questionnaire, they’re not trying to make your life difficult. They’re required by the card brands to verify every merchant in their portfolio maintains compliance. The questionnaire helps them (and you) identify which security requirements apply to your specific payment setup.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) you need depends entirely on how you accept payments. Think of SAQs as different checklists — simpler payment methods get shorter checklists.
Here’s your roadmap to finding the right SAQ:
| How You Accept Payments | SAQ Type | Complexity | Typical Questions |
|---|---|---|---|
| Redirect to payment page (PayPal, Stripe Checkout) | SAQ A | Easiest (22 questions) | 12-15 apply to most |
| Payment form on your site (Stripe Elements, Square Web SDK) | SAQ A-EP | Easy (139 questions) | 30-50 typically apply |
| Standalone terminal (Square Reader, Clover Mini) | SAQ B | Easy (41 questions) | Most apply |
| Terminal + phone payments | SAQ B-IP | Moderate (82 questions) | 60-70 apply |
| Virtual terminal only (web browser login) | SAQ C-VT | Moderate (80 questions) | Most apply |
| Store card numbers (please don’t) | SAQ D | Hard (300+ questions) | All apply |
Let’s decode these scenarios:
SAQ A: You never touch card data. Customers click “Pay Now” and land on PayPal, Stripe, or another processor’s page. Your website never sees the card number.
SAQ A-EP: Your website has a payment form, but it uses a hosted fields solution where the card number goes directly to your processor’s servers, not yours.
SAQ B or B-IP: You use physical terminals or card readers. B is for standalone devices only. B-IP adds requirements if you also process card-not-present transactions.
SAQ C-VT: You manually enter card numbers into a virtual terminal through your web browser, but you don’t store them.
SAQ D: The “everything” questionnaire for merchants who store card data or have complex payment environments. If this is you, consider eliminating storage to qualify for an easier SAQ.
Not sure which applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need — no guesswork required.
How to Complete Your SAQ
Your SAQ is essentially a security checklist presented as yes/no questions. Here’s what to expect:
What the questionnaire looks like: Each question addresses a specific security control. For example: “Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks?”
What ‘yes’ really means: When you answer “yes,” you’re stating that control is fully in place. For that transmission question, “yes” means your website uses HTTPS/TLS encryption for all payment pages.
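To make the SAQ A / A-EP / "you touch card data" distinction above and the transmission question concrete, here is an added example (not code from the page or from PCICompliance.com) of a small pre-check a merchant could run over the HTML of their own checkout page before answering the SAQ. It is a heuristic, not a substitute for the questionnaire or your processor's determination: it reports whether any form on the page collects card fields, whether those fields post to your own server or directly to a third-party host, whether a third-party hosted-fields iframe is present, and whether any form action or iframe is loaded over plain HTTP rather than TLS. The sample pages and hostnames (`shop.example.test`, `pay.example-processor.test`) are constructed for the example.

```python
"""Heuristic checkout-page scope pre-check (constructed example, stdlib only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tokens that typically indicate a card-data input, including the HTML
# autocomplete tokens cc-number / cc-exp / cc-csc (split on the hyphen -> "cc").
CARD_TOKENS = {"card", "cardnumber", "cardno", "pan", "cvv", "cvv2", "cvc",
               "cc", "ccnumber", "ccnum"}


class _FormCollector(HTMLParser):
    """Collects each <form> (action + its <input> names/autocomplete) and every <iframe src>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.iframes = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (a.get("name", "") + " " + a.get("autocomplete", "")).lower())
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_card_field(desc):
    """True if any word-like token of the field's name/autocomplete looks like card data."""
    return any(tok in CARD_TOKENS for tok in re.split(r"[^a-z0-9]+", desc))


def _same_site(url, site_host):
    """Relative URLs and URLs on the merchant's own host both resolve to the merchant's server."""
    host = urlparse(url).hostname
    return host is None or host == site_host


def check_checkout_page(html, site_host):
    """Return {'scope': 'redirect' | 'hosted_fields' | 'own_server', 'findings': [...]}.

    redirect      - no card fields and no third-party iframe (SAQ A style)
    hosted_fields - card fields post to a third-party host, or a third-party iframe is present
    own_server    - card fields post to your own server (outside SAQ A / A-EP)
    """
    parser = _FormCollector()
    parser.feed(html)
    scope = "redirect"
    findings = []
    for form in parser.forms:
        action = form["action"]
        if urlparse(action).scheme == "http":
            findings.append(f"form posts over plain HTTP (not TLS): {action}")
        if any(_is_card_field(f) for f in form["fields"]):
            if _same_site(action, site_host):
                scope = "own_server"
                findings.append(
                    f"card fields are posted to your own server: {action or '(same page)'}")
            elif scope != "own_server":
                scope = "hosted_fields"
    for src in parser.iframes:
        if urlparse(src).scheme == "http":
            findings.append(f"iframe loaded over plain HTTP (not TLS): {src}")
        if scope == "redirect" and not _same_site(src, site_host):
            scope = "hosted_fields"
    return {"scope": scope, "findings": findings}


# Constructed sample pages for the three situations described in the text.
REDIRECT_PAGE = """
<form method="post" action="https://pay.example-processor.test/checkout">
  <input type="hidden" name="amount" value="4900">
  <input type="hidden" name="company" value="Example Shop">
  <button type="submit">Pay Now</button>
</form>"""

HOSTED_PAGE = """
<form id="payment-form" method="post" action="/confirm">
  <iframe src="https://js.example-processor.test/hosted-fields" title="card"></iframe>
  <input type="hidden" name="payment_token" value="">
  <button type="submit">Pay</button>
</form>"""

OWN_SERVER_PAGE = """
<form method="post" action="http://shop.example.test/charge">
  <input name="card_number" autocomplete="cc-number">
  <input name="expiry" autocomplete="cc-exp">
  <input name="cvv" autocomplete="cc-csc">
  <button type="submit">Pay</button>
</form>"""

if __name__ == "__main__":
    for label, page in (("redirect", REDIRECT_PAGE), ("hosted", HOSTED_PAGE),
                        ("own-server", OWN_SERVER_PAGE)):
        print(label, check_checkout_page(page, "shop.example.test"))
```

A result of `own_server`, or any "plain HTTP" finding, means a truthful answer to the transmission question above would be "no" until the page is fixed; `redirect` or `hosted_fields` is a good sign but the SAQ type itself still has to be confirmed against your actual integration.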
Documentation you might need:
- Network diagram (even a simple sketch works for small merchants)
- List of people who have access to payment systems
- Written security policies (templates are usually acceptable)
- Evidence of quarterly vulnerability scans
- Inventory of payment-related systems
The quarterly ASV scan: If you have any internet-facing systems (like a website), you need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). The scan checks for security holes hackers could exploit. It’s automated, typically costs $50-150 per quarter, and usually takes 24-48 hours to complete. Schedule your first scan before starting your SAQ — you’ll need a passing scan to complete compliance.
Submitting your compliance:
1. Complete all applicable SAQ questions
2. Run and pass your ASV scan (if required)
3. Fill out the Attestation of Compliance (AOC) — a summary form
4. Submit everything to your payment processor
Most SAQs take 2-4 hours to complete once you have your documentation ready. The scanner setup adds another hour.
What It Costs
PCI compliance costs vary based on your SAQ type and payment volume, but here’s what to budget:
Compliance platform and tools:
- Self-service platforms: $100-500 annually
- Guided compliance with support: $300-1,500 annually
- Enterprise solutions with dedicated help: $2,000+ annually
Quarterly ASV scanning:
- Basic scanning: $200-600 annually (4 scans)
- Scanning with remediation help: $400-1,000 annually
- Unlimited scanning packages: $1,000+ annually
If you need a QSA (usually only for Level 1-2 merchants):
- Remote assessment: $15,000-30,000
- Onsite assessment: $25,000-75,000+
The cost of NON-compliance:
- Monthly fines from processor: $5,000-100,000
- Breach recovery costs: $50-250 per compromised card
- Forensic investigation: $20,000-100,000+
- Lost ability to process cards: priceless
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. Think of it as insurance that costs a fraction of what it protects.
Staying Compliant Year-Round
PCI compliance isn’t a “one and done” checkbox. Your processor will ask for updated documentation every year, and you need quarterly scans if you have any web presence.
Set these reminders now:
- Annual SAQ due date (same time each year)
- Quarterly ASV scan dates (every 90 days)
- Security update checks (monthly)
- Employee security training (annually)
- Password changes (every 90 days for payment systems)
What triggers a reassessment:
- Adding new payment channels (like starting e-commerce)
- Changing payment processors or gateways
- Significant network changes
- New locations or business expansion
- Data breach or security incident
PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and maintains your compliance history in one place. No more scrambling when your processor asks for last year’s AOC.
FAQ
What happens if I just ignore the compliance questionnaire?
Your payment processor will start with reminder notices, then move to monthly non-compliance fees (typically $20-100 for small merchants). Eventually, they can increase your processing rates, hold your funds, or terminate your merchant account entirely. It’s much easier to just complete the questionnaire.
Can I just say “yes” to everything on the SAQ?
Falsifying your SAQ is considered fraud and makes you fully liable for any breach losses. Answer honestly — if you answer “no” to requirements, you can often implement compensating controls or change your setup to achieve compliance. Your attestation is a legal document.
Do I really need those quarterly scans if I’m just a small business?
If you have any web presence where customers can make payments or submit information, yes. The scans find vulnerabilities before hackers do. Skip them and you’re not only non-compliant but genuinely at risk. The good news: most small business sites pass after fixing a few minor issues.
What if I fail my vulnerability scan?
Don’t panic — most merchants fail their first scan due to outdated software or minor configuration issues. You get a detailed report showing what to fix. Update your software, have your web host apply patches, then rescan. Most issues are resolved within a week.
How is PCI compliance different from GDPR or other privacy laws?
PCI DSS specifically protects payment card data, while GDPR and privacy laws cover personal information broadly. They overlap but aren’t the same. PCI focuses on technical security controls; privacy laws focus on consent and data rights. You might need to comply with both.
Can my payment processor help me with compliance?
Many processors offer basic compliance support, but they can’t complete your SAQ for you — that’s your responsibility as the merchant. They can tell you which SAQ type you need and recommend approved scanning vendors. Some processors partner with compliance platforms for discounted rates.
What if I only accept payments once in a while?
PCI compliance applies even if you process just one transaction per year. However, businesses with very low volume often qualify for the simplest SAQ types. Consider using fully hosted payment solutions (like PayPal or Stripe Checkout) to minimize your compliance scope.
Is PCI compliance the same as being “secure”?
PCI compliance is a minimum security standard — think of it as the foundation, not the ceiling. Compliance reduces risk significantly but doesn’t guarantee you won’t be breached. Smart merchants go beyond PCI requirements with additional security measures like cyber insurance and employee security training.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but now you understand what it actually requires. For most small businesses, it’s a matter of identifying your correct SAQ type, answering questions about your current setup, and running quarterly security scans. The entire process typically takes less time than preparing your business tax returns — and protects you from far greater financial risk.
Remember, PCI compliance isn’t just about checking boxes for your payment processor. It’s about protecting your customers’ payment information and your business from the devastating costs of a data breach. The requirements exist because these threats are real, but following them doesn’t require an IT department or security expertise.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never miss a deadline or scramble for documentation again. Start with the free SAQ Wizard to identify your requirements in under five minutes, or talk to our compliance team for personalized guidance. We’ve helped thousands of merchants just like you turn PCI compliance from a dreaded annual task into a simple part of running a secure business.