Revel Systems PCI Compliance Guide: What You Actually Need to Know
Your Payment Processor Sent You a PCI Questionnaire. Now What?
First, take a breath. If you’re a small business using Revel, PCI compliance requirements probably seem overwhelming, but here’s the truth: for most merchants, achieving compliance is simpler than you think. That questionnaire your payment processor just sent? It’s not a test designed to fail you — it’s a checklist to confirm you’re protecting customer card data the way you likely already are.
You don’t need to become a security expert. You don’t need to hire expensive consultants (usually). And you definitely don’t need to panic. What you do need is a clear understanding of what PCI compliance actually means for your business and a straightforward path to get there. That’s exactly what this guide provides.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a set of security rules created by the major card brands (Visa, Mastercard, American Express, Discover, JCB) to protect credit card information. If you accept card payments — whether through a terminal, online, or over the phone — these rules apply to you.
The card brands created an organization called the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquiring bank or payment processor (the company that handles your card transactions) enforces compliance. That’s who sent you the questionnaire, and that’s who you’ll submit your compliance documentation to.
Why This Matters to Your Business
Non-compliance isn’t just about following rules — it has real consequences:
- Fines from your payment processor (typically $5,000-$100,000 per month)
- Liability for fraud losses if card data is compromised
- Increased processing fees or even loss of your ability to accept cards
- Breach costs that can devastate a small business (average breach cost exceeds $150,000)
But here’s the good news: most small businesses qualify for the simplest compliance requirements. If you’re using modern payment systems and following basic security practices, you’re probably already doing most of what PCI requires.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards, yes.
It doesn’t matter if you process one transaction or one million. It doesn’t matter if you’re a food truck or a Fortune 500 company. Accept cards? You need to be compliant.
Your Merchant Level
Your merchant level determines how you demonstrate compliance:
| Annual Visa Transactions | Merchant Level | What You Need |
|---|---|---|
| Over 6 million | Level 1 | Annual onsite assessment by a QSA |
| 1-6 million | Level 2 | Annual SAQ, quarterly scans |
| 20,000-1 million | Level 3 | Annual SAQ, quarterly scans |
| Under 20,000 | Level 4 | Annual SAQ, may need quarterly scans |
Most small businesses fall into Level 4, which means you complete a Self-Assessment Questionnaire (SAQ) annually. That questionnaire your processor sent? That’s your SAQ.
What Your Payment Processor Expects
Your payment processor needs proof that you’re protecting card data. They require:
1. A completed SAQ (the questionnaire they sent)
2. An Attestation of Compliance (AOC) (basically your signature saying the SAQ is accurate)
3. Possibly quarterly vulnerability scans by an Approved Scanning Vendor (ASV)
4. Proof of compliance by their deadline (usually annually)
Miss their deadline, and those monthly non-compliance fees start immediately.
Which SAQ Do You Need?
The key to simple compliance is identifying the right SAQ. There are different versions based on how you handle card data. Let’s decode which one applies to you:
SAQ Decision Guide
| How You Accept Payments | Your SAQ Type | Number of Questions |
|---|---|---|
| Outsourced entirely (PayPal, Square online) | SAQ A | 22 |
| E-commerce with payment page redirect | SAQ A-EP | 191 |
| Terminal only, no electronic storage | SAQ B | 41 |
| Terminal only with IP connection | SAQ B-IP | 82 |
| Payment application, no storage | SAQ C | 160 |
| Phone/mail/fax only, no storage | SAQ C-VT | 81 |
| Store card data or complex setup | SAQ D | 329 |
Common Scenarios
Using Revel POS with integrated payments? You’re likely SAQ B-IP if your terminals connect via internet, or SAQ B if they use phone lines.
Taking orders over the phone? If you don’t store card numbers (and you shouldn’t), you’re SAQ C-VT.
E-commerce with Stripe or PayPal? Usually SAQ A — the simplest form with just 22 questions.
Not sure? PCICompliance.com’s free SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ you need. No guessing, no compliance jargon — just clear answers.
How to Complete Your SAQ
Once you know which SAQ you need, completion is straightforward. Here’s what to expect:
What the Questions Look Like
SAQ questions are in yes/no format. For example:
- “Do you have a firewall between the internet and your payment system?”
- “Do you change default passwords on payment terminals?”
- “Is antivirus software installed and updated?”
“Yes” means you’re doing it. Not planning to do it, not mostly doing it — actually doing it. Be honest. This isn’t about passing a test; it’s about protecting your business.
Documentation You’ll Need
Gather these before starting:
- Network diagram (even a simple sketch of how your terminals connect)
- Vendor agreements with payment service providers
- Security policies (even informal ones count)
- User access lists showing who can access payment systems
- Scan reports if you’ve done vulnerability scanning
The Quarterly ASV Scan
If your SAQ type requires it, you’ll need quarterly vulnerability scans by an Approved Scanning Vendor (ASV). Don’t let the technical name scare you — it’s an automated scan that checks your website and payment systems for security vulnerabilities.
The scan typically:
- Takes 15-30 minutes to run
- Costs $50-150 per quarter
- Identifies issues you need to fix
- Provides a passing report for your compliance package
PCICompliance.com includes ASV scanning with our compliance platform — schedule it once, and we’ll handle the quarterly reminders and reports.
Submitting Your Compliance Package
Once complete, you’ll submit:
1. Your completed SAQ
2. The Attestation of Compliance (AOC)
3. ASV scan reports (if required)
4. Any additional documentation your processor requests
Most processors accept uploads through their merchant portal. Keep copies for your records — you’ll need them next year.
What It Costs
Let’s talk real numbers. PCI compliance costs vary, but here’s what to budget:
Compliance Platform Costs
- SAQ completion tools: $20-50/month
- Compliance management platforms: $50-200/month
- PCICompliance.com: Starting at $39/month (includes SAQ tools, scanning, and support)
ASV Scanning
- Standalone ASV scans: $50-150 per quarter
- Bundled with platform: Often included (as with PCICompliance.com)
If You Need a QSA
- Level 1 merchants only: $15,000-50,000 annually
- Most small businesses: Not required
The Cost of NON-Compliance
- Monthly processor fines: $5,000-100,000
- Increased transaction fees: 0.5-1% higher
- Breach costs: Average $150,000+
- Lost business: Immeasurable
Reality check: Annual compliance for most small merchants costs less than a single month’s non-compliance fine. It’s not an expense — it’s insurance.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your processor will ask for updated documentation annually, and certain requirements need attention year-round:
Annual Requirements
- Complete your SAQ before your renewal date
- Update your AOC
- Review and update security policies
- Confirm vendor compliance status
Quarterly Requirements
- Run ASV scans (if required)
- Review scan results and fix any findings
- Keep scan reports for your records
Ongoing Best Practices
- Update passwords when employees leave
- Install security patches on payment systems
- Monitor for suspicious activity
- Train staff on card data security
When Changes Trigger Reassessment
You’ll need to reassess your compliance if you:
- Change payment processors or methods
- Add new locations or payment channels
- Start storing card data (please don’t)
- Experience a security incident
PCICompliance.com’s compliance dashboard tracks all these requirements in one place. Set it up once, and we’ll remind you when action is needed. No more scrambling when your processor’s deadline approaches.
FAQ
Q: My payment processor says I’m non-compliant. What do I do?
Start immediately. Log into your processor’s portal, download the SAQ they’re requiring, and begin the assessment. Most processors give you 30-60 days to comply before fines begin. PCICompliance.com can fast-track your compliance — many merchants complete their requirements in under 48 hours.
Q: I only process a few transactions. Do I really need this?
Yes. PCI compliance applies to any business accepting cards, regardless of volume. The good news: with low volume, you qualify for the simplest requirements and your compliance costs will be minimal.
Q: What’s the difference between SAQ A and SAQ A-EP?
SAQ A is for merchants who fully outsource payment processing — the customer never enters card data on your website. SAQ A-EP is for e-commerce merchants who partially outsource — customers enter data on your site, but it goes directly to a third-party processor. SAQ A has 22 questions; SAQ A-EP has 191.
Q: Can I just ignore this?
Technically yes, but it’s expensive. Non-compliance fines start at $5,000 per month, your processing rates will increase, and if card data is compromised, you’re liable for all fraud losses and breach costs. Compliance is far cheaper than non-compliance.
Q: Do I need to hire a QSA?
Probably not. Only Level 1 merchants (processing over 6 million transactions annually) require a QSA assessment. Most businesses self-assess using an SAQ. If you’re unsure, your payment processor will tell you exactly what they require.
Q: How often do I need to do this?
Annually for your SAQ and AOC, quarterly for ASV scans (if required). Your payment processor will send reminders, but don’t wait — set up your own tracking to avoid last-minute scrambles and non-compliance fines.
Q: What if I fail my ASV scan?
Don’t panic. Failed scans are common on the first attempt. The scan report shows exactly what needs fixing — usually outdated software or security settings. Fix the issues and rescan. Most problems are resolved within a few days.
Q: Is PCI compliance the same as being secure?
PCI compliance is a security baseline, not comprehensive protection. Think of it as the minimum required to accept cards safely. Smart merchants go beyond compliance with additional security measures, but compliance is your essential starting point.
Your Next Steps
PCI compliance doesn’t have to be overwhelming. You now understand what that questionnaire means, which SAQ you likely need, and what it takes to comply. The sooner you start, the sooner you can check this off your list and get back to running your business.
PCICompliance.com makes the entire process manageable. Our free SAQ Wizard identifies your exact requirements in minutes. Our compliance platform guides you through each question with plain-English help. Our ASV scanning service handles your quarterly scans automatically. And our compliance dashboard ensures you never miss a deadline again.
Start with our free SAQ Wizard — answer a few simple questions about how you accept payments, and we’ll tell you exactly which path to compliance is right for your business. Or talk to our compliance team if you need guidance. We’ve helped thousands of merchants achieve compliance quickly and affordably. Yours can be next.