Sage Payments PCI Compliance: A Small Business Guide to Getting (and Staying) Compliant
If you’ve landed here because your payment processor just sent you a PCI compliance questionnaire and you’re not sure what to do with it, take a deep breath. For most small businesses using modern payment solutions, Sage PCI compliance is simpler than you think. You don’t need to be a security expert, and you probably won’t need to hire expensive consultants. This guide will walk you through exactly what you need to do, in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect credit card data. The card brands formed the PCI Security Standards Council to manage these standards, but it’s your payment processor or acquiring bank that actually enforces them.
Here’s the simple truth: if you accept credit cards in any form — in person, online, or over the phone — you need to be PCI compliant. This applies whether you process one transaction a month or thousands per day.
Your payment processor (the company that handles your credit card transactions) is required by the card brands to ensure all their merchants are compliant. That’s why they sent you that questionnaire. They’re not trying to make your life difficult — they’re protecting both of you from the very real costs of a data breach.
The consequences of non-compliance are serious but straightforward. Your processor can fine you (typically $5,000-$100,000), you’ll be liable for costs if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards. The good news? For most small businesses, achieving compliance takes a few hours per year, not the massive undertaking you might fear.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards, yes. It doesn’t matter if you’re a Fortune 500 company or a food truck — the requirement applies to everyone who handles payment cards.
Most small businesses fall into Merchant Level 4, which means you process fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. This is good news because Level 4 merchants have the simplest compliance requirements — typically just completing an annual self-assessment questionnaire (SAQ) and quarterly vulnerability scans if you have any internet-facing systems.
Your payment processor expects you to complete an annual compliance validation, which usually means:
- Filling out the appropriate SAQ
- Running quarterly ASV scans if required
- Signing an Attestation of Compliance (AOC)
- Submitting everything through their compliance portal
That questionnaire they sent you? It’s their way of starting this process. They’re required to verify your compliance status annually, and many will automatically charge non-compliance fees if you don’t respond.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in several versions, each designed for different payment scenarios. Here’s how to determine which one applies to your business:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Outsource everything (PayPal, Square online) | SAQ A | 22 | Easiest |
| E-commerce with payment page redirect | SAQ A-EP | 191 | Moderate |
| Standalone terminals with no electronic storage | SAQ B | 41 | Easy |
| Standalone terminals with IP connection | SAQ B-IP | 82 | Easy-Moderate |
| Manual key entry or virtual terminal | SAQ C-VT | 85 | Moderate |
| Any electronic storage of card data | SAQ D | 329 | Most Complex |
If you use a modern payment terminal from providers like Square, Clover, or your bank, you’re likely SAQ B or SAQ B-IP. The difference depends on whether your terminal connects via phone line (B) or internet (B-IP).
If you have an e-commerce site using hosted checkout pages (Shopify Payments, Stripe Checkout, WooCommerce with hosted payment forms), you’re probably SAQ A — the simplest questionnaire with just 22 questions.
If you take payments over the phone using a virtual terminal or web-based portal, you’ll complete SAQ C-VT. This applies even if you never write down card numbers.
If you store card numbers electronically — in spreadsheets, databases, or even unencrypted email — you’re looking at SAQ D with its 329 questions. This is where PCI compliance gets genuinely complex and expensive. If this is you, your first priority should be finding ways to stop storing card data.
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no technical knowledge required.
How to Complete Your SAQ
Once you know which SAQ applies, completing it is more straightforward than you might expect. The questionnaires consist of yes/no questions about your security practices. Here’s what to expect:
The questions look like this: “Do you have a firewall?” or “Are passwords changed every 90 days?” Answer honestly — the goal is understanding your actual security posture, not checking boxes.
When you answer “yes,” you’re confirming that control is in place. When you answer “no,” you’ll need to either implement that control or explain why it doesn’t apply to your environment. Many questions won’t apply — for instance, SAQ A merchants can mark all network security questions as “N/A” because they don’t handle card data on their systems.
Documentation you’ll need:
- Your network diagram (even a simple sketch works for small merchants)
- Written security policies (templates are fine to start)
- Vendor compliance certificates (from your payment processor)
- ASV scan results if you have any internet-facing systems
About those quarterly ASV scans: If your business has any internet-facing IP addresses (website, email server, remote access), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor. This automated scan checks for security vulnerabilities and typically takes 24-48 hours. You’ll need four consecutive passing scans for full compliance.
Once everything is complete, you’ll sign the Attestation of Compliance (AOC) — a formal declaration that you’ve completed the assessment honestly and accurately. Submit this along with your SAQ and scan results through your processor’s compliance portal, and you’re done for the year.
What It Costs
PCI compliance costs vary based on your size and complexity, but for most small businesses, the numbers are reasonable:
Compliance platforms and SAQ tools typically run $15-50 per month for small merchants. This includes access to the questionnaire, policy templates, and basic support. Some payment processors include this in their merchant accounts.
Quarterly ASV scanning costs $50-150 per IP address per quarter. Many compliance platforms bundle this with their SAQ tools. If you don’t have any internet-facing systems, you can skip this cost entirely.
If you need a QSA (only required for Level 1 merchants or if your processor specifically demands it), expect $15,000-50,000 for a formal assessment. The vast majority of small businesses will never need this.
Here’s the reality check: the cost of non-compliance far exceeds the cost of compliance. Processor fines start at $5,000 and increase monthly. If you suffer a breach while non-compliant, you’re looking at forensic investigation costs ($10,000+), card replacement fees, fraudulent transaction liability, and potential lawsuits. Annual compliance for most small merchants costs less than a single non-compliance fine.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity — it’s an annual requirement with quarterly components. Here’s how to stay on track:
Set up your compliance calendar:
- Annual SAQ completion (same time each year)
- Quarterly ASV scans (if required)
- Annual policy reviews and updates
- Employee security training
Your compliance status resets annually, so even if you completed everything perfectly last year, you’ll need to do it again. The good news? It gets easier each time as you understand the requirements and have your documentation ready.
Watch for changes that affect compliance:
- New payment channels (adding e-commerce to a retail store)
- New payment providers or processors
- Changes to how you handle card data
- Business growth that changes your merchant level
PCICompliance.com’s compliance dashboard tracks all these dates and sends automatic reminders. You’ll never miss a quarterly scan or annual assessment deadline, and you can see your compliance status at a glance year-round.
Frequently Asked Questions
What happens if I ignore PCI compliance?
Your payment processor will likely start charging monthly non-compliance fees ($25-100 typically). More seriously, if you experience a breach while non-compliant, you’ll be fully liable for all costs and could lose your ability to accept credit cards.
Do I need PCI compliance if I only use PayPal or Square?
Yes, you still need to complete PCI compliance validation. However, services like these typically qualify you for SAQ A, the simplest questionnaire with only 22 questions.
How long does the SAQ take to complete?
For most small merchants, expect 2-4 hours for your first SAQ, including gathering documentation. Subsequent years take less time as you’ll already have policies and procedures in place.
What’s the difference between SAQ and ROC?
An SAQ (Self-Assessment Questionnaire) is completed by the merchant themselves. A ROC (Report on Compliance) requires an onsite assessment by a QSA and is typically only required for Level 1 merchants processing over 6 million transactions annually.
Can I just say “yes” to all the questions?
Never falsify your compliance status. Besides being unethical, it leaves you fully liable in case of a breach. The questionnaires are designed to help you identify and fix security gaps, not trick you.
Do I need to hire a consultant?
Most small merchants can complete their SAQ without professional help. Consider a consultant only if you’re SAQ D, having trouble with repeated scan failures, or if your processor specifically requires QSA involvement.
What if my business is seasonal?
You still need year-round compliance even if you only process transactions seasonally. The requirements apply to any business that has the ability to accept cards, not just those actively processing.
How do I know if I’m storing card data?
Search your computers for files containing test card numbers (4111111111111111 for Visa, 5500000000000004 for Mastercard). Check email folders, spreadsheets, and databases. If you find any, you’re storing card data and need to address it immediately.
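A practical way to run that search, as an added example rather than code from the page or from PCICompliance.com: the Python script below goes beyond looking for the two test numbers and flags any 13-19 digit sequence that passes the Luhn check the card brands use, masking each hit so the report itself never stores a full card number. The sample files it creates are constructed for the demo, and the file extensions it scans are an assumption you should widen to match your own environment.

```python
import re
import tempfile
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded inside a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits so the findings report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list:
    """Return masked, Luhn-valid card numbers found in a block of text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits

def scan_directory(root: str, extensions=(".txt", ".csv", ".eml", ".log")) -> dict:
    """Walk root and map each file (by name) to the masked PANs it contains."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            pans = find_pans(path.read_text(errors="ignore"))
            if pans:
                findings[path.name] = pans
    return findings

def demo() -> dict:
    """Constructed sample files (test numbers only, no real data) to exercise the scan."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "orders.csv").write_text("id,card\n1,4111 1111 1111 1111\n2,5500-0000-0000-0004\n")
        Path(tmp, "notes.txt").write_text("invoice 1234567890123456 is not a card\nphone 555-0100\n")
        return scan_directory(tmp)

if __name__ == "__main__":
    for name, pans in demo().items():
        print(f"{name}: {', '.join(pans)}")
```

A 16-digit invoice number that fails the Luhn check is ignored, which keeps the noise down on real file shares; any file listed in the output is one you are storing card data in.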
Making PCI Compliance Manageable
PCI compliance might seem overwhelming when that first questionnaire arrives, but for most small businesses, it’s a manageable process that protects both you and your customers. The key is understanding which requirements actually apply to your business and tackling them systematically.
Start by identifying your SAQ type — this immediately tells you the scope of what you’re dealing with. Use modern payment solutions that minimize your PCI scope, complete your annual assessment honestly, and maintain any required quarterly scans. That’s really all there is to it for most merchants.
PCICompliance.com makes this entire process simpler with our free SAQ Wizard that identifies your exact requirements, ASV scanning service for quarterly vulnerability scans, and compliance dashboard that tracks everything year-round. Whether you’re completing your first SAQ or maintaining ongoing compliance, we provide the tools, templates, and support to make PCI compliance straightforward and stress-free. Start with our free SAQ Wizard to identify your requirements, or contact our compliance team for personalized guidance on your path to PCI compliance.