Substack PCI Compliance: What Small Businesses Need to Know

If you just received a PCI compliance questionnaire from your payment processor and don’t know where to start, relax. For most small businesses accepting credit cards, PCI compliance is simpler than it sounds. You don’t need to be a security expert or hire expensive consultants — you just need to understand which forms to fill out and what basic security practices to follow. This guide will walk you through exactly what you need to do.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to any business accepting credit card payments. Think of it as a checklist of security practices designed to protect your customers’ card information from theft.

The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through an organization called the PCI Security Standards Council. But here’s the important part: the card brands don’t enforce compliance directly. Your acquirer (the bank or payment processor that handles your credit card transactions) does.

When your payment processor sends you that compliance questionnaire, they’re not trying to make your life difficult. They’re required by the card brands to ensure all their merchants protect cardholder data properly. If you don’t comply, the consequences are real:

  • Monthly fines from your processor (typically $25-$100 for small merchants)
  • If card data gets stolen from your business, you’re liable for the fraud losses
  • In extreme cases, you could lose the ability to accept credit cards entirely

But here’s the good news: most small businesses qualify for the simplest compliance requirements. You’re not held to the same standards as Amazon or Target. The PCI standards scale based on your size and how you handle card payments.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant.

This applies whether you:

  • Run card payments through a terminal
  • Accept payments on your website
  • Take card numbers over the phone
  • Store customer card information for recurring billing
  • Process only a handful of transactions per year

Your merchant level determines how extensive your compliance requirements are. For most small businesses reading this, you’re likely a Level 4 merchant — processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. This is good news because Level 4 merchants have the simplest compliance path.

Your payment processor expects you to:
1. Complete an annual Self-Assessment Questionnaire (SAQ) — a form confirming you follow required security practices
2. If applicable, pass quarterly network security scans
3. Submit an Attestation of Compliance (AOC) — basically your signature saying the information in your SAQ is accurate

That compliance questionnaire they sent you? It’s their way of saying “it’s time to complete your annual PCI assessment.” They need this documentation to prove to the card brands that their merchants are protecting cardholder data.

Which SAQ Do You Need?

The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept payments. Think of it like tax forms — different situations require different forms. Here’s how to determine which one applies to you:

How you accept payments, the SAQ type it maps to, the number of questions, and the relative complexity:

  • Payment terminal only (Square, Clover, standalone): SAQ B or B-IP, 41 or 82 questions, simple
  • E-commerce with hosted checkout (Stripe, PayPal, Shopify): SAQ A, 22 questions, simplest
  • E-commerce with payment form on your site: SAQ A-EP, 191 questions, moderate
  • Phone/mail orders only: SAQ C-VT, 80 questions, moderate
  • Multiple channels or store card data: SAQ D, 329 questions, complex

Let’s break down the most common scenarios:

If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’ll likely complete SAQ B (for dial-up terminals) or SAQ B-IP (for internet-connected terminals). These are straightforward — mostly asking about physical security of the device and whether you follow basic practices like not writing down card numbers.

If you have an e-commerce site using a hosted payment page — where customers get redirected to PayPal, Stripe Checkout, or your shopping cart’s payment processor — you’ll complete SAQ A. This is the simplest form with only 22 questions because you never actually touch the card data.

If you take payments over the phone, you’ll need SAQ C-VT. This requires a bit more because you’re hearing and entering card numbers, even if you don’t store them.

If you store card numbers in any form — whether in a spreadsheet, your accounting software, or a customer database — you’re looking at SAQ D. This is the full assessment with 329 questions. If this is you, seriously consider whether you need to store those card numbers. Moving to tokenization or recurring billing through your processor can often eliminate this requirement.

Not sure which applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.

How to Complete Your SAQ

Once you know which SAQ applies, completing it is more straightforward than you might expect. The questionnaire consists of yes/no questions about your security practices. Here’s what the process looks like:

What ‘Yes’ Really Means
When you answer “yes” to a question like “Are payment terminals physically secured?”, you’re confirming you actually do this. It doesn’t mean you have Fort Knox-level security — it means you follow the basic practice described. For example, “physically secured” might mean your terminal sits on a counter where employees can see it, not locked in a vault.

Documentation You’ll Need
Gather these before you start:

  • List of all payment terminals or software you use
  • Your network/WiFi setup if using IP-connected devices
  • Any written procedures for handling card payments
  • Contact information for your IT support (if applicable)

The Quarterly ASV Scan
If you’re doing any SAQ type except B, you’ll need quarterly vulnerability scans performed by an Approved Scanning Vendor (ASV). Don’t let the technical name scare you — this is an automated scan that checks your payment website or network for security vulnerabilities. It typically takes 15-30 minutes to set up and runs automatically. Think of it like an antivirus scan but for your payment infrastructure.

Submitting Your Compliance Package
Once complete, you’ll submit:
1. Your completed SAQ
2. The Attestation of Compliance (AOC) — a cover page you sign
3. Evidence of passing ASV scans (if required)
4. Any additional documentation your processor requires

Most processors accept these through their online portal, though some still use email or paper forms.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you handle it yourself or use a compliance service:

Compliance Platform and Tools

  • Basic SAQ tools: $50-150/year
  • Full-service compliance platforms: $200-500/year
  • Enterprise solutions: $1,000+/year

Quarterly ASV Scanning

  • Typically $30-60 per scan ($120-240/year)
  • Often bundled with compliance platforms
  • Required for all SAQ types except B

If You Need a QSA
Most small merchants don’t need a Qualified Security Assessor (QSA). You’d only need one if you’re a Level 1 merchant (over 6 million transactions annually) or your acquirer specifically requires it. QSA assessments typically cost $10,000-50,000+ depending on complexity.

The Cost of NON-Compliance

  • Monthly non-compliance fees: $25-100 (common)
  • Data breach liability: $50-90 per compromised card
  • Forensic investigation costs: $10,000-100,000+
  • Loss of credit card acceptance privileges: priceless

For most small merchants, annual compliance costs less than a single month of non-compliance fees. It’s not just about avoiding fines — it’s about protecting your business from the devastating costs of a data breach.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done activity. Your acquirer expects you to maintain compliance throughout the year and re-certify annually. Here’s how to stay on track:

Annual Recertification
Mark your calendar — SAQs expire after 12 months. Your processor will send reminders, but don’t wait until the last minute. Set your own reminder 30 days before expiration.

Quarterly Requirements
If you need ASV scans, they’re due every 90 days. Missing even one quarter can invalidate your compliance status. Most ASV services can schedule these automatically.

What Triggers a New Assessment
Certain changes require immediate re-assessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or terminals
  • Beginning to store card data
  • Significant network or system changes

Tracking Your Compliance Status
Keep these records:

  • Current SAQ and AOC
  • All passing ASV scan reports
  • Documentation of any security updates or changes
  • Correspondence with your processor about compliance

PCICompliance.com’s compliance dashboard tracks all of this automatically, sending reminders for quarterly scans and annual recertification so nothing falls through the cracks.

FAQ

My processor says I’m non-compliant but I’ve never heard of PCI before. What do I do?

Don’t panic. Contact your processor to confirm exactly what they need — usually just a completed SAQ and AOC. Ask about any deadlines and whether they offer a compliance program. You can typically complete the requirements within a few days to stop any fees.

I only process a few transactions per month. Do I really need to do this?

Yes, PCI compliance applies to all merchants regardless of transaction volume. The good news is that with low volume, you’ll qualify for the simplest SAQ types and the process should take less than an hour annually.

What’s the difference between PCI compliance and being PCI certified?

Merchants achieve PCI compliance by completing their annual assessment. Only service providers and payment applications get “certified.” If someone offers to make you “PCI certified,” they likely mean helping you become compliant.

Can I just use PayPal or Square to avoid PCI compliance?

Using these services can significantly reduce your compliance burden, but doesn’t eliminate it entirely. You’ll still need to complete SAQ A or B, but these are the simplest forms available. The heavy lifting of securing card data shifts to your payment provider.

How do I know if I’m storing card data?

Check anywhere you might save customer information: accounting software, email, CRM systems, spreadsheets, even paper files. If you can see full card numbers (not just last 4 digits), you’re storing card data. This dramatically increases your compliance complexity.
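A practical way to answer this for files you control, added here as an example and not part of PCICompliance.com's tooling: the script below scans text for 13 to 19 digit runs that pass the Luhn check (which every real card number does), so order numbers and phone numbers are mostly filtered out, and it reports only the last four digits so the scan itself does not create another copy of card data. The file contents and the well-known test card numbers in it are constructed for this example.

```python
import re

# Constructed sample data standing in for a spreadsheet export and a CRM note.
# 4111... and 5500... are public test PANs, not real cards; the masked entry
# and the 13-digit order reference show what the scanner should NOT report.
SAMPLE_FILES = {
    "customers.csv": "id,name,card\n1,Ann,4111111111111111\n2,Bob,**** **** **** 4242\n",
    "notes.txt": "Order ref 1234567890123 ... call back; card 5500 0000 0000 0004\n",
}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked forms (stars plus last 4) of every Luhn-valid card-number-like run in text."""
    findings = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("*" * (len(digits) - 4) + digits[-4:])
    return findings


def scan_files(files: dict) -> dict:
    """Map each file name to its masked findings, omitting files with none."""
    results = {}
    for name, content in files.items():
        hits = find_pans(content)
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(hits)} possible full card number(s): {', '.join(hits)}")
```

Any file that shows up in the output is a place where full card numbers live, which is exactly what pushes a merchant from SAQ A or B toward SAQ D.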

What happens if I fail my ASV scan?

Failing initially is common — most merchants have at least one finding to fix. Your ASV provides a report showing what needs attention. Fix the issues (usually software updates or configuration changes) and request a rescan. You typically get unlimited rescans within the quarter.

Is PCI compliance the same as HTTPS for my website?

HTTPS is one component of PCI compliance for e-commerce sites, but not the whole picture. Think of HTTPS as locking your front door — important, but you also need to secure the windows, back door, and alarm system. PCI looks at all aspects of payment security.

Do I need to hire an IT consultant to help with compliance?

Most small merchants can handle SAQ A or B compliance themselves using online tools and guides. If you’re SAQ C-VT or D, or if technology isn’t your strong suit, a few hours of consultant time can save headaches and ensure you’re truly compliant.

Conclusion

PCI compliance might seem overwhelming when that first questionnaire arrives, but for most small businesses, it’s a manageable annual task. Identify which SAQ applies to your payment setup, answer the questions honestly, schedule your scans if required, and submit the paperwork. The entire process typically takes a few hours per year — a small investment to protect your business and customers.

Remember, PCI compliance isn’t about achieving perfect security. It’s about following proven practices that significantly reduce the risk of card data theft. Every business that accepts credit cards faces the same requirements, and millions of small merchants successfully maintain compliance every year.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team about which solution fits your business. You don’t have to figure this out alone — we’ve helped thousands of merchants just like you navigate PCI compliance without the confusion or complexity.
