SNMP Vulnerability PCI Fix

You Got a PCI Compliance Questionnaire — Now What?

If you just received a compliance questionnaire from your payment processor with terms like “SAQ” and “ASV scan,” take a deep breath. For most small businesses, PCI compliance is much simpler than it first appears. You don’t need a security degree or an IT department — you just need to understand what applies to your business and complete the right questionnaire. Most merchants can achieve compliance in an afternoon, not months.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that stores, processes or transmits cardholder data. The major card brands (Visa, Mastercard, American Express, Discover and JCB) founded the PCI Security Standards Council, which publishes and maintains the standard to protect cardholder data from theft.

Here’s what matters: if you accept credit cards, you need to be PCI compliant. Your acquirer (the bank or payment processor that handles your card transactions) enforces these requirements. They’re the ones who sent you that compliance questionnaire.

The consequences of non-compliance are real but manageable. Your payment processor can fine you monthly — typically $20-$100 for small merchants. If there’s a data breach and you weren’t compliant, you become liable for fraud losses and forensic investigation costs. In extreme cases, you could lose your ability to accept credit cards entirely.

But here’s the good news: most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as Amazon or Walmart. The Self-Assessment Questionnaire (SAQ) you received is likely one of the shorter versions designed specifically for small merchants.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. This includes:

  • Physical card readers and terminals
  • Online payments through your website
  • Phone orders where customers read you their card number
  • Mobile card readers attached to phones or tablets
  • Even manual card imprinters (though please upgrade from those)

Your merchant level determines how you validate compliance. Under the card brands' definitions, Level 4 covers merchants with fewer than 20,000 e-commerce transactions and up to 1 million total transactions a year, which is most small businesses. (Levels 1 to 3 cover the higher volumes: more than 6 million, 1 to 6 million, and 20,000 to 1 million e-commerce transactions respectively.) Level 4 merchants self-assess annually using an SAQ rather than hiring a third-party assessor; only the largest merchants need an on-site assessment.

When your payment processor sends that compliance questionnaire, they’re fulfilling their obligation to the card brands. They need proof that their merchants protect cardholder data. The questionnaire isn’t busywork — it’s your processor protecting both of you from liability.

Which SAQ Do You Need?

The SAQ comes in several versions, each designed for different payment scenarios. Here’s how to determine which one applies to your business:

Your payment scenario                              SAQ type   Questions   Complexity
Redirect to PayPal, Stripe Checkout, or similar    SAQ A      22          Simplest
Physical terminal with no electronic storage       SAQ B      41          Simple
Standalone terminal with IP connection             SAQ B-IP   82          Moderate
Take cards over phone using virtual terminal       SAQ C-VT   88          Moderate
E-commerce with payment fields on your site        SAQ A-EP   191         Complex
Store card numbers electronically                  SAQ D      329         Most complex

Question counts depend on the PCI DSS version in force (they changed again in v4.0), so treat them as a rough size guide and work from the current SAQ in the PCI SSC document library. Two types the table leaves out: SAQ C, for a payment application (such as an integrated POS system) connected to the internet with no electronic card data storage, and SAQ P2PE, for merchants using a PCI-listed point-to-point encryption solution.

If you use a standalone terminal such as a Square or Clover device, you likely need SAQ B (dial-up or cellular only) or SAQ B-IP (connected over your network), provided the terminal is a PTS-approved device that isn't connected to any other system in your environment. A terminal that is integrated with a POS system or computer points you to SAQ C instead.

If you have an e-commerce site using Shopify Payments, WooCommerce with Stripe Checkout, or any solution where customers leave your site to pay (or where the entire payment form is an iframe served by your validated payment provider), you qualify for SAQ A, the simplest form.

If you take payments over the phone by keying them into your processor's web-based virtual terminal (not storing numbers yourself), you need SAQ C-VT. Note its main condition: the virtual terminal must be used from a single, dedicated computer that isn't connected to other systems in your environment.

If you store card numbers in any electronic format — spreadsheets, databases, even email — you’re stuck with SAQ D. Consider stopping this practice immediately to simplify your compliance.

PCICompliance.com offers a free SAQ Wizard that asks a few simple questions about how you accept payments and tells you exactly which questionnaire applies. No guessing required.

How to Complete Your SAQ

Your SAQ consists of yes/no questions about your security practices. When you answer “yes,” you’re confirming that you follow that specific security requirement. Here’s what to expect:

The questionnaire format is straightforward. Each question asks about a specific security control: “Do you change default passwords on payment terminals?” or “Is your wireless network encrypted?” Answer honestly — false answers can create liability if there’s ever a breach.

Documentation you’ll need varies by SAQ type but typically includes:

  • Network diagram (can be hand-drawn for simple setups)
  • Policies for handling card data
  • Employee security training records
  • Vendor agreements if you use third-party services

Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are required only for the SAQ types that include the external-scan requirement. Under PCI DSS v3.2.1 that is SAQ A-EP, B-IP, C and D; SAQ A, B and C-VT don't include it. The v4.0 SAQs moved some requirements around (SAQ A in particular gained new ones), so check the requirement list in the specific SAQ version you are completing rather than assuming. The ASV scans every internet-facing IP address you declare in scope, looking for outdated or unsupported software, weak TLS configuration, and exposed management services. The "SNMP vulnerability" that gives this page its title is the common case: a router, printer or terminal answering SNMP on UDP port 161 from the internet with a default community string such as "public", which lets anyone read its configuration. The fix is to block the port at the firewall or disable SNMP, and if it must stay reachable, use SNMPv3 with authentication and a non-default community. Schedule scans so that a passing scan is never more than 90 days old; your compliance dashboard should remind you.
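A practical way to check for the SNMP finding yourself, before or after an ASV rescan, is to send a single SNMPv1 GET to the device with each common default community string and see whether it answers. The script below is an added example written for this page (it is not PCICompliance.com's code or any ASV's tool); it builds the request and decodes the reply by hand so it has no dependencies, and it embeds a constructed sample reply so the decoder can be exercised offline. The target address in the `__main__` block is an assumed placeholder, and the community-string list is an assumption about what a scanner would try first.

```python
"""SNMPv1 GET probe for the "default community string" ASV finding.

Added example for this page, not code from PCICompliance.com or an ASV.
Sends GetRequest(sysDescr.0) with a candidate community string; an agent
that answers accepts that string, while a correctly configured one (SNMP
disabled, filtered at the firewall, or SNMPv3 only) stays silent.
"""
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"                      # sysDescr.0, readable on any v1/v2c agent
DEFAULT_COMMUNITIES = ("public", "private", "admin")  # assumed guess list, not an ASV's


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the top bit is set."""
    if v < 0:
        raise ValueError("only non-negative integers are needed here")
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str = SYS_DESCR_0, request_id: int = 1) -> bytes:
    """SNMPv1 message: version 0, community, GetRequest PDU (tag 0xA0)."""
    varbind_list = tlv(0x30, tlv(0x30, encode_oid(oid) + tlv(0x05, b"")))  # value is NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbind_list)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(data: bytes) -> dict:
    """Decode a GetResponse (PDU tag 0xA2); raise ValueError for anything else."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, req_id, pos = _read_tlv(pdu, 0)
    _, err_status, pos = _read_tlv(pdu, pos)
    _, _err_index, pos = _read_tlv(pdu, pos)
    _, varbind_list, _ = _read_tlv(pdu, pos)
    _, varbind, _ = _read_tlv(varbind_list, 0)
    _, _oid, pos = _read_tlv(varbind, 0)
    value_tag, value, _ = _read_tlv(varbind, pos)
    return {
        "version": int.from_bytes(version, "big"),
        "community": community.decode("ascii", errors="replace"),
        "request_id": int.from_bytes(req_id, "big"),
        "error_status": int.from_bytes(err_status, "big"),
        "value": value.decode("utf-8", errors="replace") if value_tag == 0x04 else value.hex(),
    }


def probe(host: str, community: str, timeout: float = 2.0, port: int = 161):
    """One GET over UDP; returns the decoded reply, or None when the agent is silent
    (v1 agents drop requests that carry a wrong community without replying)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_get_response(data)


# Constructed sample reply (what an agent with community "public" would send
# for sysDescr.0), so the decoder can be checked with no network access.
SAMPLE_RESPONSE = tlv(0x30, ber_int(0) + tlv(0x04, b"public") + tlv(
    0xA2, ber_int(1) + ber_int(0) + ber_int(0) + tlv(
        0x30, tlv(0x30, encode_oid(SYS_DESCR_0) + tlv(0x04, b"Linux router 5.10")))))


if __name__ == "__main__":
    target = "192.0.2.10"                              # assumed placeholder address
    for name in DEFAULT_COMMUNITIES:
        reply = probe(target, name)
        if reply is None:
            print(f"{name!r}: no answer (good)")
        else:
            print(f"{name!r}: ACCEPTED, sysDescr = {reply['value']!r} -> fix before the rescan")
```

Run it from outside your network against the public address the ASV scans, not from inside, since the point is to see what the scanner sees. A silent agent is the outcome you want; any reply means the community string is accepted and the finding will come back on the rescan.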

Once complete, you'll sign the Attestation of Compliance (AOC), the formal declaration that you've met every requirement in your SAQ. Submit it to your payment processor along with the completed SAQ and, if your SAQ type requires scans, your most recent passing ASV scan report.

What It Costs

PCI compliance costs vary based on your needs, but for most small businesses, the investment is minimal compared to the risk:

Compliance platforms that guide you through the SAQ process typically cost $10-30 per month for small merchants. These tools make completing your questionnaire much easier than working through PDFs.

ASV scanning services run $20-50 per quarter for basic scans. Some compliance platforms include this in their monthly fee. If you have a complex network, expect higher costs for more IP addresses.

QSA assessments only apply to larger merchants. If you’re processing millions of transactions annually, budget $15,000-50,000 for a formal assessment. Most small businesses never need this.

Non-compliance costs add up quickly. Monthly fines from your processor start around $20 but can reach $100. If there’s a breach while you’re non-compliant, you’re looking at forensic investigation fees starting at $10,000, plus liability for any fraud losses. One breach can cost more than a decade of compliance.

For most Level 4 merchants, annual compliance costs less than $500, roughly what a year of the monthly non-compliance fees described above adds up to, and a small fraction of what a single breach costs.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track:

Set up a compliance calendar with reminders for:

  • Annual SAQ completion (usually on your merchant account anniversary)
  • Quarterly ASV scans (a passing scan at least every 90 days, if your SAQ type requires them)
  • Employee security training (annually for anyone handling cards)
  • Review of any service provider changes

Changes that trigger reassessment include:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or terminals
  • Starting to store card data electronically
  • Significant network changes affecting payment systems

Track your compliance status throughout the year. When your processor asks for updated documentation, you should have everything ready. PCICompliance.com’s dashboard shows your compliance timeline, upcoming deadlines, and any missing requirements at a glance.

FAQ

What happens if I don’t complete my SAQ?

Your payment processor will start charging monthly non-compliance fees, typically $20-100. These continue until you submit your completed SAQ and AOC. If you remain non-compliant long enough, your processor may increase your transaction rates or terminate your merchant account entirely.

Can I just answer “yes” to everything on the SAQ?

Technically yes, but this creates significant liability. If there’s a breach and investigation reveals you falsely attested to security controls you didn’t have, you become liable for all associated costs and potential legal action.

Do I need to hire a security consultant?

Most small merchants don’t need outside help. SAQ A and B are designed for non-technical users to complete independently. If you need SAQ D or process millions of transactions, consider professional assistance.

What’s the difference between PCI compliance and PA-DSS?

PCI DSS applies to merchants and service providers that handle card data. PA-DSS applied to vendors of off-the-shelf payment applications; it was retired in 2022 and replaced by the PCI Software Security Framework, whose Secure Software Standard now plays the same role. As a merchant you never need either software certification yourself. Choosing payment software that appears on the PCI SSC's validated listings means the application's security was assessed by a qualified lab, so it isn't something your own assessment has to cover.

How do I know if my e-commerce setup qualifies for SAQ A?

You qualify for SAQ A if your site never handles card data itself: either customers are redirected to the provider's hosted payment page, or the whole payment form is an iframe served entirely by a PCI DSS validated provider, with no card fields rendered by your own pages. If your pages render the card fields themselves (including direct-post or JavaScript-based forms that place the fields in your page and send the data straight to the processor), you need SAQ A-EP. The distinction matters because in the A-EP case a compromise of your web server can alter the payment page. When in doubt, use the SAQ Wizard.

What if I only process a few transactions per month?

Transaction volume doesn’t exempt you from PCI requirements. Even one transaction per year requires compliance. However, your merchant level (and thus validation requirements) depends on annual volume.

Can I use the same SAQ for multiple business locations?

If all locations use identical payment setups and security controls, you can submit one SAQ covering all locations. If payment methods differ between locations, you may need separate assessments.

What should I do if I fail my ASV scan?

First, don't panic; failing findings are common and usually easy to fix. A scan fails if any finding on an in-scope host is rated CVSS 4.0 or higher, and the report lists each issue with its severity and the affected IP address and port. Fix the issues (patch the software, disable the exposed service, or restrict it at the firewall), then request a rescan. If a finding is a false positive or is already mitigated by a compensating control, the ASV has a dispute process for that. You need a passing scan every 90 days, so leave enough time for a rescan before the quarter ends.

Your Next Steps

PCI compliance might seem overwhelming at first glance, but you’ve already taken the hardest step — starting to understand what’s required. Most small businesses can achieve compliance in a few hours with the right guidance.

Start by identifying your SAQ type using PCICompliance.com’s free SAQ Wizard. Answer a few questions about how you accept payments, and we’ll tell you exactly which questionnaire applies to your business. Our platform then guides you through each requirement with plain-English explanations and practical examples.

Once you know your SAQ type, PCICompliance.com provides everything needed for ongoing compliance — ASV scanning for your quarterly requirements, a compliance dashboard tracking your progress, and expert support when you have questions. Whether you’re completing your first SAQ or maintaining year-round compliance, we make the process straightforward and stress-free. Begin with our SAQ Wizard or contact our compliance team to discuss your specific needs.
