Sezzle PCI Compliance
You Just Got a PCI Compliance Questionnaire — Don’t Panic
Your payment processor just sent you a PCI compliance questionnaire, and you’re staring at terms like “SAQ,” “ASV scan,” and “cardholder data environment.” Take a deep breath. For most small businesses, PCI compliance is far simpler than it sounds. You probably qualify for one of the easier questionnaires that takes less than an hour to complete. This guide will explain exactly what you need to do, in plain English, without the technical jargon that makes compliance seem impossible.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules created by the major credit card brands — Visa, Mastercard, American Express, and Discover. Through the PCI Security Standards Council, they established these requirements to protect credit card data from theft and fraud. If you accept credit cards in any form — whether through a terminal, online, or over the phone — these rules apply to your business.
Your acquirer (the bank or payment processor that handles your card transactions) enforces these rules. They’re the ones who sent you that compliance questionnaire. They need proof that you’re following PCI security standards because they’re on the hook if something goes wrong.
The consequences of ignoring PCI compliance are real. Your payment processor can fine you monthly until you comply — typically $20-100 per month for small merchants. If there’s a data breach and you’re not compliant, you could face fines ranging from thousands to hundreds of thousands of dollars, plus liability for fraudulent charges. In extreme cases, you could lose the ability to accept credit cards entirely.
Here’s the good news: most small businesses qualify for the simplest compliance types. You’re not building Fort Knox — you’re following basic security practices that make sense for your business.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant.
It doesn’t matter if you’re a food truck with a Square reader, an online boutique using Shopify, or a consultant who occasionally takes card payments over the phone. The moment you enter the payment card ecosystem, PCI DSS applies to you.
Your merchant level determines how you demonstrate compliance. Most small businesses fall into Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete a self-assessment questionnaire (SAQ) rather than undergoing a formal audit by a QSA.
Your payment processor expects you to:
- Complete the appropriate SAQ (Self-Assessment Questionnaire) annually
- Run quarterly ASV scans if your SAQ type requires them (generally, when you have in-scope systems connected to the internet)
- Submit an AOC (Attestation of Compliance) confirming you’ve met all requirements
- Maintain compliance throughout the year
That compliance questionnaire they sent? It’s your reminder to complete these steps. They’re not trying to catch you — they need this documentation to show the card brands that their merchants are secure.
Which SAQ Do You Need?
The hardest part of PCI compliance is figuring out which questionnaire applies to your business. There are nine different SAQ types, but most small businesses fit into one of four categories:
| How You Accept Payments | SAQ Type | Complexity | Typical Questions |
|---|---|---|---|
| Redirect to payment processor (PayPal, Stripe Checkout) | SAQ A | Simplest | 22 questions |
| Embedded payment form (Stripe Elements, payment iframe) | SAQ A-EP | Simple | 139 questions |
| Standalone terminal (Square, Clover, Ingenico) | SAQ B or B-IP | Moderate | 41-82 questions |
| Taking cards over phone/mail | SAQ C-VT | Moderate | 80 questions |
| Storing card numbers (please stop!) | SAQ D | Complex | 329 questions |
Let’s break this down:
SAQ A is for e-commerce merchants who completely redirect customers to a third-party payment page. If you use PayPal, Stripe Checkout, or similar services where customers leave your site to enter card details, this is probably you.
SAQ A-EP applies when payment forms are embedded on your site but the card data goes directly to the processor. Think Stripe Elements or hosted payment fields where your server never touches the card number.
SAQ B covers merchants using standalone payment terminals that aren’t connected to any other systems. That Square reader at your farmers market booth? Classic SAQ B.
SAQ B-IP is for merchants using payment terminals connected to the internet but isolated from other systems. Many modern cloud-connected terminals fall here.
SAQ C-VT is for merchants taking payments over the phone using virtual terminals — web-based applications where you type in customer card details.
SAQ D is the comprehensive questionnaire for merchants who store, process, or transmit card data on their own systems. If this is you, strongly consider switching to a solution that reduces your scope.
PCICompliance.com’s SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which SAQ you need — no guessing required.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your security practices. Don’t let the technical language intimidate you — most questions translate to common-sense security measures.
When the questionnaire asks “Do you restrict physical access to cardholder data?” it’s really asking “Do you keep your payment terminal in a secure location where customers or unauthorized staff can’t tamper with it?”
Documentation you’ll need:
- List of all payment acceptance methods and devices
- Your network setup (for anything beyond SAQ A)
- Security policies (even informal ones count)
- Vendor compliance certificates (from your payment processor)
The quarterly ASV scan sounds technical, but it’s straightforward. An Approved Scanning Vendor runs automated security scans of any internet-facing systems — your website, email server, or cloud-connected payment devices. The scan identifies vulnerabilities that attackers could exploit. Schedule your first scan as soon as you start the SAQ process, since results can take a few days and a failing scan will need remediation and a rescan before you submit.
Once complete, you’ll sign an Attestation of Compliance (AOC) — a formal declaration that you’ve answered honestly and meet all applicable requirements. Submit this along with your completed SAQ and most recent ASV scan results to your payment processor.
Most small merchants complete their first SAQ in 1-3 hours. Subsequent years are faster since you’re just confirming nothing has changed.
What It Costs
PCI compliance costs vary based on your business complexity, but for most small merchants, it’s surprisingly affordable:
Compliance platforms and SAQ tools: Free to $30/month for basic plans. These guide you through the questionnaire and track your compliance status.
Quarterly ASV scanning: $20-50 per scan, or $80-200 annually. Some compliance platforms include this in their subscription.
Professional help: If you need a QSA for complex environments, expect $5,000-25,000 for a formal assessment. But remember — most small businesses never need this level of service.
Compare this to non-compliance costs:
- Monthly non-compliance fees: $20-100
- Data breach fines: $5,000-500,000 depending on severity
- Forensic investigation costs: $10,000-100,000
- Card replacement costs: $3-5 per compromised card
- Lost ability to process cards: invaluable
For most small merchants, annual compliance costs less than a single month of non-compliance fees. It’s not just about avoiding fines — it’s about protecting your business and your customers.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your compliance expires annually, and you’ll need to:
- Complete your SAQ again each year
- Run ASV scans quarterly (if required for your SAQ type)
- Update your assessment if your payment methods change
- Maintain the security practices you attested to
Set up reminders for:
- Annual SAQ renewal (2 months before expiration)
- Quarterly ASV scans (every 90 days)
- Security updates for payment systems
- Staff training refreshers
Changes that trigger a new assessment:
- Adding new payment channels (like starting e-commerce)
- Switching payment processors or terminals
- Storing card data when you didn’t before
- Significant network or system changes
PCICompliance.com’s compliance dashboard tracks all these dates and sends automatic reminders. You’ll see your compliance status at a glance and get alerts before anything expires.
FAQ
Q: What if I only process a few transactions per year?
Even if you process a single credit card transaction annually, you need to be PCI compliant. There’s no minimum threshold — the requirement kicks in the moment you enter the payment ecosystem.
Q: Can’t my payment processor handle this for me?
Your payment processor handles the security of transactions once they reach their systems, but you’re responsible for security at your point of sale. They can’t attest to practices at your business location.
Q: What’s the difference between PCI compliance and PA-DSS?
PCI DSS applies to merchants and service providers handling card data. PA-DSS was for payment application vendors — it’s been replaced by newer standards, so focus on PCI DSS for your business.
Q: Do I need to hire a QSA?
Most small businesses (Level 4 merchants) complete self-assessment questionnaires without a QSA. You only need a QSA if you’re a Level 1 merchant or your acquirer specifically requires it.
Q: What if I fail my ASV scan?
Failing your initial scan is normal — most businesses have some vulnerabilities to fix. The scan report shows exactly what needs attention, and you typically have 30 days to remediate and rescan.
Q: Can I just use a P2PE solution and skip compliance?
P2PE (Point-to-Point Encryption) solutions dramatically reduce your compliance scope, but don’t eliminate it entirely. You’ll likely qualify for SAQ P2PE, which has only 33 questions focused on device management.
Q: What happens if I don’t complete my SAQ?
Your payment processor will likely start charging monthly non-compliance fees after a grace period. Continued non-compliance could result in increased processing rates or termination of your merchant account.
Q: Is tokenization the same as encryption?
No — encryption scrambles data that can be decrypted with the right key, while tokenization replaces card numbers with non-sensitive tokens. Both reduce your PCI scope but work differently.
Take the First Step Today
PCI compliance sounds overwhelming until you start — then you realize it’s mostly common-sense security practices you’re probably already following. The questionnaire your payment processor sent isn’t a test you can fail; it’s a checklist to ensure you’re protecting your customers’ card data.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance. Our free SAQ Wizard identifies exactly which questionnaire you need in under two minutes. Our ASV scanning service handles your quarterly vulnerability scans with automated scheduling and clear remediation guidance. And our compliance dashboard tracks your progress year-round, sending reminders before anything expires. Start with the free SAQ Wizard to see just how simple compliance can be, or talk to our compliance team if you need guidance on your specific situation.