What You Actually Need to Know About PCI Compliance
If you just received a PCI compliance questionnaire from your payment processor, take a breath. For most small businesses, PCI compliance is much simpler than it sounds. You don’t need to be a security expert or hire expensive consultants. You just need to answer some questions about how you handle credit card payments, run a vulnerability scan on your website (if you have one), and submit the forms. That’s it.
Your Nevada PCI compliance requirements are the same as anywhere else in the United States — the Payment Card Industry Data Security Standard (PCI DSS) is a global standard that applies equally whether you’re in Las Vegas, Reno, or Carson City. What matters isn’t your location but how you accept card payments. Let’s walk through exactly what you need to do.
What Is PCI Compliance (In Plain English)
PCI compliance means following security rules designed to protect credit card information. If you accept Visa, Mastercard, American Express, or Discover — whether through a terminal, online, or over the phone — these rules apply to you.
The major card brands created these standards together through an organization called the PCI Security Standards Council (PCI SSC). While the council writes the rules, your payment processor or acquiring bank enforces them. That’s why they sent you that questionnaire — they’re required to verify that everyone who accepts card payments follows these security standards.
What Happens If You Don’t Comply?
Your payment processor can (and will) fine you for non-compliance — typically $20 to $100 per month until you complete your requirements. If there’s a data breach and you weren’t compliant, you could face:
- Fines ranging from thousands to hundreds of thousands of dollars
- Liability for fraudulent charges
- Loss of your ability to accept credit cards
The Good News
Most small merchants qualify for the simplest compliance requirements. If you use modern payment tools like Square, Clover, or Stripe, you’ve already outsourced most of the security heavy lifting. Your compliance process might take just an hour or two per year.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes.
It doesn’t matter if you’re a sole proprietor selling at farmers markets or a multi-location retailer. The moment you accept a credit card payment, you’re required to be PCI compliant.
Your Merchant Level
The card brands group merchants into four levels based on annual transaction volume. Visa's thresholds (the ones most processors use) are:
- Level 4: Fewer than 20,000 e-commerce transactions per year, or up to 1 million transactions across all channels (most small businesses)
- Level 3: 20,000 to 1 million e-commerce transactions per year
- Level 2: 1 million to 6 million transactions per year
- Level 1: Over 6 million transactions per year, or any merchant a card brand designates Level 1 (for example after a breach)
Other brands use similar but not identical thresholds, and in practice your acquirer tells you which level you are.
As a Level 4 merchant (which you likely are), you complete a Self-Assessment Questionnaire (SAQ) instead of hiring an assessor. Think of it as TurboTax for PCI compliance — you answer questions about your payment setup, and it generates your compliance documentation.
What Your Payment Processor Expects
When your processor sends that annual compliance questionnaire, they want:
1. A completed SAQ (the right type for your business)
2. An Attestation of Compliance (AOC) — basically your signature saying the answers are accurate
3. Proof of quarterly external vulnerability scans (if the SAQ you complete requires them, which is the case for most online and network-connected setups)
4. Sometimes a network diagram or other documentation
Miss their deadline, and those monthly non-compliance fees start hitting your merchant statement.
Which SAQ Do You Need?
The biggest confusion in PCI compliance is figuring out which SAQ applies to your business. There are different versions based on how you accept payments. Question counts below are from the PCI DSS v3.2.1 questionnaires; they change with each version of the standard, so treat them as a rough guide to effort rather than exact figures. Here's the plain-English guide:
| How You Accept Payments | Your SAQ Type | Number of Questions | Difficulty |
|---|---|---|---|
| Payment page fully hosted by others (PayPal, Square Online) | SAQ A | 22 | Easy |
| E-commerce site with payment fields collected by your own page's code | SAQ A-EP | 191 | Moderate |
| Standalone terminals with dial-up/cellular | SAQ B | 41 | Easy |
| Standalone terminals on your network | SAQ B-IP | 82 | Easy-Moderate |
| Terminals that are part of a PCI-listed point-to-point encryption (P2PE) solution | SAQ P2PE | 33 | Easy |
| Virtual terminal or phone orders | SAQ C-VT | 88 | Moderate |
| Payment application connected to internet | SAQ C | 160 | Moderate-Hard |
| Storing card numbers or complex setup | SAQ D | 329 | Hard |
Common Scenarios
If you use a countertop terminal (like Square Terminal or Clover Flex): You likely need SAQ B if it connects via cellular/dial-up, or SAQ B-IP if it uses your WiFi or ethernet.
If you have an online store: Using Shopify's checkout, WooCommerce with Stripe Checkout, or a similar setup where the customer is redirected to the provider's page? That's typically SAQ A. SAQ A also covers payment fields delivered in an iframe that comes entirely from a PCI-validated provider (Stripe Elements and similar hosted-field products), because your own server never handles the card data. If your own page's JavaScript collects the card number and posts it to the processor (a "direct post" integration), or your server ever sees the card number, that's SAQ A-EP. Either way, keep the scripts on your payment page to a minimum: the v4.x questionnaires ask about scripts that could tamper with that page, and a compromised plugin or tag on a checkout page is the way e-commerce card data usually gets stolen.
If you take orders by phone: Using a virtual terminal from your processor, on a computer that is used only for that and that never stores card numbers? That's SAQ C-VT. Typing card numbers into your regular point-of-sale system or a shared office PC? Unfortunately, that might push you to SAQ C or D.
If you store full card numbers in any form — spreadsheets, customer database, e-mail, even written down — you're looking at SAQ D, the full questionnaire. (The security code on the back of the card may never be stored after authorization under any SAQ.) Time to stop storing card data and simplify your life: keep your processor's token or the last four digits instead.
Not sure? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which form you need — no payment industry jargon required.
How to Complete Your SAQ
Once you know which SAQ you need, the process is straightforward:
What the Questions Look Like
SAQs contain yes/no questions like:
- “Do you have a firewall protecting your payment systems?”
- “Do you change default passwords on payment terminals?”
- “Is your payment processing area restricted to authorized personnel?”
Answering "yes" means you've implemented that security control. "No" means you need to implement it, or document a compensating control: a different safeguard that meets the intent of the requirement when you can't meet it as written (for example, because of a legitimate technical constraint), which your processor must accept. If a requirement genuinely doesn't apply to your setup, you mark it "N/A" and give the reason; that is not the same as a compensating control. Remember that the AOC you sign is an attestation, so every "yes" has to be true.
Documentation You’ll Need
Before starting your SAQ, gather:
- List of all payment terminals and their models
- Your network diagram (if payments touch your network)
- Security policies (even simple ones count)
- Vendor agreements showing they’re PCI compliant
- ASV scan reports (for online merchants)
The Quarterly Scan Requirement
If you process payments online or have payment systems on an internet-connected network, you very likely need quarterly ASV (Approved Scanning Vendor) scans. SAQ A-EP, B-IP, C and D all require them; whether a fully outsourced SAQ A site needs them depends on the version of the SAQ your processor uses, so check the form they give you rather than assuming either way. These automated scans check your internet-facing systems (your website, and any public IP address your payment equipment sits behind) for vulnerabilities. Don't panic: most small business sites pass on the first try. If issues are found, they're usually simple fixes like updating WordPress, removing old files, or turning off an outdated TLS version.
Schedule your first scan as soon as possible. Once you're compliant, you need a passing scan every quarter (four per year) with any findings fixed and rescanned. For your very first assessment the standard accepts one passing scan plus a documented policy to scan quarterly, so starting today means you'll have a clean scan in time for your submission and a full year of them by next year's.
Submitting Your Compliance Package
After completing your SAQ:
1. Generate your Attestation of Compliance (AOC) — this comes from the SAQ tool
2. Compile your ASV scan reports (if required)
3. Submit everything through your processor’s compliance portal
4. Save copies for your records
Most processors accept submissions through online portals, making the process paperless and quick.
What It Costs
PCI compliance costs vary based on your complexity, but for most small merchants:
Compliance Tools and Platforms
- SAQ completion tools: $100-300/year
- Compliance management platforms: $200-600/year
- Many processors include basic tools with your merchant account
ASV Scanning Services
- Quarterly scans: $40-100 per scan (or $150-400/year)
- Some compliance platforms include scanning
- PCICompliance.com bundles scanning with our compliance platform
If You Need Professional Help
- QSA consultation: $150-500/hour (rarely needed for small merchants)
- Full QSA assessment: $15,000-50,000 (only for Level 1 merchants)
- Most Level 4 merchants never need a QSA
The Cost of Non-Compliance
- Monthly processor fees: $20-100 until you comply
- Breach fines: $5,000-100,000 depending on severity
- Lost processing privileges: Priceless — try running a business that can’t accept cards
For perspective: Annual compliance for a typical small merchant costs less than a single month of non-compliance fees. It’s also far less than the smallest breach fine you’d face if something goes wrong.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done exercise. Your processor will ask for updated documentation every year, and you need quarterly scans if you process online.
Annual Requirements
- Complete your SAQ questionnaire
- Update your network documentation
- Review and update security policies
- Train staff on payment security
- Submit fresh attestation to your processor
Quarterly Requirements
- Run ASV scans (online merchants only)
- Review scan results and fix any issues
- Save passing scan reports for your annual submission
When Things Change
Certain changes require immediate attention:
- Adding new payment channels (like starting e-commerce)
- Changing payment providers
- Upgrading your point-of-sale system
- Moving to a new location
- Starting to store card data (please don’t)
Set calendar reminders for your quarterly scans and annual assessment. Better yet, use a compliance platform that tracks deadlines and sends alerts. PCICompliance.com’s dashboard shows exactly what’s due when, so you never miss a requirement.
FAQ
Q: My processor says I need PCI compliance but I barely process any cards. Do I really need to do this?
Yes, even if you process just one card payment per year, you're required to be PCI compliant. The good news is that low volume keeps you at the lowest merchant level, so you self-assess rather than hire an assessor. Which SAQ you complete, and whether you need scans, depends on how you accept cards, not on how many you accept.
Q: I only use Square (or PayPal, or similar). Am I automatically compliant?
Not quite. While Square handles most security requirements for you, you still need to complete an SAQ about your part of the process. It’s usually the simplest form (SAQ A or B), but you do need to submit it to avoid fees.
Q: What’s this vulnerability scan? My website is just a basic WordPress site.
The ASV scan is an automated security check that looks for common vulnerabilities like outdated software or misconfigurations. Most WordPress sites pass after basic updates. The scan runs from outside your network and doesn’t affect your site’s operation.
Q: Can I just ignore this? What’s the worst that could happen?
Your processor will start charging monthly non-compliance fees immediately — usually $20-100 per month. If there’s ever a breach, you could face fines starting at $5,000 plus liability for any fraud. Worst case, you lose the ability to accept credit cards entirely.
Q: I don’t understand these technical questions. Do I need to hire an IT consultant?
For most small businesses, no. The questions seem technical but usually have simple answers. "Do you have a firewall?" Usually yes: your internet router has one, as long as your payment terminal sits behind it and you haven't opened inbound ports to it. "Do you use encryption?" Usually yes: your payment terminal encrypts card data before it leaves the device, which is also why you should never type card numbers into a browser or spreadsheet instead. Don't answer "yes" on the strength of a guess, because the attestation you sign says the answers are accurate. If you truly get stuck, a few hours with an IT consultant beats monthly non-compliance fees.
Q: How do I know if I’m storing credit card data?
Search your computers, shared drives, e-mail and backups for card numbers. A card number is a run of 13 to 19 digits (sometimes with spaces or dashes) that passes the Luhn check digit test, so a simple script or a free card-data discovery tool can find them; searching for a known test number like 4111111111111111 only tells you whether that one string is present. Check old spreadsheets, customer databases, order e-mails and paper forms. If you find full card numbers anywhere — even old ones — you're storing card data and need to securely delete them or move to your processor's tokens. Truncated numbers (first six and last four digits) and processor tokens are not card data and are fine to keep.
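One way to do that search, as an added example written for this page rather than a PCICompliance.com tool: the script below looks for 13- to 19-digit runs, keeps only those that start with a major-brand prefix and pass the Luhn check, and reports them masked so the scan itself never creates a fresh copy of a card number. The sample files are constructed inline; for real use, point `scan_directory` at the folders you want to check.

```python
"""Find stored primary account numbers (PANs) in text files.

Added example for this page; not a PCICompliance.com product or the
standard's own tooling. Brand prefixes below are an assumption that
covers Visa, Mastercard, American Express and Discover.
"""
import re
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Leading digits of the four brands named on this page (Visa 4, Mastercard 51-55 and
# 2221-2720, Amex 34/37, Discover 6011/65/644-649). Cuts false positives; not proof.
BRAND_PREFIX = re.compile(r"^(4|5[1-5]|22[2-9]\d|2[3-6]\d\d|27[01]\d|3[47]|6011|65|64[4-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, which PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the unmasked PANs found in text (caller is responsible for not storing them)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and BRAND_PREFIX.match(digits) and luhn_ok(digits):
            found.append(digits)
    return found


def scan_text_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan {filename: contents}; return masked hits for files that contain PANs."""
    hits = {}
    for name, text in files.items():
        pans = find_pans(text)
        if pans:
            hits[name] = [mask(p) for p in pans]
    return hits


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk a directory tree and scan every regular file as text (undecodable bytes ignored)."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                files[str(path)] = path.read_text(errors="ignore")
            except OSError:
                continue
    return scan_text_files(files)


# Constructed sample data: two real-looking test numbers, one 15-digit Amex test number,
# a phone number, an invoice number that fails Luhn, and an order ID with no brand prefix.
SAMPLE_FILES = {
    "customers.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,5500-0000-0000-0004\n",
    "notes.txt": "Call back on 702-555-0123. Invoice 4111111111111112 is not a card.\n"
                 "Amex on file: 378282246310005\n",
    "orders.log": "Order #20240117000012345 shipped.\n",
}

if __name__ == "__main__":
    for name, masked in scan_text_files(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(masked)}")
```

Treat every hit as card data until proven otherwise: securely delete the file or replace the numbers with your processor's tokens, and extend the walk to mail stores and backups, where old order confirmations tend to survive.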
Q: My business partner handles IT and they say PCI is a scam. Is it?
PCI DSS is definitely not a scam — it’s a legitimate security standard created by Visa, Mastercard, Discover, and Amex. Your merchant agreement requires compliance. While some vendors do overcharge for compliance services, the requirement itself is real and enforceable.
Q: I submitted my SAQ last year. Am I done?
No, PCI compliance is annual. You need to complete a fresh SAQ every year, run quarterly scans if you process online, and submit updated documentation to your processor. Mark your calendar for next year or use a platform that sends reminders.
Moving Forward with Confidence
Nevada PCI compliance doesn’t have to be overwhelming. For most businesses, it’s a few hours of work per year that protects both you and your customers. Start by identifying which SAQ applies to your payment setup — that single step demystifies the entire process.
Remember, you’re not alone in this. Thousands of Nevada businesses complete PCI compliance every year, from small boutiques in Las Vegas to restaurants in Reno to online retailers across the state. The process is standardized, well-documented, and genuinely achievable.
PCICompliance.com simplifies your journey to compliance with tools designed for real businesses, not security experts. Our free SAQ Wizard identifies exactly which questionnaire you need in minutes. Our ASV scanning service handles your quarterly vulnerability scans automatically. And our compliance dashboard tracks everything in one place, sending reminders before deadlines and keeping your documentation organized year-round.
Start with our free SAQ Wizard to identify your requirements, or reach out to our compliance team for guidance. With the right tools and a clear path forward, you’ll complete your PCI compliance requirements confidently — and get back to running your business.