Chargify PCI Compliance

The Truth About PCI Compliance for Small Businesses

You just received an email from your payment processor with “PCI Compliance” in the subject line. Maybe it mentions something about an SAQ or quarterly scans. Perhaps there’s a deadline and warnings about fines. Your first thought: “What is this, and why are they asking me for it now?”

Here’s the reassuring news: for most small businesses, Chargify PCI compliance is simpler than you think. If you’re using modern payment tools like Square terminals or Stripe for your website, you’re already doing most of what’s required. This guide will walk you through exactly what you need to know and do — in plain English, without the jargon that makes compliance sound scarier than it is.

What Is PCI Compliance (In Plain English)

PCI compliance means following a set of security rules designed to protect payment card data. The rules, called the Payment Card Industry Data Security Standard (PCI DSS), apply to every business that stores, processes, or transmits cardholder data — from coffee shops to online stores to medical offices.

The major card brands (Visa, Mastercard, American Express, Discover, and JCB) maintain these standards through an organization they founded called the PCI Security Standards Council. But here’s the important part: the Council does not enforce anything. Your acquiring bank (usually acting through your payment processor) is who actually enforces the rules and sends you those compliance questionnaires.

Think of it this way: the card brands made the rules, but your payment processor is the referee. They’re required to ensure all their merchants follow the standards, which is why you’re getting these emails.

What Happens If You Don’t Comply?

Non-compliance isn’t just about paperwork — it has real consequences:

  • Monthly fines from your payment processor (typically $20-$100 per month for small merchants)
  • Liability for fraud losses if card data gets compromised
  • Higher processing fees as non-compliant merchants are considered higher risk
  • Loss of card processing privileges in extreme cases (rare but possible)

The Good News

Most small businesses qualify for the simplest compliance requirements. If you’re using modern payment systems and following basic security practices, you’re probably already doing 80% of what’s required. The compliance process is mostly about documenting what you’re already doing.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:

  • Running cards through a terminal
  • Taking payments on your website
  • Processing phone orders
  • Storing card numbers for recurring billing
  • Even just passing card data through your systems

Understanding Merchant Levels

Your merchant level determines how complex your compliance validation is. Levels are defined by each card brand (the Visa and Mastercard definitions below are the ones most processors use), and they count transactions per brand, not in total. For most readers of this guide, you’re likely a Level 4 merchant. Here’s the breakdown:

Level 1: over 6 million transactions per year, or any merchant the brand designates after a breach. Annual on-site assessment by a QSA (or a trained internal assessor), plus quarterly ASV scans.
Level 2: 1 million to 6 million transactions per year. Annual self-assessment (Mastercard requires the SAQ to be signed off by a QSA or a trained internal assessor), plus quarterly ASV scans.
Level 3: 20,000 to 1 million e-commerce transactions per year. Annual self-assessment, plus quarterly ASV scans.
Level 4: fewer than 20,000 e-commerce transactions per year, and up to 1 million transactions overall. Annual self-assessment, plus quarterly ASV scans where your SAQ requires them.

Level 4 merchants have the simplest requirements: complete an annual self-assessment questionnaire (SAQ) and, depending on which SAQ applies, quarterly vulnerability scans by an Approved Scanning Vendor (ASV).

What Your Payment Processor Expects

That email you received? Your payment processor is required to collect proof of compliance from all their merchants. They typically want:

  • A completed SAQ (Self-Assessment Questionnaire)
  • An AOC (Attestation of Compliance) — basically your signature saying the SAQ is accurate
  • Passing quarterly ASV scan reports, if your SAQ includes the external vulnerability scan requirement (it is listed as requirement 11.2.2 in PCI DSS v3.2.1 and 11.3.2 in v4.x; SAQ A-EP, B-IP, C, and D include it)
  • Documentation of compliance stored in their portal

The questionnaire they sent is your starting point. It’s their way of saying “prove to us you’re protecting card data properly.”

Which SAQ Do You Need?

The most confusing part of PCI compliance is figuring out which SAQ applies to your business. There are different questionnaires based on how you handle card payments, and each one has eligibility criteria printed on its first pages; you must meet all of them to use that SAQ. Here’s a plain-English guide:

The SAQ Decision Tree

How you take payments / SAQ type / number of questions / complexity (question counts are from PCI DSS v3.2.1; the v4.x questionnaires renumbered the requirements and changed the counts, so check the version your processor asks for):

  • Fully outsourced: customers are redirected to, or a processor-hosted iframe is embedded from, the processor’s page (PayPal, Stripe Checkout) — SAQ A — 22 — Easiest
  • E-commerce where payment fields are served from your own site and posted straight to the processor — SAQ A-EP — 191 — Moderate
  • Imprint machines or standalone dial-out terminals, no electronic storage — SAQ B — 41 — Easy
  • Standalone PTS-approved terminals connected to the internet, no electronic storage — SAQ B-IP — 82 — Easy-Moderate
  • Manual entry (phone/mail orders) into a web-based virtual terminal on a dedicated, isolated computer — SAQ C-VT — 79 — Easy-Moderate
  • Payment application or POS system connected to the internet, no electronic storage — SAQ C — 160 — Moderate
  • Listed (PCI-validated) point-to-point encryption solution, no electronic storage — SAQ P2PE — 33 — Easy
  • Everything else, including storing card data electronically — SAQ D — 329 — Complex

Real-World Examples

SAQ A — You use Shopify with their hosted checkout, or your website has a “Pay with PayPal” button that redirects customers away from your site. You never see or touch card numbers.

SAQ B or B-IP — You run a retail store with a Square terminal or restaurant with Clover devices. The terminal handles everything, and you never store card numbers electronically.

SAQ C-VT — You take orders over the phone and type card numbers into a web-based virtual terminal provided by your processor, from a computer used only for that purpose and not connected to other systems in your business. You don’t store the numbers after processing.

SAQ C — Your point-of-sale or payment application is installed on your own systems and talks to your processor over the internet, but nothing stores card data electronically. This is a common fit for restaurants and retailers with a networked POS.

SAQ D — You store card numbers in your database or point-of-sale system. (If this is you, seriously consider stopping — it’s the hardest path to compliance.)

Not sure which one fits? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire to use.

How to Complete Your SAQ

Once you know which SAQ you need, the process is straightforward but requires attention to detail.

What the Questionnaire Looks Like

Your SAQ is a series of yes/no questions about your security practices. For example:

  • “Do you have a firewall protecting systems that process card payments?”
  • “Do you change default passwords on payment systems?”
  • “Do you have a process for managing user access?”

Here’s the key: answering “yes” means you actually do these things, not that you think they’re a good idea. You’ll need to be able to prove your answers if asked.

Documentation You’ll Need

Before starting your SAQ, gather:

  • Network diagram (even a simple one showing how payments flow)
  • Security policies (can be basic for small businesses)
  • Vendor agreements showing who handles your payments
  • ASV scan reports from your last four quarters (if required)
  • User access lists showing who can access payment systems

The Quarterly ASV Scan

If your SAQ includes the external vulnerability scan requirement (SAQ A-EP, B-IP, C, and D do), you’ll need quarterly scans of every internet-facing IP address and hostname in your cardholder data environment, performed by an Approved Scanning Vendor. If you use a fully hosted checkout and qualify for SAQ A, the processor scans its own systems, not yours. Don’t panic — this sounds more technical than it is:

1. Sign up with an ASV provider (like PCICompliance.com)
2. Enter your website URL or IP addresses
3. The scanner checks for security vulnerabilities
4. You fix any critical issues found
5. Get a passing scan report
6. Repeat every 90 days

Most small business websites pass on the first try. Common failures are outdated software versions reported in server banners, support for old TLS versions (1.0 and 1.1) or weak cipher suites, and self-signed or expired certificates — things your web developer or hosting provider can fix quickly.

Submitting Your Compliance

After completing your SAQ:
1. Review all answers for accuracy
2. Complete the Attestation of Compliance (AOC) — a formal declaration that your answers are correct
3. Upload to your payment processor’s compliance portal
4. Save copies for your records
5. Set calendar reminders for next year

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your size and complexity:

Typical Annual Costs for Small Merchants

Compliance Platform/Tools: $100-$500/year

  • SAQ completion wizard
  • Compliance tracking dashboard
  • Document storage
  • Remediation guidance

ASV Scanning: $200-$400/year

  • Four quarterly scans
  • Unlimited rescans to achieve passing
  • Scan reports for compliance

Professional Help (if needed): $1,000-$5,000

  • Only for complex situations
  • Most Level 4 merchants don’t need this

The Cost of NON-Compliance

Compare those costs to non-compliance penalties:

  • Monthly fines: $20-$100 (that’s $240-$1,200 per year)
  • Breach costs: Average $150 per compromised card
  • Lost business: Customers don’t trust businesses that lose their data
  • Higher processing rates: Non-compliant = higher risk = higher fees

For most small merchants, a year of compliance tooling and scanning ($300-$900 by the figures above) costs about the same as a year of non-compliance fees alone ($240-$1,200) — and the fees buy you nothing, while the breach liability and higher processing rates come on top of them. It’s genuinely cheaper to comply.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done activity — it’s an annual requirement with quarterly checkpoints.

Your Compliance Calendar

  • Annually: Complete and submit your SAQ
  • Quarterly: Run ASV scans (if required)
  • Ongoing: Maintain security practices you attested to
  • As needed: Update your compliance if your payment methods change

What Triggers a New Assessment

Major changes require reassessing your compliance:

  • Adding e-commerce to a retail-only business
  • Changing payment processors or methods
  • Starting to store card numbers
  • Significant network or system changes

Making It Manageable

The key to stress-free compliance is good tracking:

  • Set calendar reminders 30 days before deadlines
  • Keep all compliance documents in one place
  • Use a compliance dashboard to track progress
  • Address any security issues as they arise, not at renewal time

PCICompliance.com’s compliance dashboard shows everything in one place: when your next SAQ is due, your scan history, any outstanding items, and your current compliance status. No more scrambling when your processor sends reminder emails.

Frequently Asked Questions

I only process a few cards per month. Do I really need to comply?

Yes, even if you only process one transaction per year, you need to maintain PCI compliance. The good news is that low-volume merchants typically have the simplest requirements — often just the 22-question SAQ A if you use hosted payment pages.

What’s the difference between PCI compliance and being PCI certified?

Merchants validate PCI compliance by completing their annual requirements; the PCI Security Standards Council does not certify anyone. Service providers validate their own compliance and can be listed on the card brands’ registries, and products — payment terminals, P2PE solutions, payment software — can be “PCI validated” and listed by the Council. As a merchant, you’re compliant, not certified — don’t let vendors confuse you with this terminology.

My payment processor says they handle PCI compliance. Do I still need to do anything?

Your processor handles their own compliance, but you’re still responsible for your part. Even if they provide secure payment processing, you need to complete an SAQ confirming you’re not undermining that security on your end. Think of it as a shared responsibility.

How do I know if I’m storing card numbers?

Check these common places: spreadsheets, email and attachments, customer databases, accounting software, CRM and support-ticket systems, call recordings, and paper files. If you find full card numbers anywhere except inside your payment terminal or your processor’s system, you’re storing them (and storing the CVV or the full magnetic-stripe data after authorization is never allowed, even encrypted). The easiest path to compliance is to stop storing them entirely: use your processor’s tokens for recurring billing and keep at most the last four digits for your own records.
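A practical way to answer this question on exported spreadsheets, mail archives, or database dumps is to scan the text for number runs that look like card numbers and pass the Luhn check that every real PAN satisfies. The following script is an added example written for this guide, not a tool from PCICompliance.com or any processor. It assumes you can export the data as plain text; the sample rows are constructed for illustration and use the public test card numbers that processors publish (they are not real accounts). Note that the scanner only ever reports a masked number, because writing full PANs into a findings file would itself create card data storage.

```python
"""Scan exported text for stored card numbers (PANs) without writing them out in full."""
import re
from typing import List, NamedTuple

# 13 to 19 digits, optionally separated by single spaces or dashes (e.g. "4111 1111 1111 1111").
# The lookarounds stop the pattern from matching a slice of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class PanHit(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    masked: str    # only the last four digits are kept, as PCI DSS masking allows
    brand: str     # heuristic brand guess


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: every real PAN passes; random number runs fail ~90% of the time."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Simplified issuer-prefix heuristics (assumption: enough for triage, not a full BIN table)."""
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "visa"
    if len(digits) == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "mastercard"
    if len(digits) == 15 and two in (34, 37):
        return "amex"
    if len(digits) == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "discover"
    return "unknown"


def mask(digits: str) -> str:
    """Keep only the last four digits so the findings report does not itself store PANs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[PanHit]:
    """Return one PanHit per Luhn-valid candidate with a recognised brand prefix.

    Unknown-brand candidates are dropped to suppress order IDs and similar noise;
    loosen that filter if your data contains cards from other brands.
    """
    hits: List[PanHit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue
            brand = brand_of(digits)
            if brand == "unknown":
                continue
            hits.append(PanHit(line_no, mask(digits), brand))
    return hits


# Constructed sample export: phone numbers and a 16-digit order ID must not be reported;
# the three card numbers are published processor test numbers, not real accounts.
SAMPLE_EXPORT = """\
customer,phone,card_on_file,note
Alice,555-123-4567,4111 1111 1111 1111,renewal
Bob,555-987-6543,order 1234567890123456,no card
Carol,555-000-1111,378282246310005,amex on file
Dave,555-222-3333,5555-5555-5555-4444,recurring
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EXPORT):
        print(f"line {hit.line_no}: {hit.brand} {hit.masked}")
```

Run it against each export and treat any hit as card data you are storing; the line number tells you which record (and therefore which system) to clean up. Expect a few false positives from long numeric IDs that happen to pass Luhn, and expect to miss numbers split across fields, so use it as a first sweep rather than proof of absence.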

What if I fail my ASV scan?

Failing is normal on the first attempt — most failures are minor issues your IT person can fix in an hour. You get unlimited rescans with most ASV services. Common fixes include updating software, installing security patches, or adjusting firewall settings. You only need one passing scan per quarter.

Can I just ignore this and hope it goes away?

Ignoring PCI requirements won’t make them disappear. Your processor will escalate from reminder emails to fines to potentially terminating your merchant account. The time spent avoiding compliance is usually more than just completing it — and much more expensive.

What if I only accept cards occasionally at events or fundraisers?

Even occasional card acceptance requires PCI compliance. The good news: if you use a standalone reader from Square, PayPal, or a similar provider that sends card data straight to the processor, you likely qualify for SAQ B or SAQ B-IP — a few dozen yes/no questions that take about 30 minutes. Check with the reader’s provider, since some of them confirm the eligible SAQ for you and a few handle the validation on your behalf.

Do I need to hire a QSA to help me?

Most small merchants don’t need a QSA. If you’re a Level 4 merchant (under 20,000 transactions annually), you can self-assess using the appropriate SAQ. QSAs are typically only required for Level 1 merchants or when your acquirer specifically mandates it due to previous security incidents.

Taking the First Step

PCI compliance might seem overwhelming when you first encounter it, but remember: thousands of small businesses just like yours complete their requirements every year without drama. If you can run a business, you can handle PCI compliance.

The key is to start. Open that email from your payment processor. Use the SAQ decision tree above to identify which questionnaire you need. Set aside an hour to gather your documentation. Then work through the questions one by one.

PCICompliance.com makes the entire process manageable with our free SAQ Wizard that identifies exactly which questionnaire you need, ASV scanning services for your quarterly vulnerability scans, and a compliance dashboard that tracks everything in one place. Whether you need help figuring out where to start or managing ongoing compliance year after year, we provide the tools and guidance to keep you compliant and your payment processing uninterrupted. Start with our free SAQ Wizard to identify your requirements, or reach out to our compliance team for personalized guidance.
