Bottom Line Up Front
If you just got a Payline PCI compliance questionnaire from your payment processor and your stomach dropped — take a breath. For the vast majority of small businesses, PCI compliance is far simpler than the intimidating acronyms suggest.
Here’s the short version: Payline is your payment processor, and like every processor, they’re required to make sure their merchants meet PCI DSS (the Payment Card Industry Data Security Standard). That questionnaire they sent you is called a Self-Assessment Questionnaire (SAQ), and depending on how you accept cards, you may only need to answer a small set of straightforward yes/no questions. Many small merchants finish in an afternoon.
This guide walks you through what PCI compliance actually means, which SAQ applies to you, how to complete it, what it costs, and how to stay compliant year-round — in plain English, no jargon left unexplained.
What Is PCI Compliance (In Plain English)
PCI DSS is a set of security rules designed to protect credit card data. If your business accepts cards in any form — in person, online, or over the phone — these rules apply to you. The goal is simple: keep cardholder data from being stolen.
The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a body called the PCI Security Standards Council (PCI SSC). The council writes and maintains the rules, but it doesn’t enforce them directly against you. That job falls to your acquirer (your acquiring bank) and your payment processor — in this case, Payline.
That’s why the questionnaire came from Payline and not from some government agency. Your processor is contractually obligated to confirm you’re compliant, so they pass that requirement down to you.
What happens if you ignore it?
Non-compliance carries real consequences, but they’re usually financial and contractual rather than legal:
- Monthly non-compliance fees from your processor until you validate.
- Liability if you suffer a breach — fines, forensic investigation costs, and card reissuance charges can be steep.
- Loss of your ability to accept cards in serious or repeated cases.
The good news: most small businesses qualify for the simplest SAQ types, and getting compliant is usually quicker and cheaper than people fear.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit or debit cards, yes. There’s no minimum transaction count that exempts you. Whether you process two cards a month or two thousand, the standard applies.
Your merchant level
The card brands sort merchants into four levels (1–4) based on annual transaction volume and risk. Most small and mid-size businesses fall into Level 4, the lowest-risk tier, which generally means you can self-assess with an SAQ rather than hiring an outside assessor.
Levels are assigned by the card brands through your acquirer, and the specific thresholds vary by brand and can change over time. Confirm your level directly with Payline — they’ll tell you exactly where you stand and what validation they expect.
Why they sent you a questionnaire
That compliance questionnaire is Payline’s way of collecting your annual attestation. It’s not a trap or an audit — it’s a standard part of being a merchant. Completing it tells your processor (and the card brands) that you’ve reviewed your security controls and confirmed you meet the applicable requirements.
Which SAQ Do You Need?
There are several SAQ types, and the right one depends entirely on how you accept cards. The more of the payment process you outsource to compliant third parties, the simpler your SAQ — this is the single biggest lever for reducing your effort.
Here’s the plain-language decision tree:
| Your payment scenario | Likely SAQ | Complexity |
|---|---|---|
| Online store with fully hosted checkout (Shopify, Stripe Checkout, redirect to processor) | SAQ A | Lowest |
| Online store where your page partially controls payment (iframe, direct-post, JavaScript like Stripe Elements) | SAQ A-EP | Moderate |
| Standalone dial-out terminal, no electronic card storage | SAQ B | Low |
| Standalone internet-connected (IP) terminal | SAQ B-IP | Low–Moderate |
| Virtual terminal only — you key in phone/mail orders on a secure web page | SAQ C-VT | Low–Moderate |
| Payment software connected to the internet, no electronic storage | SAQ C | Moderate |
| You store card numbers electronically, or nothing else fits | SAQ D | Highest |
A few common real-world examples:
- Using a Square or Clover terminal in your shop? You’re likely SAQ B-IP (or B if it’s dial-out).
- Running a Shopify store with hosted checkout? Likely SAQ A.
- Taking orders over the phone and keying them into a virtual terminal? Likely SAQ C-VT.
- Storing card numbers in a spreadsheet or CRM? That puts you in SAQ D territory — and honestly, please stop. Storing PANs (Primary Account Numbers) dramatically increases your risk and obligations.
If you’re not certain which one fits, PCICompliance.com’s free SAQ Wizard asks a few simple questions about how you take payments and tells you exactly which SAQ you need. It’s the fastest way to remove the guesswork.
How to Complete Your SAQ
An SAQ is a list of yes/no questions about your security controls. The simplest types (like SAQ A) contain a relatively short set of questions; the most comprehensive (SAQ D) contains many more. The number of questions changes between revisions of the standard, so don’t anchor on a specific count.
For the simpler SAQs, many merchants finish in an hour or two. For more involved environments, plan for a few days of gathering documentation.
What “yes” actually means
Each question asks whether a specific control is in place. Answering “yes” means you genuinely meet that requirement — for example, that you use unique user IDs, enforce strong passwords, keep your systems patched, or restrict who can access payment systems. If you can’t honestly answer yes, that’s a gap to remediate before you attest.
Documentation you’ll likely need
Depending on your SAQ, gather items such as:
- A list of where and how you accept payments
- Confirmation that any third-party providers (your gateway, processor, hosting) are PCI compliant — ask for their AOC
- Your information security policies
- Records that you change vendor-default passwords and apply security updates
- For internet-facing systems, your quarterly ASV scan results
The quarterly ASV scan
If your environment includes external-facing systems (most e-commerce and IP-connected setups), the current standard requires a quarterly ASV scan — an external vulnerability scan performed by an Approved Scanning Vendor. The scan checks your public-facing systems for known weaknesses and produces a passing report you submit with your SAQ.
PCICompliance.com’s ASV scanning service handles these scans on the required cadence, so you’re not scrambling to find a vendor each quarter.
Submitting your SAQ and AOC
Once your questionnaire is complete, you’ll sign an AOC (Attestation of Compliance) — a formal statement that your answers are accurate — and submit both to Payline through whatever channel they specify. That completes your validation for the period.
What It Costs
Costs vary by business size and complexity, but here’s a realistic picture:
| Item | Typical budget consideration |
|---|---|
| Compliance platform / SAQ tools | Often modest monthly or annual fee; some free tools exist |
| Quarterly ASV scanning | Recurring annual cost, scaled to number of IP addresses |
| QSA (Qualified Security Assessor) | Only for Level 1 / ROC-required entities — significant cost |
| Non-compliance fees | Monthly charges from your processor until you validate |
| Breach liability | Forensics, fines, card reissuance — potentially business-ending |
Most Level 4 small merchants never need a QSA. A QSA performs the formal ROC (Report on Compliance) typically required for Level 1 merchants. If you’re self-assessing, you handle the SAQ yourself — often with platform support — and pay only for tooling and scanning.
The honest bottom line: for most small merchants, a full year of compliance tooling and ASV scanning costs less than a single breach fine. Compliance is the inexpensive option.
Staying Compliant Year-Round
Here’s the part people miss: PCI compliance isn’t a one-and-done task. You validate at least annually, and if you have external-facing systems, you run ASV scans quarterly. Compliance is point-in-time when you attest, but the controls must be maintained continuously.
A few things that should trigger a fresh look at your compliance:
- Switching payment providers or adding a new payment method
- Launching or significantly redesigning your e-commerce checkout
- Adding new systems that touch cardholder data
- Major changes to your network or how staff access payment systems
Set reminders so your annual SAQ and quarterly scans never lapse — a missed scan can put you out of compliance even if nothing else changed. PCICompliance.com’s compliance dashboard tracks your SAQ status, scan schedule, and upcoming deadlines in one place, so you’re never caught off guard when Payline asks for your next attestation.
FAQ
Is PCI compliance a law?
No — PCI DSS is a contractual requirement enforced by the card brands through your acquirer and processor, not a government law. That said, failing to comply can lead to processor fines, increased breach liability, and loss of card acceptance, so it carries real teeth.
I’m a tiny business with only a few card sales a month. Do I really have to do this?
Yes. There’s no transaction minimum that exempts you — if you accept cards at all, PCI applies. The upside is that very small merchants almost always qualify for the simplest SAQ types, which take little time to complete.
What’s the difference between an SAQ and an AOC?
The SAQ is the questionnaire where you confirm your security controls; the AOC (Attestation of Compliance) is the signed statement certifying your answers are accurate. You typically submit both to your processor together.
Do I need a quarterly ASV scan?
Only if your environment includes external-facing systems — common for e-commerce and IP-connected terminals. If your SAQ requires it, the current standard mandates a passing scan from an Approved Scanning Vendor each quarter. Fully outsourced setups (like SAQ A) often have lighter scanning obligations — confirm based on your SAQ.
What happens if I just ignore the questionnaire?
Your processor will typically charge monthly non-compliance fees and may eventually restrict or terminate your ability to accept cards. You also lose key protections if a breach occurs, leaving you exposed to forensic and reissuance costs.
Can I just store card numbers if I encrypt them?
You can store the PAN only if it’s rendered unreadable per the current standard (strong cryptography, truncation, tokenization, or hashing) — but you should avoid storing it at all if possible. You may never store Sensitive Authentication Data (full track data, CVV/CVC codes, or PINs) after authorization. Storing card data pushes you into the most demanding SAQ D and raises your risk significantly.
How do I know which SAQ I qualify for?
It depends entirely on how you accept and handle cards. The fastest way to be sure is PCICompliance.com’s free SAQ Wizard, which identifies the right questionnaire from a few simple questions.
Does being PCI compliant mean I can’t be breached?
No — no control set eliminates risk entirely. PCI compliance substantially reduces your risk and demonstrates due diligence, but security is ongoing risk reduction, not a guarantee. Maintaining your controls year-round is what keeps that protection meaningful.
Conclusion
That questionnaire from Payline isn’t a crisis — it’s a routine part of accepting card payments, and for most small businesses it’s far more manageable than it first appears. Figure out how you accept cards, identify your SAQ, gather your documentation, run any required scans, and attest. Then keep your controls in place and revalidate each year.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance in one place. We’re an end-to-end platform serving thousands of merchants and service providers, from single-location retailers to multi-site enterprises. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round — backed by remediation guidance and expert support whenever you get stuck.
Start with the free SAQ Wizard, or talk to our compliance team — and turn that intimidating questionnaire into a checked box.