Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and you’re feeling that familiar mix of confusion and dread — take a breath. For most small businesses, PCI compliance is far simpler than the intimidating acronyms suggest. If you’re using Instapage or a similar landing-page builder to capture leads and route payments through a hosted checkout or payment gateway, your Instapage PCI compliance obligations are often among the lightest the standard allows.
Here’s the short version: you accept card payments, so PCI applies to you. You’ll likely complete a self-assessment questionnaire (an SAQ), possibly run a quarterly scan, and attest that you’re meeting the requirements. Most small merchants qualify for the simplest validation path. Let’s walk through exactly what that means.
What Is PCI Compliance (In Plain English)
PCI DSS — the Payment Card Industry Data Security Standard — is a set of security rules designed to protect credit card data anywhere it’s processed, transmitted, or stored. If your business accepts cards in any form, it applies to you.
The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a body called the PCI Security Standards Council (PCI SSC). The Council writes and maintains the rules, but it doesn’t enforce them directly. That job falls to your acquirer (also called your acquiring bank or payment processor) — the company that deposits card payments into your bank account.
That’s why the questionnaire landed in your inbox. Your processor is contractually obligated to confirm that the merchants they serve are meeting PCI requirements, and they pass that obligation down to you.
So what happens if you ignore it? A few things, none of them pleasant:
- Monthly non-compliance fees from your processor until you validate.
- Liability if you suffer a breach — fines, forensic investigation costs, and card reissuance charges can be steep.
- Loss of your ability to accept cards in worst-case scenarios.
The good news: if you’ve structured your payment flow well — using a hosted checkout or gateway rather than handling raw card numbers yourself — you almost certainly qualify for one of the simplest SAQ types. That’s the single biggest factor in how much work this is.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes. Card-present, card-not-present, online, over the phone, recurring billing — it all counts.
Your merchant level determines how you validate. Levels run from 1 (the largest, highest-volume merchants) to 4 (the smallest). Your level is assigned by the card brands and communicated through your acquirer, based primarily on your annual transaction volume.
The vast majority of small businesses are Level 4 merchants. That matters because Level 4 merchants typically validate through self-assessment rather than a full audit by an outside assessor. Confirm your level with your acquirer — don’t assume — but if you’re a small shop or a lead-gen site routing payments through a gateway, you’re very likely Level 4.
The questionnaire your processor sent is your invitation to validate. It’s not a trap or a sales pitch — it’s the standard annual check-in confirming you’ve met the requirements that apply to your specific setup.
Which SAQ Do You Need?
The SAQ (Self-Assessment Questionnaire) comes in several flavors, each tailored to how you accept payments. The trick is that the less your own systems touch actual card data, the simpler your SAQ. This is the heart of scope reduction — and it’s your best friend.
Here’s the plain-language decision tree:
- You use a payment terminal (standalone card reader, dial-out or IP-connected) → likely SAQ B or SAQ B-IP.
- You have an e-commerce or landing page with fully hosted checkout — the customer is redirected to your gateway, or payment is handled entirely by an iframe/hosted form from a compliant third party → likely SAQ A.
- You build landing pages in Instapage and route payment to a hosted gateway → typically SAQ A, because the cardholder data never touches your own servers. (If your page directly handles or transmits card fields, you may fall into SAQ A-EP — more on confirming this below.)
- You take card payments over the phone using a virtual terminal → likely SAQ C-VT.
- You store card numbers anywhere (please don’t) → SAQ D, the most demanding path.
| Payment Scenario | Likely SAQ | Complexity |
|---|---|---|
| Fully hosted/redirect checkout (Instapage → gateway) | A | Lowest |
| Landing page partially controls the payment page | A-EP | Moderate |
| Standalone dial-out terminal | B | Low |
| IP-connected standalone terminal | B-IP | Low–Moderate |
| Virtual terminal (phone orders) | C-VT | Moderate |
| Internet-connected payment system, no storage | C | Moderate–High |
| Any electronic storage of card data | D | Highest |
If your Instapage funnel hands payment off cleanly to a compliant gateway, you’re in the best possible position. The key question is whether your page ever touches the actual card fields. If you’re not sure — and honestly, many people aren’t — that’s exactly what our free SAQ Wizard is for. Answer a few plain questions about how you take payments and it tells you precisely which SAQ applies.
How to Complete Your SAQ
An SAQ is a structured set of yes/no questions about your security controls, organized around the 12 requirements of the standard. Depending on which SAQ you need, it might be a short list or a more substantial document — the simpler SAQs (like A) ask far fewer questions than SAQ D.
When a question asks whether you’ve implemented a control, “yes” means you’ve actually done it — not that you intend to. For example:
- Do you use unique IDs and strong authentication for system access? “Yes” means every user has their own login and multi-factor authentication (MFA) is in place where required.
- Are vendor default passwords changed? “Yes” means no device or app is still running on its factory password.
- Is access to systems restricted by business need? “Yes” means role-based access control — people can only reach what their job requires.
Documentation you’ll likely gather includes a basic network or data-flow diagram, your list of third-party service providers (your gateway, hosting provider, etc.) and their compliance status, your information security policy, and records of any access controls or logging you have.
The Quarterly ASV Scan
If your payment environment includes external-facing systems (most online setups do), you’ll need a quarterly ASV scan — an external vulnerability scan run by an Approved Scanning Vendor. The scan checks your internet-facing systems for known weaknesses and produces a passing report you submit alongside your SAQ.
Some of the simplest SAQ A scenarios may not require an ASV scan because you don’t operate the systems handling card data — but confirm this requirement with your acquirer, since it depends on your exact setup. Our ASV scanning service handles these scans on the required cadence so you don’t have to track it manually.
Submitting Your SAQ and AOC
Once your SAQ is complete, you’ll sign an AOC — the Attestation of Compliance — a formal statement that you’ve met the requirements. You submit both (plus any ASV scan report) to your acquirer through whatever portal they specify. That’s your annual validation complete.
What It Costs
Let’s be honest about money, because the fear of cost is often worse than the reality.
| Cost Component | When It Applies | Typical Range |
|---|---|---|
| Compliance platform / SAQ tools | Most self-assessing merchants | Modest annual subscription |
| Quarterly ASV scanning | External-facing systems | Per-scan or annual bundle |
| QSA-led assessment (ROC) | Level 1 / complex environments | Significant — usually only larger merchants |
| Non-compliance fees | If you don’t validate | Recurring monthly charges from processor |
| Breach liability | If you’re compromised | Potentially business-ending |
For a small Level 4 merchant on SAQ A or B, your real annual cost is typically a compliance tool subscription plus ASV scanning where required — a manageable line item. A full QSA engagement and ROC (Report on Compliance) generally only applies to Level 1 merchants or complex environments, so most small businesses never need one.
Here’s the honest assessment: for most small merchants, a year of compliance costs a fraction of a single breach fine or the cumulative non-compliance fees a processor will levy. Compliance is the cheap option.
Staying Compliant Year-Round
Validation is a point-in-time snapshot, but PCI compliance itself is continuous — not a one-and-done checkbox. You validate at least annually, run quarterly ASV scans where required, and maintain your controls every day in between.
A few practical habits keep you on track:
- Set calendar reminders for your annual SAQ renewal and each quarterly scan.
- Reassess when your environment changes — switching payment providers, adding online checkout, changing how you store or transmit data, or significantly altering your network can change which SAQ applies and what controls you need.
- Keep your documentation current — an outdated network diagram is a common stumbling block at renewal.
Tracking all of this manually is where small businesses slip. Our compliance dashboard keeps your SAQ status, scan schedule, and renewal dates in one place, so nothing quietly lapses and lands you back in non-compliance fees.
FAQ
I just got the questionnaire and I’m overwhelmed. Where do I start?
Start by identifying which SAQ applies to you — that single decision determines everything else. Use the free SAQ Wizard to answer a few questions about how you accept payments, and you’ll know your path in minutes.
Do I really have to do this if I’m a tiny business?
Yes — PCI applies regardless of size if you accept cards. The reassuring part is that small businesses almost always qualify for the simplest SAQ types, so the actual workload is usually light compared to what the term “compliance” implies.
What’s the difference between an SAQ and an AOC?
The SAQ is the questionnaire where you confirm your security controls; the AOC is the signed attestation summarizing that you’ve met the requirements. You typically submit both to your acquirer together.
Do I need a QSA?
Most small, self-assessing merchants don’t. A QSA is generally required for Level 1 merchants or complex environments that undergo a full ROC — confirm your level with your acquirer, but if you’re Level 4, self-assessment is the norm.
What does the ASV scan actually check?
An ASV scan is an automated external test of your internet-facing systems looking for known vulnerabilities. It produces a passing report you submit with your SAQ, and it must be run on a quarterly cadence where applicable.
Can I just store card numbers to make recurring billing easier?
Please don’t. Storing card data pushes you into SAQ D with far more requirements, and Sensitive Authentication Data must never be stored after authorization. Use tokenization through your gateway instead — it handles recurring billing while keeping the real card data out of your hands.
What happens if I ignore the questionnaire?
Your processor will typically begin charging monthly non-compliance fees, and you carry full liability if a breach occurs. Validating is almost always cheaper and far less stressful than the alternative.
How long does completing an SAQ actually take?
For the simplest SAQs, often just an afternoon once you’ve gathered your documentation. More complex environments take longer, but guided tools dramatically reduce the time and guesswork.
Conclusion
PCI compliance has a fearsome reputation, but for most small businesses — especially those routing payments through hosted checkouts and gateways — it’s a navigable annual process, not an ordeal. Identify your SAQ, gather a bit of documentation, run your scan if required, and attest. The hardest part is usually just knowing where to begin.
That’s where we come in. PCICompliance.com is an end-to-end compliance platform trusted by thousands of merchants and service providers, from single-location shops to multi-site enterprises. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round so nothing slips through the cracks. Start with the free SAQ Wizard, or talk to our compliance team — and turn that intimidating questionnaire into a checked box.