Understanding PCI Compliance When You Accept Credit Cards
Bottom line up front: If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a deep breath. For most small businesses, PCI compliance is far simpler than it sounds. You probably qualify for one of the easier self-assessment questionnaires that takes an hour or two to complete annually. The scariest part is often just understanding what you’re being asked to do — which is exactly what we’ll cover here. Whether you’re using a reverse proxy PCI solution or a simple card terminal, this guide will help you understand exactly what’s required.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. Think of it as a security checklist designed to protect credit card data from theft. If you accept credit cards in any form — whether through a physical terminal, online checkout, or over the phone — these requirements apply to your business.
The card brands created the PCI Security Standards Council (PCI SSC) to manage these standards, but it’s actually your acquirer (the bank or payment processor that handles your card transactions) who enforces them. That’s why you received the compliance questionnaire from them, not from Visa or Mastercard directly.
Here’s what happens if you don’t comply: Your payment processor can fine you (typically $5,000-$100,000 per month of non-compliance), you’ll be liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards entirely. But here’s the good news: most small businesses qualify for the simplest compliance paths, which are designed to be manageable without a security team.
Do You Need to Be PCI Compliant?
The simple answer: If you accept credit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you process one transaction per month or thousands per day. The moment you accept a credit card payment, you’re handling cardholder data (CHD) and the PCI DSS requirements apply.
Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants typically complete a Self-Assessment Questionnaire (SAQ) annually and run quarterly vulnerability scans. You don’t need an onsite assessment from a Qualified Security Assessor (QSA) unless your acquirer specifically requires it.
Your payment processor expects you to complete an annual self-assessment, submit quarterly Approved Scanning Vendor (ASV) scans if you have any internet-facing systems, and maintain compliance year-round. That questionnaire they sent you is your starting point — it’s their way of saying “prove to us that you’re protecting card data properly.”
Which SAQ Do You Need?
The PCI SSC offers different SAQ types based on how you accept and process payments. Think of it like tax forms — you don’t fill out the complex business return if you’re filing as an individual. Here’s how to determine which SAQ applies to your business:
| How You Accept Payments | SAQ Type | Complexity | Typical Questions |
|---|---|---|---|
| E-commerce with fully hosted checkout (PayPal, Stripe Checkout) | SAQ A | Simplest | 22 questions |
| E-commerce with payment fields on your site (even if tokenized) | SAQ A-EP | Simple | 139 questions |
| Physical terminal only, no electronic storage | SAQ B | Simple | 41 questions |
| Physical terminal with IP connection | SAQ B-IP | Moderate | 93 questions |
| Virtual terminal or phone orders | SAQ C-VT | Moderate | 84 questions |
| Any electronic storage of card numbers | SAQ D | Complex | 326 questions |
If you use a standalone payment terminal (like Square, Clover, or a traditional credit card machine), you’re likely SAQ B or SAQ B-IP. The difference depends on whether your terminal connects via phone line (SAQ B) or internet (SAQ B-IP).
If you have an e-commerce site where customers are redirected to a hosted payment page (think Shopify checkout or PayPal), you qualify for SAQ A — the simplest option with just 22 yes/no questions.
If you take payments over the phone using a virtual terminal or web-based system, you’ll complete SAQ C-VT. This applies even if you’re typing card numbers into a payment processor’s website.
If you store card numbers electronically (in a database, spreadsheet, or even email), you’re in SAQ D territory. This is the most complex path — and honestly, unless you have a very good reason and proper encryption, you should stop storing card data immediately.
PCICompliance.com offers a free SAQ Wizard that asks you a few simple questions about your payment setup and tells you exactly which questionnaire applies. It takes about two minutes and removes all the guesswork.
How to Complete Your SAQ
Your Self-Assessment Questionnaire is essentially a security checklist in yes/no format. Each question asks whether you’ve implemented a specific security control. “Yes” means you’re doing it, “No” means you’re not (and need to fix it), and “N/A” means it doesn’t apply to your payment setup.
For example, SAQ A might ask: “Are all payment pages encrypted with TLS?” If you’re using Stripe Checkout or PayPal, the answer is yes — they handle the encryption for you. Document this by noting which payment provider you use.
You’ll need to gather some basic documentation:
- A simple network diagram (this can be hand-drawn) showing your payment terminals or computers
- Your encryption and data retention policies (we provide templates)
- Evidence of your quarterly ASV scans if you have any internet-facing systems
- Contact information for your payment processor and any third-party service providers
The quarterly ASV scan sounds technical but it’s actually straightforward. An Approved Scanning Vendor runs an automated security scan of your public-facing IP addresses looking for vulnerabilities. If you’re SAQ A (fully outsourced e-commerce), you might not need scans at all. If you do need them, services like PCICompliance.com include ASV scanning — you just provide your IP addresses and we handle the rest.
After completing your questionnaire, you’ll generate an Attestation of Compliance (AOC). This is your official declaration that you’ve completed the assessment and meet the requirements. Submit both the SAQ and AOC to your payment processor by their deadline.
What It Costs
PCI compliance costs vary based on your SAQ type and whether you need additional services:
Compliance platforms and SAQ tools typically run $200-500 annually for small merchants. This includes access to the questionnaire, guidance on answering questions, and compliance tracking. Many payment processors include basic tools with your merchant account.
Quarterly ASV scanning costs $100-300 per year when purchased separately. If you need scans (SAQ A-EP, B-IP, C-VT, or D), budget for this as a recurring expense. Many compliance platforms bundle scanning with their annual fee.
QSA services are only required if you’re a Level 1 merchant or if your acquirer specifically demands it. A full Report on Compliance (ROC) assessment can cost $15,000-50,000. But remember — most small businesses never need this.
The cost of non-compliance far exceeds compliance costs. Payment processors typically fine non-compliant merchants $5,000-100,000 per month. If you experience a breach while non-compliant, you’re liable for fraud losses, forensic investigation costs (often $100,000+), and potential lawsuits. Your cyber insurance likely won’t cover breaches resulting from non-compliance either.
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. Think of it as business insurance that actually prevents problems rather than just paying for them afterward.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your SAQ expires annually, and if you need ASV scans, they’re due quarterly. Mark these dates in your calendar now:
- Annual SAQ due date (check your processor’s requirements)
- Quarterly ASV scan windows (every 90 days)
- Annual review of service providers and payment processes
Set up reminders 30 days before each deadline. Your payment processor might send reminders, but don’t count on it. Taking ownership of your compliance calendar prevents last-minute scrambles and potential fines.
Certain changes trigger the need for a new assessment:
- Adding new payment channels (like starting to accept phone orders)
- Changing payment processors or terminals
- Implementing new e-commerce platforms
- Starting to store card data (please reconsider this)
PCICompliance.com’s compliance dashboard tracks all your deadlines, stores your documentation, and sends automatic reminders. You can see your compliance status at a glance and share reports with your payment processor instantly.
FAQ
My payment processor says I need to be PCI compliant by next month. Is that enough time?
For most small businesses, absolutely. If you qualify for SAQ A or B, you can complete your assessment in an afternoon. The main time factor is scheduling your ASV scan if required — start that process immediately as it can take a few days to get results.
I only process a few transactions per month. Do I really need to comply?
Yes. Transaction volume doesn’t exempt you from PCI requirements. However, lower volume means you’re likely a Level 4 merchant with simpler requirements — just an annual SAQ and possibly quarterly scans.
What happens if I answer “No” to a question on the SAQ?
You’ll need to implement that security control before you can submit a compliant SAQ. Some controls have approved compensating measures if the standard approach doesn’t fit your environment. Focus on fixing the “No” answers — they represent real security gaps.
I use Square/PayPal/Stripe for everything. What’s my SAQ type?
If customers never enter card details on your website (they’re redirected to your payment provider’s site), you’re SAQ A. If you use their JavaScript libraries to display payment fields on your site, you’re likely SAQ A-EP. Using just their physical terminals? That’s SAQ B or B-IP.
Can I just say “Yes” to everything and submit it?
Falsifying your SAQ is fraud and a breach of contract with your acquirer. If you’re breached, investigators will verify your answers. A false attestation means you’re liable for all fraud losses and face additional penalties. Answer honestly — it’s always cheaper to fix issues than to lie about them.
Do I need to hire a security consultant?
Most small businesses don’t need outside help beyond a good compliance platform. If you’re SAQ D or struggling with technical requirements, a consultant can help. But for SAQ A or B merchants, the questions are straightforward enough to answer yourself.
What’s the difference between PCI compliance and cyber insurance?
PCI compliance is about preventing breaches through security controls. Cyber insurance helps pay for breach costs after one happens. Most cyber policies require PCI compliance for coverage to be valid — they’re complementary, not alternatives. Think seatbelts versus auto insurance.
My business uses a reverse proxy for web security. Does this affect my SAQ type?
Using a reverse proxy PCI configuration (like Cloudflare or similar WAF services) doesn’t change your SAQ type, but it can help you meet certain requirements more easily. You still need to assess based on how you accept payments, but the reverse proxy helps satisfy requirements around protecting public-facing web applications.
Conclusion
PCI compliance sounds intimidating when that first questionnaire arrives from your payment processor, but for most small businesses, it’s surprisingly manageable. You’re likely looking at a simple SAQ with straightforward yes/no questions that you can complete in an afternoon. The key is understanding which questionnaire applies to your specific payment setup and staying on top of the annual and quarterly requirements.
Remember, PCI compliance isn’t just about avoiding fines — it’s about protecting your customers’ payment data and your business from the devastating costs of a breach. The requirements exist because credit card fraud is a real threat, but following them doesn’t require a computer science degree or a massive security budget.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never miss a deadline or wonder about your compliance status again. Start with the free SAQ Wizard to identify your requirements in under two minutes, or talk to our compliance team if you need guidance on your specific situation. We’ve helped thousands of businesses just like yours navigate PCI requirements successfully, and we’re here to make your compliance journey as smooth as possible.