Tennessee PCI Compliance

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and your stomach dropped — take a breath. For most small businesses in Tennessee, PCI compliance is far simpler than it sounds. If you use a modern payment terminal or a hosted online checkout, you likely qualify for one of the simplest self-assessment questionnaires, and you can complete the whole thing in an afternoon.

Here’s the short version of Tennessee PCI compliance: you accept credit cards, so you need to validate that you handle that card data safely. You’ll fill out a Self-Assessment Questionnaire (SAQ), possibly run a quarterly network scan, and submit a short attestation to your processor. That’s it for the majority of small merchants. This guide walks you through every step in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security rules designed to protect credit card data anywhere it’s stored, processed, or transmitted. If you accept card payments — in person, online, or over the phone — it applies to you.

The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) through a group called the PCI Security Standards Council (PCI SSC). The Council writes and maintains the rules, but it doesn’t enforce them directly. Enforcement flows down through your acquirer (also called your acquiring bank or payment processor). That’s why the questionnaire came from them — they’re contractually required to make sure their merchants comply.

So what happens if you ignore it? A few things, none of them good:

  • Non-compliance fines charged by your processor, often as monthly fees until you validate.
  • Breach liability — if card data is stolen and you weren’t compliant, you can be on the hook for forensic investigation costs, card reissuance, and penalties.
  • Loss of card processing — in serious cases, your ability to accept cards can be revoked.

Now the genuinely good news: most small businesses qualify for the simplest SAQ types. The scary-sounding 12 requirements and full audits apply mostly to large enterprises that store card data themselves. If you’ve outsourced the heavy lifting to a payment provider — which most of you have — your obligations shrink dramatically.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes. There’s no minimum transaction volume that exempts you. A coffee shop that runs ten cards a day has the same baseline obligation as a national chain — the complexity differs, but the requirement to validate does not.

Understanding Your Merchant Level

The card brands assign every merchant a level (1 through 4) based on annual transaction volume and risk. Most small and mid-size Tennessee businesses fall into Level 4 — the smallest tier — which means you validate compliance by completing an SAQ yourself rather than hiring an auditor.

  Merchant Level   Who It Generally Applies To   How You Validate
  Level 1          Highest-volume merchants      Formal ROC by a QSA or ISA
  Levels 2–3       Mid-volume merchants          SAQ or ROC, varies by brand
  Level 4          Most small businesses         Self-Assessment Questionnaire (SAQ)

Confirm your exact level with your acquirer — thresholds are set by the individual card brands and can change. Don’t assume; ask.

The Questionnaire They Sent You

The compliance questionnaire your processor sent is their way of collecting your SAQ and Attestation of Compliance (AOC). They’re not trying to trip you up — they need this on file to stay compliant themselves. Think of it as the paperwork that proves you’re handling cards responsibly.

Which SAQ Do You Need?

The SAQ is a checklist tailored to how you accept payments. Picking the right one is the single most important decision you’ll make, because it determines how many questions you answer. Here’s the plain-language decision tree:

  • You use a payment terminal (Square, Clover, a countertop card reader) → likely SAQ B (standalone dial-out) or SAQ B-IP (internet-connected terminal).
  • You have an e-commerce site with a fully hosted checkout (Shopify Payments, Stripe Checkout, a PayPal redirect) where customers leave your site to pay → likely SAQ A.
  • Your website partially controls the payment page (an iframe or direct-post integration like Stripe Elements) → likely SAQ A-EP.
  • You take card payments over the phone using a web-based virtual terminal → likely SAQ C-VT.
  • You store card numbers anywhere (a spreadsheet, a notebook, a CRM field) → SAQ D, and please stop storing them.

  Payment Scenario                              Likely SAQ   Complexity
  Fully hosted/redirect online checkout         A            Lowest
  Website with embedded payment fields          A-EP         Moderate
  Standalone dial-out terminal                  B            Low
  Internet-connected standalone terminal        B-IP         Low–Moderate
  Virtual terminal (phone orders)               C-VT         Moderate
  Payment systems connected to the internet     C            Moderate–High
  Any electronic storage of card data           D            Highest

If your eyes are glazing over, this is exactly what our free SAQ Wizard is for. Answer a few simple questions about how you accept payments and it tells you precisely which SAQ applies — no guessing.

One critical note that runs through every SAQ: Sensitive Authentication Data (SAD) — the full magnetic stripe, the CVV/CVC code, and PINs — must never be stored after a transaction is authorized. Not in a file, not in a note. This is non-negotiable across all merchant types.

How to Complete Your SAQ

An SAQ is a document of yes/no questions grouped under the relevant PCI requirements. The simplest types (like SAQ A) contain a modest set of questions; SAQ D is far longer. For a typical Level 4 merchant on SAQ A or B, completion takes anywhere from an afternoon to a day or two.

When a question asks something like “Is multi-factor authentication used for remote access?”, a “yes” means the control is actually in place — not that you intend to set it up later. If you can’t honestly answer yes, that’s a gap to remediate before you attest.

Documentation You’ll Likely Gather

  • A simple network diagram showing how card data flows (even a hand-drawn sketch helps).
  • A list of any service providers that touch card data (your gateway, processor, hosting).
  • Your information security policy — yes, even small merchants need a basic written one.
  • Evidence of controls like MFA, audit logging, and patching if your SAQ type requires them.

The Quarterly ASV Scan

If your environment has any external-facing systems — an internet-connected terminal or a website that handles payments — you’ll likely need a quarterly ASV scan. An Approved Scanning Vendor (ASV) runs an automated external vulnerability scan against your public-facing IP addresses and produces a pass/fail report.

This catches things like outdated software and open ports. You’ll need a passing scan to validate, and it must be repeated every quarter. Our ASV scanning service handles this for you on schedule, so you’re not scrambling when the questionnaire comes due. Note: a fully hosted SAQ A merchant may not require a scan — your SAQ type tells you.

Submitting Your SAQ and AOC

Once your SAQ is complete and accurate, you sign the AOC — the official statement attesting to your compliance — and submit both to your acquirer through whatever portal or email channel they specified. Keep copies for your records.

What It Costs

Let’s be honest about money, because that’s everyone’s real question.

  Item                             Typical Range                 Notes
  Compliance platform / SAQ tools  Low monthly or annual fee     Often bundled with scanning
  Quarterly ASV scanning           Modest per-quarter cost       Required for external-facing systems
  QSA assessment (ROC)             Significant                   Only for Level 1 or complex environments

For the average small Tennessee merchant on SAQ A or B, total annual compliance cost is genuinely modest — usually a small fraction of what a single non-compliance event would run.

Now weigh that against the cost of non-compliance: monthly fines from your processor, and far worse, breach liability that can include forensic investigation by a PCI Forensic Investigator (PFI), card reissuance costs, and the potential loss of your ability to accept cards. Annual compliance almost always costs less than a single breach fine. This is risk reduction, plain and simple.

Staying Compliant Year-Round

Here’s the part many merchants miss: PCI compliance is not a one-time event. You validate at least annually, and where required, you run quarterly ASV scans throughout the year. Validation is a point-in-time snapshot, but compliance itself is continuous — passing once doesn’t mean you’re done.

A few things should trigger you to revisit your status before the next annual deadline:

  • You switch payment providers or add a new way to accept cards.
  • You redesign your website’s checkout or change how the payment page works.
  • You start storing card data you didn’t before (which usually pushes you toward SAQ D — avoid this).
  • You experience a suspected security incident.

The easiest way to stay on track is to set reminders and centralize your documentation. Our compliance dashboard tracks your SAQ status, scan schedule, and renewal dates in one place, so nothing slips through the cracks and you’re never surprised by a deadline.

FAQ

I just got the questionnaire and I’m overwhelmed. Where do I start?

Start by identifying how you accept card payments — that determines your SAQ type. Our free SAQ Wizard does this for you in a few minutes, which removes the biggest source of confusion right at the start.

Do I really have to comply if I only run a few cards a month?

Yes. There’s no volume too small to be exempt — every business that accepts cards must validate compliance. The good news is that low-volume merchants almost always qualify for the simplest SAQ types.

What if I can’t honestly answer “yes” to a question?

That’s a gap you need to fix before you attest — never check “yes” for a control that isn’t actually in place. Identify what’s missing, remediate it, and then complete the SAQ; remediation guidance can walk you through specific fixes.

Is my Square or Clover terminal automatically compliant?

The device may use compliant technology, but you are still responsible for validating your own environment. Using a reputable terminal usually qualifies you for a simpler SAQ (B or B-IP), but you still must complete and submit it.

Do I need a quarterly scan?

Only if your environment includes external-facing systems, such as an internet-connected terminal or a payment-handling website. A fully hosted SAQ A e-commerce merchant often doesn’t — your SAQ type confirms whether scanning applies.

Can I just store card numbers to make repeat billing easier?

Please don’t. Storing card data pushes you into the far more demanding SAQ D and dramatically increases your risk and liability — use your payment provider’s tokenization or stored-credential features instead, which keep the sensitive data out of your hands.

What happens if I never complete it?

Your processor will typically charge monthly non-compliance fees and may eventually restrict your ability to accept cards. Worse, if a breach occurs while you’re non-compliant, your liability is significantly higher.

Does PCI compliance guarantee I won’t be breached?

No — and be wary of anyone who claims otherwise. PCI compliance meaningfully reduces your risk and demonstrates due diligence, but security is ongoing risk reduction, not an absolute guarantee.

Conclusion

PCI compliance has a fearsome reputation, but for the vast majority of Tennessee small businesses, it comes down to a manageable checklist: pick the right SAQ, answer it honestly, run a scan if required, and submit your attestation — then keep it current year-round. The complexity scales with how you handle card data, and the simpler your setup, the lighter your obligations.

You don’t have to navigate it alone. PCICompliance.com gives you everything you need to achieve and maintain compliance in one place — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress all year. As an end-to-end platform serving thousands of merchants and service providers — from single-location retailers to multi-site enterprises — we pair the right tools with real expert support.

Start with the free SAQ Wizard, or talk to our compliance team — and turn that intimidating questionnaire into a checked box.
