How to Document PCI Compliance

Getting Started: Your PCI Compliance Roadmap

That compliance questionnaire from your payment processor looks intimidating, but here’s the truth: for most small businesses, documenting PCI compliance is much simpler than you think. If you’re reading this because you just received a confusing email about “maintaining PCI DSS compliance” and have no idea where to start, you’re in the right place. We’ll walk you through exactly what you need to do, step by step.

The vast majority of small merchants can complete their PCI compliance in an afternoon with the right guidance. No expensive consultants, no complex security audits — just straightforward questions about how you handle credit card payments.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to anyone who accepts credit card payments. Think of it as basic security hygiene for handling customer payment information — requirements that help ensure card numbers don’t end up in the wrong hands.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But they don’t enforce compliance directly. Instead, your acquirer (the bank that processes your card payments) or payment processor handles enforcement. That’s who sent you the compliance questionnaire.

Here’s what happens if you ignore that questionnaire:

  • Your payment processor can fine you (typically $25-$100 per month for non-compliance)
  • If there’s a data breach, you’re liable for fraud losses and forensic investigation costs
  • In extreme cases, you could lose the ability to accept credit cards entirely

The good news? Most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as Amazon or Walmart. The process is designed to scale with your risk level.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes.

It doesn’t matter if you:

  • Only process a few transactions per month
  • Use a simple card reader
  • Never touch the actual card numbers yourself
  • Only accept payments through PayPal or Square

If credit cards are a payment option for your customers, PCI compliance applies to you.

Your merchant level determines how much documentation you need. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means you can self-assess your compliance using a simplified questionnaire called an SAQ (Self-Assessment Questionnaire).

That compliance request from your payment processor? They’re required to verify your compliance annually. The questionnaire they sent is their way of saying, “Show us you’re handling card data safely.” They’re not trying to catch you out — they want you to succeed because non-compliant merchants create risk for everyone.

Which SAQ Do You Need?

The hardest part of PCI compliance is often figuring out which questionnaire applies to your business. There are several SAQ types, each designed for different payment scenarios. Here’s how to determine yours:

How You Accept Payments                                                   | SAQ Type | Complexity                 | Typical Time Required
E-commerce with fully hosted checkout (PayPal, Stripe Checkout, Shopify)  | SAQ A    | Simplest (22 questions)    | ~15 minutes
E-commerce with payment fields on your site (Stripe Elements, Authorize.net) | SAQ A-EP | Simple (139 questions)  | ~1-2 hours
Standalone terminals only (Square Reader, Clover)                         | SAQ B    | Simple (41 questions)      | ~30 minutes
Standalone terminals connected to the internet                            | SAQ B-IP | Moderate (82 questions)    | ~1 hour
Manual card entry (phone/mail orders)                                     | SAQ C-VT | Moderate (80 questions)    | ~1 hour
Storing card numbers or complex setup                                     | SAQ D    | Complex (329 questions)    | Professional help recommended

Quick examples to help you identify:

  • Coffee shop with a Square terminal: SAQ B or B-IP
  • Online boutique using Shopify: SAQ A
  • Restaurant taking phone orders: SAQ C-VT
  • Any business storing card numbers (please reconsider this): SAQ D

Not sure which one fits? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need. No guesswork required.

How to Complete Your SAQ

Once you know your SAQ type, the actual completion process is straightforward. Each SAQ is a series of yes/no questions about your security practices. Here’s what to expect:

The questionnaire format:

  • Questions are grouped by security topic (network security, access control, etc.)
  • Each question requires a yes/no answer
  • “Yes” means you meet that requirement
  • “No” means you need to fix something or explain why it doesn’t apply

Documentation you’ll need:

  • List of all systems that handle card payments
  • Your network setup (for anything beyond SAQ A)
  • Security policies (many SAQs provide templates)
  • Vendor compliance certificates (if using third-party services)

The quarterly vulnerability scan:
Most SAQ types require a quarterly ASV scan (Approved Scanning Vendor scan). This is an automated security scan of your internet-facing systems. Don’t panic — it’s not someone hacking your network. Think of it as a safety check that looks for common vulnerabilities. The scan typically takes 30 minutes to run and costs $50-100 per quarter.

Submitting your compliance:
After completing your SAQ, you’ll generate an AOC (Attestation of Compliance). This is your official declaration that you meet PCI requirements. Submit both the completed SAQ and the AOC to your payment processor through their compliance portal or the platform they’ve designated.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you handle it yourself or need help:

Typical annual costs:

  • SAQ completion tools: $200-500/year for guided questionnaire platforms
  • Quarterly ASV scans: $200-400/year (four scans)
  • Compliance management platform: $300-1,000/year for tracking and reminders
  • Total for most small merchants: $500-1,500/year

When costs increase:

  • If you’re SAQ D, budget for a QSA (Qualified Security Assessor): $5,000-25,000
  • Remediation for failed scans: $100-500 per issue
  • Rush compliance after missing deadlines: 2-3x normal costs

The cost of non-compliance:

  • Monthly processor fines: $25-100 (accumulating until compliant)
  • Breach liability: $50-90 per compromised card
  • Forensic investigation: $10,000-100,000+
  • Lost ability to process cards: devastating to most businesses

Put simply: annual compliance costs less than a single month of non-compliance fines, and far less than any breach scenario.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox. Your payment processor will ask for updated documentation every year, and you need quarterly ASV scans if your SAQ requires them.

Annual compliance cycle:

  • Complete your SAQ and submit your AOC
  • Schedule quarterly ASV scans (if required)
  • Update documentation if your payment setup changes
  • Renew compliance before your anniversary date

What triggers a reassessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment providers
  • Significant growth in transaction volume
  • Starting to store card data (please don’t)

Making it manageable:
Set calendar reminders for:

  • Quarterly ASV scans (every 90 days)
  • Annual SAQ renewal (30 days before due date)
  • Policy reviews (annually)
  • Security update checks (monthly)

PCICompliance.com’s compliance dashboard tracks all these dates automatically and sends reminders when action is needed. No more scrambling when your processor sends a warning notice.

FAQ

My payment processor says I’m non-compliant. What do I do?

Don’t panic. Log into their compliance portal and check what’s missing. Usually, it’s an expired SAQ or missed quarterly scan. Complete the missing requirement and submit it immediately to stop any fines.

Do I need PCI compliance if I only use PayPal?

Yes. PayPal is a payment method, not an exemption from PCI compliance. However, if you only use PayPal’s hosted checkout (customers leave your site to pay), you qualify for SAQ A — the simplest questionnaire with just 22 questions.

How long does PCI compliance take?

For most small merchants: SAQ A takes about 15 minutes, SAQ B takes 30 minutes, and SAQ A-EP or C-VT take 1-2 hours. Budget extra time for your first compliance cycle while you’re learning the process.

What’s the difference between PCI compliance and PCI certification?

Small merchants achieve “compliance” by completing their SAQ. Only Level 1 merchants and service providers get “certified” through a QSA audit. If you’re asking this question, you probably just need compliance, not certification.

Can I just say “yes” to all the questions?

Absolutely not. False attestation is considered fraud and could result in massive fines if there’s a breach. Answer honestly — if you can’t say “yes” to a requirement, fix the issue or work with your payment processor on alternatives.

What if I fail my vulnerability scan?

Failed scans are common on the first attempt. Your ASV provides a report showing what failed and how to fix it. Most issues are simple: outdated software, unnecessary services running, or overly permissive firewall rules. Fix the issues and rescan — you’re allowed unlimited rescans.

Do I need to hire a QSA?

Only if you’re a Level 1 merchant or your acquirer specifically requires it. Most small businesses can self-assess using the appropriate SAQ. If you’re SAQ D (storing card data), consider getting professional help even if not required.

My business is too small for all this. Can I skip it?

Size doesn’t matter — accepting cards means accepting PCI requirements. The good news: tiny merchants usually have the simplest payment setups and can complete SAQ A or B in under an hour annually.

Your Next Steps

PCI compliance sounds overwhelming until you realize it’s just answering questions about how you handle payments. For most small businesses, it’s genuinely a few hours of work per year. The key is starting with the right SAQ type and having the right tools to guide you through.

Stop stressing about that compliance notice from your payment processor. You can knock this out today. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your requirements in under 5 minutes, or talk to our compliance team if you need guidance. We’ve helped thousands of merchants just like you turn PCI compliance from a source of anxiety into a simple business routine.
