Illinois PCI Compliance

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most Illinois businesses, PCI compliance is actually much simpler than it sounds. You don’t need to be a security expert or hire expensive consultants — you just need to understand which form applies to your business and answer some straightforward questions about how you handle credit card payments.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card information. If your business accepts Visa, Mastercard, American Express, or Discover — whether in person, online, or over the phone — these requirements apply to you.

The major card brands created these standards through the PCI Security Standards Council (PCI SSC), but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) is responsible for making sure you comply. That’s why you received that compliance questionnaire — your payment processor needs to verify that you’re protecting cardholder data properly.

The Real Consequences of Non-Compliance

Let’s be honest about what happens if you ignore that compliance questionnaire:

  • Monthly fines from your payment processor (typically $25-$100 per month for small merchants)
  • Liability for fraud losses if card data is compromised at your business
  • Higher processing rates as you’re moved to a “non-compliant” pricing tier
  • Loss of card acceptance privileges in extreme cases

The good news? Most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as Amazon or Walmart — the requirements scale based on your transaction volume and how you process payments.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes. It doesn’t matter if you’re a single-person LLC or a multi-location retailer. The moment you accept that first card payment, PCI compliance requirements kick in.

Understanding Your Merchant Level

Your merchant level determines which specific requirements apply to your business. Most Illinois businesses are Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means:

  • You complete a Self-Assessment Questionnaire (SAQ) instead of hiring an outside assessor
  • You may need quarterly vulnerability scans
  • You submit an annual Attestation of Compliance (AOC)

Your payment processor already knows your merchant level based on your processing volume. That questionnaire they sent? It’s asking you to complete the appropriate SAQ for your level and submit it along with any required scans.

What Your Payment Processor Actually Wants

When your payment processor sends that compliance packet, they’re essentially saying: “The card brands require us to verify that you’re protecting cardholder data. Please complete this questionnaire to show you’re following security best practices.”

They’re not trying to catch you doing something wrong — they want you to succeed because non-compliant merchants create risk for everyone in the payment chain.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in several flavors, from dead simple to fairly complex. Here’s how to figure out which one applies to your Illinois business:

How you accept payments determines your SAQ type, the number of questions, and the complexity level:

  • Outsource everything to PayPal, Square, or Stripe (no card data touches your systems) → SAQ A: 22 questions, simplest
  • E-commerce site with payment fields on your pages (but hosted by your payment provider) → SAQ A-EP: 139 questions, moderate
  • Standalone terminals with a dial-up or Ethernet connection → SAQ B: 41 questions, simple
  • Standalone terminals connected via IP (internet) → SAQ B-IP: 91 questions, moderate
  • Take payments over the phone or by mail order → SAQ C-VT: 85 questions plus scans, moderate
  • Point-of-sale system connected to your network → SAQ C: 160 questions plus scans, complex
  • Store card numbers or have a complex payment environment → SAQ D: 329 questions plus scans, most complex

Common Scenarios for Illinois Businesses

If you run a small retail shop with a Square terminal that connects via cellular or WiFi but isn’t connected to your business network → You likely need SAQ B.

If you have an e-commerce site using Shopify Payments or WooCommerce with Stripe Checkout where customers are redirected to pay → You likely need SAQ A.

If you take orders over the phone and key them into a virtual terminal → You likely need SAQ C-VT.

Not sure? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire applies — no guesswork required.

How to Complete Your SAQ

Once you know which SAQ you need, the actual completion process is straightforward:

What the Questions Look Like

SAQ questions are yes/no format. For example:

  • “Do you have a firewall installed between your internet connection and your payment systems?”
  • “Do you change default passwords on payment terminals?”
  • “Is cardholder data encrypted when transmitted over public networks?”

“Yes” means you’re already doing it. If you answer “no,” you’ll need to implement that control or explain why it doesn’t apply to your environment.

Documentation You’ll Need

Gather these items before starting your SAQ:

  • Network diagram (even a simple sketch of how your payment terminals connect)
  • Vendor agreements with your payment processor
  • Security policies (if you have them — many SAQ A merchants don’t need formal policies)
  • Asset inventory of payment terminals and systems

The Quarterly ASV Scan

If you need SAQ A-EP, C, C-VT, or D, you’ll also need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). Don’t panic — this is just an automated scan of your public-facing IP addresses to check for security vulnerabilities.

The scan typically takes 15-30 minutes to run and costs $50-150 per quarter. Your ASV provides a report showing pass/fail status. If you fail initially (common with first scans), they’ll tell you exactly what to fix.

Submitting Your Compliance Package

Once everything’s complete, you’ll submit:
1. Your completed SAQ
2. The Attestation of Compliance (AOC) — a cover sheet stating you completed the assessment
3. ASV scan reports (if required)
4. Any requested documentation

Most payment processors have an online portal where you upload these documents. Some still accept email or paper submissions.

What It Costs

Let’s talk real numbers for Illinois businesses:

Compliance Platform and Tools

  • Basic SAQ completion tools: $100-300/year
  • Full compliance platforms with scanning and support: $300-1,200/year
  • Enterprise solutions with policy templates and tracking: $2,000+/year

Quarterly ASV Scanning

  • Individual scans: $50-150 per scan
  • Annual packages: $200-500/year (usually includes all four quarterly scans)
  • Bundled with compliance platform: Often included in higher-tier plans

If You Need a QSA

Most small merchants don’t need a Qualified Security Assessor (QSA). But if you’re Level 1 or have complex requirements:

  • QSA assessment: $10,000-50,000+ depending on scope
  • Pre-assessment gap analysis: $5,000-15,000

The Cost of Non-Compliance

Compare those compliance costs to non-compliance penalties:

  • Monthly non-compliance fees: $25-100 (that’s $300-1,200/year in fines alone)
  • Breach liability: Average small merchant breach costs $50,000-150,000
  • PCI forensic investigation: $10,000-40,000 if you’re breached
  • Card brand fines: $5,000-100,000 per month until compliant

For most Illinois small businesses, annual compliance costs less than three months of non-compliance fines — and far less than a single data breach.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components.

Annual Requirements

  • Complete and submit your SAQ every 12 months
  • Review and update security policies (if you have them)
  • Verify that your payment environment hasn’t changed

Quarterly Requirements

  • Run ASV scans (if required for your SAQ type)
  • Review scan results and fix any failures
  • Keep scan reports for your records

What Triggers a New Assessment

You’ll need to reassess your compliance if you:

  • Change payment processors or add new payment methods
  • Upgrade your point-of-sale system
  • Start storing cardholder data (please don’t)
  • Experience significant growth in transaction volume
  • Add new locations or sales channels

Making It Manageable

Set calendar reminders for:

  • Quarterly ASV scans (if required)
  • Annual SAQ due date
  • Payment processor compliance deadlines

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending you reminders before deadlines and keeping your compliance documents organized in one place.

FAQ

Do I really need to do this if I’m a tiny business?

Yes, even single-person businesses need to comply if they accept cards. The good news is that very small merchants typically qualify for the simplest SAQ types with just 20-40 questions. Your payment processor may also offer simplified compliance programs for micro-merchants.

What happens if I just ignore the compliance questionnaire?

Your payment processor will likely start charging monthly non-compliance fees ($25-100 typically) and may increase your processing rates. Eventually, they could suspend your ability to accept cards. It’s much easier and cheaper to just complete the questionnaire.

Can I just say “yes” to all the questions to pass?

Falsifying your SAQ is fraud and makes you fully liable for any breaches. If cardholder data is compromised and investigators find you lied on your SAQ, you’ll face significant fines and lose your merchant account. Answer honestly — it’s better to fail initially and fix issues than to lie.

Do I need to hire a security consultant?

Most small merchants don’t need outside help for basic SAQ completion. If you’re SAQ A or B, you can likely handle it yourself with a good compliance platform. Only consider consultants if you’re failing scans repeatedly or need SAQ C or D.

How long does the SAQ take to complete?

SAQ A takes about 30 minutes, SAQ B about an hour, and SAQ C-VT/C about 2-3 hours. SAQ D can take days or weeks depending on your environment. The first time takes longest — subsequent years are faster since you know what to expect.

What if I fail my ASV scan?

Failing your first scan is completely normal — most businesses do. Your ASV provides a detailed report showing exactly what failed and how to fix it. Common issues include outdated SSL certificates or unnecessary services running. Fix the issues and rescan (usually free within 30 days).

Is PCI compliance the same as being secure?

PCI compliance is a baseline, not comprehensive security. Meeting PCI requirements helps protect cardholder data, but you should also consider general cybersecurity best practices like employee training, backup systems, and cyber insurance.

Can I just switch to cash-only to avoid this?

While that would eliminate PCI requirements, you’d likely lose 30-50% or more of your sales. Most customers expect to pay by card. The hour or two spent on compliance is a small price for accepting electronic payments.

Conclusion

PCI compliance might seem intimidating when that first questionnaire arrives, but for most Illinois businesses, it’s a manageable process. Figure out which SAQ applies to your payment setup, answer the questions honestly, fix any gaps, and submit your documentation. The whole process typically takes a few hours spread over a couple of weeks.

Remember, your payment processor wants you to succeed. They’re not trying to catch you out — they just need to verify that you’re taking reasonable steps to protect cardholder data. And those steps? They’re mostly common-sense security practices you should be doing anyway.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your requirements in under 5 minutes, or talk to our compliance team if you need guidance on your specific situation.

Don’t let PCI compliance stress you out. With the right tools and a clear understanding of what’s required, you can check this box and get back to running your business — knowing you’re protecting both your customers’ data and your own liability.
