Stax PCI Compliance

Getting Your First PCI Compliance Questionnaire? Here’s What You Actually Need to Know

Your payment processor just sent you a PCI compliance questionnaire, and suddenly you’re drowning in acronyms like SAQ, AOC, and ASV. Take a breath. For most small businesses, PCI compliance with a provider like Stax is simpler than that intimidating email makes it seem. If you’re using modern payment tools like Stax, Square, or Stripe, the provider already handles most of the technical requirements; your job is to keep card data out of your own systems and document how you accept payments.

Here’s the reality: thousands of small businesses complete their PCI compliance requirements every year without hiring consultants or making massive technology changes. You can too. This guide will walk you through exactly what that questionnaire means, which form you actually need to fill out, and how to get it done without losing your mind.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to every business that stores, processes, or transmits payment card data. The major card brands (Visa, Mastercard, American Express, Discover, and JCB) maintain the standard through the PCI Security Standards Council (PCI SSC) to protect cardholder data from breaches.

Think of it this way: when customers trust you with their credit card information, the card brands want to ensure you’re protecting that data. The standards cover things like using secure payment terminals, encrypting card data during transmission, and limiting who can access payment information.

Your acquirer (the bank or payment processor that handles your card transactions) enforces these requirements. They’re the ones who sent you that compliance questionnaire. While the card brands set the standards, your acquirer makes sure you follow them.

The Consequences Matter

Non-compliance isn’t just about paperwork. If you’re not PCI compliant, you face:

  • Monthly fines from your payment processor (typically $20-100 per month for small merchants)
  • Breach liability if card data gets stolen (potentially thousands per compromised card)
  • Loss of card processing privileges in extreme cases
  • Higher processing rates as processors view non-compliant merchants as higher risk

The Good News

Most small businesses qualify for the simplest compliance requirements. If you’re using modern payment tools — hosted payment pages, point-to-point encrypted terminals, or payment facilitators like Stax — you’ve already outsourced the complex security requirements to companies that specialize in them. Your job is mainly to confirm you’re using these tools properly.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit or debit cards in any form, yes. This includes:

  • In-person card payments
  • Online transactions
  • Phone orders
  • Mobile payments
  • Recurring billing

Your merchant level determines how you prove compliance. Most small businesses are Level 4 merchants (under Visa’s definition, fewer than 20,000 e-commerce transactions per year and no more than 1 million transactions in total). Level 4 merchants validate with a self-assessment questionnaire (SAQ) rather than an on-site assessment by a Qualified Security Assessor (QSA). Your acquirer assigns your level and can tell you which one you are.

What Your Payment Processor Expects

When your acquirer sends that annual compliance notice, they’re asking you to:

1. Complete the appropriate SAQ for your payment environment
2. Run quarterly external vulnerability scans through an Approved Scanning Vendor (ASV) if your SAQ type requires them (SAQs for internet-connected payment systems do; a standalone dial-out terminal does not)
3. Submit an Attestation of Compliance (AOC) confirming you’ve met the requirements
4. Maintain compliance throughout the year

That questionnaire they sent? It’s not trying to catch you doing something wrong. It’s a checklist to ensure you’re protecting cardholder data the way the card brands require.

Which SAQ Do You Need?

The PCI DSS includes multiple SAQ types, each designed for different payment scenarios. Choosing the right one is crucial — pick one that’s too complex and you’ll waste time on irrelevant requirements. Pick one that’s too simple and you won’t be properly compliant.

Here’s how to determine which SAQ applies to your business:

  • SAQ A (22 questions, simplest): e-commerce where the customer never enters card data on a page you serve. Either the customer is redirected to the provider’s checkout, or the card fields are an iframe served entirely by a PCI DSS validated provider.
  • SAQ A-EP (191 questions, moderate): e-commerce where your own site serves the payment page or the script that builds the card form and posts card data directly to the provider, so your web server can influence how card data is captured.
  • SAQ B (41 questions, simple): imprint machines or standalone dial-out terminals, with no electronic storage of card data.
  • SAQ B-IP (82 questions, simple): standalone PTS-approved terminals that connect to the processor over IP and are not connected to any other system in your environment.
  • SAQ C-VT (79 questions, moderate): manual key entry into a web-based virtual terminal on an isolated computer, one transaction at a time (typical for phone orders).
  • SAQ C (160 questions, moderate): a payment application system, such as a POS, connected to the internet, with no electronic storage.
  • SAQ P2PE (33 questions, simple): a validated point-to-point encryption terminal solution listed by the PCI SSC.
  • SAQ D (329 questions, complex): any electronic storage of card numbers, or any setup not covered by the types above.

Question counts are from the PCI DSS v3.2.1 SAQs; the v4.x SAQs have different counts and tighter eligibility criteria, and your acquirer decides which version you file.

Common Scenarios

If you use a payment terminal like Stax, Square, or Clover for in-person transactions, you likely need:

  • SAQ B if your terminal is a standalone dial-out device with no network connection
  • SAQ B-IP if your terminal connects over IP (the terminal must be a PTS-approved device that is not connected to any other system in your environment)
  • SAQ P2PE if your provider supplies a PCI-listed point-to-point encryption solution and you follow its instruction manual

If you have an e-commerce site:

  • SAQ A if you use a fully hosted checkout where customers are redirected to the provider’s site, or if the card fields are an iframe served entirely by the provider (the approach Stripe Elements and similar iframe-based products use; confirm with your provider’s PCI guidance)
  • SAQ A-EP if your own site serves the payment page or the JavaScript that builds the card form and posts card data directly to the provider

If you take payments over the phone and enter them into a virtual terminal, you need SAQ C-VT.

If you store credit card numbers in any electronic format — even in Excel — you need SAQ D. This is the most complex assessment and frankly, most small businesses should avoid storing card data entirely; store the processor’s token or the last four digits instead.

If you accept payments through more than one channel, each channel is assessed against its own SAQ, or you complete SAQ D for everything. Ask your acquirer which they prefer.

PCICompliance.com offers a free SAQ Wizard that asks a few simple questions about how you accept payments and tells you exactly which SAQ you need. No guessing required.

How to Complete Your SAQ

Once you know which SAQ applies, completing it is straightforward. Each SAQ contains yes/no questions about your payment security practices. Here’s what to expect:

What the Questions Look Like

SAQ questions are specific and technical-sounding, but they’re checking for basic security practices. For example:

  • “Do you change default passwords on payment systems?”
  • “Do you have a firewall protecting your payment environment?”
  • “Do you limit physical access to payment terminals?”

When you answer “yes,” you’re confirming that control is in place. When you answer “no,” you have three options: implement the control before you attest, mark it not applicable with a written reason if it genuinely does not apply to your environment (for example, you have no wireless network), or document an equivalent control on the SAQ’s compensating controls worksheet.

Documentation You’ll Need

Gather these items before starting your SAQ:

  • Network diagram (even a simple one showing how your payment systems connect and what is segmented from them)
  • List of payment systems and software versions
  • Security policies (many small businesses create these during their first assessment)
  • Vendor compliance documents: a list of the third-party service providers that touch card data on your behalf (your processor, e-commerce platform, hosting provider) and a current Attestation of Compliance from each; requirement 12.8 asks you to track them

The Quarterly ASV Scan

If your SAQ type requires external vulnerability scanning (SAQ A-EP, B-IP, C, and D do; SAQ B and C-VT do not, and whether SAQ A does depends on the SAQ version your acquirer uses), you’ll need quarterly scans of every internet-facing IP address or hostname in scope from an Approved Scanning Vendor (ASV). These automated scans check for externally visible vulnerabilities that could expose payment data.

The scan process is simple:
1. Provide your public IP addresses or hostnames to the ASV and attest that the list covers everything in scope
2. They run automated security scans
3. You receive a report showing any vulnerabilities. A scan passes when it finds nothing with a CVSS base score of 4.0 or higher and none of the automatic-failure findings defined in the ASV Program Guide (injection flaws, weak TLS configurations, and the like)
4. Fix any failing issues and request a rescan; a finding you can show is a false positive can be disputed with the ASV with evidence
5. Obtain a passing scan report each quarter

Submitting Your Compliance Package

After completing your SAQ and obtaining passing ASV scans (if required), you’ll:
1. Complete the Attestation of Compliance (AOC) — a formal declaration, signed by an officer of your business, that you’ve met all requirements
2. Submit everything to your acquirer through their compliance portal
3. Save copies for your records

Most acquirers want this done annually, with quarterly ASV scans throughout the year.

What It Costs

PCI compliance costs vary based on your payment setup and chosen tools, but for most small businesses, it’s quite reasonable:

Compliance Platform Fees

  • Basic SAQ tools: $0-50 per year
  • Full compliance platforms: $200-500 per year
  • Enterprise solutions: $1,000+ per year

ASV Scanning

  • Basic scanning: $200-400 per year for four quarterly scans
  • Multiple IPs/domains: $400-800 per year
  • Advanced scanning with support: $1,000+ per year

Professional Services (If Needed)

  • QSA consultation: $150-300 per hour
  • Full QSA assessment: $15,000-50,000 (only Level 1 merchants need an on-site assessment and Report on Compliance, performed by a QSA or a PCI-trained Internal Security Assessor)
  • Remediation assistance: $1,000-5,000 depending on scope

The Cost of Non-Compliance

Before you balk at these costs, consider the alternative:

  • Monthly non-compliance fees: $20-100 from your processor
  • Breach costs: IBM’s 2020 Cost of a Data Breach report put the global average at $3.86 million, a figure dominated by large enterprises; a small-merchant breach costs far less but can still run to forensic investigation fees, card reissuance costs, and per-card assessments
  • Card brand fines: $5,000-100,000 per month during non-compliance, levied on your acquirer and passed through to you
  • Lost business: Customers lose trust after a breach

For most small merchants, a basic SAQ tool plus quarterly scanning costs about the same as a year of non-compliance fees, and it removes the breach liability exposure that the fees do not.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox. Your acquirer expects you to maintain compliance throughout the year. Here’s how to stay on track:

Annual Requirements

  • Complete your SAQ and AOC annually
  • Update your compliance documentation if your payment environment changes
  • Review and update security policies

Quarterly Requirements

  • Run ASV scans every 90 days
  • Review scan results and fix any failures
  • Maintain passing scan reports

Tracking Changes

Certain changes trigger the need for a new assessment:

  • Adding new payment channels
  • Changing payment processors
  • Implementing new payment software
  • Significantly increasing transaction volume

Making It Manageable

Set calendar reminders for:

  • Quarterly scan due dates
  • Annual SAQ renewal
  • Security policy reviews
  • Employee security training

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and maintaining a complete compliance history for your records.

FAQ

Q: My payment processor says I need to be PCI compliant or they’ll charge me fees. Is this legitimate?

Yes, this is standard practice. All merchants who accept cards must validate PCI compliance annually. Non-compliance fees typically range from $20-100 monthly and are completely avoidable by completing your annual requirements.

Q: I only process a handful of transactions each month. Do I still need to comply?

Yes, PCI DSS applies to any business that accepts payment cards, regardless of transaction volume. However, smaller merchants typically qualify for the simplest SAQ types, making compliance straightforward.

Q: What’s the difference between SAQ A and SAQ A-EP? My e-commerce developer isn’t sure which applies.

SAQ A is for fully outsourced e-commerce where customers are redirected away from your site to enter card details, or where the card fields are an iframe served entirely by a PCI DSS validated provider. SAQ A-EP is for sites where your own web server serves the payment page or the JavaScript that collects card data and posts it directly to the provider, even if you never store it. The question to ask your developer is: does any code that our server delivers to the browser touch the card fields? If yes, it is A-EP.

Q: Can I just check “yes” to all the questions on my SAQ to pass?

Absolutely not. The SAQ and AOC are a signed attestation to your acquirer about your security practices. Claiming controls you haven’t implemented is a misrepresentation that voids whatever protection compliance would have given you after a breach, and it dramatically increases your liability for fines and card-reissuance costs.

Q: I use Stax for all my payments. What do I need to do for PCI compliance?

Most Stax merchants qualify for simpler SAQ types since Stax handles the complex security requirements. You’ll still need to complete an annual SAQ confirming you’re using their tools properly and maintaining basic security practices like password policies.

Q: How long does it take to complete an SAQ?

For simpler SAQ types (A, B, B-IP), expect 1-2 hours if you have your documentation ready. More complex types like SAQ C-VT or D can take several hours or days, especially if you need to implement missing controls.

Q: What happens if I fail an ASV scan?

Failing scans are common on the first attempt. The ASV provides a detailed report showing what failed. Fix the identified vulnerabilities (often just software updates or configuration changes) and request a rescan. You need a passing scan once per quarter.

Q: Do I need to hire a QSA?

Most small businesses complete self-assessments without a QSA. Level 3 and Level 4 merchants self-assess; Level 1 merchants need an on-site assessment; Level 2 rules differ by card brand (Mastercard, for instance, wants a QSA or an ISA-trained employee involved in the SAQ). If you’re unsure about your requirements, a brief QSA consultation can provide clarity without a full engagement.

Moving Forward with Confidence

PCI compliance might seem overwhelming when you first receive that questionnaire, but remember — thousands of businesses just like yours complete these requirements every year. If you’re using modern payment tools and following basic security practices, you’re probably already doing most of what PCI requires.

The key is choosing the right SAQ for your payment environment and systematically working through the requirements. With the right tools and a bit of organization, you can achieve compliance without disrupting your business operations.

PCICompliance.com simplifies this entire process. Our free SAQ Wizard helps you identify exactly which questionnaire you need — no more guessing or wading through technical decision trees. Our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard keeps track of all your deadlines and documentation in one place. Whether you’re completing your first SAQ or managing compliance for multiple locations, we provide the tools and support to make PCI compliance manageable. Start with our free SAQ Wizard to identify your requirements, or contact our compliance team for personalized guidance on your path to PCI compliance.
