No Transactions: Need PCI?

No Transactions Yet? Here’s What You Need to Know About PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re wondering what to do — especially if you haven’t even started processing card payments yet — take a deep breath. For most small businesses, PCI compliance is simpler than you think. The questionnaire sitting in your inbox looks intimidating, but you probably qualify for one of the simpler SAQ types that takes less than an hour to complete. Here’s exactly what you need to know to get compliant and stay that way.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through an organization called the PCI Security Standards Council. Think of it as a security checklist designed to protect credit card data from theft.

Here’s the key part: if you accept, process, store, or transmit credit card information in any way, these requirements apply to you. It doesn’t matter if you process one transaction a year or one million — the moment you decide to accept card payments, you need to be PCI compliant.

Your payment processor or acquiring bank (the company that handles your card transactions) enforces these requirements. That’s who sent you the compliance questionnaire, and that’s who will follow up if you don’t complete it.

The consequences of non-compliance are real but manageable. Your processor can fine you monthly (typically $25-$100 for small merchants), increase your processing rates, or even terminate your ability to accept cards. If there’s a data breach and you’re not compliant, you could be liable for fraud losses and forensic investigation costs. But here’s the good news: for most small businesses, achieving compliance takes less time than dealing with the consequences of ignoring it.

Do You Need to Be PCI Compliant?

The simple answer: if you plan to accept credit cards in any form — in person, online, over the phone, or through a mobile app — yes, you need to be PCI compliant. This applies even if you haven’t processed your first transaction yet.

Most small businesses are classified as Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news because Level 4 merchants have the simplest compliance requirements — typically just completing an annual Self-Assessment Questionnaire (SAQ) and running quarterly vulnerability scans if you have any systems connected to the internet.

Your payment processor expects you to:

  • Complete the appropriate SAQ annually
  • Run quarterly ASV scans if required for your SAQ type
  • Submit your Attestation of Compliance (AOC) — a form confirming you completed the SAQ
  • Fix any security issues identified during the process

That compliance questionnaire they sent? It’s either the SAQ itself or instructions for accessing their compliance portal where you’ll complete it. They’re not trying to catch you off guard — they’re required by the card brands to ensure all their merchants maintain compliance.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in several versions, each designed for different payment acceptance scenarios. Here’s how to determine which one applies to you:

| How You Accept Payments | SAQ Type | Number of Questions | Complexity Level |
|---|---|---|---|
| Outsource everything to a third party (PayPal, Square online) | SAQ A | 22 | Simple |
| E-commerce with payment page in iframe (Stripe Elements, many gateways) | SAQ A-EP | 191 | Moderate |
| Standalone terminals only, no electronic storage | SAQ B | 41 | Simple |
| Standalone terminals with IP connection | SAQ B-IP | 82 | Simple to Moderate |
| Payment application connected to internet, no storage | SAQ C | 160 | Moderate |
| Phone or mail orders only, no storage | SAQ C-VT | 83 | Moderate |
| Store card data or complex environments | SAQ D | 329 | Complex |

Let’s break this down with real examples:

  • Using Square, Clover, or similar terminals? You’re likely SAQ B or SAQ B-IP depending on whether your terminal connects via phone line or internet
  • Running an online store? If you use Shopify Payments, Stripe Checkout, or PayPal where customers leave your site to pay, you’re SAQ A. If the payment form appears on your site (even in an iframe), you’re SAQ A-EP
  • Taking orders by phone? If you key them into a virtual terminal without storing card numbers, you’re SAQ C-VT
  • Storing credit card numbers? Please stop doing this if possible — you’ll need SAQ D, the most complex questionnaire

Not sure which applies? Use PCICompliance.com’s SAQ Wizard — answer a few simple questions about how you accept payments, and we’ll tell you exactly which SAQ you need.

How to Complete Your SAQ

The SAQ is a series of yes/no questions about your security practices. Each question asks whether you’ve implemented a specific security control. Here’s what completing it actually looks like:

The Questions: They range from simple (“Do you have a firewall?”) to more specific (“Do you change default passwords on all systems?”). Answer “yes” only if you currently meet the requirement — not if you plan to implement it later.

Documentation You’ll Need:

  • List of all payment systems and software
  • Network diagram (even a simple one)
  • Written security policies (basic templates are fine)
  • Vendor compliance certificates (from your payment processor or gateway)

The Quarterly ASV Scan: If your SAQ type requires it (anything except SAQ A and SAQ B), you’ll need to run quarterly vulnerability scans of your internet-facing systems. An Approved Scanning Vendor performs these automated scans to check for security weaknesses. They typically take 24-48 hours to complete and cost $200-$400 per year for small businesses.

Submitting Your Compliance:
1. Complete all SAQ questions
2. Fix any items where you answered “no” or schedule compensating controls
3. Run your ASV scan if required and fix any failing vulnerabilities
4. Sign the Attestation of Compliance (AOC)
5. Submit through your processor’s portal or email as instructed

Most small merchants can complete their SAQ in 30-60 minutes once they have the necessary information gathered.

What It Costs

Let’s talk real numbers for small business PCI compliance:

Compliance Platform/Tools: Free to $500/year for small merchants. Basic SAQ tools are often free from your processor. Commercial platforms with guidance and support typically run $200-$500 annually.

ASV Scanning: $200-$400/year for quarterly scans. Some compliance platforms include this; others charge separately. Your processor might provide free scanning for Level 4 merchants.

Professional Help: Most small merchants don’t need a QSA. If you do need consultant help, expect $150-$300/hour for guidance on specific issues. Full QSA assessments start at $15,000 but are only required for Level 1 merchants.

The Cost of Non-Compliance:

  • Monthly non-compliance fees: $25-$100
  • PCI non-compliance insurance surcharges: $5-$20/month
  • If you have a breach while non-compliant: $5,000-$50,000 in fines plus forensic investigation costs
  • Potential loss of card acceptance privileges

For most small merchants, annual compliance costs less than three months of non-compliance fees — and infinitely less than dealing with a breach.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track:

Set Annual Reminders: Your SAQ expires 12 months after completion. Set reminders at 11 months to start the renewal process before your processor starts calling.

Quarterly Scanning: If you need ASV scans, they’re due every 90 days. Missing a scan can invalidate your compliance even if your SAQ is current.

Track What Changes: Moving to a new payment system, adding e-commerce to your brick-and-mortar store, or changing how you handle phone orders can change your SAQ type. Review annually or when your payment processes change.

Stay Organized: Keep your network diagram updated, maintain your security policies, and document any system changes. Next year’s assessment will be much easier if you maintain good records.

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and stores your documentation in one place. You’ll never wonder when your next scan is due or where you filed last year’s AOC.

FAQ

I haven’t processed any transactions yet. Do I really need to worry about PCI?

Yes, if you’ve set up the ability to accept card payments — even if you haven’t used it yet. Your processor requires compliance as soon as you’re approved for card acceptance. The good news is that with no transaction history, you likely qualify for the simplest SAQ types.

What happens if I just ignore the compliance questionnaire?

Your processor will start with reminder emails and phone calls, then move to monthly non-compliance fees ($25-$100 typically). Eventually, they may increase your processing rates or terminate your merchant account. It’s much easier to spend an hour completing the SAQ than dealing with the consequences.

The questionnaire has hundreds of questions. Do I really need to answer all of them?

You only answer the questions in your specific SAQ type. If you’re SAQ A (fully outsourced payments), that’s just 22 questions. Most small merchants don’t face the 300+ question SAQ D unless they’re storing card numbers, which you should avoid if at all possible.

What’s this ASV scan they’re requiring?

An Approved Scanning Vendor scan is an automated security check of your internet-facing systems — website, email server, etc. It looks for vulnerabilities hackers could exploit. The scan runs quarterly, takes about a day, and you’ll get a report showing what (if anything) needs to be fixed.

Can I just hire someone to handle all this for me?

Yes, but most small merchants don’t need to. Compliance consultants charge $150-$300/hour, and a full assessment can cost thousands. For Level 4 merchants, using a guided compliance platform is usually sufficient and much more cost-effective.

My payment processor says I need to be “PCI compliant” but also offers their own program. Should I use it?

Compare their offering to independent platforms. Processor programs are convenient but may lock you in or charge premium prices. Make sure any solution includes ASV scanning (if you need it) and provides the official SAQ forms and AOC that any processor will accept.

What if I fail my ASV scan?

You’ll get a report showing which vulnerabilities need to be fixed. Most are simple issues like outdated software or weak passwords. Fix the identified issues and request a rescan. You have unlimited rescans within your quarterly window to achieve a passing score.

How is PCI compliance different from other security requirements like HIPAA or SOX?

PCI DSS is specific to payment card data protection. While there’s some overlap in security best practices, PCI has its own requirements, forms, and validation process. If you’re subject to multiple regulations, look for common controls you can implement once to satisfy multiple standards.

Conclusion

That PCI compliance questionnaire in your inbox might have seemed overwhelming when it arrived, but now you know it’s manageable — even if you haven’t processed your first card payment yet. Most small businesses need only the simplest SAQ types, which take less than an hour to complete once you understand what’s being asked.

The key is getting started. Determine your SAQ type, gather your basic documentation, and work through the questions methodically. PCI compliance isn’t about perfection — it’s about implementing reasonable security measures to protect your customers’ payment data.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of wondering if you’re doing it right, you’ll have confidence that you’re meeting all requirements and protecting your business from both security threats and compliance fines. Start with the free SAQ Wizard or talk to our compliance team about getting your specific questions answered.
