Do Crypto Payments Need PCI?
Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a breath. For most small businesses, PCI compliance is simpler than you think — especially if you’re smart about how you accept payments. The questionnaire looks intimidating, but you’re probably looking at a few hours of work, not weeks. Here’s what you actually need to know about PCI compliance and whether crypto payments change the equation.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) exists to protect credit card data — and it applies to you if you accept Visa, Mastercard, American Express, or Discover payments in any form. The card brands created these security standards through the PCI Security Standards Council, and your payment processor or acquiring bank enforces them by requiring annual compliance validation.
Think of it as the minimum security requirements for handling credit card information. Your processor sends you that compliance questionnaire because the card brands require them to verify that every merchant protects cardholder data properly.
The consequences of non-compliance are real but manageable. Your payment processor can fine you (typically $5-100 per month for small merchants), you face liability if there’s a breach, and in extreme cases, you could lose the ability to accept card payments. But here’s the good news: most small businesses qualify for the simplest SAQ types, which means a straightforward questionnaire rather than a full security audit.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit or debit cards in any form — whether through a terminal, online, over the phone, or even on paper — yes, you need to be PCI compliant. This applies even if you only process one card payment per year.
Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Your merchant level determines how you validate compliance — Level 4 merchants typically complete a self-assessment questionnaire rather than hiring a QSA for a full audit.
When your payment processor sends you that compliance questionnaire, they’re fulfilling their obligation to the card brands. They expect you to complete the appropriate SAQ, possibly run quarterly vulnerability scans, and submit an Attestation of Compliance (AOC) annually. It’s not optional — it’s part of your merchant agreement.
Which SAQ Do You Need?
The Self-Assessment Questionnaire comes in several versions, each designed for different payment scenarios. Here’s how to determine which one applies to your business:
Payment Scenarios and SAQ Types
| How You Accept Payments | Your SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A | ~20 | Simple |
| E-commerce with payment fields on your site | SAQ A-EP | ~140 | Moderate |
| Standalone terminal only (no connected systems) | SAQ B | ~40 | Simple |
| Terminal connected to internet/network | SAQ B-IP | ~80 | Moderate |
| Phone/mail orders, no electronic storage | SAQ C-VT | ~80 | Moderate |
| Any electronic card data storage | SAQ D | ~330 | Complex |
If you use a modern payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B (if standalone) or SAQ B-IP (if connected to the internet).
If you have an e-commerce site with hosted checkout — where customers get redirected to PayPal, Stripe, or your payment processor’s page — you’re likely SAQ A, the simplest form with about 20 yes/no questions.
If you take payments over the phone and key them into a virtual terminal without storing card numbers, you’re likely SAQ C-VT.
If you store card numbers electronically in any form — even in QuickBooks or Excel — you’re stuck with SAQ D, the full questionnaire with over 300 requirements. (Seriously, stop storing card numbers. There are better ways.)
Not sure which applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.
How to Complete Your SAQ
Your SAQ consists of yes/no questions about your security practices. When you answer “yes,” you’re confirming that you’ve implemented that security control. Here’s what the process actually looks like:
The questionnaire format is straightforward. Each requirement asks whether you do something specific — like “Do you change default passwords on payment terminals?” or “Do you have a firewall protecting your payment systems?” Answer honestly; this isn’t a test where you’re trying to get 100%.
Documentation you’ll need includes your network diagram (even a simple one), security policies, and evidence of quarterly ASV scans if required. For SAQ A merchants, you might not need any documentation. For others, you’ll need basic security documentation that you should have anyway.
The quarterly ASV scan sounds technical but isn’t. An Approved Scanning Vendor runs automated scans of your public-facing systems looking for vulnerabilities. You provide your website URL or IP addresses, they scan, and you fix any critical issues they find. Most small businesses pass after addressing a few minor items.
Submitting your compliance package means completing your SAQ, passing your ASV scans if required, and signing the Attestation of Compliance. Your payment processor typically has an online portal where you upload these documents. Some processors work with compliance platforms (like PCICompliance.com) that streamline the entire process.
What It Costs
Let’s talk real numbers for PCI compliance costs:
Compliance platform fees typically range from $100-500 annually for small merchants. This includes access to the right SAQ, guidance through completion, and compliance tracking. Some payment processors include basic compliance tools; others partner with specialized platforms.
Quarterly ASV scanning costs $50-150 per quarter for most small businesses, or $200-600 annually. If you’re SAQ A (redirect only), you might not need scanning at all. Many compliance platforms bundle scanning with their annual fee.
QSA assessments only apply to larger merchants or those with complex environments. If you’re processing millions of transactions annually, budget $10,000-50,000 for a formal assessment. But most small businesses never need a QSA.
Compare these costs to non-compliance fines from your processor ($20-100 monthly is common), potential breach liability (average small business breach costs $120,000), and the catastrophic risk of losing card acceptance privileges. Annual compliance typically costs less than two months of non-compliance fines — and infinitely less than a breach.
Staying Compliant Year-Round
PCI compliance isn’t a checkbox you tick once and forget. Your processor requires annual revalidation, which means completing your SAQ and AOC every twelve months. If you need ASV scans, those run quarterly.
Set up reminders for your annual SAQ due date and quarterly scan windows. Your payment processor usually sends notifications, but don’t rely solely on their reminders. Mark your calendar for 30 days before each deadline.
Changes that trigger reassessment include adding new payment channels, changing processors, implementing new payment software, or significantly modifying your payment environment. Moving from a simple terminal to an integrated POS system? Your SAQ type might change from B to B-IP or even D.
Track your compliance status throughout the year. Document security changes, save ASV scan reports, and keep your network diagram updated. When next year’s assessment comes around, you’ll have everything ready. PCICompliance.com’s compliance dashboard automates this tracking, showing your current status, upcoming deadlines, and any action items in one place.
FAQ
Do crypto payments need PCI compliance?
If you only accept cryptocurrency and never touch credit cards, PCI DSS doesn’t apply to crypto transactions. However, most businesses accepting crypto also accept traditional card payments, which means you still need PCI compliance for the card processing side of your business.
What happens if I ignore the compliance questionnaire?
Your payment processor will likely start charging monthly non-compliance fees ($20-100 typically). Continued non-compliance can result in higher processing rates, larger fines, and eventually termination of your merchant account. Getting compliant is easier than finding a new processor.
Can I just answer ‘yes’ to everything on the SAQ?
The SAQ is a legal attestation — falsifying it constitutes fraud. Answer honestly and implement any missing controls or work with your QSA on compensating controls. Getting caught lying on your SAQ during a breach investigation leads to personal liability.
How long does the SAQ take to complete?
SAQ A takes most merchants 30-60 minutes. SAQ B or B-IP typically requires 2-4 hours including documentation gathering. SAQ D can take days or weeks depending on your environment’s complexity — which is why avoiding card data storage is so important.
Do I need to hire a QSA?
Level 4 merchants (most small businesses) can self-assess using the appropriate SAQ. Only Level 1 merchants and service providers typically need a QSA for a Report on Compliance (ROC). If your processor requires a QSA assessment, they’ll tell you explicitly.
What’s the difference between PCI compliance and PA-DSS?
PCI DSS applies to merchants and service providers handling card data. PA-DSS (now transitioning to PCI Software Security Framework) applies to software vendors creating payment applications. As a merchant, you need PCI DSS compliance; your software vendors should have PA-DSS or SSF validation.
Can I reduce my PCI scope?
Absolutely. Using P2PE solutions, tokenization, and hosted payment pages dramatically reduces scope. The less your systems touch real card data, the simpler your compliance. Moving from SAQ D to SAQ A saves thousands in compliance costs.
Do I need PCI compliance for one-time events?
Yes, even temporary card acceptance requires PCI compliance. However, using pre-validated solutions like Square or PayPal for events keeps you in simpler SAQ categories. Your annual compliance covers all card acceptance throughout the year.
Conclusion
PCI compliance sounds overwhelming when that first questionnaire arrives, but for most small businesses, it’s a manageable annual task that protects both your business and your customers. The key is understanding which SAQ applies to your payment setup and using tools that simplify the process. Whether you redirect all payments to PayPal (SAQ A), use a standalone Square terminal (SAQ B), or run a full e-commerce operation, there’s a compliance path designed for your situation.
Don’t let the technical jargon intimidate you — PCI compliance is really about basic security practices that you should implement anyway. Change default passwords, keep software updated, limit access to payment systems, and don’t store card numbers. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team to turn that confusing questionnaire into a completed compliance package.