Bottom Line Up Front
If you process payments through Dharma Merchant Services and just got a PCI compliance questionnaire in your inbox, take a breath — you’re not in trouble, and for most small businesses, Dharma PCI compliance is far simpler than the intimidating acronym suggests. The questionnaire is a routine annual step that almost every business accepting credit cards has to complete.
Here’s the short version: you’ll fill out a Self-Assessment Questionnaire (SAQ) — a checklist about how you handle card data — and possibly run a quarterly vulnerability scan if you accept payments online. Most small merchants qualify for one of the simplest SAQ types, which means a manageable list of yes/no questions, not a months-long audit. Let’s walk through exactly what it means and what you actually need to do.
What Is PCI Compliance (In Plain English)
PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security rules designed to protect credit card data anywhere it’s stored, processed, or transmitted. If you accept Visa, Mastercard, American Express, or Discover in any form, these rules apply to you.
The standard was created by the major card brands working together through the PCI Security Standards Council (PCI SSC). The Council writes and maintains the rules, but it doesn’t enforce them directly on you. That job falls to your acquirer (your acquiring bank) and your payment processor — in your case, Dharma Merchant Services. That’s why the compliance questionnaire came from them, not from some government agency.
So what happens if you ignore it? A few things, none of them pleasant:
- Non-compliance fees from your processor, often billed monthly until you validate compliance.
- Liability if there’s a breach. If card data is stolen from a non-compliant business, you can be held responsible for the fallout — investigations, fines, and card reissuance costs.
- Loss of card acceptance. In serious cases, a processor can stop letting you accept cards entirely.
Now the good news: the vast majority of small businesses qualify for the simplest SAQ types, especially if you’ve outsourced most of your card handling to compliant tools and terminals (which most of you have). PCI sounds scary, but for a typical small merchant it’s a focused checklist, not an open-ended ordeal.
Do You Need to Be PCI Compliant?
The simple answer: yes. If you accept credit cards in any form — in person, online, or over the phone — PCI compliance applies to you. There’s no minimum size that exempts you.
How “big” of a compliance obligation you have depends on your merchant level, which is assigned based on your annual card transaction volume. There are four merchant levels (1 through 4), and most small businesses fall into Level 4 — the lowest-volume, lowest-burden tier. Your exact level is determined by the card brands and confirmed by your acquirer, so if you’re unsure, ask Dharma directly which level they’ve assigned you.
For Level 4 merchants, your processor typically expects two things each year:
1. A completed SAQ appropriate to how you accept payments.
2. A signed Attestation of Compliance (AOC), a short declaration that you have met every requirement of that SAQ.
The questionnaire Dharma sent you is the starting point for both. It’s an annual validation step, not a sign that anything is wrong. Think of it like renewing a business license: routine, expected, and far easier once you understand the form.
Which SAQ Do You Need?
This is the most important question, because picking the right SAQ determines how many questions you’ll answer and how much work is involved. The SAQ you need depends entirely on how you accept payments.
Here’s the plain-language decision tree:
- Use a standalone payment terminal (a Dharma countertop terminal, Clover, or a similar device that is not wired into your other business systems)? You are likely SAQ B (dial-out terminal) or SAQ B-IP (internet-connected terminal). B-IP assumes the terminal is a PCI PTS-approved device and that card data never passes through your own computers or network beyond that device.
- Use a terminal that is part of a validated point-to-point encryption (P2PE) solution listed on the PCI SSC website? You may qualify for SAQ P2PE, which is shorter still. Ask your processor whether your terminal is part of a listed P2PE solution; a terminal that "encrypts" is not automatically one.
- Have an e-commerce site where checkout is fully hosted by your provider, either by redirecting the customer to the provider's payment page or by embedding the provider's page in an iframe, with every element of the payment form coming directly from that provider? You are likely SAQ A.
- Have an e-commerce site where the card fields live in your own page (a form that direct-posts to the gateway, or a JavaScript-based checkout where your page renders the card inputs)? You are likely SAQ A-EP, a bigger questionnaire. The difference is about security, not just paperwork: if the card inputs are in your page, any script that runs on your page, including a compromised analytics tag or third-party widget, can read them (web skimming). That is why PCI DSS v4.0 added requirements for managing and tamper-detecting the scripts on payment pages (Requirements 6.4.3 and 11.6.1), and why even an SAQ A merchant using an embedded iframe has to confirm that the page around it is protected against such scripts.
- Take card payments over the phone by typing card numbers into a virtual terminal (a secure web form from your provider, used from a computer that is isolated from your other systems)? You are likely SAQ C-VT.
- Store actual card numbers electronically anywhere, in a spreadsheet, a CRM, an email folder, or a ticketing system? You need SAQ D, the most demanding type. (Paper receipts and reports are permitted under some SAQs, but they must be locked away and destroyed once they are no longer needed. Please stop storing full card numbers; more on that below.)
| Payment Scenario | Likely SAQ | Complexity |
|---|---|---|
| Standalone dial-out terminal, no electronic storage | SAQ B | Low |
| IP-connected standalone (PTS-approved) terminal | SAQ B-IP | Low–Medium |
| Terminal that is part of a PCI SSC-listed P2PE solution | SAQ P2PE | Low |
| Fully hosted online checkout (redirect or provider-hosted iframe) | SAQ A | Low |
| Online checkout where the card fields are in your own page (direct-post or JavaScript) | SAQ A-EP | Medium–High |
| Virtual terminal (phone/mail orders typed in) | SAQ C-VT | Medium |
| Payment application systems connected to the internet, no electronic storage | SAQ C | Medium |
| You store cardholder data electronically, or nothing above fits | SAQ D | High |
If your eyes glazed over reading that, you’re not alone — and you don’t have to figure it out by hand. PCICompliance.com’s free SAQ Wizard asks you a few simple questions about how you take payments and tells you exactly which SAQ applies to your Dharma PCI compliance obligation. It’s the fastest way to avoid filling out the wrong (and often longer) questionnaire.
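The SAQ A versus SAQ A-EP question comes down to one thing you can check on your own checkout page: do the card-entry fields live in your page, or in a frame served entirely by your provider? The script below is an added example (not code from this article, from Dharma Merchant Services, or from PCICompliance.com) that inspects page HTML for exactly that, and also lists the scripts the page loads, which is the inventory PCI DSS v4.0 Requirement 6.4.3 asks for. The page snippets and the hosts in them (shop.example, checkout.payments.example, gateway.payments.example, cdn.analytics.example) are constructed placeholders. Treat the output as a heuristic for your own data-flow write-up; the SAQ eligibility criteria and your processor have the final word.

```python
"""Tell a hosted checkout (SAQ A territory) from one whose card fields live in
your own page (SAQ A-EP or SAQ D territory) by inspecting the checkout HTML.

Added example, not code from the article, Dharma Merchant Services or
PCICompliance.com. Page snippets and host names below are constructed.
"""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Attribute tokens that mark an <input> as collecting card data. Matched as whole
# tokens, not substrings, so name="company" does not trip on "pan".
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cardnumber", "card-number",
               "card_number", "pan", "cvv", "cvc"}

HOSTED, DIRECT_POST, SELF_POST, NONE = "hosted", "direct-post", "self-post", "none"
NO_FORM = "(no form)"
VERDICT_TEXT = {
    HOSTED: "provider-hosted iframe, no card fields in your page (SAQ A candidate)",
    DIRECT_POST: "card fields in your page, sent straight to the gateway (SAQ A-EP candidate)",
    SELF_POST: "card fields posted to your own server: the PAN enters your systems (SAQ D)",
    NONE: "no card capture found on this page",
}


def host_of(url: Optional[str]) -> Optional[str]:
    """Host of an absolute URL; None for a relative URL (same origin as the page)."""
    return urlparse(url).hostname if url else None


class CheckoutScanner(HTMLParser):
    def __init__(self, merchant_host: str):
        super().__init__()
        self.merchant_host = merchant_host
        self.card_inputs = []    # (field name, host the enclosing form posts to)
        self.iframe_hosts = []
        self.scripts = []        # "inline" or the host a script is loaded from
        self._in_form = False
        self._form_host = None

    def _third_party(self, host: Optional[str]) -> bool:
        return host is not None and host != self.merchant_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._in_form, self._form_host = True, host_of(a.get("action"))
        elif tag == "input":
            blob = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).lower()
            if CARD_TOKENS & set(re.findall(r"[a-z0-9_-]+", blob)):
                field = a.get("name") or a.get("id") or "?"
                self.card_inputs.append((field, self._form_host if self._in_form else NO_FORM))
        elif tag == "iframe":
            self.iframe_hosts.append(host_of(a.get("src")))
        elif tag == "script":
            self.scripts.append(host_of(a["src"]) if a.get("src") else "inline")

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form, self._form_host = False, None

    def verdict(self) -> str:
        if self.card_inputs:
            # A card field inside a form that posts to your own origin means the
            # PAN reaches your server. A form posting straight to the gateway, or
            # card fields with no form (JavaScript ships them), keeps the PAN off
            # your server but still inside your page, which is the A-EP case.
            posts_to_self = any(h != NO_FORM and not self._third_party(h)
                                for _, h in self.card_inputs)
            return SELF_POST if posts_to_self else DIRECT_POST
        if any(self._third_party(h) for h in self.iframe_hosts):
            return HOSTED
        return NONE


def classify(html: str, merchant_host: str) -> dict:
    s = CheckoutScanner(merchant_host)
    s.feed(html)
    s.close()
    v = s.verdict()
    return {"verdict": v, "explanation": VERDICT_TEXT[v],
            "card_fields": [f for f, _ in s.card_inputs],
            "iframes": [h for h in s.iframe_hosts if h], "scripts": s.scripts}


# Constructed pages for the three scenarios from the decision tree.
HOSTED_PAGE = """<html><body>
<script src="https://checkout.payments.example/v1/embed.js"></script>
<form action="/confirm"><input name="email" id="email"><input name="company"></form>
<iframe src="https://checkout.payments.example/frame?session=abc123"></iframe>
</body></html>"""

DIRECT_POST_PAGE = """<html><body>
<script>window.dataLayer = [];</script>
<script src="https://cdn.analytics.example/tag.js"></script>
<form action="https://gateway.payments.example/charge" method="post">
<input name="cardnumber" autocomplete="cc-number">
<input name="cvv" autocomplete="cc-csc">
<input name="exp" autocomplete="cc-exp">
</form></body></html>"""

SELF_POST_PAGE = DIRECT_POST_PAGE.replace("https://gateway.payments.example/charge", "/pay")

if __name__ == "__main__":
    for name, page in [("hosted", HOSTED_PAGE), ("direct-post", DIRECT_POST_PAGE), ("self-post", SELF_POST_PAGE)]:
        r = classify(page, "shop.example")
        print(f"{name}: {r['explanation']}; scripts: {r['scripts']}")
```

Run it against a saved copy of your real checkout page with your own host name as the second argument. A "direct-post" or "self-post" result with an analytics tag in the script list is the situation the A-EP requirements exist for: that tag runs in the same page as the card fields.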
How to Complete Your SAQ
Once you know your SAQ type, the form itself is a series of questions grouped under the standard's requirements. For each one you state whether the control is in place, in place with a compensating control, not in place, or not applicable (every "not applicable" needs a one-line justification). A "not in place" answer means you fix it (remediation) before you attest, or document a compensating control that achieves the same protection. The goal is to be honestly able to answer "in place" to every applicable question, because the AOC you sign is a statement of fact, not a goal.
For a simple SAQ A or SAQ B, this might take an hour or two once your documentation is in order. Longer questionnaires like A-EP or D take more time and usually involve your IT staff or a security partner.
Here’s the documentation you’ll typically want to gather first:
- A short description of how card data flows through your business.
- A list of the devices, vendors, and tools you use to accept payments.
- Confirmation that your payment vendors are themselves PCI compliant: request their AOC, or check the card brands' published lists of validated service providers.
- Your information security policy and a record that staff have been trained.
- Evidence of basics like unique logins, strong passwords, and multi-factor authentication (MFA) where required.
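Two items on that list, the card-data-flow description and the "no full card numbers stored" answer, are easiest to back up if you actually look: export the spreadsheets, CRM notes, ticket queues and mailboxes that touch orders, and search them for card numbers. The scanner below is an added example (not code from this article, from Dharma Merchant Services, or from PCICompliance.com) that does that search with a Luhn check to weed out order and tracking numbers, and reports only masked numbers so its own output does not become stored cardholder data. The sample text is constructed; the card numbers in it are the publicly documented per-brand test numbers, not real accounts. It assumes you accept only the four brands the article names.

```python
"""Discover stored card numbers (PANs) in text exports before you answer the SAQ.

Added example, not code from the original article, from Dharma Merchant Services
or from PCICompliance.com. The sample text below is constructed; its card numbers
are the publicly documented test numbers for each brand, not real accounts.
Assumption: you only accept the four brands the article names.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to other digits (so a 20-digit serial number is not half-matched).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Leading-digit ranges per brand (Mastercard's 2-series range is approximated).
BRAND_PREFIXES = [
    ("Visa", re.compile(r"^4")),
    ("Mastercard", re.compile(r"^(5[1-5]|2[2-7])")),
    ("American Express", re.compile(r"^3[47]")),
    ("Discover", re.compile(r"^(6011|65|64[4-9])")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every brand's PANs pass it; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    for name, pattern in BRAND_PREFIXES:
        if pattern.match(digits):
            return name
    return "unknown"


def mask(digits: str) -> str:
    """PCI DSS masking: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """One finding per Luhn-valid candidate. The full PAN is never returned, so the
    scanner's report is not itself stored cardholder data."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_ok(digits):
                findings.append({"line": line_no, "brand": brand_of(digits),
                                 "masked": mask(digits)})
    return findings


# Constructed sample: a CSV export plus free-text ticket notes. Line 5 holds a
# 16-digit order number that fails Luhn and a 20-digit tracking number; line 6
# holds an already-masked number. None of those should be reported.
SAMPLE = """\
customer,card,amount
Jane Doe,4111 1111 1111 1111,45.00
John Roe,5555-5555-5555-4444,12.50
Ticket #88211: customer read card 378282246310005 over the phone, charged OK
Order 4111111111111112 shipped, tracking 98765432109876543210
Receipt copy shows 4111 **** **** 1111 only
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['brand']} {f['masked']}")
```

Point it at real exports by reading the file into `scan_text`. Any hit means the honest SAQ answer is "we store PANs" until the data is deleted and the process that wrote it is fixed; a masked number like the one on the last sample line is fine to keep.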
The Quarterly ASV Scan
If your environment includes any internet-facing systems (most online and IP-connected setups do), you will also need a quarterly ASV scan. An ASV (Approved Scanning Vendor) is a company listed by the PCI SSC that runs an automated external vulnerability scan against every public-facing IP address and domain in your cardholder data environment and checks for known weaknesses. You need a passing scan every quarter, four per year. A failing scan is not a fine; you fix the finding and rescan until it passes, and the passing report goes with your SAQ.
Fully hosted setups (think SAQ A or SAQ B dial-out terminals) often don’t require an ASV scan because you don’t operate internet-facing card systems. When in doubt, your SAQ will tell you, or confirm with your processor. PCICompliance.com’s ASV scanning service handles this for you on a quarterly schedule.
Submitting Your SAQ and AOC
Once your SAQ is complete and any required scan has passed, you sign the AOC and submit both to Dharma (often through their compliance portal). That’s your annual validation done — until next year.
What It Costs
Let’s be honest about money, because that’s the question on everyone’s mind. The good news: for most small merchants, ongoing Dharma PCI compliance is an affordable annual expense.
| Item | When You Need It | Budget Guidance |
|---|---|---|
| Compliance platform / SAQ tools | Most merchants | Modest annual cost; some basic tools are free |
| Quarterly ASV scanning | Internet-facing systems | Small recurring fee per year |
| QSA (Qualified Security Assessor) | Level 1 or complex SAQ D | Significant — only for larger/complex merchants |
| Non-compliance fees | If you don’t validate | Recurring monthly charges from your processor |
| Breach liability | If data is stolen while non-compliant | Potentially severe |
A QSA is a credentialed assessor who performs a formal Report on Compliance (ROC). Most small merchants never need one — that’s typically reserved for Level 1 merchants or unusually complex environments. If you’re a Level 4 retailer, you’ll almost certainly self-assess.
The honest bottom line: for the typical small merchant, a full year of compliance — tools plus scanning — costs far less than a single non-compliance fine from your processor, and a tiny fraction of what a real breach would cost you. Compliance isn’t just a box to check; it’s cheap insurance.
Staying Compliant Year-Round
Here’s the part many merchants miss: PCI compliance is not one-and-done. You validate at least annually by completing a fresh SAQ and AOC, and if scans apply, you run them every quarter. Compliance is a point-in-time validation backed by continuous good habits — it can lapse if you let it.
A few practical tips:
- Set calendar reminders for your annual SAQ renewal and each quarterly scan.
- Reassess when things change. Switching payment vendors, launching an online store, adding phone orders, or installing new terminals can all change which SAQ applies — and may require a new assessment.
- Keep your documentation current so next year’s SAQ is a quick update, not a from-scratch scramble.
This is exactly where PCICompliance.com’s compliance dashboard earns its keep — it tracks your SAQ status, schedules your quarterly scans, and reminds you before deadlines so nothing slips through the cracks.
FAQ
I just got the questionnaire and I’m overwhelmed. Where do I start?
Start by identifying which SAQ applies to how you accept payments — that single step determines everything else. The free SAQ Wizard at PCICompliance.com walks you through a few questions and tells you exactly which one you need.
Do I really have to do this if I’m a tiny business?
Yes — there’s no size exemption. But small businesses almost always qualify for the simplest SAQ types, so the actual workload is usually modest, especially if you use compliant terminals or hosted checkout.
What happens if I just ignore it?
Your processor can charge recurring non-compliance fees, and you take on full liability if card data is ever breached. In serious cases, you can lose the ability to accept cards altogether.
Is using a Dharma terminal enough to be compliant?
Using a compliant terminal greatly reduces your scope, but it doesn’t complete your obligation by itself. You still need to fill out the appropriate SAQ and submit your AOC each year.
Should I store customer card numbers for repeat billing?
No, please don't. Storing card numbers pushes you into the most demanding SAQ (SAQ D) and dramatically raises your risk. Use your processor's tokenization or vaulting feature instead: the processor keeps the card and hands you a token you can charge later, and that token is useless to anyone who steals it from you. Keeping the last four digits, or a masked number showing at most the first six and last four, for receipts and lookups is fine; the full PAN is what you must never hold, and that includes email, ticket notes and voicemail transcripts.
What’s the difference between an SAQ and an ASV scan?
The SAQ is your self-assessment questionnaire about your security controls; the ASV scan is an automated external vulnerability check of your internet-facing systems. Some SAQ types require both, and some require only the SAQ.
How long does this take?
For a simple SAQ A or B, often just an hour or two once your documentation is gathered. More complex questionnaires like A-EP or D take longer and usually involve IT or a security partner.
Does completing my SAQ mean I’m permanently secure?
No — compliance is a point-in-time validation backed by ongoing practices, not a permanent guarantee. You re-validate annually, run any required scans quarterly, and reassess whenever your payment setup changes.
Conclusion
PCI compliance has a reputation for being impenetrable, but for the average small merchant on Dharma, it comes down to a clear, repeatable rhythm: identify your SAQ, answer the questions honestly, run any required scans, sign your AOC, and keep it up year over year. Once you’ve done it the first time, each renewal gets easier.
You don’t have to navigate it alone. PCICompliance.com gives you everything you need to achieve and maintain compliance in one place — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress all year so deadlines never sneak up on you. Trusted by thousands of merchants from single-location shops to multi-site enterprises, we pair the right tools with expert support at every step.
Start with the free SAQ Wizard, or talk to our compliance team — and turn that intimidating questionnaire into a checked box.