The Good News About PCI Compliance (It’s Simpler Than You Think)
Let’s start with what matters: if you’re a small business accepting credit cards through HoneyBook or any other platform, HoneyBook PCI compliance is likely much simpler than the scary questionnaire sitting in your inbox suggests. Most small businesses can achieve compliance in an afternoon with the right guidance. You don’t need a security team, you don’t need expensive consultants, and you definitely don’t need to panic.
That compliance questionnaire from your payment processor? It’s not a test you can fail — it’s a checklist to confirm you’re handling credit card data safely. For most HoneyBook users processing payments through integrated gateways, you’re looking at the simplest compliance path available. Take a breath. We’ll walk through exactly what you need to do.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist that anyone who touches credit card data must follow. The PCI Security Standards Council maintains these standards, but it’s your payment processor or acquiring bank who actually enforces them and sends you that annual questionnaire.
Here’s what PCI compliance really means: if you accept credit cards, you need to protect that data. The standard exists because card data breaches hurt everyone — cardholders lose money, businesses face liability, and the payment system loses trust. Your compliance shows you’re doing your part to keep the payment ecosystem secure.
The consequences of non-compliance are real but manageable. Your payment processor can fine you (typically $5,000 to $100,000 depending on your size), you’re liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards. But here’s the thing — compliance isn’t hard for most small businesses. The standard recognizes that a freelance photographer using HoneyBook faces different requirements than Target or Amazon.
The relief you’re looking for: most small businesses qualify for simplified Self-Assessment Questionnaires (SAQs) with as few as 22 yes/no questions. You’re not facing the 300+ requirements that large retailers deal with. Your path to compliance is probably a two-hour project, not a six-month ordeal.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you process one payment a year or thousands — the moment you accept that first credit card payment, PCI DSS applies to you. This includes online payments, phone orders, invoiced payments, and even those occasional checks where someone writes their card number (please make them stop doing that).
Your merchant level determines how you demonstrate compliance. Most small businesses fall into Level 4 (processing fewer than 20,000 Visa transactions annually). Don’t worry about counting transactions across all card brands — Visa’s thresholds are what matter for merchant level classification. Level 4 merchants complete a self-assessment questionnaire annually and run quarterly vulnerability scans. That’s it. No on-site audits, no QSA involvement, no extensive documentation.
Your payment processor expects three things from you: an annual Self-Assessment Questionnaire (SAQ), quarterly ASV scans if you have any internet-facing systems, and an Attestation of Compliance (AOC) confirming you’ve completed your assessment. They send that compliance questionnaire because the card brands require them to verify every merchant’s compliance status annually. It’s not personal — it’s process.
That questionnaire sitting in your inbox has a deadline because your processor needs to report your compliance status to the card brands. Miss the deadline and you’ll see monthly non-compliance fees on your statement (usually $19.95 to $100 per month). Complete it on time and you’re good for another year. The questionnaire isn’t going away, but it also isn’t as scary as it looks.
Which SAQ Do You Need?
The SAQ type you need depends entirely on how you accept and process credit card payments. Here’s the decision tree, in plain language:
If you never touch, see, or store credit card numbers and customers enter their payment information directly on a payment page hosted by your processor (like Stripe Checkout, PayPal, or Square’s hosted pages), you’re looking at SAQ A — just 22 questions about your payment setup.
Using a standalone terminal that connects directly to your processor over a phone line or cellular connection? That’s SAQ B territory — 41 questions focused on the physical security of your terminal. If that terminal connects through your internet connection, you’ll need SAQ B-IP instead, which adds some network security questions.
Taking payments over the phone where you hear and enter card numbers? You’ll complete SAQ C-VT with questions about how you protect those phone conversations and the systems you use to enter the card data. If you’re entering those numbers into a virtual terminal in your web browser, make sure it’s a proper virtual terminal from your processor, not a standard e-commerce site.
Here’s a quick reference for common HoneyBook payment scenarios:
| Payment Method | How It Works | SAQ Type | Questions | Complexity |
|---|---|---|---|---|
| HoneyBook Payments (integrated) | Clients enter card info directly in HoneyBook | SAQ A | 22 | Simple |
| Stripe integration with hosted checkout | Redirects to Stripe’s payment page | SAQ A | 22 | Simple |
| Phone payments into virtual terminal | You type card numbers into processor’s web terminal | SAQ C-VT | 83 | Moderate |
| Storing card numbers (even in emails) | Card data saved anywhere in your systems | SAQ D | 300+ | Complex |
Can’t figure out which one applies? Use PCICompliance.com’s SAQ Wizard — answer a few questions about how you accept payments and we’ll identify exactly which questionnaire you need. No guessing, no reading through pages of eligibility criteria.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your payment security practices. “Yes” means you’ve implemented that security control. “No” means you haven’t (and you’ll need to fix it or explain why it doesn’t apply). Here’s what you’re actually agreeing to when you check “yes”:
For SAQ A, you’re confirming things like: you don’t store card numbers anywhere, your website has a valid SSL certificate, and you’ve documented who can make changes to your payment pages. These are mostly common-sense security practices you’re probably already following.
Documentation you’ll need varies by SAQ type but typically includes: a list of any systems that handle payments, your process for adding or removing payment acceptance, and evidence of your quarterly vulnerability scans. Don’t overthink this — for SAQ A, your “documentation” might be a one-page description of how HoneyBook handles your payments.
The quarterly ASV scan requirement trips up many small merchants. If you have any internet-facing systems (website, email server, customer portal), you need these scans every 90 days. An Approved Scanning Vendor runs automated security tests against your public IP addresses and provides a passing scan report. Schedule these quarterly — set calendar reminders now.
Submitting your completed SAQ involves three steps: fill out the questionnaire honestly, complete the Attestation of Compliance (it’s a formal signature page), and submit both documents to your payment processor through their compliance portal. Keep copies for your records — you’ll need them for reference next year.
What It Costs
Let’s talk real numbers. Compliance platforms that guide you through your SAQ typically cost $100 to $300 per year for small merchants. These tools make the questionnaire process much easier with built-in help text and compliance tracking. Worth it if you value your time over money.
Quarterly ASV scanning runs about $200 to $400 per year depending on how many IP addresses you need scanned. Some compliance platforms bundle this with their SAQ tools. If you truly have no internet-facing systems (rare these days), you might not need this at all.
You only need a QSA if you’re processing over 1 million transactions annually or if your processor specifically requires it due to a breach. QSA assessments start around $10,000 and go up from there. But again — most small businesses never need this level of assessment.
The cost of non-compliance hits harder than doing it right. Monthly non-compliance fees from your processor range from $19.95 to $100. Annual fines for continued non-compliance can reach $5,000 to $100,000. If you have a breach while non-compliant, you’re liable for fraud losses, forensic investigation costs, and card reissuance fees. One breach can easily cost a small business $50,000 or more.
Here’s the honest assessment: for most small merchants, annual compliance costs less than $500 — basically the cost of a single chargeback or one month of non-compliance fees. It’s not a profit center for processors; it’s a checkbox they need to tick for the card brands.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done deal — it’s an annual requirement with quarterly checkpoints. Your SAQ expires after one year, and those ASV scans need to happen every 90 days. Miss these deadlines and those non-compliance fees start hitting your merchant statement.
Set up your compliance calendar now. Annual SAQ renewal, quarterly ASV scans, and any required security training for staff who handle card data. Most compliance platforms send automatic reminders, but don’t rely solely on those — put the dates in your business calendar too.
Certain changes trigger immediate compliance review: switching payment processors, adding new payment channels (like a new e-commerce site), or starting to store card numbers (don’t do this). Major business changes like mergers or adding locations also require compliance updates. When in doubt, check with your processor.
PCICompliance.com’s compliance dashboard tracks all these requirements in one place. You’ll see upcoming deadlines, scan results, and compliance status at a glance. No more scrambling when that annual questionnaire arrives — you’re already ready.
FAQ
I’m just a freelancer using HoneyBook. Do I really need PCI compliance?
Yes, if you accept credit card payments through HoneyBook or any other method, you need to maintain PCI compliance. The good news is that as a freelancer using HoneyBook’s integrated payment processing, you likely qualify for SAQ A — the simplest questionnaire with just 22 questions.
What happens if I ignore the compliance questionnaire from my processor?
Initially, you’ll see monthly non-compliance fees on your statements (typically $19.95 to $100 per month). Continued non-compliance can lead to larger fines, increased transaction fees, or even termination of your merchant account.
I don’t store any credit card numbers. Why do I still need compliance?
PCI compliance covers the entire payment process, not just storage. Even if card numbers only pass through your systems momentarily (like when clients enter them on your payment page), you need to ensure that process is secure.
How often do I need to complete PCI compliance requirements?
You need to complete your SAQ annually and run ASV vulnerability scans quarterly (every 90 days) if you have any internet-facing systems. Mark these dates in your calendar when you complete your first assessment.
My payment processor says I need SAQ A-EP, but I think I qualify for SAQ A. Who’s right?
Your processor makes the final determination on which SAQ type you must complete. If you believe you qualify for a simpler SAQ, provide documentation showing how your payment setup meets those eligibility requirements.
Can I just say “yes” to all the questions to pass?
Only answer “yes” to requirements you’ve actually implemented. False attestation is considered fraud and makes you fully liable for any breaches or card data compromises.
I failed my ASV scan. Now what?
Don’t panic — failing your first scan is common. The scan report identifies specific vulnerabilities to fix. Address the critical and high-risk findings, then request a rescan.
Do I need to hire a security consultant for PCI compliance?
Most small businesses using standard payment setups don’t need consultants. SAQ A and B are straightforward enough to complete yourself, especially with guidance from compliance platforms like PCICompliance.com.
Your Next Steps
PCI compliance feels overwhelming when that first questionnaire arrives, but now you know it’s manageable. Most HoneyBook users accepting payments through standard integrations face just 22 questions on SAQ A. That’s an afternoon of work, not a compliance nightmare.
Start by identifying which SAQ type applies to your payment setup. PCICompliance.com’s free SAQ Wizard walks you through this determination in minutes — no expertise required. Once you know your SAQ type, you can use our platform to complete the questionnaire with built-in guidance, schedule your ASV scans, and track compliance year-round. Our compliance team is here when you need help, whether you’re completing your first SAQ or updating your annual assessment. Don’t let that questionnaire intimidate you — take the first step with our SAQ Wizard and see how straightforward HoneyBook PCI compliance really is.