Bottom Line Up Front
If you use SimplyBook.me to take appointments and accept card payments — and you just got a PCI compliance questionnaire from your payment processor — take a breath. PCI compliance for a SimplyBook.me user is almost certainly simpler than the scary-sounding paperwork suggests. For most small businesses using a hosted booking and payment platform, you’ll qualify for the shortest, easiest self-assessment questionnaire (SAQ), and you can complete it without being a security expert.
Here’s the short version: PCI compliance is a set of security rules for anyone who accepts credit cards. Your payment processor sent you that questionnaire because they’re required to confirm you follow them. Most small merchants finish their assessment in an afternoon, run one external scan if needed, and submit a short attestation. That’s it. Let’s walk through exactly what you need to do.
What Is PCI Compliance (In Plain English)
PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a list of security requirements designed to protect credit card data — the card number (called the PAN, or Primary Account Number), the cardholder’s name, the expiration date, and the security code on the back.
It was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a group called the PCI Security Standards Council (PCI SSC). The Council writes and maintains the standard, but the card brands and your acquirer (the bank or company that processes your card transactions) are the ones who actually enforce it. That’s why the questionnaire came from your processor, not from some government agency.
If you accept credit cards in any form, PCI applies to you. It doesn’t matter if you process two transactions a month or two thousand a day.
What happens if you ignore it? A few things, none of them fun:
- Fines from your processor. Many acquirers charge monthly non-compliance fees until you complete your assessment.
- Liability if there’s a breach. If card data is stolen and you weren’t compliant, you can be on the hook for fraud losses, forensic investigation costs, and card reissuance.
- Losing the ability to accept cards. In serious cases, a processor can terminate your account.
Now the good news: the standard is organized into 6 control objectives covering 12 requirements, but most small businesses only have to address a small slice of them. The more you outsource card handling to a compliant platform like SimplyBook.me, the fewer requirements apply to you.
Do You Need to Be PCI Compliant?
Simple answer: yes. If you accept credit cards through SimplyBook.me — or anywhere else — you fall under PCI DSS.
The next question is your merchant level. Card brands and your acquirer assign your level based on your annual transaction volume and risk. There are four merchant levels (1 through 4), and the vast majority of small businesses land at Level 4 — the lowest-volume, lowest-burden tier.
> Important: Don’t assume your level. The exact transaction thresholds are set by the card brands and can change. Confirm your merchant level with your acquirer — they’ll tell you exactly which level and which validation method they expect.
For most Level 4 merchants, your processor expects the same package each year: a completed SAQ (Self-Assessment Questionnaire) together with a signed AOC (Attestation of Compliance), plus a quarterly external scan if your setup involves internet-facing systems.
That questionnaire your processor sent you? It’s their way of confirming you’ve reviewed the relevant security requirements and can attest that you meet them. They’re required to collect it. It’s routine — not an accusation that you’ve done something wrong.
Which SAQ Do You Need?
This is where most people get stuck, so let’s make it plain. The SAQ you need depends entirely on how card data flows through your business — and specifically, how much of it you touch.
If your customers enter their card details directly into SimplyBook.me’s hosted payment page (or a connected gateway like Stripe), and that card data never lands on your own servers, you’re in the simplest category. The less you handle, the smaller your Cardholder Data Environment (CDE) — and a smaller CDE means fewer requirements.
Here’s a plain-language map:
| Your Payment Scenario | Likely SAQ | Complexity |
|---|---|---|
| Online booking with a fully hosted checkout (SimplyBook.me, Stripe, hosted gateway) — you never touch card data | SAQ A | Lowest |
| E-commerce where your site partially controls the payment page (iframe, redirect, direct-post) | SAQ A-EP | Moderate |
| Standalone dial-out card terminal, no electronic card storage | SAQ B | Low |
| Standalone IP-connected terminal (Square, Clover-type devices) | SAQ B-IP | Low–Moderate |
| Virtual terminal — you key in cards taken by phone | SAQ C-VT | Moderate |
| Internet-connected payment system, no electronic storage | SAQ C | Moderate |
| You store card numbers electronically (please stop) | SAQ D | Highest |
For a typical SimplyBook.me user whose customers pay through the platform’s hosted checkout, you’re most likely looking at SAQ A — the shortest path. If you also key cards in by hand over the phone using a virtual terminal, SAQ C-VT may apply.
Not sure? Don’t guess. Our free SAQ Wizard asks a few plain-English questions about how you take payments and tells you exactly which SAQ fits your business — no jargon required.
How to Complete Your SAQ
An SAQ is a structured questionnaire of yes/no questions, each tied to a security requirement. The simplest SAQs (like SAQ A) have far fewer questions than the comprehensive SAQ D — which is the whole point of getting your scope right first.
A few realities to set expectations:
- Yes/no doesn’t mean trivial. Answering “yes” means you genuinely meet that requirement. For example, if a question asks whether you use multi-factor authentication (MFA) for administrative access, “yes” means it’s actually turned on — not that you plan to.
- Most small-merchant SAQs are short. A scoped-down SAQ A can often be completed in an afternoon.
- You’ll gather some documentation. Depending on your SAQ, this can include a basic description of how card data flows, confirmation that your service providers (like SimplyBook.me and your gateway) are themselves PCI compliant, and your written information security policy.
The quarterly ASV scan
If your environment includes internet-facing systems, the standard requires a quarterly ASV scan — an external vulnerability scan run by an Approved Scanning Vendor (ASV). The scan checks your public-facing systems for known weaknesses and produces a report you submit alongside your SAQ.
Whether you need one depends on your SAQ type and setup — many fully hosted SAQ A merchants have minimal external scope. When in doubt, confirm with your acquirer. Our ASV scanning service handles these scans on the required quarterly schedule and delivers compliant reports.
Submitting your SAQ and AOC
Once you’ve answered every question and (if applicable) attached your passing scan, you sign the AOC — the Attestation of Compliance. That’s the official document stating you’ve completed your assessment. You submit the SAQ and AOC to your acquirer or through the portal they specified. Done — until next year.
What It Costs
Honest answer: for most small merchants, annual PCI compliance is one of the cheaper line items in your business.
| Cost Item | When It Applies | Typical Budget |
|---|---|---|
| Compliance platform / SAQ tools | Most merchants | Low annual subscription |
| Quarterly ASV scanning | If you have internet-facing systems | Modest annual cost |
| QSA (Qualified Security Assessor) | Level 1, or complex environments | Significantly higher — engagement-based |
| Non-compliance fees | If you don’t complete your SAQ | Recurring monthly charges from your processor |
A QSA is only required when you need a full ROC (Report on Compliance) — typically Level 1 merchants or unusually complex environments. The overwhelming majority of small businesses self-assess and never need to hire one.
Now weigh that against the cost of non-compliance. Processor non-compliance fees stack up month after month. And if a breach occurs while you’re non-compliant, you can face forensic investigation costs, fraud liability, and card reissuance expenses that dwarf a year of compliance tooling. For most small merchants, annual compliance costs less than a single breach fine — and far less than losing the ability to accept cards at all.
Staying Compliant Year-Round
Here’s the part people miss: PCI compliance isn’t a one-time event. Your SAQ is validated at least annually, and if scans apply to you, they run quarterly. Compliance is a point-in-time attestation backed by ongoing practices — you’re confirming you’re secure now and staying that way.
A few things that should trigger a fresh look at your assessment before your annual renewal:
- You change how you take payments (switching gateways, adding phone orders, adding a new terminal).
- You start storing card data (this jumps you to SAQ D — avoid it if you can).
- You add new systems that touch cardholder data or sit in your CDE.
The easiest way to avoid scrambling at renewal time is to set reminders and track everything in one place. Our compliance dashboard keeps your SAQ status, scan schedule, and renewal dates visible year-round, so you’re never surprised by a deadline or a lapsed scan.
FAQ
I just got a PCI questionnaire and I’m overwhelmed. Where do I start?
Start by identifying the right SAQ for how you accept payments — that single step determines how much you actually have to do. Use our free SAQ Wizard, then work through the questionnaire it points you to. Most small merchants find the scope is far smaller than they feared.
Does SimplyBook.me make me automatically PCI compliant?
No — using a compliant platform reduces your burden but doesn’t eliminate your responsibility. You still need to complete your own SAQ and AOC and confirm your service providers are compliant. The benefit is that a hosted payment flow keeps card data off your systems, which usually qualifies you for the simplest SAQ.
What’s the difference between an SAQ and an AOC?
The SAQ is the questionnaire where you confirm you meet the applicable requirements. The AOC (Attestation of Compliance) is the signed summary document stating you completed your assessment — it’s what you actually submit to your acquirer alongside the SAQ.
Do I really need a quarterly ASV scan?
It depends on your SAQ type and whether you have internet-facing systems in scope. Some fully hosted SAQ A merchants have minimal external scope, while others do require quarterly scans. Confirm with your acquirer, and if you need scans, our ASV scanning service handles them on schedule.
Can I store customer card numbers to make rebooking easier?
Please don’t. Storing card data pushes you into SAQ D — the most demanding assessment — and you can never store Sensitive Authentication Data (the security code, full track data, or PIN) after authorization. Use tokenization through your platform instead, so you can charge repeat customers without holding the raw card number.
What happens if I just ignore the questionnaire?
Your processor will likely charge recurring non-compliance fees, and you’ll carry full liability if a breach occurs. In serious cases, your acquirer can suspend your ability to accept cards. Completing a simple SAQ is far cheaper and easier than living with those risks.
How do I know my merchant level?
Your acquirer assigns your level based on annual transaction volume and risk — most small businesses are Level 4. Don’t assume; ask your processor directly so you complete the validation method they actually expect.
Is compliance a one-time thing once I finish?
No — it’s renewed at least annually, with quarterly scans where they apply. Any major change to how you handle payments can require a fresh assessment, which is why year-round tracking matters.
Conclusion
If you take one thing away, let it be this: PCI compliance for a small business using a hosted booking and payment platform is usually far more manageable than the questionnaire makes it look. Get your SAQ right, answer it honestly, run a scan if you need one, sign your AOC, and keep an eye on it through the year. That’s the whole job.
PCICompliance.com is an end-to-end PCI compliance platform serving thousands of merchants and service providers — from single-location shops to multi-site enterprises — with everything you need in one place. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, our remediation guidance helps you close any gaps, and our compliance dashboard tracks your progress year-round with expert support behind it.
Start with the free SAQ Wizard to find your path in minutes — or talk to our compliance team and let us walk you through it.