Do I Need a QSA?

Do I Need a QSA? Understanding PCI Compliance for Small Businesses

Here’s What You Actually Need to Know

Let’s start with good news: if you’re a small business owner who just received a PCI compliance questionnaire, you probably don’t need a QSA. For most small merchants, PCI compliance is simpler and less expensive than you’ve been led to believe. You can likely handle it yourself with the right tools and a few hours of your time.

That questionnaire from your payment processor isn’t a trap — it’s a standard requirement that millions of businesses complete every year. And despite what some compliance companies might tell you, you don’t need to hire expensive consultants or security assessors unless you’re processing millions of transactions annually.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business accepting credit card payments. Think of it as a security checklist created by the major card brands — Visa, Mastercard, American Express, and Discover — to protect customer card data.

The card brands created the PCI Security Standards Council to manage these standards, but it’s your payment processor or acquiring bank who actually enforces them. They’re the ones who sent you that questionnaire, and they’re the ones who’ll apply fines if you don’t comply.

What Happens If You Don’t Comply?

Non-compliance has real consequences:

  • Monthly fines from your processor (typically $5-100 for small merchants)
  • If there’s a breach, you’re liable for fraud losses and card replacement costs
  • Your processor can terminate your merchant account, meaning you can’t accept cards
  • Data breach notification costs average $740,000 for small businesses

The good news? Most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as Amazon or Target.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you:

  • Run a small online store
  • Have a single card terminal at your retail location
  • Only take payments over the phone
  • Process one transaction or one million

Understanding Your Merchant Level

Your merchant level determines how much documentation you need to provide:

  • Level 4: Under 20,000 e-commerce transactions and under 1 million total transactions annually (that’s you)
  • Level 3: 20,000-1 million e-commerce transactions annually
  • Level 2: 1-6 million transactions annually
  • Level 1: Over 6 million transactions annually

These are Visa’s thresholds, counted per card brand; Mastercard’s are similar, and your acquirer is the one who assigns your level.

Most small businesses are Level 4, which means you complete a Self-Assessment Questionnaire (SAQ) instead of hiring a QSA for a full assessment.

What Your Payment Processor Expects

Your processor wants three things:
1. A completed SAQ (the questionnaire they sent you)
2. Passing quarterly external vulnerability scans, if your SAQ type requires them (SAQ A-EP, B-IP, C and D do; SAQ A, B and C-VT normally don’t, though some acquirers ask for them anyway)
3. An Attestation of Compliance (AOC) — the signed statement that every requirement in your SAQ is in place

That questionnaire they sent? It’s one of several SAQ types, and choosing the right one is crucial for keeping things simple.

Which SAQ Do You Need?

The key to simple compliance is selecting the correct SAQ. Each type has different requirements based on how you accept and process payments.

The SAQ Decision Tree

Here’s how to determine which SAQ applies to your business:

How you accept payments                                        SAQ type   Questions   Complexity
Fully outsourced (redirect to PayPal, Square online)           SAQ A      22          Easiest
E-commerce where your site embeds or redirects to the          SAQ A-EP   191         Moderate
  provider’s form (iframe, JavaScript, Direct Post) but
  never receives card data itself
Standalone dial-out terminals only                             SAQ B      41          Easy
Standalone terminals connected over IP                         SAQ B-IP   82          Easy-Moderate
Phone/mail orders keyed into a web-based virtual terminal,     SAQ C-VT   80          Moderate
  no storage
Any card data storage                                          SAQ D      329+        Complex

Two less common types also exist: SAQ C (a payment application on an internet-connected system, no storage) and SAQ P2PE (a validated point-to-point encryption terminal). Question counts above are for PCI DSS v3.2.1; v4.0 revised every SAQ and added questions to SAQ A in particular, so check the current forms on the PCI SSC site.

Common Scenarios

If you use Square, PayPal, or similar:
You’re likely SAQ A — the simplest form with only 22 questions. Your customers are redirected to the payment provider’s site to enter card details.

If you have a standalone terminal:
You qualify for SAQ B if the terminal dials out over a phone line and isn’t connected to any other system, or SAQ B-IP if it connects over IP through your internet connection. Either way the terminal must be a PTS-approved device that you haven’t modified.

If you take orders over the phone:
You need SAQ C-VT if you key card details, one transaction at a time, into a web-based virtual terminal on a single computer that is isolated from the rest of your network. This assumes you never write down, record, or save card numbers anywhere.

If you store card numbers:
You’re stuck with SAQ D — the full questionnaire. Consider switching to tokenization to reduce your scope.

PCICompliance.com offers a free SAQ Wizard that asks a few simple questions about your payment setup and tells you exactly which form you need. It takes about two minutes and eliminates the guesswork.

How to Complete Your SAQ

Once you know which SAQ applies, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices.

What the Questions Look Like

Each question addresses a specific security control. For example:

  • “Do you have a firewall protecting your payment systems?”
  • “Do you change default passwords on all devices?”
  • “Is antivirus software installed and updated?”

When you answer “yes,” you’re confirming that control is in place. Some questions might not apply to your business — you can mark these as “N/A” with a brief explanation.

Documentation You’ll Need

Gather these before you start:

  • Network diagram (even a simple sketch works for small merchants)
  • List of any systems that handle card data
  • Your security policies (many SAQ tools provide templates)
  • Vendor compliance documentation (from your payment processor or terminal provider)

The Quarterly ASV Scan

If your SAQ type includes the external scanning requirement (A-EP, B-IP, C and D), you need quarterly vulnerability scans of every internet-facing IP address and domain in scope from an Approved Scanning Vendor. This automated scan checks for security holes hackers might exploit.

Don’t panic — this sounds more technical than it is. The ASV scan:

  • Runs automatically once you provide your IP addresses and domains (you’re responsible for listing all of them)
  • Takes about 15-30 minutes
  • Costs around $200-300 per year
  • Provides a report showing any vulnerabilities to fix

One caveat: a scan only passes if it finds no vulnerability rated CVSS 4.0 or higher. If it fails, fix the findings and rescan before the quarter closes; only a passing report counts toward your compliance.

Submitting Your Compliance Package

Once complete, you’ll submit:
1. Your completed SAQ
2. The Attestation of Compliance (AOC) — generated automatically by most SAQ tools
3. Passing ASV scan reports (if required)
4. Any additional documentation your processor requests

Most processors accept uploads through their merchant portal. Some still require mailed paper copies — check their requirements.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and chosen approach:

Compliance Platform and Tools

  • SAQ completion tools: $100-500 annually
  • Full compliance platforms (like PCICompliance.com): $200-1,200 annually
  • Free option: Download SAQ forms from PCI SSC website (but no guidance)

Quarterly ASV Scanning

  • Standalone ASV service: $50-100 per quarter
  • Bundled with compliance platform: Often included
  • Required for: Any merchant with internet-facing systems

If You Actually Need a QSA

You only need a Qualified Security Assessor if:

  • You’re a Level 1 merchant (over 6 million transactions), which requires an on-site assessment and Report on Compliance by a QSA or a certified Internal Security Assessor (ISA)
  • You’ve had a breach
  • Your acquirer specifically requires it

QSA assessments cost $10,000-50,000+ depending on complexity. But remember — most small merchants never need this.

The Cost of Non-Compliance

Consider what you’re avoiding:

  • Monthly non-compliance fees: $5-100
  • Breach liability: Average $740,000 for small businesses
  • Loss of card acceptance: Priceless (literally — you can’t run your business)

For most small merchants, a year of compliance tooling costs about the same as a year of non-compliance fees — except the fees never stop, and the breach liability stays with you the whole time.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components.

Your Compliance Calendar

Mark these dates:

  • Annual: SAQ submission anniversary
  • Quarterly: ASV scan due dates (every 90 days)
  • As needed: Update assessment if payment methods change

Set calendar reminders two weeks before each deadline. Your processor may also send reminders, but don’t count on it.

What Triggers a New Assessment

You’ll need to reassess if you:

  • Change payment processors
  • Add new payment channels (like starting e-commerce)
  • Begin storing card data (please don’t)
  • Experience significant growth in transaction volume
  • Have a security incident

Tracking Your Compliance Status

A compliance management platform tracks all deadlines, stores documentation, and provides audit trails. PCICompliance.com’s dashboard shows:

  • Current compliance status
  • Upcoming deadlines
  • Required actions
  • Historical compliance records

This becomes invaluable when your processor asks for proof of compliance or you switch providers.

FAQ

Q: My processor says I need PCI compliance but I only process 10 transactions per month. Do small merchants really need to comply?

Yes, transaction volume doesn’t matter for whether you need to comply — only for which merchant level you fall under. Even one transaction per year requires PCI compliance. The good news is you’re definitely Level 4, qualifying for the simplest requirements.

Q: What’s the difference between a QSA and an ASV?

A QSA (Qualified Security Assessor) conducts on-site assessments for large merchants. An ASV (Approved Scanning Vendor) provides automated vulnerability scans of your internet-facing systems. Most small merchants need ASV scans but never need a QSA.

Q: I use Square for everything. Do I still need to do this?

Yes, but you qualify for SAQ A — the simplest form with just 22 questions. Square handles the heavy lifting, but you still need to confirm you’re not doing anything to undermine that security (like writing down card numbers).

Q: Can I just ignore this questionnaire from my processor?

Technically yes, but it’s expensive. Most processors charge $5-100 monthly for non-compliance, and you assume full liability for any breach. Completing your SAQ takes a few hours per year and costs less than the fines.

Q: How do I know if I’m storing card data?

Search your computers for spreadsheets, documents, or databases containing credit card numbers. Check your email for order confirmations with full card numbers. If you find any, you’re storing card data and need to either delete it immediately or complete SAQ D.
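A manual search for card numbers misses spreadsheets and mailboxes you forgot about, so here is a small discovery script, written for this article and not part of PCICompliance.com or any SAQ tool. It pulls 13-19 digit runs out of text, keeps only those that pass the Luhn check and carry a Visa, Mastercard, American Express or Discover prefix, and reports them masked so the scan output itself never becomes a new store of cardholder data. The sample files are constructed using the card brands’ published test numbers; the brand prefixes cover only the four brands named on this page.

```python
"""PAN discovery: find card numbers in text before they put you in SAQ D (added example)."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Loose candidate pattern: 13-19 digits, optionally grouped with spaces or dashes,
# not glued to other word characters. Luhn and brand checks remove the noise.
_CANDIDATE = re.compile(r"(?<!\w)(?:\d[ -]?){12,18}\d(?!\w)")

# Issuer prefixes for the four brands named on the page (assumption: JCB, UnionPay
# and others are out of scope for this illustration).
_BRANDS = (
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^6(?:011|5\d{2}|4[4-9]\d)\d{12}$")),
    ("Mastercard", re.compile(r"^(?:5[1-5]\d{14}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtract 9 if > 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    for name, pattern in _BRANDS:
        if pattern.match(digits):
            return name
    return None


def mask_pan(digits: str) -> str:
    """First six and last four only: the most PCI DSS permits on a display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    brand: str
    masked: str


def scan_text(source: str, text: str) -> list:
    """Return masked findings for every probable PAN in the text, one per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits) and (brand := brand_of(digits)):
                findings.append(Finding(source, line_no, brand, mask_pan(digits)))
    return findings


def scan_paths(paths) -> list:
    """Scan real files (exported mailboxes, CSVs, text dumps) given on the command line."""
    findings = []
    for path in paths:
        findings.extend(scan_text(str(path), Path(path).read_text(errors="ignore")))
    return findings


# Constructed sample data; card numbers are the brands' public test numbers.
# The timestamp, phone numbers and the Luhn-valid 1234... order ID are noise
# the filters must reject.
SAMPLE_FILES = {
    "orders.csv": (
        "order_id,customer,card,phone\n"
        "20240315123000,Ann,4111 1111 1111 1111,512-555-0142\n"
        "20240315123001,Bob,378282246310005,512-555-0199\n"
        "20240315123002,Cy,1234567812345670,512-555-0123\n"
    ),
    "inbox.txt": (
        "Subject: Re: invoice\n"
        "Customer says use card 5555-5555-5555-4444 exp 12/26 for the balance.\n"
        "Ref 6011111111111117 from the Discover terminal receipt.\n"
    ),
}


def scan_samples() -> list:
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f.source}:{f.line_no}  {f.brand:<16} {f.masked}")
    print(f"{len(results)} probable PAN(s) found" if results else "No PANs found")
```

Run it with no arguments to see it flag the four test cards in the sample data while ignoring the phone numbers, the timestamp and a Luhn-valid number with no card brand prefix; pass file paths to scan your own exports. Anything it finds is evidence you are storing card data: delete it securely, or accept that SAQ D applies.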

Q: What if I fail a question on the SAQ?

You have three options: fix the issue, mark the question “N/A” with a written justification if the control genuinely can’t apply (for example, a PTS-approved terminal that has no way to run antivirus), or document a compensating control on the worksheet in the SAQ’s appendix, showing how a different control meets the same intent. Most SAQ tools guide you through this process.

Q: Do I need to hire a consultant to help with PCI compliance?

Most small merchants don’t need consultants. A good compliance platform provides all the guidance you need. Only consider consultants if you’re SAQ D, have complex payment flows, or failed a previous assessment.

Q: How long does PCI compliance take?

For SAQ A merchants, expect 1-2 hours. SAQ B takes 2-4 hours. More complex SAQs may require 1-2 days of effort, especially the first year. Quarterly ASV scans run automatically and take minutes to review.

Moving Forward with Confidence

PCI compliance sounds intimidating, but for most small businesses, it’s a manageable annual task. You don’t need a QSA, you don’t need expensive consultants, and you definitely don’t need to panic about that questionnaire from your processor.

The key is choosing the right SAQ type and using tools that guide you through the process. With PCICompliance.com, you get everything needed for compliance in one platform — our free SAQ Wizard identifies your exact requirements, our integrated ASV scanning handles quarterly scans automatically, and our compliance dashboard keeps you on track throughout the year. Start with our SAQ Wizard to see just how simple your path to compliance really is, or reach out to our support team for a quick conversation about your specific situation.

Remember: millions of small businesses maintain PCI compliance every year. With the right approach and tools, you can join them — protecting your customers’ data and your business in the process.
