Disable Telnet for PCI

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and your heart sank, take a breath. For most small businesses, PCI compliance is simpler than you think — especially if you use modern payment terminals or hosted checkout pages. You’re probably looking at a straightforward self-assessment that takes a couple of hours once a year, not the complex audit you might be imagining. This guide will walk you through exactly what you need to do, in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business that accepts credit card payments. Think of it as the basic security checklist the card brands created to protect customer card data — and by extension, protect your business from the devastating costs of a data breach.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But here’s who actually enforces them: your acquirer (the bank that processes your card payments) or your payment processor (like Square, Stripe, or PayPal). That’s why they sent you that compliance questionnaire — they’re required to verify that all their merchants follow these security standards.

What happens if you ignore it? Your processor can fine you monthly non-compliance fees (typically $20-100/month), increase your processing rates, or even terminate your ability to accept cards. If you have a breach while non-compliant, you’re personally liable for the costs — which can easily reach six figures for even a small business. The good news: achieving compliance is usually much easier than merchants expect, especially if you’re already using modern payment tools.

Most small businesses qualify for the simplest SAQ (Self-Assessment Questionnaire) types, which means you’re answering a series of yes/no questions about your payment setup, not hiring expensive auditors. If you use payment terminals that don’t connect to your computers, or if customers enter their card details directly on a hosted payment page, you’re already doing most things right.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form — in person, online, over the phone, or even just occasionally — yes, you need to be PCI compliant. This includes debit cards with a Visa or Mastercard logo. It doesn’t matter if you process one transaction a year or thousands daily.

Your merchant level determines how you prove compliance. Most small businesses are Level 4 merchants (processing under 20,000 e-commerce transactions or under 1 million total transactions annually). Level 4 merchants complete a self-assessment questionnaire — you don’t need an outside auditor. Only the largest merchants need formal assessments by a QSA (Qualified Security Assessor).

Your payment processor expects you to complete an annual self-assessment questionnaire, pass quarterly vulnerability scans if you have any internet-connected systems, and maintain compliance throughout the year. The questionnaire they sent (often labeled “PCI Compliance Notice” or “Annual Security Assessment”) is their way of collecting your annual attestation.

That questionnaire isn’t optional. Your merchant agreement requires PCI compliance, and processors actively track who’s compliant. Ignoring it won’t make it go away — you’ll just start seeing monthly non-compliance fees on your statements.

Which SAQ Do You Need?

The biggest confusion in PCI compliance is figuring out which SAQ applies to your business. Here’s the decision tree in plain language:

If you use a standalone payment terminal (like Square Terminal, Clover, or a traditional credit card machine) that isn’t connected to your computer systems, you likely need SAQ B. This is one of the simplest forms with just 41 questions.

If you have an e-commerce site where customers are redirected to a hosted payment page (like PayPal, Square Checkout, or Stripe Checkout) to enter their card details, you likely need SAQ A. This is the absolute simplest with only 22 questions.

If you take payments where customers call you with their card number, you likely need SAQ C-VT. This applies even if it’s just occasionally for phone orders.

If you have any system that stores card numbers electronically — even in spreadsheets or your email — you need SAQ D, the most comprehensive questionnaire. This is where compliance gets complex and expensive. The solution? Stop storing card numbers and qualify for a simpler SAQ.

Payment Scenario                                        SAQ Type   Questions   Complexity
Redirect to PayPal/Stripe/etc. for online payments      SAQ A      22          Easiest
Standalone terminal not connected to other systems      SAQ B      41          Easy
Terminal connected to internet through your computer    SAQ B-IP   91          Moderate
Taking payments over the phone                          SAQ C-VT   80          Moderate
Any electronic storage of card numbers                  SAQ D      329         Complex

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about how you accept payments and tells you exactly which questionnaire you need — no guessing required.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your payment security practices. When a question asks “Do you have a firewall?” and you answer “Yes,” you’re attesting that you actually have one configured properly — not just that you think you might have one somewhere.

Here’s what the process looks like:

First, gather some basic documentation. You’ll need to know what payment devices or software you use, whether you have any computers that connect to payment systems, and your network setup if applicable. For most small merchants using standalone terminals or hosted checkout, this takes just minutes.

Next, work through the questionnaire. Read each question carefully — they’re written in security-speak but usually boil down to simple practices. “Do you change vendor default passwords?” means did you change the password that came with your payment terminal or router. Most questions for simpler SAQs are about basic security hygiene you’re probably already doing.

If your SAQ requires it, you’ll need to complete quarterly ASV scans. These are automated vulnerability scans of your internet-facing systems (like your website or email server). You don’t run these yourself — you hire an Approved Scanning Vendor to do it. The scan checks for known security vulnerabilities and gives you a pass/fail report. Most hosting providers keep their systems patched, so passing is usually straightforward.

Finally, submit your completed SAQ along with your AOC (Attestation of Compliance) to your processor. The AOC is basically your signature page saying “yes, we completed this honestly.” Some processors have their own portal for submission, while others accept the standard PCI forms.

What It Costs

For most small merchants, annual PCI compliance costs between $100 and $300. Here’s the breakdown:

Compliance platforms and SAQ tools typically charge $10-25/month. These help you determine your SAQ type, guide you through the questions, and store your documentation. Some processors include basic tools for free.

Quarterly ASV scanning runs $30-50 per quarter if you need it (SAQs A and B don’t require scanning). Some compliance platforms include scanning in their monthly fee. You need four passing scans per year from a PCI-approved vendor.

QSA assessments only apply to larger merchants (Level 1-2). If you’re reading this guide, you probably don’t need one. These formal audits start around $15,000 annually.

The cost of non-compliance hits harder than the cost of compliance. Monthly non-compliance fees from your processor range from $20-100. If you have a breach while non-compliant, you’re looking at forensic investigation costs ($10,000+), card replacement costs ($3-5 per compromised card), regulatory fines, and potential lawsuits. One small breach can cost more than a lifetime of compliance fees.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with ongoing obligations. Your SAQ is valid for one year from submission, then you need to re-attest. If you need quarterly scans, you must pass one every 90 days.

Set calendar reminders for:

  • Annual SAQ due date (usually the anniversary of your last submission)
  • Quarterly scan windows if required
  • Password changes for payment systems
  • Security update checks for payment software

Any significant change to how you accept payments triggers a reassessment. Adding a new e-commerce platform, changing payment terminals, or starting to take phone orders might move you to a different SAQ type. When in doubt, re-run the SAQ wizard to confirm you’re still using the right form.

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends reminder emails, and stores your compliance history. No more scrambling when your processor asks for last year’s AOC or wondering when your next scan is due.

FAQ

What’s the difference between PCI compliance and PCI certification?

Technically, merchants become PCI compliant, not certified. Only payment applications and security vendors get “certified.” But everyone uses these terms interchangeably, and your processor might ask for your “PCI certificate” when they mean your AOC (Attestation of Compliance).

Can I just check ‘yes’ to all questions on my SAQ?

No — this is attestation fraud and can result in personal liability if there’s a breach. Answer honestly based on your actual security practices. If you need to answer ‘no’ to required controls, fix the issue or work with your QSA on compensating controls.

Do I need PCI compliance if I only process a few transactions?

Yes. PCI DSS applies to all merchants regardless of transaction volume. Even one transaction per year means you need to comply, though you’ll qualify for the simplest merchant level (Level 4).

What if I don’t have an IT department?

Most small merchants don’t. The simpler SAQ types (A, B) are designed for non-technical users. Your payment provider often offers basic guidance, and compliance platforms provide step-by-step help through the process.

How long does the SAQ take to complete?

SAQ A takes most merchants 30-60 minutes. SAQ B typically takes 1-2 hours. SAQ C-VT might take 2-4 hours including documentation gathering. SAQ D is complex enough that you’ll want professional help.

What’s an ASV scan and do I need one?

An Approved Scanning Vendor scan is an automated security scan of your internet-facing systems. You need quarterly ASV scans if you have any systems connected to the internet that handle card data. SAQs A and B typically don’t require scanning.

Can I lose my ability to accept credit cards?

Yes, but processors rarely take this extreme step. They’d rather collect non-compliance fees than lose you as a customer. However, after a breach or repeated non-compliance, they can and will terminate your merchant account.

Is PCI compliance the same as being secure?

PCI compliance is a minimum security standard, not comprehensive security. Think of it like passing your driver’s test — it proves basic competence, not that you’ll never have an accident. Smart merchants go beyond PCI requirements for true security.

Conclusion

That PCI compliance questionnaire might have seemed overwhelming when it landed in your inbox, but now you know what you’re dealing with. For most small businesses, it’s just a matter of identifying which simple SAQ fits your payment setup, answering some straightforward questions about your security practices, and possibly scheduling quarterly scans.

The key is to start now rather than letting those non-compliance fees pile up. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You can complete most SAQs in an afternoon and sleep better knowing you’re protecting your customers’ card data and your business from breach liability. Start with the free SAQ Wizard or talk to our compliance team if you need guidance on your specific situation.
