The Bottom Line: PCI Compliance Is Simpler Than You Think
If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses that accept deposits or other payments by card, PCI compliance is actually straightforward: often just answering a simple questionnaire and running a quarterly security scan. You don’t need to be a security expert, and you probably won’t need to make major changes to how you accept payments.
Here’s the reality: thousands of small businesses complete their PCI compliance every year without hiring consultants or restructuring their operations. This guide will show you exactly what you need to do, step by step.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules that anyone who accepts credit cards must follow. These rules exist for one simple reason: to protect your customers’ credit card information from hackers.
The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through something called the PCI Security Standards Council (PCI SSC). But here’s what matters to you: your payment processor or acquiring bank is the one who enforces these rules and sends you that compliance questionnaire.
Who Needs to Comply?
If you accept credit or debit cards in any form — whether through a physical terminal, online, over the phone, or even manually entering card numbers — you need to be PCI compliant. This includes businesses that:
- Run card payments through a Square or Clover terminal
- Have an online store that accepts credit cards
- Take payments over the phone
- Store customer card information for recurring billing
- Handle corporate deposits via credit card
What Happens If You Don’t Comply?
Your payment processor can (and will) impose fines for non-compliance, typically ranging from $50 to $500 per month. But the real risk comes if there’s a data breach. Without PCI compliance, you could be liable for:
- Fraud losses
- Card reissuance costs
- Forensic investigation fees
- Legal expenses
- Loss of your ability to accept credit cards
The good news? Most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as Amazon or Walmart.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards, yes.
Even if you only process a handful of transactions per month, PCI compliance applies to you. Your merchant level determines how rigorous your compliance requirements are:
- Level 4: Under 20,000 e-commerce transactions OR up to 1 million total transactions annually (most small businesses)
- Level 3: 20,000 to 1 million e-commerce transactions annually
- Level 2: 1 to 6 million total transactions annually
- Level 1: Over 6 million transactions annually
As a Level 4 merchant (which includes the vast majority of small businesses), you typically just need to complete a Self-Assessment Questionnaire (SAQ) and run quarterly security scans if you have an online presence.
Understanding That Compliance Letter
When your payment processor sends you a compliance questionnaire or notification, they’re essentially saying: “It’s time to prove you’re protecting customer card data.” This is usually an annual requirement, though some processors check quarterly.
The letter typically includes:
- Your merchant ID
- Your current compliance status (probably “non-compliant” if it’s your first time)
- A deadline for completion
- Instructions for accessing their compliance portal
- Potential fines if you don’t comply
Don’t panic. This is routine, and completing it is usually simpler than doing your taxes.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) is your primary compliance document. Think of it as a checklist where you answer “yes” or “no” to security questions. There are different versions based on how you accept payments:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A | 22 | Easiest |
| E-commerce with payment fields on your site | SAQ A-EP | 191 | Moderate |
| Physical terminal only (standalone) | SAQ B | 41 | Easy |
| Physical terminal connected to internet | SAQ B-IP | 82 | Easy-Moderate |
| Manual entry or phone orders | SAQ C-VT | 160 | Moderate |
| Store card data or complex setup | SAQ D | 329+ | Complex |
Common Scenarios
- You use Square, Clover, or similar terminals: You’re likely SAQ B (if the terminal is standalone) or SAQ B-IP (if it connects to the internet for processing).
- You have a Shopify/WooCommerce store: If customers are redirected to a hosted checkout page, you’re SAQ A. If payment fields appear on your site, you’re SAQ A-EP.
- You take orders by phone: You’ll need SAQ C-VT, which includes requirements for call recording systems and employee training.
- You save customer cards for recurring billing: This puts you in SAQ D territory — the most complex category. Consider using a tokenization service to reduce your scope.
Finding Your SAQ Type
The easiest way? Use PCICompliance.com’s SAQ Wizard. Answer a few simple questions about how you accept payments, and we’ll tell you exactly which questionnaire applies to your business. No guesswork required.
How to Complete Your SAQ
Once you know your SAQ type, the process is straightforward:
1. Access the Questionnaire
Your payment processor usually provides access through their compliance portal. Some use third-party platforms like Trustwave or SecurityMetrics. You’ll log in with the credentials they provided.
2. Answer the Questions
Each question asks about a specific security practice. For example:
- “Do you change default passwords on payment systems?”
- “Is your payment terminal in a secure location?”
- “Do you have a firewall protecting your network?”
“Yes” means you’re already doing it. The questionnaire isn’t asking you to implement new controls — it’s confirming what you already have in place.
3. Gather Documentation
For most SAQ A and SAQ B merchants, you won’t need extensive documentation. However, you should have:
- Your network diagram (even a simple sketch)
- List of who has access to payment systems
- Any security policies you’ve written
More complex SAQs might require:
- Firewall configuration screenshots
- Employee training records
- Incident response procedures
4. Complete Your ASV Scan
If you have any internet-facing systems (website, email server, etc.), you’ll need a quarterly Approved Scanning Vendor (ASV) scan. This automated scan checks for vulnerabilities hackers could exploit.
The scan typically takes 15-30 minutes to run and costs $50-150 per quarter. Your compliance platform usually includes this service.
5. Submit Your Attestation
Once you’ve answered all questions and passed your ASV scan (if required), you’ll generate an Attestation of Compliance (AOC). This is your official declaration that you meet PCI standards. Submit it through your processor’s portal, and you’re done — for this year.
What It Costs
Let’s talk real numbers for typical small business compliance:
Compliance Platform & Tools
- Basic SAQ completion tools: Free to $30/month
- Full compliance platforms with scanning: $50-200/month
- Enterprise solutions: $500+/month
Quarterly ASV Scanning
- Standalone scanning service: $50-150 per scan
- Usually included with compliance platforms
- Required quarterly (4x per year)
Professional Services (If Needed)
- QSA consultation: $150-500/hour
- Full QSA assessment (only for Level 1): $15,000-50,000
- Remediation assistance: $1,000-5,000
The Cost of Non-Compliance
- Monthly processor fines: $50-500
- Breach-related costs: $50,000-500,000+
- Loss of card acceptance: Priceless (and business-ending)
For most small merchants, annual compliance costs less than $1,000 — often under $500. Compare that to a single month’s non-compliance fine or the catastrophic cost of a breach.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your compliance status, including for deposits and other payments taken by card, resets annually, and certain requirements need quarterly attention.
Annual Requirements
- Complete your SAQ
- Submit your AOC
- Review and update security policies
- Train employees on card handling procedures
Quarterly Requirements
- Run ASV scans (if applicable)
- Review firewall and router rules
- Check for security updates
- Monitor for unauthorized changes
What Triggers Reassessment
Certain changes require you to reassess your compliance:
- Adding new payment channels
- Changing payment processors
- Storing card data when you didn’t before
- Major network or system changes
- Moving to a new location
Making It Easy
Set calendar reminders for:
- Quarterly ASV scans (every 3 months)
- Annual SAQ completion (2 months before due date)
- Security update checks (monthly)
- Employee training refreshers (annually)
PCICompliance.com’s compliance dashboard tracks all these dates automatically and sends reminders when action is needed.
FAQ
Do I need PCI compliance if I only accept a few credit card payments?
Yes. PCI compliance is required regardless of transaction volume. Even one credit card transaction per year means you need to comply. However, with low volume, you’ll be a Level 4 merchant with the simplest requirements.
My payment processor says they’re PCI compliant. Doesn’t that cover me?
No. Your processor’s compliance covers their systems, not yours. You’re responsible for securing your own environment where cards are accepted, even if it’s just a simple terminal or redirect to their payment page.
What’s the difference between an ASV scan and penetration testing?
An ASV scan is an automated vulnerability scan of your external-facing IP addresses, required quarterly for most merchants. Penetration testing is a manual security assessment required annually only for SAQ D merchants and service providers — most small businesses don’t need it.
Can I just say “yes” to all the questions to pass?
Absolutely not. False attestation is considered fraud and can result in severe penalties. Answer honestly — if you can’t answer “yes” to a requirement, implement the necessary control first or work with your QSA on compensating controls.
How long does the SAQ take to complete?
SAQ A typically takes 30-60 minutes. SAQ B takes 1-2 hours. More complex SAQs like C-VT or D can take several hours to several days, depending on your documentation readiness. The first time takes longest — subsequent years are faster.
What if I fail my ASV scan?
Don’t worry — failing initially is common. The scan report shows exactly what vulnerabilities were found. Fix the critical and high-risk issues (usually software updates), then rescan. You can scan as many times as needed until you pass.
Do I need to hire a QSA?
Most small merchants (Level 3 and 4) don’t need a QSA — you can self-assess using the SAQ. Only Level 1 merchants and some Level 2 require a QSA-validated Report on Compliance (ROC). If you’re unsure about your answers, consulting with a QSA for guidance can be helpful but isn’t required.
What happens if I ignore PCI compliance?
Your payment processor will likely start with warning notices, then impose monthly fines. Eventually, they can increase your processing rates, require a cash reserve, or terminate your merchant account entirely. If a breach occurs while non-compliant, you’re liable for all associated costs.
Conclusion
PCI compliance might seem daunting when you first receive that questionnaire, but for most small businesses, it’s a manageable process. Identify your SAQ type, answer the questions honestly, run your quarterly scans if needed, and submit your attestation. The whole process typically takes a few hours per year — a small investment to protect your business and customers.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to determine your requirements in minutes, or talk to our compliance team for personalized guidance. We’ve helped thousands of merchants navigate PCI compliance, and we’re here to make your journey just as smooth.