The Bottom Line Up Front
Here’s what you need to know: Connecticut PCI compliance isn’t special or different from PCI compliance anywhere else — and for most small businesses, it’s much simpler than it sounds. If you accept credit cards in your Connecticut business (whether in Hartford, New Haven, or anywhere else in the state), you need to complete an annual self-assessment questionnaire and possibly run quarterly security scans. The good news? Most small merchants can complete the simplest questionnaires in under an hour.
Your payment processor sent you that compliance questionnaire because the credit card brands require it — not because they’re trying to make your life difficult. They need confirmation that you’re handling credit card data safely, and once you understand what they’re asking for, you’ll likely find you’re already doing most of it.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major credit card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist that ensures everyone who touches credit card data handles it safely.
The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquiring bank or payment processor — the company that handles your credit card transactions — enforces the requirements. That’s who sent you the compliance questionnaire.
Here’s what happens if you don’t comply:
- Your processor can fine you (typically $5,000 to $100,000 per month)
- If there’s a data breach, you’re liable for the costs
- You could lose the ability to accept credit cards entirely
- You might face higher processing fees
But here’s the crucial point: most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as Target or Amazon. The PCI standards recognize that a small shop with a payment terminal faces different risks than a major e-commerce site.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:
- Swiping, inserting, or tapping cards at a terminal
- Taking payments through your website
- Accepting payments over the phone
- Processing mail order payments
- Using mobile card readers
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (fewer than 20,000 e-commerce transactions a year, or up to 1 million total transactions a year). Level 4 merchants complete a self-assessment questionnaire — you don’t need an outside auditor.
Here’s what your payment processor expects:
- Complete the appropriate SAQ (Self-Assessment Questionnaire) annually
- Run quarterly vulnerability scans if you have any internet-facing systems
- Submit your AOC (Attestation of Compliance) — a form saying you completed the assessment
- Fix any security issues the scans identify
That compliance questionnaire they sent? It’s your annual reminder to complete these requirements. They’re not picking on you — every merchant gets the same request.
Which SAQ Do You Need?
The hardest part of PCI compliance is often figuring out which questionnaire applies to your business. Here’s a plain-language guide:
| How You Accept Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Payment page hosted entirely by another company (PayPal, Square Online) | SAQ A | 22 | Easiest |
| E-commerce site that redirects to payment processor | SAQ A-EP | 191 | Moderate |
| Standalone terminal with dial-up or Ethernet | SAQ B | 41 | Easy |
| Standalone terminal with IP connection | SAQ B-IP | 82 | Easy-Moderate |
| Virtual terminal (type card numbers into a web page) | SAQ C-VT | 80 | Moderate |
| Taking payments over the phone or mail | SAQ C | 160 | Moderate |
| Point-of-sale system or storing card data | SAQ D | 329 | Complex |
Common scenarios for Connecticut businesses:
- Restaurant with a Clover terminal: Likely SAQ B-IP
- Retail shop with Square Reader: Likely SAQ B or B-IP
- Service business taking phone payments: SAQ C-VT if you key card numbers into a virtual terminal, SAQ C if you use a regular terminal
- E-commerce with Shopify Payments: SAQ A
- Doctor’s office storing card numbers: SAQ D (and you should stop storing them)
Not sure which one fits? Use PCICompliance.com’s SAQ Wizard — answer a few simple questions about how you accept payments, and we’ll tell you exactly which SAQ applies.
How to Complete Your SAQ
Once you know which SAQ you need, completing it is straightforward. The questionnaire contains yes/no questions about your security practices. Here’s what to expect:
What “yes” means in practice:
- “Do you restrict physical access to cardholder data?” → Yes = your payment terminal is in a secure location, not sitting unattended in a public area
- “Do you use unique passwords?” → Yes = you’re not using “password123” for everything
- “Do you install security patches?” → Yes = you run Windows Update or let your devices auto-update
Documentation you’ll need:
- List of who has access to your payment systems
- Your network setup (for anything beyond the simplest SAQs)
- Copies of your security policies (templates are fine for small businesses)
- Results from your quarterly scans
The quarterly ASV scan is required if you have any systems connected to the internet. An Approved Scanning Vendor runs automated security checks on your network from the outside, looking for vulnerabilities hackers might exploit. It’s not invasive — think of it as someone checking if your doors and windows are locked. Schedule it quarterly, fix any critical issues it finds, and keep the passing scan reports.
After completing the questionnaire and getting passing scans, you’ll sign the Attestation of Compliance — a one-page form confirming you completed the assessment — and submit everything to your payment processor.
What It Costs
Let’s talk real numbers for PCI compliance:
Compliance platforms and tools:
- Basic SAQ tools: Free to $30/month
- Full compliance platforms: $50-200/month
- Enterprise solutions: $500+/month
Quarterly ASV scanning:
- Basic scanning: $30-50 per scan
- Managed scanning with support: $50-100 per scan
- Bundle deals (annual): $200-400 for all four scans
If you need a QSA (only for Level 1 merchants or service providers):
- Annual assessment: $15,000-50,000+
- But remember: most small businesses never need this
The cost of NON-compliance:
- Monthly fines from processor: $5,000-100,000
- Breach liability: $50-90 per compromised card
- Forensic investigation: $20,000-100,000
- Lost ability to process cards: priceless
For most Level 4 merchants, annual compliance costs less than $1,000 — often less than $500. Compare that to a single month’s non-compliance fine, and it’s clearly worth doing right.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your processor will send that questionnaire every year, and you need quarterly scans if required. Here’s how to stay on track:
Set up your compliance calendar:
- Annual SAQ due date (usually your anniversary date with the processor)
- Quarterly scan windows (every 90 days)
- Annual security training refresher
- Policy review dates
What triggers a reassessment:
- Changing how you accept payments (adding e-commerce, for example)
- Switching payment processors or systems
- Starting to store cardholder data (please don’t)
- Major network changes
Making it manageable: Use a compliance platform like PCICompliance.com that sends automatic reminders, tracks your scan history, and stores your documentation. Trying to track everything in spreadsheets or calendar reminders gets messy fast.
FAQ
My payment processor is threatening to fine me. How much time do I have?
Most processors send warning letters 30-60 days before fines begin. If you’ve received a warning, you typically have 30 days to show progress toward compliance. Start immediately — even submitting a partially completed SAQ shows good faith.
I only process a few transactions per month. Do I really need to do this?
Yes. PCI compliance applies to any business that accepts credit cards, regardless of volume. The good news is that your low volume means simpler requirements — likely just an SAQ A or B.
Can I just say “yes” to everything on the questionnaire?
Absolutely not. False attestation is considered fraud and can result in immediate termination of your merchant account. Answer honestly — if you must answer “no” to something, create a plan to fix it.
What’s the difference between PCI compliance and being PCI certified?
Merchants achieve PCI compliance by completing their assessment. Only service providers and certain solution providers become “certified” through more rigorous validation. As a merchant, you’re seeking compliance, not certification.
I use Square/PayPal/Stripe. Am I automatically compliant?
Not automatically, but these providers make it much easier. You still need to complete an annual SAQ (usually the simple SAQ A), but the payment provider handles most of the security heavy lifting.
Do I need to hire a QSA?
Level 4 merchants (most small businesses) complete self-assessments — no QSA required. Only Level 1 merchants and service providers typically need a QSA to perform an outside assessment.
What happens if I fail a vulnerability scan?
You have 30 days to fix any failing vulnerabilities and rescan. Most failures are for outdated software or unnecessary services — usually fixable with updates or configuration changes.
Is PCI compliance required by law?
PCI DSS isn’t a law but a contractual requirement. However, many states have laws requiring notification of breaches and reasonable security measures. PCI compliance helps you meet these legal obligations.
Moving Forward with Confidence
Connecticut PCI compliance might have seemed overwhelming when that questionnaire arrived, but now you understand what’s actually required. For most small businesses, it’s a matter of confirming the security practices you already follow and running some basic scans.
The key is starting now rather than waiting for fines or deadlines. Use PCICompliance.com’s free SAQ Wizard to identify exactly which questionnaire you need — it takes just minutes and removes the guesswork. Our platform then walks you through each question in plain English, handles your quarterly ASV scans automatically, and keeps all your compliance documentation in one secure place. Whether you’re a single-location retailer in Stamford or a growing business with multiple Connecticut locations, we make PCI compliance manageable with clear guidance, automated reminders, and real human support when you need it. Don’t let that compliance questionnaire sit on your desk any longer — start with our free SAQ Wizard today and see how simple compliance can be.