Do Gift Cards Need PCI?
The short answer is yes — if your business accepts credit or debit cards in any way, you need to be PCI compliant. But before you panic, here’s the good news: for most small businesses, achieving PCI compliance is simpler than you think. That compliance questionnaire sitting in your inbox might look intimidating, but you’re probably looking at just a few hours of work, not weeks of complex security implementations.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security rules created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through their joint organization, the PCI Security Standards Council. Think of it as the basic security hygiene every business needs to follow when handling credit card information.
Who enforces these rules? Your payment processor or acquiring bank — the company that handles your card transactions. They’re required by the card brands to ensure all their merchants maintain compliance. That’s why they sent you that questionnaire.
The consequences of non-compliance are real but manageable. Your processor can impose monthly fines (typically $20-100 for small merchants), you could face liability if there’s a data breach, and in extreme cases, you might lose the ability to accept card payments. But here’s what they don’t tell you upfront: most small businesses can achieve compliance in an afternoon.
The entire system exists for one reason: to protect cardholder data (CHD) — the card numbers, expiration dates, and security codes your customers trust you with. Even if you never store this data, if it passes through your business in any way, you’re in scope for PCI compliance.
Do You Need to Be PCI Compliant?
If you accept credit cards, debit cards, or any payment cards bearing the logos of the major card brands, you need to be PCI compliant. It doesn’t matter if you process one transaction a year or thousands per day. The moment you accept plastic, you’re in the game.
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news — Level 4 merchants typically complete a simple self-assessment questionnaire (SAQ) rather than hiring expensive auditors.
Your payment processor expects three things from you:
1. Complete the appropriate SAQ annually
2. Pass quarterly vulnerability scans if you have any internet-facing systems
3. Submit your Attestation of Compliance (AOC) — basically your signature saying you’ve done the work
That compliance questionnaire they sent? It’s their way of collecting this documentation. They’re not trying to trip you up — they’re required by the card brands to verify every merchant maintains at least basic security standards.
Which SAQ Do You Need?
The PCI Security Standards Council publishes nine different SAQs, but most small merchants only need to worry about four. Here’s how to figure out which one applies to you:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Fully outsourced (PayPal, Square online) | SAQ A | 22 | Easiest |
| E-commerce with payment page redirect | SAQ A-EP | 191 | Moderate |
| Terminal only (Square Reader, Clover) | SAQ B | 41 | Easy |
| Terminal with IP connection | SAQ B-IP | 82 | Easy-Moderate |
| Manual card entry (phone/mail orders) | SAQ C-VT | 160 | Moderate |
| Storing card data (please reconsider) | SAQ D | 329 | Complex |
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely looking at SAQ B or B-IP. The difference? SAQ B is for standalone terminals that dial out over a phone line. SAQ B-IP is for terminals connected to your internet or internal network.
If you have an e-commerce site using hosted checkout (where customers get redirected to pay on Shopify, Stripe Checkout, or PayPal), you qualify for SAQ A — the shortest questionnaire with just 22 yes/no questions.
If you take payments over the phone and enter card numbers into a virtual terminal or web form, you need SAQ C-VT. This one’s longer because phone payments introduce more risk — there’s no chip or encryption protecting the card data as you type it in.
If you store card numbers in any form — even in a locked filing cabinet — you need the full SAQ D with 329 questions. Seriously consider whether you need to store cards. Most businesses don’t, and eliminating storage drops you to a much simpler SAQ type.
Not sure which one fits? PCICompliance.com’s free SAQ Wizard walks you through a few simple questions about your payment setup and tells you exactly which questionnaire you need. No guessing, no reading through pages of eligibility criteria.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your security practices. Don’t overthink it — “yes” means you’re doing what the question asks, “no” means you’re not. If you answer “no” to any question, you’ll need to either implement that control or explain why it doesn’t apply to your business.
Here’s what a typical question looks like:
“Are all individual user accesses to cardholder data reviewed and confirmed as appropriate?”
In plain English: Do you check who has access to credit card information and make sure they actually need it? For most small businesses using modern payment systems, the answer is often “Not Applicable” because you don’t store or have access to full card numbers.
Documentation you’ll need:
- A simple network diagram (even a hand-drawn sketch works for small merchants)
- Your acceptable use policy (can be one page saying “don’t share passwords”)
- Incident response plan (who to call if something goes wrong)
- Evidence of your quarterly vulnerability scans (if required)
The quarterly ASV scan sounds scarier than it is. An Approved Scanning Vendor (ASV) runs automated security scans of any systems accessible from the internet — typically your website or email server. The scan looks for known vulnerabilities and produces a pass/fail report. If you fail, they tell you what to fix. Most issues are simple updates or configuration changes your IT person can handle in minutes.
Once you’ve answered all questions and gathered your documentation, you’ll sign the Attestation of Compliance (AOC). This is your official declaration that you’ve completed the assessment accurately. Submit it to your payment processor through their compliance portal, and you’re done — until next year.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your setup, but here’s what most small merchants spend:
Compliance platform and tools: $100-500 annually for SAQ management software that walks you through the questions, stores your documentation, and tracks your compliance status. Some payment processors include basic tools for free.
Quarterly ASV scanning: $200-400 per year for four quarterly scans. PCICompliance.com bundles scanning with our platform, but standalone ASV services charge $50-100 per scan. Remember, you only need scans if you have internet-facing systems that handle card data.
QSA assessment: Only required for Level 1 merchants (over 6 million transactions annually) or if your processor specifically demands it. Budget $10,000-50,000 for a full Report on Compliance (ROC). But again, most small merchants never need this.
Now consider the cost of non-compliance: Monthly fines from your processor start around $20 but can escalate to $100 or more. Get breached while non-compliant? You’re looking at forensic investigation costs ($10,000+), card replacement fees, and potential lawsuits. One small breach can cost more than a decade of compliance.
Bottom line: Annual PCI compliance for most small merchants costs less than a single month of non-compliance fines. It’s not a profit center for your processor — it’s risk management for everyone involved.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your processor will ask for updated documentation every year, and if you need ASV scans, those happen quarterly. But don’t worry — once you’ve done it once, renewal takes a fraction of the time.
Set up these reminders:
- Annual SAQ due date (usually 12 months from your last submission)
- Quarterly ASV scan windows (every 90 days)
- Security update schedules for your payment systems
- Password change reminders (every 90 days for systems touching card data)
Changes that trigger a reassessment:
- Adding new payment channels (like starting to accept phone orders)
- Changing payment processors or systems
- Significant network changes
- Starting to store card data (please don’t)
PCICompliance.com’s compliance dashboard tracks all these dates for you, sending reminders before deadlines and keeping your documentation organized year after year. No more scrambling when your processor sends that annual reminder.
FAQ
I’m just a small business. Do I really need to do all this?
Yes, but it’s simpler than you think. Most small businesses complete SAQ A or B in under two hours. The questions are straightforward, and modern payment systems handle most security requirements automatically.
What happens if I don’t complete my PCI compliance?
Your payment processor will likely charge monthly non-compliance fees starting at $20-40. More seriously, if you suffer a breach while non-compliant, you could face liability for fraud losses and investigation costs.
How often do I need to renew my PCI compliance?
Annually for your SAQ and AOC. If you need ASV scans, those happen quarterly (every 90 days).
Can I just say “yes” to all the questions?
Only if it’s true. False attestation is considered fraud and could result in immediate termination of your merchant account and personal liability.
Do I need to hire a security consultant?
Most small merchants don’t. If you’re using modern payment systems and qualify for SAQ A or B, you can handle it yourself or with basic IT support.
What’s the difference between PCI compliance and EMV compliance?
EMV refers to chip card acceptance. PCI DSS covers overall payment security. You need both, but they’re separate requirements with different purposes.
My payment processor says they handle PCI compliance for me. Is that true?
They handle their own compliance, and their systems might reduce your scope, but you still have responsibilities. At minimum, you need to complete an annual SAQ confirming you’re using their systems properly.
What if I only accept payments occasionally, like at an annual fundraiser?
The frequency doesn’t matter — if you accept cards at all, you need PCI compliance. The good news is your SAQ will likely be one of the simpler types.
Conclusion
That compliance questionnaire in your inbox isn’t the mountain it appears to be. For most small businesses, PCI compliance means spending a couple of hours annually answering straightforward questions about your payment setup. You’re probably already doing most of what’s required — the SAQ just documents it.
The key is identifying which SAQ type fits your business. Get this right, and you’ll save hours of unnecessary work. PCICompliance.com’s free SAQ Wizard takes the guesswork out of this critical first step. Answer a few simple questions about how you accept payments, and we’ll tell you exactly which questionnaire you need.
From there, our platform walks you through each requirement in plain English, handles your quarterly ASV scans if needed, and tracks your compliance status year-round. No more surprise processor fees or scrambling when renewal time comes. Start with our free SAQ Wizard to see just how manageable PCI compliance can be for your business, or reach out to our compliance team if you need guidance getting started.