Understanding PCI Compliance: Your Business Just Got a Questionnaire — Now What?

Relax. That PCI compliance questionnaire sitting in your inbox looks intimidating, but for most small businesses, compliance is actually straightforward. You don’t need a security degree or a massive IT budget — you just need to understand which requirements apply to your specific payment setup. Most businesses that accept cards the simple way (think Square terminal or Shopify checkout) can complete their compliance in an afternoon. Let’s break down exactly what you need to do.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. Think of it as the minimum security baseline for anyone who touches credit card data. The card brands formed the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. That’s your payment processor’s job.

Your acquirer (the bank or payment company that processes your card transactions) is required by the card brands to ensure all their merchants maintain PCI compliance. That’s why you received that questionnaire — they’re making sure you’re protecting cardholder data properly. It’s not optional. If you accept credit cards, you must be PCI compliant.

The consequences of non-compliance are real but manageable. Your payment processor can fine you (typically $5,000 to $100,000 per month for ongoing non-compliance), you become liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept cards entirely. But here’s the good news: achieving compliance isn’t nearly as hard as those consequences make it sound.

Most small businesses qualify for the simplest SAQ (Self-Assessment Questionnaire) types, which means you’re answering a handful of yes/no questions about your payment setup, not implementing enterprise-grade security controls. The whole process exists to prevent data breaches — and the simpler your payment acceptance method, the simpler your compliance requirements.

Do You Need to Be PCI Compliant?

Simple answer: if you accept, process, store, or transmit credit card data in any form, you need to be PCI compliant. This includes:

  • Running credit cards through a terminal or point-of-sale system
  • Taking payments on your website
  • Accepting cards over the phone
  • Storing customer card numbers (even in a locked filing cabinet)
  • Having employees who can access payment systems

Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total Visa transactions annually). Level 4 merchants complete a self-assessment questionnaire and quarterly vulnerability scans — no on-site assessment required.

Your payment processor expects you to complete an annual self-assessment, submit an Attestation of Compliance (AOC), and if you have any internet-facing systems, pass quarterly ASV scans. That questionnaire they sent is your starting point. They’re not trying to trip you up — they genuinely need to verify you’re protecting cardholder data so they can report compliance to the card brands.

Which SAQ Do You Need?

The key to PCI compliance is identifying the right SAQ for your business. There are different SAQs for different payment scenarios, and choosing the right one makes all the difference between a 30-minute exercise and a multi-day project.

Here’s how to identify yours based on how you accept payments:

The SAQ Decision Tree in Plain Language

If you only use standalone payment terminals (like Square, Clover, or traditional terminals) that connect via phone line or cellular, you’re likely SAQ B (standalone terminals) or SAQ B-IP (if they connect via internet to your payment processor).

If you have an e-commerce website but redirect customers to a hosted payment page (PayPal, Square Checkout, Stripe Checkout), you’re likely SAQ A — the simplest questionnaire with only 22 requirements.

If you take payments over the phone but don’t record calls or store card numbers, you’re likely SAQ C-VT (virtual terminal).

If you have an e-commerce site where you control the checkout page (even if you don’t store cards), you’re in SAQ A-EP or SAQ D territory — significantly more complex.

If you store card numbers anywhere — in files, databases, or even paper — you’re SAQ D, the full questionnaire with over 200 requirements. Seriously consider whether you need to store that data.

Payment Scenario                | Likely SAQ Type | Number of Requirements | Complexity
--------------------------------|-----------------|------------------------|------------------------
PayPal or Stripe Checkout only  | SAQ A           | 22                     | Simple – 30 minutes
Square or Clover terminal       | SAQ B or B-IP   | 41                     | Easy – 1 hour
Phone payments, no recording    | SAQ C-VT        | 85                     | Moderate – 2-3 hours
E-commerce with own checkout    | SAQ A-EP        | 191                    | Complex – Multiple days
Storing card numbers            | SAQ D           | 250+                   | Very complex – Weeks

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.

How to Complete Your SAQ

Once you know your SAQ type, the actual questionnaire is straightforward. Each requirement is a yes/no question about your security practices. Here’s what to expect:

The format is consistent: Each question asks if you’ve implemented a specific security control. For example, “Do you change default passwords on payment terminals?” If you answer “yes,” you’re stating that control is in place. If you answer “no,” you’ll need to explain why or fix it before you can be compliant.

Documentation you’ll need:

  • List of all payment terminals or software
  • Network diagram (even a simple one) if you process e-commerce
  • Security policies (many SAQs provide templates)
  • Vendor compliance documentation (your payment provider’s AOC)

The quarterly ASV scan is required if you have any internet-facing systems — even just a website. An Approved Scanning Vendor runs automated scans to check for vulnerabilities. It’s not invasive — think of it as a security checkup for your public-facing systems. The scan typically takes 20-30 minutes to run and you’ll get a report showing any issues to fix.

Submitting your compliance involves:
1. Completing all SAQ questions
2. Passing your ASV scan (if required)
3. Having an authorized officer sign the Attestation of Compliance
4. Submitting everything to your acquirer via their portal

Most payment processors have online portals where you upload your documents. Some integrate directly with compliance platforms like PCICompliance.com, making submission automatic.

What It Costs

PCI compliance costs vary by complexity, but for most small merchants, it’s less than you’d spend on business insurance:

Compliance platforms and SAQ tools typically run $100-300 annually for Level 4 merchants. This includes the questionnaire wizard, policy templates, and submission tracking. Think of it as TurboTax for PCI compliance — you could do it manually, but why would you?

Quarterly ASV scanning costs $30-100 per scan, or around $200-400 annually. Some compliance platforms include this in their annual fee. Your payment processor might also provide it free or at a discount.

If you need a QSA (only for complex SAQ D scenarios or if you’re a larger merchant), expect $10,000-50,000 for a formal assessment. But remember — most small businesses never need this.

The cost of NON-compliance far exceeds these amounts:

  • Monthly fines from your processor: $5,000-100,000
  • Breach liability: Average small business breach costs $150,000+
  • Lost ability to process cards: Devastating for most businesses
  • Increased transaction fees: Non-compliant merchants pay higher rates

For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s genuinely one of the best ROI security investments you can make.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track:

Set up your compliance calendar:

  • Annual SAQ due date (your processor sets this)
  • Quarterly ASV scans (every 90 days)
  • Security awareness training for staff who handle cards
  • Review and update security policies

Changes that trigger reassessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or gateways
  • Starting to store card data
  • Major network or system changes

Track your compliance status with automated reminders. When your processor asks for updated compliance (and they will), you’ll have everything ready. PCICompliance.com’s compliance dashboard shows your status at a glance — current SAQ, scan results, and upcoming deadlines all in one place.

The key is making compliance part of your routine, not a last-minute scramble. Spend an hour each quarter reviewing your setup, run your scans on schedule, and update your annual SAQ before it expires. It’s genuinely less work than doing your business taxes.

Frequently Asked Questions

What happens if I ignore the PCI questionnaire my processor sent?

Ignoring it doesn’t make it go away. Your processor will send increasingly urgent reminders, then start fining you (typically $19-100 per month initially, escalating to thousands). Eventually, they may increase your transaction rates or terminate your merchant account. It’s much easier to just complete the questionnaire — most merchants need less than an hour.

I only process a few cards per month. Do I still need to comply?

Yes, transaction volume doesn’t exempt you from PCI requirements. Even if you process just one card annually, that cardholder’s data needs protection. The good news is your low volume means you’re definitely a Level 4 merchant with the simplest compliance requirements.

Can’t I just say “yes” to all the questions?

Technically you could, but you’re legally attesting those statements are true. If there’s a breach and investigation reveals you lied on your SAQ, you face personal liability, fines, and potential criminal charges for fraud. Answer honestly — it’s better to fix a few items than to falsely claim compliance.

What’s the difference between PCI compliance and being secure?

PCI DSS represents minimum security standards — the baseline every merchant must meet. True security goes beyond compliance. Think of PCI like passing your driver’s test — it proves you know the rules, but good drivers do more than the minimum. Complete your PCI requirements, then consider additional security measures based on your risk.

My payment provider says they’re PCI compliant. Doesn’t that cover me?

No, their compliance covers their systems, not yours. You’re still responsible for your piece — how you handle cards, protect passwords, and secure your network. However, using PCI-compliant providers does reduce your scope. That’s why redirecting to PayPal is SAQ A (simple) while hosting your own checkout is SAQ D (complex).

How do I know if I’m storing credit card data?

Search your systems for common indicators: spreadsheets with customer payment info, email archives with card numbers, CRM notes fields, or paper order forms. If you find card numbers anywhere — computers, filing cabinets, or even sticky notes — you’re storing card data and need to either secure it properly or (better) stop storing it entirely.

Moving Forward with Confidence

PCI compliance sounds overwhelming until you understand what actually applies to your business. Most merchants discover they need a simple SAQ that takes under an hour to complete. The questionnaire your processor sent isn’t a test you can fail — it’s a checklist to ensure you’re protecting your customers’ payment data.

Start by identifying your correct SAQ type using the payment scenarios above. Complete the questionnaire honestly, fix any gaps you discover, and submit your compliance on time. Set up quarterly scans if you need them, mark your calendar for next year’s renewal, and get back to running your business.

PCICompliance.com makes the entire process manageable with our free SAQ Wizard that identifies exactly which questionnaire you need, ASV scanning services for your quarterly vulnerability scans, and a compliance dashboard that tracks your progress year-round. Whether you’re completing your first SAQ or maintaining ongoing compliance, we provide the tools and guidance to protect your business and your customers’ card data. Start with our free SAQ Wizard to identify your requirements, or contact our compliance team for personalized guidance through your PCI journey.
