Single Product Store PCI: Your Straightforward Guide to Payment Card Compliance
Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and feel overwhelmed, take a breath. For most small businesses — including single product store PCI scenarios — compliance is simpler than you think. You’re likely looking at answering a few dozen yes/no questions once a year and running quarterly security scans. That’s it. No expensive consultants, no massive security overhauls, just basic protections that you probably already have in place.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business accepting credit card payments. The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through the PCI Security Standards Council to protect cardholder data from breaches.
Your acquirer (the bank or payment processor that handles your card transactions) enforces these requirements. They’re the ones who sent you that compliance questionnaire. They’re required by the card brands to ensure all their merchants maintain PCI compliance.
The consequences of non-compliance are real but manageable. Your processor can fine you (typically $5,000-$100,000 depending on size and violations), you’ll be liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept card payments. But here’s the good news: most small merchants qualify for the simplest compliance requirements.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a massive retailer or selling a single product from your garage — PCI compliance applies to you.
Most small businesses fall into Merchant Level 4 (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is actually good news — Level 4 merchants have the simplest compliance requirements.
Your payment processor expects you to:
- Complete an annual Self-Assessment Questionnaire (SAQ)
- Pass quarterly vulnerability scans if you process payments online
- Submit an Attestation of Compliance (AOC) confirming you’ve met requirements
That compliance questionnaire they sent? It’s your annual reminder to complete these requirements. They’re not trying to trip you up — they’re required to verify all their merchants maintain compliance.
Which SAQ Do You Need?
The SAQ you complete depends entirely on how you accept payments. Here’s a plain-language guide to determining your type:
| How You Accept Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect to payment page (PayPal, Stripe Checkout) | SAQ A | ~22 | Simplest |
| Payment form on your site (Stripe Elements, Square) | SAQ A-EP | ~139 | Moderate |
| Standalone terminal (Square Reader, Clover) | SAQ B or B-IP | ~41-82 | Simple |
| Phone orders (no electronic storage) | SAQ C-VT | ~84 | Moderate |
| Store/process card data electronically | SAQ D | ~329 | Complex |
For single product stores, you’re most likely:
- SAQ A if you use Shopify, WooCommerce with PayPal, or any setup that redirects to a hosted payment page
- SAQ A-EP if you have payment fields on your site using Stripe Elements or similar
- SAQ B if you only use a physical terminal like Square Reader
PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ applies — no guesswork required.
How to Complete Your SAQ
Your SAQ is a questionnaire with yes/no questions about your security practices. For SAQ A (the simplest), you’re looking at about 22 questions that take 30-45 minutes to complete. Questions are straightforward: “Do you have a firewall?” or “Do you change default passwords?”
“Yes” means you have the control in place and working. If you answer “no” to any required control, you’ll need to implement it or explain why it’s not applicable to your environment.
You’ll need to gather:
- Your payment processor agreements
- Network diagrams (for SAQ A, this might just be noting you don’t touch card data)
- Security policies (many small merchants create these during their first assessment)
- ASV scan reports (if required for your SAQ type)
The quarterly ASV scan applies if you have any internet-facing systems involved in payment processing. An Approved Scanning Vendor (ASV) runs automated external scans of those systems looking for known vulnerabilities. These typically cost $200-500 annually and take minutes to set up. Most compliance platforms include ASV scanning.
Once complete, you’ll submit your SAQ and AOC (a formal attestation that you’ve met requirements) to your payment processor through their compliance portal.
What It Costs
PCI compliance for small merchants is surprisingly affordable:
- Compliance platform fees: $150-500 annually for SAQ tools, scanning, and support. Some payment processors include basic tools free.
- ASV scanning: $200-500 annually if not included in your platform. Required for any merchant with internet-facing payment systems.
- QSA assessment: Only required for Level 1-2 merchants. If you’re reading this beginner guide, you likely don’t need one. When required, expect $15,000-50,000 for a formal assessment.
- Non-compliance costs: This is where it gets expensive. Processors typically fine $5,000-25,000 for non-compliance, plus monthly penalties until you comply. If you suffer a breach while non-compliant, you’re liable for fraud losses, forensic investigation costs, and potential fines up to $500,000.
For most small merchants, annual compliance costs less than a single non-compliance fine. It’s cheap insurance.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done exercise. Your SAQ must be completed annually, and if required, ASV scans run quarterly.
Set calendar reminders for:
- Annual SAQ completion (usually 30-60 days before your deadline)
- Quarterly ASV scans (every 90 days)
- Security update reviews
- Password changes
Certain changes trigger a new assessment:
- Switching payment processors or methods
- Adding new payment channels (like adding phone orders to your online store)
- Significant changes to your payment environment
PCICompliance.com’s compliance dashboard tracks all these dates and sends automatic reminders. You’ll never miss a deadline or wonder about your compliance status.
FAQ
I’m just a single product store. Do I really need to worry about PCI?
Yes, but don’t panic. Size doesn’t matter — accepting cards does. The good news is that single product stores typically qualify for the simplest SAQ types, making compliance straightforward and affordable.
What happens if I ignore the compliance questionnaire?
Your processor will eventually fine you (typically starting at $5,000) and may add monthly penalties. Worse, if you suffer a breach while non-compliant, you’re fully liable for fraud losses and investigation costs.
Can I just say “yes” to all the SAQ questions?
Only if they’re actually true. Lying on your SAQ is considered fraud and makes you liable for any breaches. Most questions are basic security practices you likely already follow.
Do I need to hire a security consultant?
For Level 4 merchants completing SAQ A or B, probably not. The questions are straightforward, and good compliance platforms provide guidance. Save consultants for complex environments or if you’re struggling with specific requirements.
How is PCI different for online versus physical stores?
Online stores face additional requirements around secure transmission and vulnerability scanning. Physical stores using standalone terminals often have simpler requirements but must ensure terminals are properly configured and physically secure.
What if I don’t store any card numbers?
Great! You’re already following a key principle of PCI: don’t store what you don’t need. You still need to complete an SAQ, but you’ll qualify for one of the simpler types.
My payment processor handles everything. Am I still responsible?
Yes. While processors handle much of the security, you’re responsible for your piece — like keeping terminals secure, not writing down card numbers, and maintaining passwords. Your SAQ covers your responsibilities.
How do I know if I’m doing this right?
Your completed SAQ and passed ASV scans (if required) confirm compliance. If your processor accepts your submission without requesting corrections, you’re doing it right.
Conclusion
PCI compliance for a single product store doesn’t have to be overwhelming. In most cases, you’re looking at completing a simple questionnaire annually and running quarterly scans if you process online. The requirements exist to protect both you and your customers from card fraud — something every business should care about.
Start by identifying your SAQ type based on how you accept payments. Complete the questionnaire honestly, implement any missing controls, and submit your compliance documentation to your processor. Set reminders for annual renewals and quarterly scans. That’s really all there is to it.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never miss a deadline or wonder about your compliance status again. Start with the free SAQ Wizard or talk to our compliance team to get your single product store PCI compliant quickly and affordably.