Do I Need a WAF for PCI? Your Complete Guide to PCI Compliance

Let’s address the question you’re asking right away: if you’re a small business owner wondering “do I need a WAF for PCI compliance?”, you’re likely overthinking it. Most small merchants don’t need a Web Application Firewall (WAF) at all — PCI compliance is typically much simpler than that. This guide will help you understand what you actually need to do about that compliance questionnaire sitting in your inbox.

Here’s the bottom line: if you accept credit cards, you need to be PCI compliant. But for most small businesses, compliance means filling out a simple questionnaire once a year and running quarterly security scans on your website. It’s not the complex, expensive nightmare you might have heard about. Take a deep breath — we’ll walk you through exactly what you need to do.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created to protect credit card information. Think of it as basic security hygiene for businesses that handle card payments — like washing your hands in the food service industry.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through an organization called the PCI Security Standards Council. But here’s who actually enforces them: your payment processor or acquiring bank. That’s who sent you the compliance questionnaire, and that’s who can fine you if you don’t comply.

The consequences of non-compliance are real but manageable. Your payment processor can:

  • Issue monthly fines (typically $20-100 for small merchants)
  • Hold you liable for fraud losses if there’s a breach
  • Ultimately terminate your ability to accept credit cards

But here’s the good news: the vast majority of small businesses qualify for the simplest compliance requirements. You’re not building Fort Knox — you’re installing a decent lock on your door.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:

  • Swiping cards through a terminal
  • Taking payments on your website
  • Accepting cards over the phone
  • Processing cards through a mobile app
  • Even manually entering card numbers into a virtual terminal

Your merchant level determines how complex your compliance requirements are. Most small businesses are Level 4 merchants (processing less than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means you can self-assess using an SAQ (Self-Assessment Questionnaire) instead of hiring an expensive auditor.

That questionnaire your payment processor sent? It’s their way of saying “prove to us you’re protecting cardholder data.” They’re required to collect this from you annually, and they’ll keep asking (and eventually start fining) until you complete it.

Which SAQ Do You Need?

The SAQ type you need depends entirely on how you accept and process payments. Think of it like choosing the right tax form — pick the one that matches your situation:

How You Accept Payments                             SAQ Type   Complexity   Questions to Answer
Redirect to payment provider (PayPal, Square)       SAQ A      Easiest      22 questions
E-commerce with payment fields on your site         SAQ A-EP   Easy         191 questions
Standalone terminals only (no connected systems)    SAQ B      Easy         41 questions
Terminals connected to your network                 SAQ B-IP   Moderate     93 questions
Taking cards by phone/mail with virtual terminal    SAQ C-VT   Moderate     125 questions
Paper forms or old-school imprinters                SAQ C      Moderate     160 questions
Storing card data or complex processing             SAQ D      Complex      329 questions

Let’s make this even clearer with real examples:

You likely need SAQ A if:

  • You use Shopify’s checkout
  • Customers pay through PayPal
  • You redirect to Stripe Checkout
  • You never see or touch the actual card number

You likely need SAQ B or B-IP if:

  • You have a Square terminal
  • You use Clover or similar point-of-sale systems
  • You swipe/chip cards in person
  • Your terminal connects to the internet

You likely need SAQ C-VT if:

  • You take orders by phone and type cards into a web-based system
  • You use a virtual terminal from your processor
  • Your staff enters card numbers into any computer

You likely need SAQ D if:

  • You store customer card numbers (please stop doing this)
  • You have custom payment processing software
  • Card data flows through your servers

Not sure which one? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire to use — no guessing required.

How to Complete Your SAQ

Your SAQ is just a questionnaire with yes/no questions about your security practices. Here’s what to expect:

What it looks like: Each question asks about a specific security control. For example: “Do you change default passwords on payment terminals?” or “Is your payment page served over HTTPS?”

How long it takes: SAQ A takes about 30 minutes. SAQ B takes 1-2 hours. More complex SAQs can take several hours, but remember — most small businesses don’t need those.

What ‘yes’ means: You’re confirming that you actually do what the question asks. If you answer ‘no’ to a required question, you’ll need to either fix the issue or explain your compensating control.

Documentation you’ll need:

  • Your network diagram (even a simple sketch works for small merchants)
  • List of who has access to payment systems
  • Your information security policy (we provide templates)
  • Results from your quarterly vulnerability scans

Speaking of scans — if you have any web presence at all, you’ll need quarterly ASV scans. An Approved Scanning Vendor checks your website for security vulnerabilities four times per year. It’s automated, takes about 15 minutes to set up, and runs in the background.

Once complete, you’ll submit:
1. Your completed SAQ
2. The Attestation of Compliance (AOC) — basically your signature saying it’s all true
3. Passing ASV scan results (if required)
4. Any requested documentation

What It Costs

Let’s talk real numbers for small businesses:

Compliance platform and tools:

  • SAQ completion software: $15-50/month
  • Includes questionnaire, templates, and guidance
  • Some payment processors provide basic tools free

Quarterly ASV scanning:

  • $20-40 per scan (so $80-160/year)
  • Required for most merchants with websites
  • Some compliance platforms include this

If you need a QSA:

  • Only required for Level 1 merchants (very high volume)
  • Small businesses almost never need this
  • Would cost $15,000-50,000 (but again, you probably don’t need it)

The cost of NON-compliance:

  • Monthly fines: $20-100 (common for Level 4 merchants)
  • Breach liability: potentially thousands in fraud losses
  • Loss of card processing: priceless (your business needs to accept cards)

Here’s the truth: for most small merchants, annual compliance costs less than two months of non-compliance fines. It’s not a profit center for your payment processor — they genuinely want you to secure your business.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done deal. It’s an annual requirement with quarterly check-ins:

Annual requirements:

  • Complete your SAQ once per year
  • Update your security policies
  • Review who has access to payment systems
  • Train staff on security procedures

Quarterly requirements:

  • Run ASV scans (if you have a website)
  • Review scan results and fix any failures
  • Keep documentation of passing scans

What triggers a reassessment:

  • Changing payment processors
  • Adding new payment channels (like starting e-commerce)
  • Significantly increasing transaction volume
  • Changing how you handle card data

Set calendar reminders for your quarterly scans and annual SAQ due date. Your payment processor will remind you too (usually right before they start fining). PCICompliance.com’s dashboard tracks all these dates automatically and sends you friendly reminders well in advance.

FAQ

I’m just a small business. Do I really need to worry about this?

Yes, but it’s not as bad as you think. Every business that accepts cards needs to be PCI compliant, regardless of size. The good news is that small businesses have simpler requirements. You’re looking at a few hours per year, not a full-time compliance job.

What happens if I just ignore the compliance questionnaire?

Your payment processor will start with reminder emails, then move to monthly fines (typically $20-100), and eventually could terminate your merchant account. It’s much easier to just complete the questionnaire than to find a new payment processor.

Do I need to hire a consultant or can I do this myself?

Most small businesses can absolutely handle PCI compliance themselves. If you’re SAQ A or B, it’s straightforward enough to do on your own. Compliance platforms like PCICompliance.com provide all the guidance you need without consultant fees.

I use Square/PayPal/Stripe. Am I already compliant?

Using a PCI-compliant payment provider handles their part, but you still have responsibilities. You need to complete your annual SAQ confirming you’re using them properly. Think of it like renting a secure building — the building is secure, but you still need to lock your office door.

What’s the difference between PCI compliance and EMV compliance?

EMV refers to chip card technology, while PCI DSS covers all aspects of card data security. You can be EMV-compliant (accepting chip cards) but still need to complete PCI requirements. They’re complementary, not alternatives.

How do I know if I’m storing card data?

Check anywhere you might save customer information: databases, spreadsheets, email, paper files, even voicemail systems. If you can see a full card number anywhere in your business systems, you’re storing card data. The best practice? Don’t store it unless absolutely necessary.
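One practical way to check the files on your own systems, as an added example that is not part of the original article or of PCICompliance.com’s tooling: a small Python scanner that flags 13-19 digit runs passing the Luhn check and reports them masked, so the report itself never becomes another copy of card data. The file suffix list and the sample text are assumptions.

```python
from __future__ import annotations
import re
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes
# (the "4111 1111 ..." layout seen in spreadsheets, notes and email).
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check every issued card number passes; filters out order ids,
    phone numbers and other digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first six and last four only, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list[str]:
    """Return masked, Luhn-valid card numbers found in a block of text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

SUFFIXES = (".txt", ".csv", ".log", ".eml")   # assumption: extend to what you keep

def scan_files(root: Path) -> dict[str, list[str]]:
    """Walk a directory tree and map each matching file to the masked PANs it holds."""
    report: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            try:
                pans = find_pans(path.read_text(errors="ignore"))
            except OSError:
                continue                # unreadable file: skip it, keep scanning
            if pans:
                report[str(path)] = pans
    return report

# Constructed sample, not real data: 4111... is the well-known Visa test number;
# the order id and phone number are digit runs that must not be flagged.
SAMPLE = "Order 20240512345678 from +1 512-555-0143, card 4111 1111 1111 1111 exp 12/26"
```

Run `scan_files(Path("."))` from a shared drive or mailbox export; any file it lists is evidence you are storing card data and belongs on your SAQ D conversation with your processor, or better, gets cleaned up.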

My website is secure. Why do I need quarterly scans?

Security isn’t a point-in-time achievement — new vulnerabilities are discovered constantly. Quarterly ASV scans ensure your website stays secure as new threats emerge. It’s like getting regular oil changes versus waiting for your engine to fail.

Can I just say ‘yes’ to all the questions to pass?

Absolutely not. False attestation is fraud and can result in massive fines and personal liability if there’s a breach. Answer honestly — if something’s not in place, either fix it or work with your processor on a remediation plan.

Conclusion

PCI compliance might seem overwhelming when that first questionnaire arrives, but now you know the truth: for most small businesses, it’s a manageable annual task that protects both you and your customers. You don’t need a WAF, you don’t need expensive consultants, and you definitely don’t need to panic.

Start by identifying which SAQ type fits your payment processing setup. Complete the questionnaire honestly, set up your quarterly scans if needed, and submit everything to your payment processor. Then mark your calendar for next year and get back to running your business.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Why spend hours figuring this out yourself when we can guide you through the entire process? Start with our free SAQ Wizard and see just how straightforward PCI compliance can be for your business.
