Bottom Line Up Front
If you accept card payments through Fattmerchant (now Stax) and you just got a PCI compliance questionnaire in your inbox, take a breath. For the vast majority of small businesses, Fattmerchant PCI compliance is far simpler than the paperwork makes it look.
Here’s the short version: PCI compliance is a set of security rules for any business that takes credit cards. Your payment processor — in this case Stax — is required to make sure you follow them. Most small merchants qualify for the simplest self-assessment questionnaires (SAQs), which you can complete yourself in an afternoon once you know which one applies. You probably won’t need an auditor, and you almost certainly won’t need to overhaul your business.
This guide walks you through exactly what PCI means, whether it applies to you (spoiler: it does if you take cards), which SAQ you need, how to complete it, and what it costs. No jargon you don’t need.
What Is PCI Compliance (In Plain English)
PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security requirements designed to protect cardholder data — your customers’ card numbers and the sensitive details on those cards — from being stolen or misused.
If your business accepts credit or debit cards in any way, PCI DSS applies to you. That’s true whether you swipe cards on a terminal, take orders over the phone, or sell online.
Who created it and who enforces it
The major card brands (Visa, Mastercard, American Express, Discover, and JCB) created the PCI Security Standards Council (PCI SSC) to maintain the standard. But the card brands don’t enforce it directly with you — your acquirer (your payment processor, like Stax) does. That’s why the questionnaire came from them and not from “PCI.”
What happens if you ignore it
Non-compliance has real consequences:
- Monthly non-compliance fees from your processor until you validate
- Liability if you suffer a breach — fines, forensic investigation costs, and card reissuance charges
- In serious cases, losing your ability to accept cards altogether
The good news
Most small businesses qualify for the simplest SAQ types, which involve a short questionnaire and — for some — a quarterly network scan. The heavy-duty assessments are reserved for large merchants and companies that store card data. If you’ve outsourced most of your card handling (and most small businesses have), your obligations are modest.
Do You Need to Be PCI Compliant?
Yes — if you accept credit cards in any form, you need to be PCI compliant. There’s no minimum transaction count that exempts you. A one-location coffee shop and a national retailer both fall under PCI DSS; they just validate differently.
Your merchant level
Your merchant level (1 through 4) is assigned by the card brands and your acquirer based primarily on your annual card transaction volume. Most small and mid-size businesses are Level 4 — the level with the simplest validation path, typically a self-assessment rather than a full audit.
Don’t guess at your level. Confirm it directly with Stax, since it determines exactly what you’re required to do.
Why Stax sent you a questionnaire
The questionnaire you received is your Self-Assessment Questionnaire (SAQ) — your processor’s way of confirming you meet the requirements that apply to your business. Stax is contractually obligated to collect this from you. Completing it isn’t optional, but for most merchants it’s straightforward once you’ve identified the right one.
Which SAQ Do You Need?
There are several SAQ types, and the right one depends entirely on how you accept and handle card data. Choosing correctly matters: pick a more complex SAQ than you need and you create unnecessary work; pick one that doesn’t match your setup and your validation isn’t valid.
Here’s the plain-language version:
| Your payment scenario | Likely SAQ | Complexity |
|---|---|---|
| Standalone dial-out terminal, no electronic card storage | SAQ B | Low |
| Standalone IP-connected terminal (Stax terminal on your network) | SAQ B-IP | Low–Medium |
| E-commerce with fully hosted checkout (redirect to Stax/processor page) | SAQ A | Low |
| E-commerce where your site touches the payment page (iframe/direct-post) | SAQ A-EP | Medium–High |
| Card payments by phone via a virtual terminal only | SAQ C-VT | Low–Medium |
| Payment application connected to the internet, no card storage | SAQ C | Medium |
| You store card numbers electronically (please stop) | SAQ D | High |
A few real-world examples:
- A retail shop using a Stax countertop terminal that connects over the internet is typically SAQ B-IP.
- An online store with a hosted checkout where customers are redirected to a payment page is usually SAQ A.
- An office that keys in phone orders through a virtual terminal in a browser is generally SAQ C-VT.
- Anyone storing full card numbers in a spreadsheet, CRM, or filing cabinet lands in SAQ D — and should stop storing them.
> Not sure which one fits? PCICompliance.com’s free SAQ Wizard asks a few simple questions about how you take payments and tells you exactly which SAQ applies — no guesswork.
How to Complete Your SAQ
The SAQ is a questionnaire of yes/no questions mapped to the relevant PCI requirements. The simplest SAQs are short; the more complex ones (like SAQ D) are considerably longer. For a Level 4 merchant on SAQ A or B, completing it is usually a matter of a few hours, not weeks.
What “yes” actually means
Each question asks whether you have a specific control in place — for example, whether you use unique IDs and strong passwords for system access (Requirement 8), or whether you’ve changed vendor-default passwords on your equipment (Requirement 2). Answering “yes” means you genuinely do this, and you can show it if asked. Don’t check “yes” hoping it’s true — that defeats the purpose and exposes you if there’s ever a breach.
Documentation to gather
Depending on your SAQ, you may need:
- A list of your payment systems and how cards flow through them
- Evidence that default passwords have been changed on terminals and devices
- Your information security policy (even a simple one)
- Confirmation that Sensitive Authentication Data (SAD) — full track data, CVV/CVC codes, PINs — is never stored after authorization
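The last item is the one merchants most often answer "yes" to without checking. As an added example (not from the original article, and not a Stax or PCICompliance.com tool), here is a small Python scanner you can run over exports of your own CRM notes, spreadsheets or logs before you attest that card data is never stored. The sample records are constructed for the example; the regular expressions are heuristics of my own, and the Luhn check is there to filter out invoice and phone numbers that happen to be the right length.

```python
"""Self-check before attesting that PANs and Sensitive Authentication Data
(CVV/CVC, PIN) are never stored. Added example; sample records are constructed."""
import re

# Constructed sample export: free-text fields where card data quietly accumulates.
SAMPLE_RECORDS = [
    "order 1042 | customer called, paid by card ending 4242 | shipped",
    "order 1043 | card 4111 1111 1111 1111 exp 12/26 cvv 123 | repeat billing",
    "order 1044 | invoice number 1234567890123456 | paid by check",
    "order 1045 | 5555-5555-5555-4444 | customer asked to keep on file",
]

# 13 to 19 digits, optionally separated by spaces or dashes (heuristic pattern).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled CVV/CVC/CID values and PINs: these must never be stored after authorization.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[:#]?\s*(\d{3,4})\b", re.IGNORECASE)
PIN_RE = re.compile(r"\bpin\s*[:#]?\s*(\d{4,6})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself does not store a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_record(record: str) -> list:
    """Return a list of findings for one record (empty if it is clean)."""
    findings = []
    for m in PAN_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(f"PAN {mask(digits)}")
    if CVV_RE.search(record):
        findings.append("CVV/CVC stored")
    if PIN_RE.search(record):
        findings.append("PIN stored")
    return findings


def scan_records(records) -> dict:
    """Map record index -> findings, for records that contain card data."""
    report = {}
    for i, record in enumerate(records):
        found = scan_record(record)
        if found:
            report[i] = found
    return report


if __name__ == "__main__":
    for idx, found in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: {', '.join(found)}")
```

Any hit means the honest SAQ answer is "no" until the data is purged and the process that captured it is fixed; a clean scan of a real export is the evidence you can show if asked. Point it at a full export rather than a sample, and treat labelled CVV and PIN values as the more urgent finding, since those may not be retained at all, even encrypted.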
The quarterly ASV scan
If your environment has internet-facing systems — most e-commerce setups and IP-connected terminals do — the standard requires a quarterly external vulnerability scan performed by an Approved Scanning Vendor (ASV). The scan checks your public-facing systems for known weaknesses and produces a report; you submit a passing report alongside your SAQ, and a failing one means fixing the findings and rescanning.
Purely standalone, dial-out terminal setups (SAQ B) generally don’t require an ASV scan. When in doubt, your SAQ type tells you — and PCICompliance.com’s ASV scanning service can handle the quarterly scans for you.
Submitting your SAQ and AOC
Once your SAQ is complete and any required scan has passed, you sign an Attestation of Compliance (AOC) — a formal statement that the information is accurate — and submit both to Stax. That’s your validation for the year.
What It Costs
Honest budgeting for a small merchant looks like this:
| Item | Typical range | Who needs it |
|---|---|---|
| Compliance platform / SAQ tools | Low annual fee (sometimes bundled by your processor) | All merchants |
| Quarterly ASV scanning | Modest annual cost | Merchants with internet-facing systems |
| QSA-led assessment (ROC) | Significantly higher | Generally Level 1 merchants only |
| Non-compliance | Monthly fees + breach liability | The expensive option |
Most Level 4 merchants never need a QSA — that’s for the largest merchants undergoing a full Report on Compliance (ROC). Your costs are typically limited to a compliance tool and, where required, quarterly scanning.
Compare that to the cost of non-compliance: ongoing monthly fees from your processor, plus the potential for breach-related fines, forensic investigation costs, and card reissuance liability if cardholder data is stolen on your watch. For nearly every small merchant, a year of compliance costs less than a single breach-related penalty. Compliance isn’t a fee — it’s cheap insurance.
Staying Compliant Year-Round
Here’s the part people miss: PCI compliance isn’t a one-time task. You validate at least annually, and if your environment has internet-facing systems, you run ASV scans every quarter. Compliance is a point-in-time validation backed by continuous good practices — passing once doesn’t mean you’re done.
A few things that trigger a new look at your compliance:
- Switching processors, terminals, or your e-commerce platform
- Adding a new way to accept payments (e.g., launching online sales)
- Changing how or where card data flows through your business
The practical move is to set reminders for your annual SAQ renewal and your quarterly scans so nothing lapses. A missed scan or expired attestation can put you back into non-compliance fees even if your security hasn’t changed.
This is where PCICompliance.com’s compliance dashboard earns its keep — it tracks your SAQ status, scan schedule, and renewal dates in one place so you’re never caught off guard by a deadline.
FAQ
I just got the questionnaire and I’m overwhelmed. Where do I start?
Start by identifying which SAQ applies to you — everything else flows from that. Use a tool like the free SAQ Wizard to pin it down, then gather the documentation that specific SAQ asks for. You almost certainly don’t need to do everything in PCI DSS, just the parts relevant to your setup.
Do I really need to be compliant if I only process a handful of cards?
Yes. There’s no transaction minimum that exempts a business from PCI DSS — if you accept cards, it applies. The good news is that low-volume merchants are typically Level 4 with the simplest validation requirements.
Can I just check “yes” to everything to get it done?
No — and please don’t. The SAQ is an attestation that you genuinely have those controls in place, and falsely attesting exposes you to serious liability if a breach occurs. Answer honestly; if you can’t answer “yes,” that’s a gap to fix, not to hide.
What’s the difference between the SAQ and the ASV scan?
The SAQ is the questionnaire confirming your security controls; the ASV scan is a quarterly automated test of your internet-facing systems for vulnerabilities. Some SAQ types require both, while simpler ones (like SAQ B) require only the questionnaire. Your SAQ type tells you which applies.
What if I store customer card numbers for repeat billing?
Storing full card numbers puts you in SAQ D with far more requirements — and more risk. The better path is to use tokenization through your processor, which replaces stored card numbers with non-sensitive tokens and dramatically shrinks your compliance scope. Talk to Stax about tokenized recurring billing.
Do I need to hire a QSA?
Almost certainly not. Qualified Security Assessors (QSAs) are required for larger entities undergoing a full Report on Compliance — typically Level 1 merchants. Small businesses self-assess with an SAQ. Confirm your level with your acquirer if you’re unsure.
How often do I have to do this?
Validation happens at least once a year, and ASV scans (if your SAQ requires them) happen every quarter. Major changes to how you take payments can also trigger a fresh assessment outside that schedule.
What happens if I just ignore the questionnaire?
Your processor will typically charge monthly non-compliance fees, and you’ll carry full liability if a breach occurs. Ignoring it costs more than completing it — and completing it is more straightforward than most merchants expect.
Conclusion
PCI compliance has a scary reputation, but for the typical small business taking payments through Fattmerchant (Stax), it usually comes down to identifying the right SAQ, answering it honestly, running a quarterly scan if your setup requires one, and keeping an eye on your annual renewal. That’s a manageable list — not the impenetrable audit people fear.
The biggest favors you can do yourself are choosing the correct SAQ and reducing your scope wherever possible through hosted checkout pages, tokenization, and avoiding card storage entirely. Every card number you don’t touch is a requirement you don’t have to meet.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. As an end-to-end platform serving thousands of merchants and service providers — from single-location shops to multi-site enterprises — we pair the right tools with expert support so you’re never doing this alone. Start with the free SAQ Wizard, or talk to our compliance team to get pointed in the right direction.