Leadpages PCI Compliance

The Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses accepting credit cards, Leadpages PCI compliance is actually straightforward — typically just answering a series of yes/no questions about how you handle card payments. The vast majority of small merchants complete their annual compliance requirements in under an hour, without needing expensive consultants or making major changes to their business.

Here’s what you actually need to know: PCI compliance is required if you accept credit cards, your payment processor expects you to complete it annually, and the process is designed to protect both you and your customers from card fraud. Most importantly, the level of compliance you need depends on how you accept payments — and if you’re using modern payment tools, you’re probably already doing most things right.

What Is PCI Compliance (In Plain English)

PCI DSS stands for Payment Card Industry Data Security Standard — it’s a set of security requirements created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect credit card data. Think of it as a security checklist that ensures businesses handling card payments are taking reasonable precautions to prevent data breaches.

The standard is maintained by the PCI Security Standards Council, but it’s your acquirer (the bank that processes your credit card transactions) or payment processor who enforces it. When Square, Stripe, or your local bank sends you that compliance questionnaire, they’re not trying to make your life difficult — they’re required by the card brands to ensure all their merchants meet these security standards.

Why This Matters to You

The consequences of non-compliance range from annoying to business-ending:

  • Monthly fines from your processor (typically $25-$100 for small merchants)
  • Liability for fraud if card data is compromised
  • Increased transaction fees as a “non-compliant” merchant
  • Loss of card acceptance privileges in extreme cases

The good news? Most small businesses qualify for the simplest compliance paths. You’re not held to the same standards as Amazon or Walmart — the requirements scale with your size and how you handle card data.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes. This includes:

  • Swiping cards through a terminal
  • Taking payments online
  • Accepting cards over the phone
  • Using mobile card readers

This applies even if you only process one transaction per year.

Your merchant level determines how much documentation you need. Most small businesses are Level 4 merchants (fewer than 20,000 e-commerce transactions annually, or up to 1 million total transactions annually across all channels). This means you can self-assess your compliance using a Self-Assessment Questionnaire (SAQ) instead of hiring an expensive auditor.

What Your Payment Processor Expects

When your processor sends that compliance questionnaire, they’re asking you to:
1. Complete the appropriate SAQ for your business
2. Run quarterly vulnerability scans if you have e-commerce
3. Submit an Attestation of Compliance (AOC) confirming you meet the requirements
4. Maintain compliance throughout the year

That questionnaire sitting in your inbox? It’s your processor’s way of saying “please confirm you’re protecting card data properly.” They need this documentation to satisfy their own compliance obligations to the card brands.

Which SAQ Do You Need?

The SAQ you complete depends entirely on how you accept and process card payments. There are different questionnaires for different scenarios, ranging from 22 questions to over 300. Here’s the plain-English guide:

How You Accept Payments                                       SAQ Type   Number of Questions   Complexity
-----------------------------------------------------------   --------   -------------------   -----------
Outsource everything to PayPal, Stripe Checkout, or similar   SAQ A      22                    Very Simple
E-commerce with payment form on your website                  SAQ A-EP   139                   Moderate
Physical terminal only (no e-commerce)                        SAQ B      41                    Simple
Physical terminal with IP connection                          SAQ B-IP   82                    Simple
Taking payments over phone/mail                               SAQ C-VT   160                   Moderate
Any electronic storage of card numbers                        SAQ D      329+                  Complex

Common Scenarios

If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B (standalone terminal) or SAQ B-IP (internet-connected terminal). These are straightforward questionnaires focusing on physical security of the device.

If you have an e-commerce site using Shopify Payments, WooCommerce with Stripe Checkout, or similar hosted payment pages where customers enter card details on the payment provider’s page (not yours), you qualify for SAQ A — the simplest form with only 22 questions.

If you take payments over the phone and enter them into a virtual terminal or payment software, you’ll complete SAQ C-VT. This assumes you’re not recording calls or writing down card numbers.

If you store card numbers in any electronic form — spreadsheets, databases, even customer management software — you’re looking at SAQ D, the full questionnaire. This is where PCI compliance gets genuinely complex and expensive.

Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.

How to Complete Your SAQ

Once you know which SAQ applies, the actual completion process is straightforward. The questionnaire consists of yes/no questions about your payment security practices. Here’s what to expect:

What the Questions Look Like

Each question asks about a specific security control. For example:

  • “Do you review security policies at least annually?”
  • “Is access to payment terminals restricted to authorized personnel?”
  • “Do you use firewall protection on computers that access payment systems?”

When you answer “yes,” you’re confirming that control is in place. If you answer “no,” you’ll need to either implement that control or explain why it doesn’t apply to your business.

Documentation You’ll Need

Gather these items before starting:

  • Network diagram (even a simple sketch) if you process e-commerce
  • List of payment applications you use
  • Security policies (even basic ones count)
  • Vendor agreements for payment processing
  • Your most recent vulnerability scan results (if applicable)

For Level 4 merchants, you typically don’t need to submit this documentation — just have it available in case someone asks.

The Quarterly ASV Scan

If you have any internet-facing systems (website, email server, etc.), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan checks for security holes in your public-facing systems. It’s not as scary as it sounds — the scan runs automatically, and most properly maintained websites pass without issues.

Submitting Your Compliance

After completing your SAQ:
1. Generate your Attestation of Compliance (AOC)
2. Submit both the completed SAQ and the AOC to your payment processor
3. Schedule your quarterly ASV scans (if your SAQ type requires them)
4. Mark your calendar for next year’s assessment

Most processors have online portals where you upload these documents. Some integrate directly with compliance platforms like PCICompliance.com for automatic submission.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your setup:

Compliance Platform and Tools

  • SAQ completion tools: $100-$300 annually
  • Compliance management platforms: $200-$500 annually
  • Expert guidance and support: Often included with platforms

Quarterly ASV Scanning

  • Basic scanning service: $200-$400 annually (all four quarters)
  • Scanning with remediation support: $300-$600 annually
  • Many compliance platforms include scanning in their annual fee

If You Need Professional Help

  • QSA consultation (rarely needed for small merchants): $150-$500 per hour
  • Full QSA assessment (only for Level 1 merchants): $10,000-$50,000+
  • Remediation assistance: $1,000-$5,000 depending on issues

The Cost of NON-Compliance

  • Monthly processor fines: $25-$100 (compounds quickly)
  • Breach liability: $50-$90 per compromised card
  • Forensic investigation: $10,000+ if you’re breached
  • Lost ability to accept cards: Devastating for most businesses

Reality check: For most Level 4 merchants, annual compliance costs less than three months of non-compliance fines. It’s genuinely cheaper to comply than to ignore it.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done exercise — it’s an annual requirement with some ongoing obligations. Here’s how to stay on track without stress:

Annual Requirements

  • Complete your SAQ every 12 months
  • Update your attestation if anything significant changes
  • Review and update security policies annually
  • Maintain documentation of your compliance efforts

Quarterly Requirements

  • Run ASV scans every 90 days (if applicable)
  • Review scan results and fix any failures
  • Keep passing scan reports for your records

When to Reassess

Certain changes trigger the need for immediate review:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or software
  • Storing card data when you didn’t before
  • Significant network or system changes

PCICompliance.com’s compliance dashboard tracks all these dates for you, sending reminders before deadlines and maintaining your compliance history in one place. No spreadsheets, no missed deadlines, no scrambling when your processor asks for documentation.

Frequently Asked Questions

What happens if I ignore PCI compliance?

Your payment processor will likely start with reminder notices, then move to monthly fines (typically $25-$100 for small merchants). Eventually, they may increase your transaction rates or terminate your ability to accept cards. If you experience a breach while non-compliant, you’re liable for all associated costs, including fraud losses and forensic investigation fees.

Do I need PCI compliance if I only use PayPal or Square?

Yes, you still need to complete PCI compliance even when using third-party processors. However, you’ll qualify for the simplest SAQ types since these providers handle all the card data. You’re essentially confirming that you’re not doing anything to compromise the security they provide.

How long does SAQ completion take?

For SAQ A (the simplest), expect 20-30 minutes if you have your information ready. SAQ B types typically take 30-60 minutes. The more complex SAQ C-VT might take 2-3 hours including documentation gathering. SAQ D requires significant time and often professional assistance.

What’s the difference between PCI compliance and PCI certification?

Technically, only service providers become “certified” — merchants achieve “compliance.” When people say “PCI certification” for merchants, they mean completing your SAQ and maintaining compliance. There’s no certificate to hang on your wall, just documentation that you’ve met the requirements.

Can I just say “yes” to all the questions?

The SAQ is a legal attestation — falsifying it constitutes fraud. More practically, if you’re breached and investigations reveal you weren’t actually compliant, you’re liable for all costs. Answer honestly and fix any gaps rather than hoping nothing happens.

Do I need to hire a QSA?

Level 4 merchants (most small businesses) can self-assess using the SAQ — no QSA needed. You only need a QSA if you’re a Level 1 merchant, your acquirer specifically requires it, or you want professional guidance. Many merchants use compliance platforms instead of hiring assessors.

What if I fail my vulnerability scan?

Don’t panic — failing the first scan is common. The ASV report will detail what needs fixing (usually software updates or configuration changes). Fix the issues, rescan, and repeat until you pass. You need one clean scan per quarter, not a perfect record.

Is PCI compliance required by law?

PCI DSS isn’t a law — it’s a contractual requirement from the card brands enforced through your merchant agreement. However, many states have laws requiring reasonable security measures for sensitive data, and PCI compliance helps satisfy these obligations.

Take Control of Your PCI Compliance Today

PCI compliance might seem daunting when that first questionnaire arrives, but you’ve seen it’s really about answering straightforward questions about how you handle card payments. For most small businesses, it’s a once-a-year task that takes less time than doing your taxes — and it’s far less complicated.

The key is using the right tools and getting started. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of juggling spreadsheets and calendar reminders, you’ll have one clear view of your compliance status with automatic alerts before any deadline.

Whether you’re completing your first SAQ or you’ve been putting off compliance for years, start with our free SAQ Wizard to identify your requirements in minutes. If you need more help, our compliance team is ready to guide you through the process. Don’t let another month of non-compliance fines stack up — take control of your Leadpages PCI compliance today.
