Sellfy PCI Compliance
Let’s Cut Through the Confusion
You just received a PCI compliance questionnaire from your payment processor, and suddenly you’re drowning in acronyms like SAQ, ASV, and ROC. Take a breath. For most small businesses accepting credit cards — especially those using modern payment tools — PCI compliance is simpler than the industry jargon makes it sound. You don’t need a computer science degree or a security team to get compliant. You just need to understand what applies to your specific situation and complete the right questionnaire.
Here’s the reality: if you’re using payment services like Stripe, Square, or PayPal for your online store, you’re already doing most of what PCI requires. The compliance process is mostly about documenting what you’re doing and checking a few boxes. This guide will show you exactly what you need to do, in plain English, without the technical overwhelm.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB — through something called the PCI Security Standards Council. Think of it as a security checklist that anyone who touches credit card information needs to follow.
The standard exists for one simple reason: to protect credit card data from theft. Every business that accepts, processes, stores, or transmits credit card information must comply with PCI DSS. Yes, that includes your small online shop or brick-and-mortar store.
Your acquirer (that’s your payment processor or the bank that handles your credit card transactions) is the one who enforces these requirements. They’re the ones who sent you that compliance questionnaire, and they’re required by the card brands to ensure all their merchants are compliant.
What Happens If You Don’t Comply?
Non-compliance isn’t just a slap on the wrist. Your payment processor can:
- Charge monthly non-compliance fees (typically $20-100/month)
- Fine you for violations (ranging from hundreds to thousands of dollars)
- Increase your transaction rates
- Terminate your ability to accept credit cards entirely
If there’s a data breach and you’re not compliant, you could be liable for:
- Forensic investigation costs
- Card replacement fees
- Fraudulent charges
- Legal costs
- Damage to your reputation
The Good News
Here’s what the scary compliance letters don’t tell you: most small businesses qualify for the simplest compliance requirements. If you’re using modern payment tools and following basic security practices, you’re probably 90% of the way there already. The compliance process is mostly about proving what you’re already doing right.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you:
- Only process a few transactions a month
- Use a third-party processor
- Never actually see the card numbers
- Only accept payments online
- Think you’re too small to matter
The PCI standards apply to every business that accepts payment cards, regardless of size or transaction volume.
Your Merchant Level
The card brands categorize merchants into levels based on annual transaction volume:
- Level 1: Over 6 million transactions annually
- Level 2: 1 to 6 million transactions annually
- Level 3: 20,000 to 1 million transactions annually
- Level 4: Under 20,000 transactions annually
Most small businesses fall into Level 4, which has the simplest compliance requirements. You’ll complete a self-assessment questionnaire (SAQ) rather than hiring an external assessor.
What Your Payment Processor Expects
That compliance questionnaire your processor sent? They need you to:
1. Determine which SAQ type applies to your business
2. Complete the questionnaire honestly
3. Fix any security gaps you identify
4. Submit your Attestation of Compliance (AOC)
5. Run quarterly vulnerability scans if required
They’ll check in annually (sometimes quarterly) to ensure you’re maintaining compliance.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) is the heart of PCI compliance for small merchants. There are different SAQ types based on how you accept and process payments. Here’s how to figure out which one applies to you:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| Fully outsourced online (Stripe Checkout, PayPal, etc.) | SAQ A | 22 | Easiest |
| E-commerce with direct post (Stripe Elements, Square Web) | SAQ A-EP | 191 | Moderate |
| Standalone terminals only (Square Reader, Clover) | SAQ B | 41 | Easy |
| Standalone terminals with IP connection | SAQ B-IP | 82 | Easy-Moderate |
| Phone/mail orders, no electronic storage | SAQ C-VT | 85 | Moderate |
| Electronic storage or processing | SAQ D | 329 | Complex |
Breaking It Down
SAQ A – The simplest option. You qualify if your online store fully redirects to a third-party payment page (think PayPal, Stripe Checkout, or similar services where customers leave your site to enter card details).
SAQ A-EP – For e-commerce sites where the payment form is embedded on your site but card details go directly to the payment processor. If you use Stripe Elements, Square’s web payments, or similar tools, this is likely you.
SAQ B or B-IP – For businesses using standalone payment terminals. SAQ B is for dial-up terminals (increasingly rare), while B-IP covers internet-connected devices like Square readers or Clover stations.
SAQ C-VT – If you take payments over the phone or mail and enter them into a virtual terminal (web-based payment form), this applies to you.
SAQ D – The most complex option. If you store card numbers electronically, process payments through your own servers, or have a complex payment environment, you’re here.
> Not sure which one? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ to complete — no guesswork required.
How to Complete Your SAQ
Once you know which SAQ type applies, the actual completion process is straightforward.
What the Questionnaire Looks Like
Each SAQ is a series of yes/no questions about your security practices. For example:
- “Do you have a firewall protecting your payment systems?”
- “Do you change default passwords on payment devices?”
- “Is antivirus software installed and updated?”
For each question, you’ll mark:
- Yes – You’re doing this
- No – You’re not doing this
- N/A – This doesn’t apply to your environment
Important: “Yes” means you’re actually doing it, not that you plan to or think it’s a good idea. Be honest — this isn’t a test where you’re trying to get 100%. It’s a tool to identify security gaps.
Documentation You’ll Need
Gather these items before starting:
- Network diagram (even a simple sketch works for small businesses)
- List of all systems that touch payment data
- Security policies (even informal ones)
- Vendor agreements for payment services
- ASV scan results (if required)
The Quarterly ASV Scan
If your SAQ type requires it (most do, except SAQ A and B), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan checks your internet-facing systems for security vulnerabilities. It typically:
- Takes 30-60 minutes to run
- Costs $50-200 per quarter
- Must pass (no high-risk vulnerabilities) for compliance
- Needs to be repeated every 90 days
Submitting Your Compliance
After completing your SAQ:
1. Review all your answers
2. Fix any “No” responses if possible
3. Complete the Attestation of Compliance (AOC) — a formal declaration that you’ve completed the assessment
4. Submit both documents to your payment processor
5. Save copies for your records
The whole process typically takes 2-4 hours for simple SAQ types, or 1-2 days for complex ones.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you do it yourself or use tools and services.
Compliance Platform and Tools
- SAQ wizards and guided questionnaires: Free to $30/month
- Full compliance platforms: $20-150/month depending on features
- Enterprise solutions: $200+ per month
Quarterly ASV Scanning
- Basic scanning service: $50-100 per quarter
- Scanning with remediation support: $100-200 per quarter
- Bundled with compliance platform: Often included
Professional Support (If Needed)
- QSA consultation: $150-300/hour
- Full QSA assessment (only for Level 1 merchants): $10,000-50,000
- Compliance coaching: $500-2,000 for initial setup
The Cost of NON-Compliance
Here’s what makes the compliance costs look reasonable:
- Monthly non-compliance fees: $20-100/month from your processor
- Non-compliance fines: $5,000-100,000 per incident
- Breach costs: Average $150 per compromised card
- Lost ability to process cards: Potentially business-ending
For most small merchants, annual compliance costs less than $1,000 — far less than a single non-compliance fine or the cost of a data breach.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your payment processor will ask for updated compliance annually, and you’ll need quarterly scans throughout the year.
Set Up Your Compliance Calendar
Mark these recurring tasks:
- Quarterly: Run ASV scans (if required)
- Annually: Complete and submit your SAQ
- Ongoing: Review logs and security settings
- As needed: Update your assessment if payment methods change
What Triggers a New Assessment
You’ll need to reassess your compliance if you:
- Change payment processors
- Add new payment methods
- Significantly increase transaction volume
- Change how you handle card data
- Experience a security incident
Making It Manageable
The secret to stress-free compliance? Automation and tracking:
- Use a compliance dashboard to track deadlines
- Set up automatic ASV scans
- Document your processes as you go
- Keep all compliance documents in one place
PCICompliance.com’s compliance dashboard handles all of this automatically — tracking your SAQ status, scheduling ASV scans, and alerting you before deadlines.
FAQ
I only process a few transactions a month. Do I really need to comply?
Yes, PCI compliance applies to any business that accepts credit cards, regardless of transaction volume. Even one transaction per year means you need to comply. The good news? With such low volume, you’ll likely qualify for the simplest SAQ types.
My payment processor handles everything. Aren’t they responsible for compliance?
Your payment processor is responsible for their own PCI compliance, but you’re responsible for yours. Even if they handle most of the security, you still need to complete an SAQ to document your part of the process. Think of it as a shared responsibility.
What’s the difference between PCI compliance and being PCI certified?
“PCI certified” isn’t technically correct terminology, though many use it. Merchants become “PCI compliant” by completing their assessment. Only service providers and certain solution providers receive actual “certification” from the PCI Council.
How long does the SAQ take to complete?
It depends on your SAQ type. SAQ A takes about 30 minutes. SAQ A-EP or B might take 1-2 hours. SAQ D can take several days. Most small businesses can complete their assessment in an afternoon.
Can I just say “yes” to all the questions to pass?
Absolutely not. False attestation is fraud and can result in major fines, loss of card processing privileges, and legal liability if there’s a breach. Answer honestly — the questionnaire helps identify real security gaps that could put your business at risk.
Do I need to hire a QSA?
Most Level 4 merchants (under 20,000 transactions annually) can self-assess using an SAQ. You only need a Qualified Security Assessor (QSA) if you’re a Level 1 merchant or if your acquirer specifically requires it due to past compliance issues.
What if I fail my ASV scan?
Don’t panic. Failed scans are common on the first try. The scan report will detail what vulnerabilities were found. Fix the high-risk issues (often just software updates or configuration changes), then rescan. Most ASV services include unlimited rescans within the quarter.
My business model is changing. Do I need a new assessment?
Yes, if the change affects how you accept or handle card payments. Moving from in-person to online sales, adding phone orders, or starting to store card numbers all require reassessing which SAQ applies to you.
Take the First Step Today
PCI compliance might seem overwhelming when you’re staring at that first questionnaire from your payment processor, but you’ve got this. Most small businesses using modern payment tools can achieve compliance in an afternoon. The key is understanding which requirements actually apply to your situation and methodically working through them.
Remember, the goal isn’t perfection — it’s protecting your business and your customers’ card data while maintaining your ability to accept payments. Start by identifying your SAQ type, honestly assess your current practices, and fix any gaps you find.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You don’t have to figure this out alone. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team for personalized guidance. We’ve helped thousands of businesses navigate PCI compliance, and we’re here to help you too.