Encryption Policy Template
Your Payment Processor Just Sent You a PCI Compliance Questionnaire — Don’t Panic
Here’s the truth about PCI compliance: for most small businesses, it’s much simpler than it sounds. That intimidating questionnaire your payment processor just sent? It’s probably asking for an encryption policy template and a handful of other security documents that take less time to complete than your quarterly taxes. If you’re using modern payment tools like Square, Stripe, or Shopify, you’re already doing most of what PCI requires — you just need to document it properly.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to every business that accepts credit cards. Think of it as the card industry’s way of making sure everyone who handles credit card data does it safely.
The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through an organization called the PCI Security Standards Council. But here’s who actually enforces them: your acquirer (the bank that processes your card payments) or your payment processor (companies like Square, Stripe, or your local merchant services provider).
What Happens If You Don’t Comply?
The consequences are real but manageable:
- Non-compliance fines (typically $5,000-$100,000 depending on your size); the card brands assess them against your acquirer, who passes them on to you
- If there’s a data breach, you’re liable for fraud losses and investigation costs
- In extreme cases, you could lose the ability to accept credit cards
But here’s the good news: most small businesses qualify for the simplest compliance requirements. If you’re reading this because you just got your first compliance questionnaire, you’re probably looking at a few hours of work, not weeks.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. This includes:
- Running cards through a terminal at your store
- Taking payments on your website
- Accepting cards over the phone
- Storing customer card numbers for recurring billing (please reconsider this one: your processor can store the card and hand you a token to charge against, which keeps the actual card number out of your systems and out of your SAQ scope)
Your Merchant Level
Most small businesses are Level 4 merchants — processing fewer than 20,000 e-commerce transactions or up to 1 million total card transactions annually. This means you self-assess your compliance using an SAQ (Self-Assessment Questionnaire) rather than hiring an external auditor.
That Questionnaire They Sent You
Your payment processor sends out compliance questionnaires annually because the card brands require them to verify that their merchants are following security standards. It’s not personal — it’s just part of accepting cards. The questionnaire asks about your encryption policy, how you handle card data, and what security measures you have in place.
Which SAQ Do You Need?
The SAQ you need depends entirely on how you accept payments. Here’s the decision tree in plain English:
| How You Accept Payments | Your SAQ Type | Questions to Answer | Complexity |
|---|---|---|---|
| Redirect to, or provider-hosted iframe from, a payment provider (PayPal, Stripe Checkout) | SAQ A | 22 questions | Simplest |
| E-commerce where your own page delivers the payment form or the script that handles card data | SAQ A-EP | 139 questions | Moderate |
| Standalone terminal only, not connected to the internet (Square Reader, Clover) | SAQ B | 41 questions | Simple |
| Standalone terminal connected to the internet | SAQ B-IP | 82 questions | Simple-Moderate |
| Keying phone/mail orders into a web-based virtual terminal | SAQ C-VT | 89 questions | Moderate |
| Storing card numbers, or any setup not covered above | SAQ D | 340+ questions | Complex |
Question counts change with each PCI DSS version, so treat the numbers above as a rough guide; the current SAQs are in the PCI Security Standards Council's document library, and your processor will tell you which version it accepts.
Common Scenarios
- Using Shopify or WooCommerce with Stripe? You're likely SAQ A if the payment form is fully hosted by the provider (a redirect or a provider-hosted iframe), or SAQ A-EP if your own page delivers the form or scripts that touch card data
- Restaurant with a standalone Clover terminal? That’s SAQ B or SAQ B-IP if it connects to the internet
- Keying phone orders into a virtual terminal at your florist shop? You need SAQ C-VT (if you key them into a standalone card terminal instead, that's SAQ B or B-IP)
- Storing customer card numbers in a spreadsheet? Please stop immediately; until you do, you need SAQ D
PCICompliance.com offers a free SAQ Wizard that asks a few simple questions about your payment setup and tells you exactly which SAQ applies to your business.
How to Complete Your SAQ
Your SAQ is a yes/no questionnaire about your payment security practices. Here’s what to expect:
What the Questions Look Like
Questions range from simple (“Do you have a firewall?”) to more specific (“Do you encrypt cardholder data at rest?”). When you answer “yes,” you’re confirming that you meet that security requirement. Each “no” answer means you need to either implement that control or explain why it doesn’t apply to you.
Time Investment
- SAQ A: 30-60 minutes
- SAQ B: 1-2 hours
- SAQ A-EP or C-VT: 2-4 hours
- SAQ D: Plan for several days and possibly consultant help
Documentation You’ll Need
Gather these before you start:
- Your network diagram (even a simple sketch works for small businesses)
- List of who has access to payment systems
- Your information security policies (yes, that encryption policy template they’re asking for)
- Evidence of your quarterly ASV scans if your SAQ requires them (most e-commerce and internet-connected-terminal SAQs do)
The Quarterly ASV Scan
If your SAQ includes the external vulnerability scanning requirement (look for it under requirement 11 in your SAQ; most SAQs for e-commerce and internet-connected terminals have it), you need quarterly scans from an Approved Scanning Vendor. These automated scans probe the public-facing IP addresses and hostnames of your payment environment for known vulnerabilities and misconfigurations; a scan passes only when nothing rated CVSS 4.0 or higher is found, and you also need a passing scan after any significant change to that environment. They typically cost $100-300 per quarter and take about 30 minutes to set up.
Submitting Your Compliance
Once you complete your SAQ, you'll also fill out its AOC (Attestation of Compliance) section, basically a form saying "yes, we completed our assessment and we're compliant." Submit the completed SAQ with its AOC (plus your latest passing ASV scan report, if scans apply to you) to your payment processor by their deadline, usually annually.
What It Costs
PCI compliance costs vary by your size and complexity:
Typical Annual Costs
- SAQ completion tools: $150-500/year
- Quarterly ASV scanning: $400-1,200/year (if required)
- Compliance platform (like PCICompliance.com): $300-1,500/year
- QSA assessment (only for large merchants): $10,000-50,000
The Cost of Non-Compliance
Your payment processor can charge:
- Monthly non-compliance fees: $20-100
- Annual non-compliance penalties: $5,000-100,000
- Breach-related costs: $50-90 per compromised card number
- Lost ability to accept cards: priceless (in the worst way)
For most small merchants, annual compliance costs less than a single non-compliance fine. It’s simply good business.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox — it’s an annual requirement with some quarterly elements:
Annual Requirements
- Complete and submit your SAQ
- Update your security policies (including that encryption policy template)
- Review who has access to payment systems
- Train staff on card data security
Quarterly Requirements
- Run ASV scans if you have e-commerce
- Review your firewall rules and logs (the standard itself expects rule sets reviewed at least every six months and logs of in-scope systems reviewed daily, so a quarterly check is the minimum, not the target)
- Check for any changes to your payment environment
What Triggers a New Assessment
- Changing payment processors
- Adding new payment channels (like starting e-commerce)
- Storing card data when you didn’t before
- Growing above your current merchant level threshold
PCICompliance.com’s compliance dashboard sends automatic reminders for all these deadlines and tracks your progress throughout the year.
FAQ
How do I know which merchant level I am?
Your payment processor determines your merchant level based on your annual transaction volume. Most small businesses processing under 20,000 e-commerce transactions or up to 1 million total transactions are Level 4. Your processor can confirm your level.
Can I just ignore this questionnaire?
Technically yes, but it’s expensive. Most processors charge $20-100 monthly for non-compliance, and you assume full liability for any breach. The questionnaire takes less time than dealing with the consequences.
Do I need to hire a QSA?
Only if you’re a Level 1 merchant (over 6 million transactions annually) or if your processor specifically requires it. Most small businesses self-assess using the appropriate SAQ.
What’s the difference between PCI compliance and EMV?
EMV (chip cards) is about fraud prevention at the point of sale. PCI compliance covers all aspects of card data security. You need both — EMV doesn’t make you PCI compliant.
How often do I need to complete an SAQ?
Annually, with quarterly ASV scans if you process payments online. Your payment processor will send reminders, or you can use a compliance platform to track deadlines automatically.
What if I fail my ASV scan?
Don't panic: most sites fail their first scan. The scan report lists each failing finding, the host it was found on, and what to fix. Make the changes, rescan, and repeat until the report is clean; it's the passing scan each quarter that counts, and your processor sets how long you have to produce one before it affects your compliance status.
Can I just use P2PE and avoid all this?
P2PE (Point-to-Point Encryption) solutions can reduce your scope to SAQ P2PE, which has only 33 questions. The catch: the solution must be one listed by the PCI Security Standards Council as a validated P2PE solution, used with its approved terminals and according to its instruction manual; a processor simply saying "we encrypt" doesn't qualify. And you still need to complete compliance, it just gets much simpler.
Do I really need an encryption policy?
Yes, if your SAQ asks about encryption. The good news: your encryption policy template can be simple. It just needs to document how you protect card data: that you don't store card numbers yourself (or, if you do, that they are encrypted at rest with strong cryptography), and that card data in transit goes to your processor over TLS, which modern payment systems handle automatically.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but for most small businesses, it’s a manageable process. If you’re using modern payment tools and following basic security practices, you’re probably already doing most of what’s required — you just need to document it properly.
The key is understanding which SAQ applies to your business and getting organized about completion. That encryption policy template they’re asking for? It’s just one piece of a straightforward puzzle that protects both your business and your customers.
PCICompliance.com makes the entire process simple with our free SAQ Wizard that identifies your exact requirements, integrated ASV scanning for quarterly vulnerability assessments, and a compliance dashboard that tracks everything year-round. Start with our SAQ Wizard to see exactly what you need, or talk to our compliance team if you need guidance. We’ve helped thousands of merchants achieve compliance, and most are surprised by how straightforward it really is.