Nigeria PCI Compliance

You Just Got a PCI Compliance Questionnaire — Don’t Panic

Here’s the truth: PCI compliance in Nigeria is probably simpler than you think. If you’re a small business owner who just received a confusing compliance questionnaire from your payment processor, take a breath. Most businesses like yours can complete their PCI requirements in an afternoon.

Yes, the questionnaire looks intimidating. Yes, the acronyms (PCI DSS, SAQ, AOC) sound like alphabet soup. But for the vast majority of small merchants, achieving PCI compliance involves answering some straightforward questions about how you handle credit card payments and running a basic security scan of your website.

This guide will walk you through exactly what you need to do, in plain English, without the technical jargon that makes compliance seem impossible.

What Is PCI Compliance (In Plain English)

PCI compliance means following security standards designed to protect credit card data. If you accept Visa, Mastercard, American Express, or Discover cards — whether in your store, online, or over the phone — these rules apply to you.

The card brands created these standards through something called the PCI Security Standards Council (PCI SSC). Think of it as the credit card industry’s way of making sure everyone who touches card data keeps it safe. Your payment processor or acquiring bank enforces these rules because they’re responsible if something goes wrong in their merchant network.

What Happens If You’re Not Compliant?

Your payment processor can:

  • Fine you monthly (typically ₦20,000-₦200,000 for small merchants)
  • Hold you liable for fraud losses if there’s a breach
  • Terminate your ability to accept credit cards

The good news? Most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as major retailers processing millions of transactions.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit or debit cards in any form, yes.

It doesn’t matter if you:

  • Only process a few transactions per month
  • Use a modern payment terminal
  • Never actually see the card numbers
  • Only accept payments online

If you accept cards, you need to be PCI compliant.

Your Merchant Level

Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually).

Level 4 merchants typically just need to:

  • Complete a Self-Assessment Questionnaire (SAQ)
  • Pass quarterly network scans if you have a website
  • Attest that you’re following the requirements

Why Your Processor Sent That Questionnaire

Your payment processor sends an annual compliance questionnaire because the card brands require them to verify that their merchants are following PCI standards. It’s not personal — it’s regulatory. They need to show that everyone in their network maintains basic security standards.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Here’s the decision tree in plain language:

How You Accept Payments                                            SAQ Type   Questions to Answer   Complexity
Redirect to a hosted payment page (PayPal, Stripe Checkout)        SAQ A      22                    Easiest
Payment form on your site (Stripe Elements, Square Web Payments)   SAQ A-EP   139                   Moderate
Standalone terminal (Square Reader, Clover Flex)                   SAQ B      41                    Easy
Terminal connected to the internet                                 SAQ B-IP   82                    Easy-Moderate
Taking payments over the phone                                     SAQ C-VT   80                    Moderate
Storing card numbers (please stop!)                                SAQ D      326                   Complex

Common Scenarios

If you run a physical store: You probably use a payment terminal like Square, Clover, or a traditional bank terminal. If it’s a standalone device not connected to your computer, you need SAQ B. If it connects to the internet for processing, you need SAQ B-IP.

If you have an e-commerce site: Using Shopify Payments, WooCommerce with Stripe Checkout, or similar hosted checkout? You need SAQ A. If customers enter card details on your website (even if you don’t store them), you need SAQ A-EP.

If you take orders over the phone: Whether it’s delivery orders or service calls, phone orders require SAQ C-VT.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Here’s what to expect:

What the Questions Look Like

Questions range from simple (“Do you have a firewall?”) to more specific (“Do you change default passwords on all systems?”). Answer honestly — “yes” means you’re actually doing the thing, not that you plan to.

Time Investment

  • SAQ A: 30-60 minutes
  • SAQ B: 1-2 hours
  • SAQ A-EP or C-VT: 2-4 hours
  • SAQ D: Multiple days (you probably need help)

Documentation You’ll Need

Gather these before you start:

  • Your network/Wi-Fi password policy
  • List of who has access to payment systems
  • Your payment processor agreements
  • Any security policies you’ve written down

The Quarterly ASV Scan

If you have any internet-facing systems (website, email server, etc.), you need quarterly vulnerability scans from an Approved Scanning Vendor (ASV).

The scan:

  • Checks for security vulnerabilities
  • Takes about 15 minutes to set up
  • Runs automatically
  • Costs ₦8,000-₦40,000 per quarter

You’ll get a report showing any issues found. Most small business sites pass on the first try. If not, the report tells you exactly what to fix.

Submitting Your Compliance

Once you complete your SAQ and pass your ASV scan (if required), you’ll sign an Attestation of Compliance (AOC). This is your formal declaration that you’ve met the requirements. Submit it to your payment processor through their portal or email it to their compliance team.

What It Costs

Let’s be honest about the real costs:

Compliance Tools and Platforms

  • Basic SAQ completion tools: ₦0-₦20,000/year
  • Full compliance platforms with scanning: ₦40,000-₦160,000/year
  • Enterprise solutions: ₦400,000+/year

ASV Scanning

  • Quarterly scans: ₦8,000-₦40,000 per scan
  • Annual packages: ₦32,000-₦120,000/year

Professional Help (If Needed)

  • Compliance consultant: ₦80,000-₦200,000 for initial setup
  • QSA assessment (only for larger merchants): ₦800,000-₦4,000,000

The Cost of Non-Compliance

  • Monthly non-compliance fees: ₦20,000-₦200,000
  • Breach liability: Potentially millions in fraud losses
  • Lost ability to accept cards: Priceless (in the worst way)

Reality check: Most small merchants spend less on annual compliance than they’d pay in a single month of non-compliance fees.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Here’s what ongoing compliance looks like:

Annual Requirements

  • Complete your SAQ every year
  • Update it if your payment methods change
  • Renew your attestation with your processor

Quarterly Requirements

  • Run ASV scans every 90 days (if applicable)
  • Review and fix any vulnerabilities found
  • Keep scan reports for your records

What Triggers a New Assessment

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or terminals
  • Storing card data when you didn’t before
  • Growing beyond your current merchant level thresholds

Making It Manageable

Set calendar reminders for:

  • Quarterly scan dates
  • Annual SAQ renewal
  • Policy review dates

PCICompliance.com’s dashboard tracks all these dates automatically and sends reminders when action is needed.

Frequently Asked Questions

Do I need PCI compliance if I only process a few cards per month?

Yes. PCI compliance applies to anyone who accepts payment cards, regardless of transaction volume. The good news is that low-volume merchants usually qualify for the simplest SAQ types.

What if I use Square/Shopify/PayPal for everything?

You still need to complete an SAQ, but it’s usually the simplest one (SAQ A). These providers handle most of the security heavy lifting, but you’re responsible for your piece of the payment process.

Can I just ignore the compliance questionnaire?

Don’t. Your processor will start charging non-compliance fees, typically ₦20,000-₦40,000 monthly. Eventually, they can terminate your merchant account, leaving you unable to accept cards.

How do I know if I’m storing card data?

Check your systems for saved card numbers, even in spreadsheets or customer notes. If you can see full card numbers anywhere after a transaction completes, you’re storing card data and need to stop.

What’s the difference between PCI compliance and EMV?

EMV (chip cards) is about the physical card technology. PCI compliance covers all aspects of card data security, including but not limited to EMV transactions.

Do I need to hire a security consultant?

Most small merchants don’t. If you qualify for SAQ A, B, or B-IP, you can typically handle compliance yourself with the right tools and guidance.

What if I fail my vulnerability scan?

Don’t panic. The scan report shows exactly what needs fixing, usually simple updates or configuration changes. Fix the issues and rescan — most merchants pass after addressing the findings.

How often do the requirements change?

The PCI Security Standards Council updates the standards periodically, but changes rarely affect small merchants dramatically. Focus on maintaining good security practices rather than worrying about version changes.

Your Next Steps

PCI compliance doesn’t have to be overwhelming. For most Nigerian businesses, it’s a straightforward process that protects both you and your customers. The key is understanding which requirements apply to your specific situation and tackling them systematically.

Start with PCICompliance.com’s free SAQ Wizard to identify exactly which questionnaire you need. Our platform then walks you through each requirement in plain English, handles your quarterly ASV scans automatically, and keeps your compliance documentation organized year-round. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and expert guidance to make PCI compliance manageable.

Don’t let that compliance questionnaire intimidate you. With the right approach and tools, you can achieve PCI compliance quickly and maintain it without the headaches. Take the first step with our SAQ Wizard or reach out to our compliance team for personalized guidance.
