Redis PCI Compliance
Bottom Line Up Front
If you just received a PCI compliance questionnaire and your heart sank — take a deep breath. For most small businesses, PCI compliance is far simpler than it sounds. You probably don’t need to hire expensive consultants or overhaul your entire payment system. In fact, if you use modern payment terminals or hosted checkout pages, you might already meet most requirements. This guide will walk you through exactly what PCI compliance means for your business and how to complete that questionnaire without the confusion.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business accepting credit card payments. Think of it as a security checklist created by the major card brands — Visa, Mastercard, American Express, and Discover — to protect customer card data.
The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) enforces compliance. They’re the ones who sent you that questionnaire.
Why does this matter to you? Three reasons:
1. Fines: Your payment processor can charge monthly non-compliance fees, typically $25-100 per month
2. Liability: If card data gets stolen from your business and you’re not compliant, you could face tens of thousands in breach costs
3. Card acceptance: In extreme cases, you could lose the ability to accept credit cards altogether
Here’s the good news: The PCI Security Standards Council recognizes that a corner coffee shop faces different risks than Amazon. That’s why they created different SAQ (Self-Assessment Questionnaire) types. Most small businesses qualify for the simplest versions, which can be completed in an afternoon.
Do You Need to Be PCI Compliant?
The simple answer: If you accept credit cards in any form — in-store, online, over the phone, or even just once a year at a fundraiser — then yes, you need to be PCI compliant.
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). At Level 4, you typically just need to:
- Complete the appropriate SAQ annually
- Run quarterly vulnerability scans if you have any internet-facing systems
- Keep your Attestation of Compliance (AOC) on file
That compliance questionnaire your payment processor sent? It’s their way of ensuring you meet these requirements. They’re required to verify that their merchants maintain compliance — it’s not them being difficult, it’s them following their own PCI obligations.
Which SAQ Do You Need?
The biggest source of confusion in PCI compliance is figuring out which SAQ applies to your business. Let’s simplify this:
| How You Accept Payments | Your SAQ Type | Complexity | Questions to Answer |
|---|---|---|---|
| Fully outsourced (PayPal, Square online, Stripe Checkout where customer never enters card data on your site) | SAQ A | Simplest | 22 questions |
| E-commerce with direct post (Customer enters card data on your site but it goes directly to processor) | SAQ A-EP | Simple | 191 questions |
| Standalone terminal (Square reader, Clover terminal, no connection to other systems) | SAQ B | Simple | 41 questions |
| Terminal connected to internet (Cloud-based POS, terminal that settles over internet) | SAQ B-IP | Moderate | 82 questions |
| Take cards over phone (Call center, phone orders, no electronic storage) | SAQ C-VT | Moderate | 85 questions + policies |
| Other payment channels (Mail order, face-to-face with connected systems) | SAQ C | Complex | 139 questions |
| Store card data (Not recommended!) or complex environments | SAQ D | Most Complex | 329 questions |
Common scenarios to help you identify your type:
- Restaurant with a Clover terminal: SAQ B or B-IP (depending on how it connects)
- Shopify store: SAQ A (Shopify handles all card data)
- WooCommerce with Stripe Elements: SAQ A-EP (card fields hosted by Stripe but embedded on your site)
- Medical office taking payments over phone: SAQ C-VT
- Any business storing card numbers: SAQ D (please consider tokenization instead!)
Still unsure? PCICompliance.com’s SAQ Wizard walks you through a few simple questions about your payment setup and tells you exactly which SAQ applies — no guesswork required.
How to Complete Your SAQ
Once you know your SAQ type, completing it is straightforward. Each question asks about a specific security control, and you answer Yes, No, or N/A. Here’s what those really mean:
- Yes: You have implemented this security control
- No: You haven’t implemented it (you’ll need to fix this or explain why)
- N/A: This control doesn’t apply to your environment
What you’ll need to gather:
- Your payment flow documentation (or just know how you accept payments)
- Network diagram (for SAQ C and D — can be hand-drawn for small businesses)
- Security policies (for higher-level SAQs — templates are available)
- List of any systems that handle card data
The quarterly ASV scan deserves special mention. If you have any systems accessible from the internet (even just a website), you’ll need an Approved Scanning Vendor to scan for vulnerabilities every 90 days. This automated scan typically takes 30 minutes to run and costs $50-150 per scan. Your ASV will help you fix any critical issues found.
After completing your SAQ, you’ll sign an Attestation of Compliance (AOC) — basically a formal declaration that you’ve answered honestly and meet the requirements. Submit both documents to your payment processor and keep copies for your records.
What It Costs
Let’s talk real numbers. PCI compliance costs vary by business size and SAQ type:
Typical annual costs for small businesses:
- Compliance platform/tools: $150-500 per year (includes SAQ wizard, policy templates, guidance)
- ASV scanning (if required): $200-600 per year for four quarterly scans
- Total for most Level 4 merchants: $350-1,100 per year
If you need professional help:
- Consultant for SAQ assistance: $1,000-3,000 one-time
- QSA for on-site assessment: $15,000-50,000 (only required for Level 1 merchants)
The cost of NON-compliance:
- Monthly fees from processor: $25-100 per month ($300-1,200 per year)
- If you have a breach while non-compliant: $50,000-500,000 in fines and costs
- Lost business: Potentially permanent loss of card acceptance ability
Being compliant typically costs less than the non-compliance fees alone — and it’s a fraction of what a single breach could cost.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with some ongoing obligations:
Annual requirements:
- Complete your SAQ
- Update your security policies (if applicable)
- Train staff on security procedures
Quarterly requirements:
- ASV vulnerability scans (if you have external-facing systems)
- Review of user access (for larger merchants)
What triggers a reassessment:
- Changing payment processors
- Adding new payment channels (like starting e-commerce)
- Significant changes to your network or systems
- Moving to a different payment technology
Set calendar reminders for these deadlines — missing them can result in non-compliance fees. PCICompliance.com’s compliance dashboard tracks all these dates automatically and sends you reminders before each deadline.
Frequently Asked Questions
What happens if I just ignore PCI compliance?
Ignoring PCI compliance is risky and expensive. Your payment processor will likely start charging monthly non-compliance fees immediately. More seriously, if cardholder data gets compromised and you’re not compliant, you could face fines up to $500,000 and lose your ability to accept credit cards.
Do I need PCI compliance if I only process a few transactions per year?
Yes, PCI compliance applies to any business that accepts credit cards, regardless of volume. The good news is that very small merchants usually qualify for the simplest SAQ types, making compliance relatively quick and inexpensive.
Can I just pay the non-compliance fee instead of becoming compliant?
While technically you can pay the fees, this is short-sighted. Non-compliance fees add up quickly, and you’re still liable for breach costs. Plus, many processors will eventually terminate non-compliant merchants.
What’s the difference between PCI compliance and EMV compliance?
EMV refers to chip card technology, while PCI compliance covers overall payment security. You can be EMV-compliant but not PCI-compliant. Both are important, but PCI compliance is mandatory for all merchants accepting cards.
How do I know if I’m storing card data?
Check your systems for any saved credit card numbers, including in emails, spreadsheets, or customer databases. If you can see a full card number anywhere in your systems after a transaction completes, you’re storing card data and need SAQ D.
My payment processor says I’m compliant — do I need to do anything?
Some processors include basic compliance services, but you’re ultimately responsible. Verify what they’re actually providing — you may still need to complete your SAQ or schedule ASV scans.
How often do the PCI requirements change?
The PCI Security Standards Council updates requirements periodically to address new threats. Major updates happen every few years, with minor clarifications more frequently. Staying with a compliance platform ensures you’re always working with current requirements.
What if I fail my ASV scan?
Don’t panic — failing vulnerabilities are common on first scans. Your ASV provides a report detailing what needs fixing. Address any failing vulnerabilities (usually software updates or configuration changes) and request a rescan.
Moving Forward with Confidence
PCI compliance might seem overwhelming at first glance, but for most small businesses, it’s a manageable process that protects both you and your customers. The key is identifying your correct SAQ type and methodically working through the requirements.
Start by using PCICompliance.com’s free SAQ Wizard to identify exactly which questionnaire applies to your payment setup. Our platform then guides you through each requirement with plain-English explanations and practical examples. Need ASV scanning? We handle that too, with automated scheduling and clear remediation guidance for any issues found. Our compliance dashboard tracks your progress, stores your documentation, and reminds you when annual updates or quarterly scans are due. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and support to make PCI compliance straightforward and stress-free. Take the first step with our SAQ Wizard, or reach out to our compliance team for personalized guidance.
