Evidence Collection Checklist
Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and your heart started racing, take a deep breath. For most small businesses, PCI compliance is much simpler than it sounds. You don’t need to be a security expert or hire expensive consultants. With the right guidance and a clear evidence collection checklist, you can complete your compliance requirements in a few hours and protect your business from fines and liability.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit card payments. Think of it as a security checklist created by the major card brands — Visa, Mastercard, American Express, and Discover — through an organization called the PCI Security Standards Council (PCI SSC).
Your acquirer (the bank or payment processor that handles your card transactions) enforces these requirements. They’re the ones who sent you that compliance questionnaire, and they’re required to verify that every merchant they work with meets the security standards.
The consequences of non-compliance are real but manageable. Your payment processor can fine you monthly (typically $20-100 for small merchants), you face liability if there’s a data breach, and in extreme cases, you could lose the ability to accept credit cards. The good news? Most small businesses qualify for the simplest compliance requirements, and meeting them is straightforward once you know what’s expected.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form — in-person, online, or over the phone — yes, you need to be PCI compliant.
Most small businesses are Level 4 merchants, which means you process fewer than 20,000 e-commerce transactions or up to 1 million total card transactions annually. This is good news because Level 4 merchants have the simplest compliance requirements — typically just completing a self-assessment questionnaire and running quarterly security scans.
Your payment processor expects you to:
- Complete an annual Self-Assessment Questionnaire (SAQ)
- Submit an Attestation of Compliance (AOC) — basically your signature saying you’ve met the requirements
- Run quarterly vulnerability scans if you have any internet-facing systems
- Keep documentation showing you maintain these security measures
That compliance questionnaire they sent? It’s their way of tracking that you’ve done these things. Ignore it, and you’ll start seeing monthly non-compliance fees on your merchant statement.
Which SAQ Do You Need?
The PCI world has different SAQs for different payment scenarios. Here’s how to determine which one applies to your business:
| How You Accept Payments | Your SAQ Type | Complexity Level | Typical Questions |
|---|---|---|---|
| Fully outsourced (PayPal, Square online) | SAQ A | Simplest | ~20 questions |
| E-commerce with hosted checkout (Stripe, Authorize.net redirect) | SAQ A-EP | Simple | ~140 questions |
| Standalone terminals (Square Reader, Clover) | SAQ B or B-IP | Moderate | ~40 questions |
| Virtual terminal only (keying in cards) | SAQ C-VT | Moderate | ~80 questions |
| Integrated POS or storing card data | SAQ D | Complex | ~340 questions |
If you use a payment terminal like Square, Clover, or a traditional credit card machine that connects via phone line or internet, you’re likely SAQ B (dial-up) or SAQ B-IP (internet-connected).
If you have an e-commerce site using Shopify Payments, WooCommerce with Stripe Checkout, or any solution where customers are redirected to a hosted payment page, you’re likely SAQ A or SAQ A-EP.
If you take payments over the phone and enter them into a web-based virtual terminal, you’re likely SAQ C-VT.
If you store card numbers in any form — in a spreadsheet, database, or filing cabinet — you’re SAQ D, and you should seriously consider stopping this practice. Storing card data dramatically increases your compliance burden and liability.
Not sure which applies? PCICompliance.com’s SAQ Wizard walks you through a few simple questions about your payment setup and tells you exactly which questionnaire you need.
How to Complete Your SAQ
Your SAQ is essentially a security checklist with yes/no questions. Here’s what the process looks like:
The questionnaire itself varies from 20 to 340 questions depending on your SAQ type. For most small merchants (SAQ A, B, or C-VT), you’re looking at 20-80 questions that ask things like:
- Do you have a firewall protecting your payment systems?
- Do you change default passwords on payment terminals?
- Do you limit access to payment areas to authorized staff?
“Yes” means you actually do it, not that you plan to or think it’s a good idea. If you answer “no” to a required control, you’ll need to implement it or document a compensating control that achieves the same security goal.
Documentation you’ll need includes:
- Your network diagram (even if it’s just “payment terminal connects to internet router”)
- Firewall configuration or router settings
- Password policies or procedures
- Staff training records on handling card data
- Incident response procedures (what you do if there’s a breach)
Quarterly ASV scans are required if you have any internet-facing systems — even just a website or email server. An Approved Scanning Vendor runs automated security scans of your external IP addresses looking for vulnerabilities. These typically take 30 minutes to set up and run automatically each quarter.
Submitting your completed SAQ involves:
1. Answering all questions honestly
2. Implementing any missing controls
3. Signing the Attestation of Compliance (AOC)
4. Submitting everything through your processor’s compliance portal
What It Costs
Let’s talk real numbers for small business PCI compliance:
Compliance platforms and SAQ tools typically run $100-500 annually for small merchants. This includes access to the questionnaire, guidance on answering questions, and document storage.
Quarterly ASV scanning costs $200-400 per year for most small businesses with a single IP address to scan. Some compliance platforms bundle this with their SAQ tools.
If you need a QSA (Qualified Security Assessor), you’re looking at $5,000-50,000+ for a formal assessment. Good news: this only applies to larger merchants or those with complex payment environments. Level 4 merchants almost never need a QSA.
The cost of NON-compliance hits harder:
- Monthly non-compliance fees: $20-100
- Breach liability: $50-90 per compromised card
- Forensic investigation costs: $10,000-100,000+
- Lost ability to process cards: priceless (and business-ending)
Honest assessment? For most small merchants, annual compliance costs less than three months of non-compliance fees — and far less than dealing with even a small data breach.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done exercise — it’s an annual requirement with quarterly checkpoints. Here’s how to stay on track:
Set up annual reminders for:
- SAQ renewal (same time each year)
- Quarterly ASV scans (every 90 days)
- Security awareness training for staff
- Password changes on payment systems
- Firewall rule reviews
Track what triggers a new assessment:
- Changing payment processors
- Adding new payment channels (like adding e-commerce to a retail store)
- Implementing new payment software
- Significantly increasing transaction volume
Use a compliance dashboard to monitor your status year-round. PCICompliance.com’s dashboard shows upcoming deadlines, scan results, and tracks your documentation in one place. No more scrambling to find last year’s network diagram or wondering when your next scan is due.
FAQ
Q: I only process a few transactions per month. Do I still need to comply?
A: Yes, PCI DSS applies to any business that accepts credit cards, regardless of volume. Even one transaction per year means you need to comply. The good news is that your low volume puts you in the simplest merchant level with the easiest requirements.
Q: Can I just tell my processor I’m compliant without doing the work?
A: This is called “checking the box” compliance, and it’s risky. If you have a breach, you’re fully liable for false attestation. Plus, the actual compliance work for small merchants is usually easier than trying to fake it.
Q: What if I can’t answer “yes” to all the SAQ questions?
A: First, see if the question truly applies to your environment — many SAQs include “not applicable” options. If it does apply, you’ll need to implement the missing control or document a compensating control. Most missing controls for small merchants are simple fixes like enabling firewall logging or documenting procedures you already follow.
Q: Do I need to hire a security consultant?
A: Most small merchants don’t need outside help beyond a good compliance platform. If you’re SAQ A, B, or C-VT, the requirements are straightforward enough to handle yourself. Only consider a consultant if you’re SAQ D or dealing with a complex SAQ P2PE environment.
Q: What’s the difference between PCI compliance and being “PCI certified”?
A: There’s no such thing as “PCI certification” for merchants — that’s a common misconception. You achieve and maintain PCI compliance by completing your annual assessment and meeting the ongoing requirements. Only service providers can become “PCI DSS validated.”
Q: How long does the SAQ take to complete?
A: For SAQ A (simplest): 30-60 minutes. For SAQ B: 1-2 hours. For SAQ C-VT: 2-4 hours. SAQ D can take days or weeks depending on your environment. Most of the time goes into gathering documentation, not answering questions.
Q: What if my payment processor hasn’t asked for compliance?
A: Some processors are more aggressive about enforcement than others, but the requirement still applies. Start compliance now to avoid surprise fees later. Plus, the security measures actually protect your business — compliance is just verification that you’re doing them.
Q: Can I use last year’s answers for this year’s SAQ?
A: While your answers might be similar, you need to verify that nothing has changed and that all controls are still in place. Think of it as an annual checkup — you’re confirming your security measures are still working, not just copying last year’s responses.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but it’s genuinely manageable for most small businesses. Your evidence collection checklist is simpler than you think: determine your SAQ type, gather basic documentation about your payment setup, answer straightforward yes/no questions, and run quarterly scans if you have internet-facing systems.
The security measures PCI requires — like using firewalls, changing default passwords, and limiting access to payment systems — are practices that protect your business regardless of compliance requirements. Think of PCI not as a burden, but as a framework that helps you avoid becoming the next data breach headline.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You don’t need to become a security expert or navigate compliance alone. Start with our free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team for guidance specific to your business. We’ve helped thousands of merchants just like you turn that intimidating compliance questionnaire into a manageable annual routine.