PayJunction PCI Compliance

Bottom Line Up Front

If you just received a PayJunction PCI compliance request and your stomach dropped, take a breath. For the overwhelming majority of small businesses, PCI compliance is far simpler than the jargon-filled email made it sound.

Here’s the short version: PayJunction is your payment processor, and like every processor, they’re required to confirm that the merchants they serve handle credit card data securely. The “compliance questionnaire” they sent is a Self-Assessment Questionnaire (SAQ) — usually a yes/no checklist. Most small merchants qualify for one of the shorter SAQ types, can complete it in an afternoon, and only need an inexpensive quarterly scan on top of it.

This guide walks you through exactly what PCI means, whether it applies to you (spoiler: it does if you take cards), which questionnaire you need, what it costs, and how to stay compliant year after year — in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security rules designed to protect credit and debit card data anywhere it’s stored, processed, or transmitted. If you accept card payments — swipe, dip, tap, online, or over the phone — it applies to you.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a body called the PCI Security Standards Council (PCI SSC). The Council writes and maintains the rules, but it doesn’t chase down individual merchants. That job falls to your acquirer and payment processor — in your case, PayJunction. They’re contractually required to make sure their merchants attest to compliance, which is why that questionnaire landed in your inbox.

So what happens if you ignore it? A few unpleasant things:

  • Non-compliance fees from your processor, often charged monthly until you submit your paperwork.
  • Liability if you suffer a breach — fines, forensic investigation costs, and card reissuance charges can be severe.
  • Loss of your ability to accept cards in the worst cases, which can shut a business down.

The good news, and it’s genuinely good news: most small businesses qualify for the simplest SAQ types, especially if you’ve outsourced the heavy lifting to a modern payment terminal or hosted checkout. You likely touch far less card data than you think.

Do You Need to Be PCI Compliant?

The simple answer: yes. If your business accepts credit cards in any form, PCI DSS applies. There’s no minimum transaction count that exempts you — even one card payment a year puts you in scope.

What varies is your merchant level, which determines how you validate compliance. Card brands assign levels (1 through 4) based primarily on your annual transaction volume and risk. Most small businesses are Level 4 — the lowest-volume tier, which uses the self-assessment process rather than a full external audit.

> Confirm your level with PayJunction or your acquirer. Thresholds are set by the card brands and can change, so don’t assume — ask.

Your processor expects the following from a Level 4 merchant: a completed SAQ (the questionnaire), an accompanying Attestation of Compliance (AOC) where you formally sign off, and — if you have any internet-facing systems — a passing quarterly ASV scan.

That questionnaire PayJunction sent is the kickoff to all of this. It’s not a trap or a test designed to fail you. It’s the mechanism by which you self-attest that you’re handling card data responsibly.

Which SAQ Do You Need?

This is the single most important decision, because the right SAQ can mean the difference between a dozen questions and several hundred. The type you need depends entirely on how you accept payments.

Here’s the plain-language decision tree:

  • Use a standalone payment terminal (dial-out or IP-connected) and store no card data electronically? → likely SAQ B or SAQ B-IP.
  • Run an e-commerce site with fully hosted checkout where the payment page lives entirely on your provider’s servers? → likely SAQ A.
  • Your website controls part of the payment page (a redirect, iframe, or direct-post setup)? → likely SAQ A-EP.
  • Take card payments by phone or mail using a virtual terminal in your browser? → likely SAQ C-VT.
  • Store actual card numbers in a spreadsheet, CRM, or filing cabinet? → SAQ D (and please stop storing them — more on that below).

| Payment Scenario | Likely SAQ | Complexity |
|---|---|---|
| Standalone dial-out terminal, no e-storage | SAQ B | Low |
| IP-connected standalone terminal | SAQ B-IP | Low–Medium |
| Fully hosted/redirected e-commerce checkout | SAQ A | Low |
| Website partially controls payment page | SAQ A-EP | Medium–High |
| Virtual terminal (phone/mail orders) | SAQ C-VT | Low–Medium |
| Internet-connected POS, no e-storage | SAQ C | Medium |
| Any electronic storage of card data | SAQ D | High |

If you’re not sure which row you fall into — and plenty of business owners aren’t — that’s exactly what our free SAQ Wizard is for. Answer a few simple questions about how you take payments and it tells you precisely which SAQ applies, so you don’t waste time on the wrong (and longer) questionnaire.

How to Complete Your SAQ

The questionnaire is essentially a structured checklist of security controls drawn from PCI DSS’s six control objectives and twelve requirements — things like maintaining a firewall, using strong access controls, and keeping software patched. Each item is a yes/no question.

For the shorter SAQs (A, B, B-IP, C-VT), a prepared merchant can often complete the whole thing in a single sitting. The key word is prepared — gather your documentation first.

Here’s what “yes” actually means in practice, and what you’ll want on hand:

| Question Theme | What “Yes” Requires | Documentation |
|---|---|---|
| Strong passwords & access | Unique logins, no shared accounts, MFA where required | User/account list |
| Vendor defaults changed | Default passwords on devices changed | Device config notes |
| Card data not stored | You don’t keep PANs or SAD after authorization | Process description |
| Software kept current | Patches and updates applied | Patch records |
| Security policy exists | A written information security policy | The policy document |

A critical rule to internalize: Sensitive Authentication Data (SAD) — full track data, the CVV/CVC code on the back of the card, and PINs — must never be stored after a transaction is authorized. Ever. And the full PAN (the card number) must be rendered unreadable wherever it’s stored. The simplest way to satisfy this? Don’t store card data at all — let your terminal or gateway handle it.
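The “don’t store it” rule is easier to keep when you can find stray card data before an assessor (or an attacker) does. The script below is an added example, not code from PayJunction or PCICompliance.com: it scans a record such as a CRM row or spreadsheet line for anything that looks like a PAN, confirms the candidate with the Luhn checksum that real card numbers pass, masks any hit to the first six and last four digits (the most a stored PAN may reveal), and flags fields whose names suggest Sensitive Authentication Data. The sample record, its field names and the test card number are all constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not immediately adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that commonly hold Sensitive Authentication Data (assumed names for
# this example). SAD must never be stored after authorization, even encrypted.
SAD_FIELD_NAMES = {"cvv", "cvc", "cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_record(record: dict) -> dict:
    """Report fields holding a Luhn-valid PAN (masked) and fields that look like SAD.

    Returns {"pan_fields": {field: masked_pan}, "sad_fields": [field, ...]}.
    """
    findings = {"pan_fields": {}, "sad_fields": []}
    for field, value in record.items():
        text = str(value)
        if field.lower() in SAD_FIELD_NAMES and text.strip():
            findings["sad_fields"].append(field)
            continue
        for match in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"\D", "", match.group(0))
            if luhn_valid(digits):  # drops order ids, reference numbers, etc.
                findings["pan_fields"][field] = mask_pan(digits)
    return findings


# Constructed sample row: the kind of "card on file" note that quietly pushes a
# merchant into SAQ D. 4111 1111 1111 1111 is a well-known test number, not a real card.
CONSTRUCTED_RECORD = {
    "customer": "Jane Example",
    "notes": "Card on file 4111 1111 1111 1111 exp 12/29, phone 555-123-4567",
    "order_id": "ORD-2024-000123",
    "ref_number": "1234567812345678",  # 16 digits but fails Luhn, so not a PAN
    "cvv": "123",                      # SAD: must not exist after authorization
}

if __name__ == "__main__":
    print(audit_record(CONSTRUCTED_RECORD))
```

Run it against an export of whatever system you suspect holds card data; any non-empty `pan_fields` or `sad_fields` is a record to purge or move to your processor’s tokenization. The Luhn check keeps noise down (phone numbers, order ids and most reference numbers do not pass it), but treat this as a first-pass discovery aid, not a substitute for the documented “no storage” process your SAQ asks about.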

The Quarterly ASV Scan

If your environment includes any internet-facing systems (most e-commerce and IP-connected setups), the current standard requires a quarterly ASV scan — an external vulnerability scan performed by an Approved Scanning Vendor. The scan probes your public-facing systems for known weaknesses and produces a pass/fail report.

This isn’t optional where it applies, and it must be done every quarter — not just once. PCICompliance.com’s ASV scanning service handles this for you on a recurring schedule, so you’re never caught off guard at attestation time.

Once your SAQ is complete and your scan (if required) passes, you sign the AOC and submit both to PayJunction through their compliance portal. That’s your validation for the year.

What It Costs

Let’s talk real numbers — qualitatively, since pricing varies.

| Cost Item | Typical Budget | When It Applies |
|---|---|---|
| SAQ tools / compliance platform | Modest annual fee | All merchants |
| Quarterly ASV scanning | Low recurring cost | Internet-facing systems |
| QSA-led assessment (ROC) | Significant | Level 1 / large merchants only |
| Non-compliance fees | Monthly until resolved | If you skip it |
| Breach response & fines | Potentially business-ending | After an incident |

For a typical Level 4 small merchant, annual compliance is an affordable line item — often comparable to a modest software subscription plus a scanning fee. You only need a QSA (Qualified Security Assessor) if you’re a large, high-volume merchant required to produce a full Report on Compliance (ROC), which most small businesses never are.

Here’s the honest assessment: for the vast majority of small merchants, a full year of compliance costs a small fraction of a single breach fine. PCI compliance is point-in-time and ongoing — it reduces risk, it doesn’t eliminate it — but it’s one of the highest-return investments a small business can make in its own survival.

Staying Compliant Year-Round

The most common mistake merchants make is treating PCI as a one-and-done task. It isn’t. Compliance is validated at least annually, with ASV scans every quarter. Miss a scan or let your attestation lapse and you can slip out of good standing without realizing it.

A few things trigger the need to reassess sooner:

  • Changing how you accept payments (adding e-commerce, switching terminals).
  • New systems that touch card data.
  • A change in your merchant level as your volume grows.

The simplest way to stay on track is to put it on autopilot. PCICompliance.com’s compliance dashboard tracks your SAQ status, schedules your quarterly scans, flags upcoming deadlines, and keeps your documentation in one place — so renewal season is a quick review rather than a scramble.

The single biggest lever for making all of this easier? Scope reduction. The less card data you touch, the fewer requirements apply. Using a hosted checkout, tokenization, or a P2PE-validated terminal can shrink your Cardholder Data Environment (CDE) dramatically — sometimes from hundreds of requirements down to a couple dozen.

FAQ

I just got the PayJunction PCI questionnaire and I’m overwhelmed. Where do I start?

Start by identifying which SAQ applies to you — that determines everything else. Use the free SAQ Wizard to pinpoint the right one, and you’ll likely find it’s far shorter than you feared.

What happens if I just ignore it?

Your processor will typically charge monthly non-compliance fees, and you’ll carry significantly more liability if a breach occurs. In serious cases, you can lose the ability to accept cards entirely. It’s always cheaper and easier to complete the SAQ.

Do I really need PCI compliance if I only run a few card transactions a year?

Yes. There’s no transaction minimum that exempts you — accepting even one card payment puts you in scope. The upside is that low-volume merchants almost always qualify for the simplest SAQ.

Can I just store customer card numbers to make repeat billing easier?

Please don’t. Storing card numbers pushes you into SAQ D with far more requirements, and storing SAD (like CVV) after authorization is never permitted. Use your processor’s tokenization features instead — they store the data securely so you don’t have to.

What’s the difference between the SAQ and the ASV scan?

The SAQ is your self-assessment questionnaire confirming your security controls; the ASV scan is an external vulnerability scan of your internet-facing systems. Many merchants need both, completed annually and quarterly respectively.

Do I need to hire a QSA?

Almost certainly not if you’re a small business. QSAs and full ROC assessments are required for the largest, highest-volume merchants. Most small merchants self-assess with an SAQ — confirm your level with PayJunction to be sure.

How long is my compliance good for?

Your SAQ and AOC are valid for one year, but ASV scans must be passed every quarter if they apply to you. Compliance is continuous, not a one-time certificate.

Conclusion

PCI compliance has a fearsome reputation, but for most small merchants working with a processor like PayJunction, it comes down to a manageable process: identify your SAQ, answer the questions honestly, run a quarterly scan if you have internet-facing systems, and keep it up year after year. Compliance is point-in-time and ongoing — it meaningfully reduces your risk rather than guaranteeing perfect security, and that risk reduction is worth far more than it costs.

You don’t have to figure it out alone. PCICompliance.com is an end-to-end compliance platform serving thousands of merchants and service providers, from single-location shops to multi-site enterprises. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress all year long — with remediation guidance and expert support whenever you need it.

Start with the free SAQ Wizard or talk to our compliance team today — and turn that intimidating PayJunction PCI request into a checked box.
