Helcim PCI Compliance: What Small Business Owners Actually Need to Know

Here’s what that compliance questionnaire from your payment processor really means — and why it’s probably simpler than you think.

The Bottom Line Up Front

If you just received a PCI compliance questionnaire from Helcim (or any payment processor) and feel overwhelmed, take a deep breath. For most small businesses, achieving Helcim PCI compliance is much simpler than it first appears. You don’t need to be a security expert, you won’t need to hire expensive consultants, and you can probably complete everything in an afternoon. This guide will show you exactly what you need to do, step by step, in plain English.

What Is PCI Compliance (In Plain English)

PCI compliance means following a set of security standards designed to protect credit card data. If you accept credit cards — whether in person, online, or over the phone — these standards apply to you. The rules are called the Payment Card Industry Data Security Standard (PCI DSS), and they exist for one simple reason: to prevent credit card fraud and data breaches.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through an organization called the PCI Security Standards Council. But here’s the important part: your payment processor or acquiring bank — in this case, Helcim — is the one who actually enforces these rules and sends you that compliance questionnaire.

Think of it like this: the card brands make the rules, but your payment processor is the referee who makes sure you follow them.

What Happens If You’re Not Compliant?

Non-compliance isn’t just a paperwork issue. Your payment processor can:

  • Fine you monthly (typically $25-$100 for small merchants)
  • Increase your processing rates
  • Hold you liable for fraud losses if there’s a breach
  • Ultimately terminate your ability to accept credit cards

The good news? For most small businesses, compliance is straightforward. You’re probably already doing most of what’s required — you just need to document it properly.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes, you need to be PCI compliant.

It doesn’t matter if you’re a corner coffee shop with one card reader or an online boutique processing thousands of transactions. The moment you accept a credit card payment, PCI DSS applies to you.

Your Merchant Level

PCI compliance requirements are based on your merchant level, which is determined by how many transactions you process annually:

  • Level 1: Over 6 million transactions per year
  • Level 2: 1 to 6 million transactions per year
  • Level 3: 20,000 to 1 million transactions per year
  • Level 4: Under 20,000 transactions per year

Most small businesses fall into Level 4, which has the simplest compliance requirements. At this level, you typically just need to complete a Self-Assessment Questionnaire (SAQ) and pass quarterly security scans.

That Questionnaire Helcim Sent You

When Helcim sends you a compliance questionnaire, they’re not trying to make your life difficult. They’re required by the card brands to ensure all their merchants maintain basic security standards. The questionnaire is your opportunity to confirm that you’re handling card data safely.

The questionnaire will typically ask you to:
1. Identify which SAQ type applies to your business
2. Complete the appropriate SAQ
3. Submit an Attestation of Compliance (AOC)
4. If applicable, pass quarterly ASV scans of your systems

Which SAQ Do You Need?

The biggest source of confusion in PCI compliance is figuring out which SAQ applies to your business. There are several types, each with different requirements based on how you accept and process payments.

Here’s a simple breakdown:

How You Accept Payments                      SAQ Type   Number of Questions   Complexity
Fully outsourced (PayPal, Square online)     SAQ A      22                    Easiest
E-commerce with hosted payment page          SAQ A-EP   139                   Moderate
Standalone terminals only                    SAQ B      41                    Easy
Standalone terminals with IP connection      SAQ B-IP   82                    Easy-Moderate
Web-based virtual terminal                   SAQ C      160                   Moderate
Phone/mail/fax orders only                   SAQ C-VT   84                    Moderate
Any other scenario                           SAQ D      329                   Complex

Common Scenarios

If you use a payment terminal like Square, Clover, or a traditional credit card machine that connects via phone line or ethernet, you’re likely SAQ B or SAQ B-IP. These are relatively simple questionnaires focused on the physical security of your terminal.

If you have an e-commerce site using Shopify Payments, Stripe Checkout, or similar hosted payment pages where customers are redirected to enter card details, you’re probably SAQ A — the simplest questionnaire with only 22 questions.

If you take payments over the phone and enter them into a web-based virtual terminal, you’ll need SAQ C-VT. This requires a bit more work but is still manageable for most businesses.

If you store card numbers in any form — spreadsheets, customer databases, even written down — you’re in SAQ D territory. This is complex and expensive. Consider changing your processes to avoid storing card data.

Not sure which SAQ applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Once you know which SAQ type you need, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices.

What “Yes” Actually Means

When a question asks “Do you restrict physical access to cardholder data?” a “yes” answer means you have actual controls in place. For example:

  • Your payment terminal is in a locked office after hours
  • Only authorized employees can access the terminal
  • You have a process for removing access when employees leave

You’re not just checking boxes — you’re confirming that you actually follow these practices.

Documentation You’ll Need

Before starting your SAQ, gather:

  • Network diagram (even a simple sketch for small businesses)
  • List of who has access to payment systems
  • Vendor agreements for any third-party payment services
  • Security policies (even informal ones count)

The Quarterly ASV Scan

If your SAQ type requires it, you’ll need to pass a quarterly vulnerability scan performed by an Approved Scanning Vendor (ASV). This automated scan checks your internet-facing systems for security vulnerabilities.

Don’t panic — for most small businesses, this means scanning:

  • Your business website
  • Your email server (if you host it)
  • Any public IP addresses associated with your business

The scan typically takes a few hours and runs in the background. You’ll receive a report showing any vulnerabilities found. Most issues are minor and can be fixed by applying software updates or adjusting configurations.

Submitting Your Compliance

After completing your SAQ and passing any required scans:
1. Sign the Attestation of Compliance (AOC) — a formal declaration that your answers are accurate
2. Submit both documents through your processor’s compliance portal
3. Keep copies for your records

What It Costs

PCI compliance has both direct and indirect costs. Here’s what to budget:

Direct Compliance Costs

Compliance platform and tools: $50-200/year for small merchants. This typically includes:

  • Access to the appropriate SAQ
  • Compliance tracking dashboard
  • Basic support and guidance

Quarterly ASV scanning: $100-300/year for four quarterly scans. Some compliance platforms include this in their annual fee.

QSA assessment: Only required for Level 1 merchants or if you can’t self-assess. Costs range from $10,000-50,000+ depending on complexity. Most small businesses never need this.

The Cost of Non-Compliance

Non-compliance fees from your processor: $25-100/month is typical for Level 4 merchants. These add up quickly — that’s $300-1,200/year in unnecessary fees.

If you experience a breach while non-compliant, costs skyrocket:

  • Forensic investigation: $10,000-100,000+
  • Card replacement costs: $3-5 per compromised card
  • Regulatory fines: Varies by severity
  • Lost business and reputation damage: Incalculable

Bottom line: Annual compliance typically costs less than three months of non-compliance fees — and far less than even a minor breach.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox. Your compliance status resets annually, and you’ll need to:

  • Complete your SAQ every year
  • Run ASV scans quarterly (if required)
  • Update your assessment if your payment methods change

Setting Up for Success

Create calendar reminders for:

  • Annual SAQ due date (usually 12 months from last submission)
  • Quarterly scan windows (every 90 days)
  • Employee security training (recommended annually)

Changes That Trigger Reassessment

You’ll need to reassess your SAQ type if you:

  • Add new payment channels (like starting e-commerce)
  • Change payment processors or gateways
  • Start storing card data (please don’t)
  • Significantly change your network architecture

PCICompliance.com’s compliance dashboard tracks all these dates automatically and sends reminders before deadlines. You can see your compliance status, scan history, and upcoming requirements all in one place.

FAQ

Q: I’m just a small shop with one card reader. Do I really need to worry about this?

Yes, but it’s simpler than you think. With just a standalone terminal, you likely need SAQ B — only 41 questions focused on physical security. Most can be answered in under an hour.

Q: What if I only process a few transactions per month?

Transaction volume doesn’t exempt you from PCI compliance. However, it does make you a Level 4 merchant with the simplest requirements. You still need to complete an SAQ, but it’s manageable.

Q: Can I just ignore this questionnaire from Helcim?

Ignoring it will likely result in monthly non-compliance fees added to your statement. These fees continue until you complete your compliance requirements. It’s much easier and cheaper to just complete the questionnaire.

Q: Do I need to hire a security consultant?

For most small businesses using standard payment methods, no. The SAQs are designed for self-completion. You only need professional help if you’re storing card data or have complex payment environments.

Q: What if I fail my ASV scan?

Failing is common on the first attempt. The scan report will list specific issues to fix. Most are resolved by applying software updates or adjusting firewall settings. You can rescan as often as needed within your quarterly window.

Q: How do I know if I’m storing card data?

Check everywhere: databases, spreadsheets, email, paper files, even post-it notes. If you keep full card numbers anywhere after the transaction is complete, you’re storing card data. This puts you in SAQ D territory — consider tokenization or changing your processes instead.
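The question above (and the SAQ D warning in the “Common Scenarios” section) asks you to find out whether full card numbers are sitting anywhere in your files. A quick way to check text exports, notes and logs is a small discovery script: it looks for 13–19 digit runs, confirms each candidate with the Luhn checksum so order numbers and phone numbers are not reported, and records only the last four digits so the report does not itself become a store of card data. This is an added illustration, not code from Helcim or PCICompliance.com; the spreadsheet export it scans is a constructed sample using the well-known industry test numbers 4111 1111 1111 1111 and 5500 0000 0000 0004, and the function names are my own.

```python
"""
Scan free text (spreadsheet exports, log files, notes) for unmasked primary
account numbers (PANs). Regex candidates are confirmed with the Luhn check so
ordinary digit runs (order ids, phone numbers) are not reported.
Added example for illustration; not Helcim or PCICompliance.com code.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return [(line_number, last4, digit_count)] for each Luhn-valid candidate.

    Only the last four digits are kept so the report itself does not become
    a new store of card data.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((line_no, digits[-4:], len(digits)))
    return findings


# Constructed sample: a customer spreadsheet export containing industry test
# PANs (4111..., 5500...) plus digit runs that must NOT be reported
# (a phone number, an invoice number that fails Luhn, a masked card).
SAMPLE_EXPORT = """\
customer,phone,notes
Alice,512-555-0134,paid by card 4111 1111 1111 1111 exp 12/26
Bob,512-555-0199,invoice 1234567890123456 paid in full
Carol,,card on file ****-****-****-0004 (tokenized)
Dan,,mc 5500-0000-0000-0004 taken over the phone
"""

if __name__ == "__main__":
    for line_no, last4, n in find_pans(SAMPLE_EXPORT):
        print(f"line {line_no}: {n}-digit PAN ending {last4}")
```

Run it over exported CSVs, mailbox dumps or ticketing exports; any hit means full card numbers are being retained after the transaction, which is exactly the situation that pushes a merchant into SAQ D. The Luhn check is a filter, not proof of a live card, so review each hit by hand before deciding whether it must be deleted or replaced with a processor token.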

Q: Is PCI compliance the same as being secure?

PCI compliance is a minimum security standard, not comprehensive protection. Think of it as the foundation. Good security practices go beyond PCI requirements, but compliance is an important first step.

Q: What if my business setup doesn’t match any of the SAQ types?

This is rare but possible. In such cases, you might need to complete SAQ D or work with a QSA to determine appropriate requirements. Contact your processor’s compliance team for guidance.

Conclusion

Helcim PCI compliance might seem daunting when you first receive that questionnaire, but for most small businesses, it’s a manageable process. The key is understanding which SAQ type applies to your specific payment setup and methodically working through the requirements.

Remember, PCI compliance protects both your business and your customers. The hour or two you spend completing your SAQ is far less painful than dealing with a data breach or accumulating monthly non-compliance fees.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your SAQ type in minutes, or talk to our compliance team if you need guidance getting started. We’ve helped thousands of merchants navigate PCI compliance, and we can help you too.
