Jenkins CI/CD PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses, PCI compliance is far simpler than it sounds. You probably qualify for one of the easier self-assessment questionnaires, and achieving compliance typically takes just a few hours of your time. Think of it as basic security hygiene for your business — like locking your doors and setting an alarm, but for credit card data.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through an organization called the PCI Security Standards Council. If you accept credit cards in any form, these requirements apply to you.

Your acquirer (the bank or payment processor that handles your card transactions) enforces these requirements. They’re the ones who sent you that compliance questionnaire. They need to prove to the card brands that all their merchants are following basic security practices.

The consequences of non-compliance are real but manageable. Your payment processor can fine you monthly until you comply — typically $25-$100 per month for small merchants. If there’s a data breach and you weren’t compliant, you could face much larger fines and liability for fraud losses. In extreme cases, you could lose the ability to accept credit cards entirely.

Here’s the good news: most small businesses fall into merchant level 4 (processing fewer than 1 million transactions annually), which means you can self-assess your compliance using a simplified questionnaire called an SAQ (Self-Assessment Questionnaire). No external auditor required.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form — in-store, online, over the phone, or through a mobile app — then yes, you need to be PCI compliant.

Your merchant level depends on your annual transaction volume:

  • Level 4: Under 20,000 e-commerce transactions OR under 1 million total transactions
  • Level 3: 20,000 to 1 million e-commerce transactions
  • Level 2: 1 to 6 million total transactions
  • Level 1: Over 6 million transactions

Most small and medium businesses are Level 4, which is exactly where you want to be — it means simplified compliance requirements.

Your payment processor expects you to complete an annual self-assessment and submit your AOC (Attestation of Compliance) — essentially your signed statement that you’ve met the requirements. Many also require quarterly vulnerability scans if you have any internet-facing systems.

That questionnaire they sent? It’s their way of tracking your compliance status. Ignore it and you’ll start seeing monthly non-compliance fees on your merchant statements.

Which SAQ Do You Need?

The PCI world has nine different SAQ types, but most small businesses fit into one of four categories:

Your Payment Scenario                                    | Your SAQ Type  | Complexity
---------------------------------------------------------|----------------|--------------------------
Use payment terminals only (Square, Clover, standalone)  | SAQ B or B-IP  | Easy (20-40 questions)
E-commerce with hosted checkout (PayPal, Stripe Checkout)| SAQ A          | Easiest (22 questions)
E-commerce with payment form on your site                | SAQ A-EP       | Moderate (190 questions)
Take payments over the phone                             | SAQ C-VT       | Moderate (80 questions)
Store card numbers (please reconsider)                   | SAQ D          | Complex (300+ questions)

Let’s break these down:

SAQ A is for e-commerce merchants who fully outsource payment processing. If customers enter their card details on PayPal, Square, or Stripe’s hosted payment page (not on your website), you qualify. This is the holy grail of PCI compliance — just 22 yes/no questions.

SAQ B covers merchants using standalone payment terminals that connect via phone line or cellular. SAQ B-IP is the same but for terminals using internet connections. If you swipe cards on a Square reader or Clover terminal, this is likely you.

SAQ C-VT applies when you take card numbers over the phone. Even if you immediately enter them into a virtual terminal, you’re hearing and handling card data, which requires more security controls.

SAQ A-EP is for e-commerce merchants with payment forms embedded on their website. If customers type card numbers on your site (even if the form submits directly to your processor), you need the enhanced controls.

SAQ D is the full assessment for merchants who store, process, or transmit card data on their systems. Unless you have a very specific business need, avoid storing card numbers — it dramatically increases your compliance burden.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about how you accept payments and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Each “yes” means you’ve implemented that specific control. Here’s what to expect:

The questionnaire starts with basic questions like “Do you have a firewall?” and “Are passwords required?” For SAQ A merchants, that’s essentially it — 22 questions you can usually answer “yes” to if you’re using a reputable payment provider.

For more complex SAQs, you’ll see questions about:

  • Network security: firewall configurations, WiFi encryption
  • Access controls: unique user IDs, password requirements
  • Physical security: locks on doors, visitor logs
  • Policies: incident response plans, security awareness training

You’ll need to gather some basic documentation:

  • Your network diagram (can be hand-drawn for simple setups)
  • Firewall/router configuration settings
  • User access lists
  • Any security policies you’ve written

If your SAQ requires it, you’ll also need quarterly ASV scans. An Approved Scanning Vendor runs automated security scans of your internet-facing systems looking for vulnerabilities. Schedule these every 90 days — they typically take 24-48 hours to complete and cost $50-150 per scan.

Once complete, you’ll sign your Attestation of Compliance and submit it to your acquirer. Keep copies of everything — you’ll need them for next year’s assessment.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you handle it yourself or use a service:

Compliance platforms (like PCICompliance.com) typically charge $150-500 annually for small merchants. This includes your SAQ tools, ASV scanning, and compliance tracking dashboard.

ASV scanning runs $200-600 annually when purchased separately. Most compliance platforms include this in their package.

QSA assessment only applies if you’re SAQ D or a Level 1 merchant. Budget $15,000-50,000 for a formal assessment. Good news: most small businesses never need this.

Non-compliance costs add up quickly. Monthly fines range from $25-100 for small merchants, but can reach $5,000+ for larger businesses. A data breach without compliance? You’re looking at forensic investigation costs ($20,000+), card replacement fees, fraud losses, and potential lawsuits.

Put simply: annual compliance typically costs less than three months of non-compliance fines. It’s also far cheaper than dealing with even a minor security incident.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done activity. Your acquirer expects annual re-certification, and if you need ASV scans, those happen quarterly.

Set calendar reminders for:

  • Annual SAQ (same month each year)
  • Quarterly ASV scans (every 90 days)
  • Security updates (monthly for critical systems)
  • Password changes (every 90 days minimum)

Certain changes trigger a reassessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors
  • Implementing new payment software
  • Significant network changes

Make someone in your organization the “PCI person” — they own the calendar, track the requirements, and ensure nothing falls through the cracks. For many small businesses, this is the office manager or IT contact.

PCICompliance.com’s compliance dashboard automates this tracking. You’ll get reminders before scans are due, alerts if vulnerabilities need attention, and a clear compliance status you can share with your acquirer.

FAQ

What happens if I just ignore the PCI questionnaire?

Your acquirer will start charging monthly non-compliance fees — typically $25-100 for small merchants. These continue until you comply. Worse, if there’s a breach and you’re non-compliant, you face full liability for fraud losses and investigation costs.

Do I need PCI compliance if I only accept PayPal or Square?

Yes, but your compliance burden is minimal. Using fully hosted payment providers typically qualifies you for SAQ A — the simplest questionnaire with just 22 questions. You still need to complete it annually.

What’s the difference between PCI compliance and being “PCI certified”?

There’s no such thing as “PCI certification” for merchants — you’re either compliant or non-compliant. Only service providers and solutions can be “certified” or “validated.” Merchants demonstrate compliance through their SAQ and AOC.

Can I just have my web developer handle PCI compliance?

Your developer can help with technical requirements, but PCI compliance is ultimately your responsibility as the merchant. Many technical controls are straightforward, but you need to understand what you’re attesting to when you sign that AOC.

What if I fail my vulnerability scan?

Don’t panic — failing your first scan is common. The ASV report shows exactly what needs fixing, usually outdated software or unnecessary services. Fix the issues and rescan. You need one clean scan per quarter to maintain compliance.

Do I need to be compliant if I’m a nonprofit or government agency?

If you accept credit card payments, yes. PCI DSS applies regardless of your organization type. The good news is that many nonprofits qualify for simplified SAQ types based on their payment methods.

How do I know which payment processor is my acquirer?

Check your merchant statement — your acquirer is the company that deposits card payments into your bank account. Common acquirers include First Data, Chase Paymentech, and Wells Fargo Merchant Services. If you use Square or Stripe, they handle acquiring too.

What’s the difference between SAQ A and SAQ A-EP?

SAQ A is for merchants who fully redirect to a hosted payment page — customers never enter card data on your website. SAQ A-EP is for embedded payment forms where customers type card numbers on your site, even if the data goes directly to your processor. SAQ A has 22 questions; SAQ A-EP has 190.

Conclusion

PCI compliance might seem daunting when that first questionnaire arrives, but for most businesses, it’s surprisingly manageable. Identify your SAQ type, spend a few hours completing the questionnaire, schedule your scans if needed, and you’re done for the year. The peace of mind — knowing you’re protecting your customers’ card data and your business from liability — is worth the effort.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team about getting your business compliant quickly and keeping it that way.
