CDN Impact on PCI Compliance: What Your Small Business Needs to Know
Relax. If you just opened an email from your payment processor about PCI compliance and your first thought was “What on earth is this?”, you’re not alone. Here’s the truth: for most small businesses, PCI compliance is much simpler than it sounds. You don’t need a computer science degree or a security team. You just need to know which form to fill out and what questions they’re really asking. Let’s demystify CDN PCI compliance and get you back to running your business.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to anyone who accepts credit cards. Think of it as basic security hygiene for handling customer payment information — like washing your hands in the food service industry, but for credit card data.
The major card brands (Visa, Mastercard, American Express, Discover) created these standards through the PCI Security Standards Council (PCI SSC). They don’t enforce the rules directly — your acquirer (the bank or payment processor that handles your card transactions) does that. When your processor sends you compliance paperwork, they’re essentially saying: “The card brands require us to verify you’re following basic security practices.”
Here’s what happens if you ignore those compliance emails:
- Your acquirer can pass card-brand fines through to you (commonly cited as $5,000 to $100,000 per month, scaled to your size and to how long you stay non-compliant)
- If card data is stolen from your environment, your business can be held liable for the resulting fraud losses and card-reissuance costs
- Your processor can terminate your merchant account, which ends your ability to accept cards
- A breach also brings mandatory forensic investigation and remediation costs, which have bankrupted small businesses
The good news: Most small businesses qualify for the simplest compliance requirements. You’re probably looking at a questionnaire that takes 30-60 minutes once a year, not the complex assessment you might fear.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form — in person, online, over the phone, or even just occasionally — yes, you need to be PCI compliant.
Your merchant level determines how much validation you need. Levels are defined by each card brand (the Visa and Mastercard thresholds below are the ones most processors use) and count that brand's transactions, not your total across all brands:
- Level 4 (fewer than 20,000 e-commerce transactions/year, or up to 1 million transactions/year in total across all channels): Most small businesses fall here
- Level 3 (20,000 to 1 million e-commerce transactions/year): Growing online businesses
- Level 2 (1 to 6 million transactions/year, any channel): Larger operations
- Level 1 (over 6 million transactions/year, or any merchant the card brands designate after a breach): Enterprise merchants
The card brands leave Level 4 validation up to the acquirer, so your payment processor decides what it wants from you. Almost all of them expect:
1. An annual Self-Assessment Questionnaire (SAQ)
2. Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), if your SAQ type includes that requirement (it does whenever internet-connected systems are in scope; check the requirement list in your SAQ)
3. An Attestation of Compliance (AOC): the signed cover document stating that you completed the assessment and that your answers are accurate
That compliance questionnaire your processor sent? It’s their way of collecting these requirements. They need it for their own compliance — they can’t process cards for non-compliant merchants.
Which SAQ Do You Need?
The scariest part of PCI compliance is often figuring out which Self-Assessment Questionnaire applies to your business. There are different SAQs based on how you accept and process cards. Here’s the plain-English guide:
| How You Take Payments | SAQ Type | Complexity | Questions |
|---|---|---|---|
| Card-not-present only, with the whole payment page delivered by a PCI-compliant provider (full redirect or iframe, e.g. PayPal, Square checkout) | SAQ A | Simplest | ~20-30 questions |
| E-commerce where your server never receives card data but your page controls how it is sent (a form or JavaScript you serve posts card data to the processor) | SAQ A-EP | Moderate | ~140 questions |
| Validated point-to-point encryption (P2PE) terminal solution, no electronic card storage | SAQ P2PE | Simplest | ~30 questions |
| Standalone dial-out terminals or manual imprint machines, no IP connection | SAQ B | Simple | ~40 questions |
| Standalone PTS-approved terminals connected over IP, no electronic card storage | SAQ B-IP | Moderate | ~80 questions |
| Card data keyed one transaction at a time into a web-based virtual terminal on an isolated computer (phone or mail orders) | SAQ C-VT | Moderate | ~80 questions |
| Payment application or computer-based POS on an internet-connected system, no electronic card storage | SAQ C | Complex | ~140 questions |
| Store card data electronically, or anything not covered above (please don't) | SAQ D | Very Complex | ~330 questions |
Question counts are approximate and change between PCI DSS versions. The real test is the eligibility criteria printed at the front of each SAQ: you must meet every one of them to use that SAQ; otherwise you move to the next more complex one, and ultimately to SAQ D.
Quick scenarios to help you identify yours:
- Restaurant with a standalone Clover terminal connected over IP: Likely SAQ B-IP (if the device runs a full POS application alongside other software on a general-purpose computer, SAQ C)
- Shopify store using Shopify's hosted checkout: SAQ A (the payment page is delivered entirely by Shopify)
- WooCommerce with card fields embedded in your own checkout page: SAQ A if the fields are iframes served by the processor (Stripe states that Stripe Elements qualifies for SAQ A); SAQ A-EP if your page serves the form or JavaScript that sends card data to the processor
- Take orders by phone and key them one at a time into a web-based virtual terminal on a computer used only for that: SAQ C-VT
- Old POS system that stores full card numbers: SAQ D (and time for an upgrade)
Not sure? PCICompliance.com’s SAQ Wizard asks you 5-6 simple questions about your payment setup and tells you exactly which SAQ applies.
How to Complete Your SAQ
Once you know which SAQ you need, completing it is straightforward. The questionnaire contains yes/no questions about your security practices. Here’s what to expect:
What the questions look like:
- “Do you have a firewall?”
- “Do you change default passwords?”
- “Is your payment terminal in a secure location?”
When they ask if you do something, “yes” means:
- You actually do it (not just plan to)
- You can show evidence if asked
- It’s your normal business practice
Documentation you’ll need:
- List of all payment terminals and software
- Network diagram (even a simple sketch works for small merchants)
- Written policies (can be one-page documents for small businesses)
- Scan reports from your ASV if required
The quarterly ASV scan applies when your SAQ type requires it, which covers any setup with internet-facing systems in scope (a web store, a payment application on an internet-connected computer, IP-connected terminals). An Approved Scanning Vendor, a company certified by the PCI SSC, runs automated vulnerability scans from the outside against the public IP addresses and domain names you give it. Think of it as a safety inspection for your internet presence: it looks for known, exploitable weaknesses such as unpatched software and weak TLS configurations. A scan only passes when it finds no vulnerability rated CVSS 4.0 or higher, so a scan you ran but failed does not count. PCI DSS expects a passing scan at least every three months, so plan four clean scans spaced through the year rather than crammed into one month; a scan plus the ASV's report usually takes 1-2 business days.
Submitting your compliance:
1. Complete all SAQ questions
2. Turn every "no" into a "yes" by fixing the control; answer "not applicable" only where the SAQ allows it, and write down why
3. Sign the Attestation of Compliance (AOC)
4. Submit through your processor’s portal or PCICompliance.com
5. Save your confirmation — you’ll need it next year
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your size and complexity:
Compliance platforms and tools:
- SAQ completion tools: $100-300/year
- Compliance management platforms: $200-1,000/year
- PCICompliance.com bundles: Starting at $189/year
Quarterly ASV scanning:
- Individual scans: $50-150 each
- Annual packages: $200-400/year
- Often included with compliance platforms
If you need a QSA (Level 1 merchants must have an on-site assessment and a Report on Compliance, performed by a Qualified Security Assessor or a trained Internal Security Assessor; complex environments sometimes choose one voluntarily):
- Initial assessment: $15,000-50,000
- Annual reassessment: $10,000-30,000
The cost of NON-compliance:
- Monthly non-compliance fees: $20-300
- Initial fines: $5,000-25,000
- Breach-related fines: $50,000-500,000
- Forensic investigation: $20,000-100,000
- Lost ability to process cards: Devastating
Reality check: For most small merchants, a year of compliance tooling and scanning costs about the same as a few months of non-compliance fees from your processor, and far less than a single breach investigation.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your processor will ask for updated documentation every year, and you need quarterly scans if applicable. Here’s how to stay on track:
Annual requirements:
- Complete your SAQ (same type unless your payment methods changed)
- Update any policies or procedures
- Verify all “yes” answers are still accurate
- Submit fresh attestation
Quarterly requirements:
- ASV vulnerability scans (if required for your SAQ type)
- Review and remediate any findings
- Keep passing scan reports for your records
What triggers a reassessment:
- Adding new payment channels (like starting e-commerce)
- Changing payment processors or terminals
- Storing card data when you didn’t before
- Growing into a higher merchant level
Setting yourself up for success:
- Calendar reminders 30 days before deadlines
- Keep all compliance documents in one folder
- Document your payment environment with photos/diagrams
- Use PCICompliance.com’s compliance dashboard for automatic tracking and alerts
Frequently Asked Questions
What happens if I just ignore the compliance requirements?
Your payment processor will start with reminder emails, then monthly non-compliance fees ($20-300), and eventually larger fines. Worst case, they’ll terminate your merchant account, meaning you can’t accept cards at all. It’s much easier to spend an hour completing your SAQ.
Do I need PCI compliance if I only process a few cards per month?
Yes. PCI compliance applies to anyone who accepts even one credit card transaction. The good news is that with low volume, you’ll qualify for the simplest requirements.
What’s the difference between PCI compliance and EMV?
EMV (chip cards) makes it hard to counterfeit a card at a card-present terminal and shifts fraud liability away from merchants that use chip readers. It does nothing for the card data once it has been read, transmitted or stored. PCI DSS covers the whole environment: physical, network and procedural. A chip-reading terminal lowers your fraud exposure but does not reduce your PCI obligations, so you need both.
Can my payment processor just handle this for me?
Your processor handles their own compliance but can’t complete your requirements. Some processors offer managed compliance programs where they guide you through the process. You’re still responsible for answering the questions about your specific environment.
What if I fail my vulnerability scan?
First, don't panic. The ASV's report lists each failing finding, its CVSS score and how to fix it. Common causes are expired or self-signed TLS certificates, servers still offering TLS 1.0/1.1 or weak cipher suites, and unpatched web server or CMS software. Fix the issues and request a rescan; most problems are resolved within a few days. If a finding is a false positive (for example, a fix your hosting provider has back-ported without changing the version number), the ASV has a dispute process where you supply evidence.
Do I need to hire a security consultant?
Most small businesses don’t. If you’re SAQ A or B, you can handle it yourself. For more complex environments (SAQ C or D), consider getting help, but start with your payment processor’s resources or a compliance platform before hiring expensive consultants.
Is PCI compliance the same as being “secure”?
PCI compliance is a baseline — it ensures you’re following fundamental security practices. True security might require additional measures based on your specific risks, but compliance is an excellent starting point.
How do I know if I’m storing card data?
Look in your POS system, databases, spreadsheets, email, call recordings, order forms and paper files. If a full card number (PAN) is readable anywhere after a transaction has been authorized, you're storing cardholder data and SAQ D applies. The card's security code (CVV/CVC), PIN or magnetic-stripe data may never be stored after authorization under any circumstances, even encrypted. Modern payment systems show you only a truncated number (typically the first six and last four digits) or a token; if yours shows the full number, it's time for an upgrade.
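The check above is something you can automate over exported spreadsheets, log files and email archives. The script below is an added example written for this page, not PCICompliance.com's tooling: it looks for 13 to 19 digit sequences, keeps only those that pass the Luhn check digit every card brand uses (which filters out order numbers and phone numbers), flags lines that also carry a CVV or PIN label, and reports only masked values so the scan itself does not create another copy of cardholder data. The sample text at the bottom is constructed and uses the card brands' published test numbers.

```python
"""Scan text for stored primary account numbers (PANs).

Added example for this page (not PCICompliance.com's own tooling).
Findings are reported masked (first six, last four) so the scan output is
not itself a new store of cardholder data.
"""
import re
import sys

# 13-19 digits, optionally separated by single spaces or dashes between groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labels that usually sit next to sensitive authentication data, which may
# never be stored after authorization.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_hint(digits: str) -> str:
    """Rough issuer guess from well-known leading-digit ranges."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "Mastercard"
    if digits.startswith("6011") or digits.startswith("65"):
        return "Discover"
    return "unknown"


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the usual display truncation."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str):
    """Return findings as (line_no, masked_pan, brand, sad_label_nearby) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if len(set(digits)) == 1:  # 0000... placeholders pass Luhn; skip them
                continue
            if not luhn_valid(digits):
                continue
            findings.append(
                (line_no, mask(digits), brand_hint(digits), bool(SAD_RE.search(line)))
            )
    return findings


def scan_file(path: str):
    """Scan one text file (CSV export, log, mailbox dump) for PANs."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample using the card brands' published test numbers; the
# 16-digit order number fails Luhn and the phone number is too short.
SAMPLE = """\
Order 10442 paid by card 4111 1111 1111 1111 exp 12/27 cvv 123
Refund to 5555555555554444 processed
Corporate account 378282246310005
Order number 1234567890123456 is not a card
Phone 555-0100
"""

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for line_no, masked, brand, sad in results:
        flag = " (CVV/PIN label nearby: must never be stored)" if sad else ""
        print(f"line {line_no}: {masked} [{brand}]{flag}")
```

Run it with a file path to scan an export, or with no arguments to see it work on the sample. Two limitations to keep in mind: two card numbers separated only by a space can be swallowed as one 19-digit candidate and missed, and the script reads plain text only, so export spreadsheets and databases to CSV first.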
Moving Forward with Confidence
PCI compliance might have seemed overwhelming when you opened that first email from your processor, but now you know the truth: for most small businesses, it’s a manageable annual task that protects both you and your customers. You don’t need to become a security expert or hire expensive consultants. You just need to identify your SAQ type, answer some straightforward questions about your payment practices, and maintain basic security hygiene.
The key is starting now rather than waiting for those non-compliance fees to pile up. PCICompliance.com makes the entire process manageable with our free SAQ Wizard that identifies exactly which questionnaire applies to your business. Our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard keeps you on track throughout the year. Whether you need help determining your SAQ type or want ongoing compliance management, our platform and support team guide you through every step. Take five minutes to try our SAQ Wizard or speak with our compliance team — you’ll be surprised how straightforward achieving PCI compliance can be.