Massachusetts PCI Compliance

If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. Here’s the bottom line: for most small businesses in Massachusetts, PCI compliance is much simpler than it sounds. You probably qualify for one of the streamlined self-assessment questionnaires that take just a few hours to complete annually. This guide will walk you through exactly what you need to do, in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. If your business accepts credit or debit cards — whether in person, online, or over the phone — these requirements apply to you. It doesn’t matter if you process one transaction or one million.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through an organization called the PCI Security Standards Council. While they created the rules, your acquirer (the bank or payment processor that handles your card transactions) is the one who enforces them and sends you that annual compliance questionnaire.

Here’s what happens if you don’t comply: Your payment processor can fine you anywhere from $5,000 to $100,000 per month. If there’s a data breach and you weren’t compliant, you could be liable for fraud losses and remediation costs. In extreme cases, you could lose your ability to accept card payments entirely.

But here’s the good news: Most small businesses qualify for the simplest compliance paths. If you’re using modern payment tools like Square, Stripe, or PayPal, much of the heavy lifting is already done for you. Your main job is documenting that you’re following basic security practices — which you’re probably already doing.

Do You Need to Be PCI Compliant?

The simple answer: If you accept credit cards in any form, yes, you need to be PCI compliant.

This includes:

  • Running cards through a terminal at your counter
  • Taking payments through your website
  • Accepting card numbers over the phone
  • Processing mail-order payments
  • Using a mobile card reader attached to your phone

Your merchant level determines how extensive your compliance requirements are. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news — Level 4 merchants have the simplest compliance requirements.

Your payment processor expects you to:

  • Complete an annual Self-Assessment Questionnaire (SAQ)
  • Pass quarterly vulnerability scans if you have any systems connected to the internet
  • Submit an Attestation of Compliance (AOC) confirming you’ve met the requirements

That compliance questionnaire they sent you? It’s their way of collecting this documentation. They’re required by the card brands to verify that all their merchants are compliant. Ignoring it won’t make it go away — it will just trigger those monthly non-compliance fees.

Which SAQ Do You Need?

The PCI Security Standards Council offers different SAQ types based on how you handle card data. Think of it like tax forms — there’s a simple version for straightforward situations and more complex versions for complicated setups.

Here’s how to determine which one you need:

Listed as: how you accept payments, then your SAQ type, its complexity, and the approximate number of questions to answer.

  • E-commerce with fully hosted checkout (Shopify, Square Online, WooCommerce with Stripe Checkout): SAQ A (simplest, ~20 questions)
  • E-commerce with payment fields on your site (Stripe Elements, Authorize.net Accept.js): SAQ A-EP (simple, ~130 questions)
  • Standalone terminal (Square Terminal, Clover Flex) with no electronic storage: SAQ B (simple, ~40 questions)
  • Terminal connected to the internet (most modern terminals): SAQ B-IP (moderate, ~80 questions)
  • Taking card numbers by phone/mail into a virtual terminal: SAQ C-VT (moderate, ~80 questions)
  • Point-of-sale system that stores or transmits card data: SAQ D (complex, ~320 questions)
  • Any system that stores card numbers: SAQ D (complex, ~320 questions)

Warning signs you might be SAQ D:

  • You save card numbers in spreadsheets, databases, or files
  • Your point-of-sale system stores full card numbers (not just last 4 digits)
  • You have an old system that doesn’t use tokenization or P2PE

If you’re unsure, PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire applies to your business.

How to Complete Your SAQ

Once you know which SAQ type you need, here’s what to expect:

The questionnaire format: Each SAQ contains yes/no questions about your security practices. For example, “Do you have a firewall protecting your payment systems?” When you answer “yes,” you’re confirming that control is in place. “No” means you need to implement that control or explain why it doesn’t apply.

Time investment:

  • SAQ A: 1-2 hours
  • SAQ A-EP, B, B-IP, C-VT: 2-4 hours
  • SAQ D: Multiple days (and you probably need help)

Documentation you’ll need:

  • Your payment processor’s merchant ID
  • Network diagram (for SAQ B-IP and higher)
  • Firewall configuration (for SAQ B-IP and higher)
  • Security policies (templates are usually acceptable for small businesses)
  • ASV scan reports (if required)

The quarterly ASV scan: If you have any systems connected to the internet (including your e-commerce site), you need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). These automated scans check for security vulnerabilities in your public-facing systems. They typically take 24-48 hours to complete and cost $50-150 per scan.

Submitting your compliance package:
1. Complete your SAQ
2. Run and pass your ASV scan (if required)
3. Fill out the Attestation of Compliance
4. Submit everything through your processor’s compliance portal

Most processors give you 30-90 days to complete this process after they send the initial questionnaire.

What It Costs

Let’s talk real numbers for Massachusetts small businesses:

Compliance platform fees: $200-500 annually for SAQ completion tools, compliance tracking, and support. PCICompliance.com includes all SAQ types, unlimited submissions, and compliance dashboard access.

ASV scanning: $200-600 annually for quarterly scans. Some compliance platforms (including ours) bundle this with their annual fee.

Professional help:

  • Basic guidance from compliance platform: Usually included
  • QSA consultation for complex situations: $150-300/hour
  • Full QSA assessment (only for Level 1 merchants): $10,000-50,000

The cost of non-compliance:

  • Monthly processor fines: $5,000-100,000
  • Breach-related costs if non-compliant: $50,000-500,000+
  • Loss of card processing privileges: Devastating for most businesses

For most Level 4 merchants, you’re looking at $300-700 annually to maintain compliance. Compare that to even one month of non-compliance fines, and it’s clearly worth the investment.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track:

Annual requirements:

  • Complete and submit your SAQ
  • Review and update security policies
  • Train staff on payment security

Quarterly requirements:

  • ASV scans (if applicable)
  • Review of firewall rules (for SAQ B-IP and above)

Ongoing best practices:

  • Never store card numbers unless absolutely necessary
  • Keep payment software and terminals updated
  • Change default passwords on all payment equipment
  • Limit access to payment systems to only those who need it

When you need to reassess:

  • You change payment processors
  • You add new payment channels (like adding e-commerce to a retail store)
  • You change how you process payments (switching from terminal to POS system)
  • Your transaction volume significantly increases

Set calendar reminders for 30 days before each quarterly scan and 60 days before your annual assessment due date. PCICompliance.com’s compliance dashboard tracks all these dates automatically and sends reminders when action is needed.

FAQ

What’s the difference between PCI compliance and other security standards?

PCI DSS specifically protects payment card data. While other standards like HIPAA (healthcare) or SOX (financial reporting) might apply to your business, PCI is required for anyone accepting card payments. The requirements often overlap with general security best practices, so achieving PCI compliance improves your overall security posture.

Can I just use PayPal or Square and avoid PCI compliance?

No, but these services can significantly reduce your compliance burden. Using payment facilitators like PayPal, Square, or Stripe typically qualifies you for SAQ A or B — the simplest questionnaire types. You still need to complete annual compliance validation, but it’s much easier than if you were handling card data directly.

What if I only process a few transactions per month?

Transaction volume doesn’t exempt you from PCI compliance — even one transaction triggers the requirement. However, lower volume does mean you’re likely a Level 4 merchant with simpler requirements. The card brands don’t care if you process one payment or one million; they care that every payment is processed securely.

How do I know if I’m storing card data?

Check these common locations: databases, spreadsheets, email systems, phone recordings, paper files, and backup systems. If you can see full 16-digit card numbers anywhere in your systems, you’re storing card data. Modern payment systems should only show masked numbers (like **1234) and use tokenization for any stored payment methods.
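A practical way to do that check is a small cardholder-data discovery script. The example below is added here and is not code from PCICompliance.com: it scans text records for runs of 13 to 19 digits (optionally separated by spaces or dashes), keeps only those that pass the Luhn check card numbers use, and reports every hit masked to its last four digits so the scan output does not itself become stored card data. The sample records and the candidate pattern are constructed assumptions for this example; masked values such as **1111 and tokens never match because they contain fewer than 13 consecutive digits.

```python
import re

# Candidate PAN: 13-19 digits, single spaces or dashes allowed between digits,
# not preceded or followed by another digit (so longer numeric runs are skipped).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return a masked finding (last 4 digits visible) for each Luhn-valid candidate in text."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append("*" * (len(digits) - 4) + digits[-4:])
    return findings


# Constructed sample records (not real data). 4111 1111 1111 1111 is the
# well-known Visa test number; 4111111111111112 is the same digits with a bad checksum.
SAMPLE_LINES = [
    "order=10293 card=4111 1111 1111 1111 amount=42.10",   # full PAN stored: finding
    "order=10294 card=**1111 token=tok_abc123",             # masked number + token: fine
    "order=10295 phone=617-555-0100",                       # phone number: too short
    "order=10296 ref=4111111111111112",                     # 16 digits, fails Luhn: ignored
]


def scan_lines(lines):
    """Map 1-based line number to masked findings for every line that exposes a full PAN."""
    results = {}
    for lineno, line in enumerate(lines, 1):
        hits = find_pans(line)
        if hits:
            results[lineno] = hits
    return results


if __name__ == "__main__":
    for lineno, hits in scan_lines(SAMPLE_LINES).items():
        print(f"line {lineno}: full card number found {hits}")
```

Run it over exported database rows, spreadsheet CSVs, mail archives or log files; any line it reports means card data is being stored and the SAQ D warning signs above apply.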

What happens during an ASV scan?

An ASV scan is an automated security check of your internet-facing systems. The scanner looks for known vulnerabilities, outdated software, and security misconfigurations. You’ll receive a report showing any findings, which must be remediated before you can achieve a passing scan.

Can I complete PCI compliance myself or do I need a consultant?

Most small businesses can complete SAQ A, B, or B-IP themselves using a compliance platform like PCICompliance.com. You might need professional help if you’re SAQ D, have failed ASV scans you can’t remediate, or if your processor requires specific documentation beyond the standard SAQ.

What if my payment processor has never asked about PCI compliance?

Some processors are more diligent than others about enforcement, but the requirement still applies. Being proactive protects you from future fines and reduces your liability in case of a breach. Don’t wait for them to ask — the fines often begin immediately once they start enforcement.

How long do I have to keep PCI compliance records?

The current standard requires maintaining records for at least 12 months. This includes completed SAQs, ASV scan reports, and AOCs. Keep digital copies organized by year — you may need them if switching processors or if there’s ever a security incident.

Conclusion

PCI compliance might seem daunting when that first questionnaire arrives, but for most Massachusetts businesses, it’s a manageable annual task. If you’re using modern payment tools and following basic security practices, you’re already doing most of what’s required. The key is documenting your compliance properly and staying on top of the annual and quarterly requirements.

The biggest mistake small businesses make is ignoring PCI compliance hoping it will go away. It won’t — and the fines can quickly exceed a year’s revenue for some small merchants. Taking a few hours annually to complete your requirements protects your business, your customers, and your ability to accept card payments.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of juggling multiple vendors and deadlines, you get one platform that guides you through each requirement and keeps you compliant year after year. Start with our free SAQ Wizard to identify your requirements in under 5 minutes, or talk to our compliance team about your specific situation.
