Terraform for PCI Compliance
What You Actually Need to Know About PCI Compliance
You just received a PCI compliance questionnaire from your payment processor, and you’re staring at a wall of acronyms and technical jargon. Take a deep breath — for most small businesses, PCI compliance is much simpler than it first appears. If you’re using modern payment tools like Square, Stripe, or PayPal, you’re likely already doing 90% of what’s required. This guide will help you understand what PCI DSS actually means for your business and how to complete that questionnaire without hiring a team of consultants.
Think of PCI compliance like getting a driver’s license — it sounds intimidating until you realize millions of businesses just like yours do it every year. The questionnaire your processor sent isn’t trying to trick you; it’s just making sure you’re handling credit card data safely. For most small merchants, this means answering a simple yes/no questionnaire once a year and running a security scan every quarter.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. If you accept any of these cards, you need to follow these rules. The card brands created the PCI Security Standards Council to manage the standard, but it’s your payment processor or acquiring bank that actually enforces it.
Here’s what matters: PCI DSS exists to protect credit card numbers (the PAN or Primary Account Number) and related data. Every business that accepts, processes, stores, or transmits card data needs to prove they’re protecting it properly. That proof comes in the form of a questionnaire called an SAQ (Self-Assessment Questionnaire) and an AOC (Attestation of Compliance).
The consequences of non-compliance are real but manageable. Your payment processor can fine you (typically $5,000 to $100,000 depending on your size), you could be liable for fraud losses if there’s a breach, and in extreme cases, you could lose the ability to accept credit cards. But here’s the good news — compliance isn’t complicated for most businesses, and the cost of compliance is far less than even the smallest non-compliance fine.
Your payment processor sent you that questionnaire because they’re required to verify all their merchants are compliant. They’re not trying to catch you doing something wrong; they just need documentation that you’re protecting card data properly. Think of it like insurance paperwork — a bit tedious, but necessary to keep your business protected.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you process one transaction or one million, if you’re a tiny Etsy shop or a growing restaurant chain. The moment a customer’s card number touches your business in any way, PCI DSS applies to you.
Most small businesses are Level 4 merchants — those processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. This is good news because Level 4 merchants have the simplest compliance requirements. You complete a self-assessment questionnaire, maybe run some security scans, and submit your compliance documentation once a year.
Your payment processor expects three things from you:
- Complete the right SAQ for your business type
- Pass quarterly security scans (if required for your SAQ type)
- Submit your compliance documentation annually
That compliance questionnaire they sent is your annual reminder to complete these steps. Some processors bundle it with other paperwork, others send a separate PCI compliance notice. Either way, it’s not optional — ignoring it usually results in monthly non-compliance fees ($25-$100) until you complete it.
Which SAQ Do You Need?
The biggest source of confusion in PCI compliance is figuring out which questionnaire applies to your business. There are different SAQ types based on how you accept payments, and choosing the wrong one makes everything harder than it needs to be. Here’s how to determine which one you need:
| How You Accept Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Outsource everything (PayPal, Stripe Checkout) | SAQ A | 22 | Easiest |
| E-commerce with payment form on your site | SAQ A-EP | 191 | Moderate |
| Standalone terminals only | SAQ B | 41 | Easy |
| Terminals connected to internet | SAQ B-IP | 93 | Easy-Moderate |
| Phone/mail orders only | SAQ C-VT | 85 | Moderate |
| Paper forms (please stop!) | SAQ C | 160 | Complex |
| Store card numbers | SAQ D | 329 | Very Complex |
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B (if it’s standalone) or SAQ B-IP (if it connects to the internet). These are straightforward — mostly asking about physical security of the terminal and whether you keep paper receipts locked up.
If you have an e-commerce site using hosted checkout pages (where customers get redirected to PayPal, Stripe, or similar), you qualify for SAQ A — the shortest and simplest questionnaire with just 22 yes/no questions. This is the holy grail of PCI compliance.
If you take payments over the phone, you’ll need SAQ C-VT. This assumes you’re entering card numbers into a virtual terminal provided by your processor, not storing them anywhere.
If you store card numbers in any form — spreadsheets, customer database, even post-it notes — you’re stuck with SAQ D, the full questionnaire. This is where PCI compliance gets expensive and complex. The good news? There’s almost never a good business reason to store card data anymore.
PCICompliance.com offers a free SAQ Wizard that asks you a few simple questions about your payment setup and tells you exactly which SAQ type applies. It takes less than five minutes and removes all the guesswork.
How to Complete Your SAQ
Once you know which SAQ you need, completing it is straightforward. Each SAQ is a series of yes/no questions about your security practices. Here’s what “yes” actually means:
- “Yes, we do this” — You have this security control in place and can prove it
- “No” — You don’t do this, and you’ll need to either implement it or explain why it doesn’t apply
- “N/A” — This requirement doesn’t apply to your business setup
For SAQ A, you’ll answer questions like “Do you review and verify that your payment page redirects to a compliant service provider?” The answer is usually yes if you’re using a major payment provider, and you can prove it by showing your integration uses their hosted checkout.
Documentation you’ll need varies by SAQ type but typically includes:
- Your network diagram (for SAQ A, this might just be “Customer → Our Website → Stripe”)
- Contracts with your payment providers
- Any security policies you’ve written
- Screenshots of your payment pages
- Results from your quarterly ASV scans
Speaking of ASV scans — if your SAQ requires them (most do except SAQ A), you’ll need to run external vulnerability scans every quarter. An Approved Scanning Vendor (ASV) runs automated tests against your website or payment systems looking for security holes. It’s like a safety inspection for your car — mostly automated, usually passes without issues, and required to stay on the road.
Once everything is complete, you’ll sign an Attestation of Compliance (AOC) — basically a form saying “yes, we completed the SAQ and everything we said is true.” Submit this along with your SAQ and scan results to your payment processor, and you’re done for the year.
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and whether you do it yourself or need help:
DIY Approach:
- SAQ platform/tools: $100-300/year
- Quarterly ASV scanning: $200-400/year
- Total: $300-700/year for most small merchants
With Help:
- Compliance platform with support: $500-1,500/year
- Includes ASV scanning, questionnaire help, and remediation guidance
- QSA (Qualified Security Assessor) consultation (if needed): $1,500-5,000
The Cost of NON-Compliance:
- Monthly non-compliance fees: $25-100
- Initial fine from processor: $5,000-100,000
- Breach-related costs: $50-250 per compromised card
- Loss of ability to accept cards: priceless (and business-ending)
For most Level 4 merchants, annual compliance costs less than what you’d pay in non-compliance fees over just one year. It’s also far less than even the smallest breach-related fine. Think of it as business insurance that actually prevents problems rather than just paying for them afterward.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity — it’s an annual requirement with quarterly checkpoints. Here’s how to stay on track without it becoming a full-time job:
Set up these reminders:
- Annual SAQ due date (usually 30-60 days before your processor’s deadline)
- Quarterly ASV scan windows (every 90 days)
- Security update reviews (monthly for e-commerce sites)
- Employee training refreshers (annually for anyone handling payments)
What triggers a new assessment:
- Changing payment processors or methods
- Adding new payment channels (like starting e-commerce)
- Major website or infrastructure changes
- Moving from outsourced to in-house payment processing
PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and stores your documentation in one place. When your processor asks for last year’s AOC or your most recent scan results, everything is right where you need it.
The key is building simple habits — like reviewing who has access to your payment systems monthly or ensuring new employees understand basic card data security. These small, consistent actions prevent the panic scramble when your annual questionnaire arrives.
FAQ
Q: What happens if I just ignore the PCI compliance questionnaire?
Most payment processors start charging monthly non-compliance fees ($25-100) after 30-60 days. Eventually, they may suspend your ability to process cards or increase your processing rates. Ignoring it doesn’t make it go away — it just makes it more expensive.
Q: I only process a few transactions a month. Do I really need to comply?
Yes, transaction volume doesn’t exempt you from PCI requirements. However, low volume means you’re likely eligible for the simplest SAQ types. The good news is compliance takes less time than fighting non-compliance fees.
Q: Can I just say “yes” to all the questions to pass?
The SAQ is a legal attestation — lying on it is fraud. Plus, if there’s ever a breach, investigators will check if your actual practices matched your SAQ answers. Be honest; if you can’t answer “yes,” the requirement probably suggests a simple security improvement worth making anyway.
Q: What’s the difference between PCI compliance and being “PCI certified”?
There’s no such thing as “PCI certification” for merchants — you’re either compliant or non-compliant. Only service providers get formally certified. Merchants demonstrate compliance by completing their SAQ and meeting all requirements for their level.
Q: Do I need to hire a QSA to help with compliance?
Most Level 4 merchants don’t need a QSA — the self-assessment process is designed for you to complete independently. You might need QSA help if you’re SAQ D, having trouble with remediation, or if your acquirer specifically requires it. Start with the SAQ yourself; you can always get help later if needed.
Q: How long does the SAQ take to complete?
SAQ A takes most merchants 30-60 minutes. SAQ B might take 2-3 hours including gathering documentation. The more complex SAQs (C-VT, D) can take days or weeks, especially if you need to implement missing controls. The time investment is worth avoiding non-compliance fees.
Q: What if I fail my ASV scan?
Any vulnerabilities that caused the failure need to be fixed and the scan re-run until you pass. Most failures are common issues like outdated SSL certificates or missing security patches. Your ASV provides a report explaining what failed and how to fix it. You typically have 30 days to remediate and achieve a passing scan.
Q: I use Square for everything. What’s my SAQ type?
If you use Square’s standalone reader or terminal and don’t integrate it with any other systems, you’re likely SAQ B. If the Square device connects to the internet or integrates with your POS system, you might be SAQ B-IP. The Square website checkout option could qualify you for SAQ A.
Making PCI Compliance Work for Your Business
PCI compliance sounds overwhelming, but for most small businesses, it’s simpler than doing your taxes. If you’re using modern payment tools and following basic security practices, you’re already doing most of what’s required. The questionnaire is just documenting those practices.
Start by identifying your SAQ type — this single step eliminates 90% of the confusion. Use PCICompliance.com’s free SAQ Wizard to get an instant answer based on your actual payment setup. Once you know whether you’re SAQ A, B, or something else, the path forward becomes clear.
Remember, your payment processor wants you to succeed at this. They’re not trying to catch you out; they just need documentation that card data is protected. Complete your SAQ honestly, fix any gaps it reveals, run your quarterly scans, and submit your paperwork on time. That’s really all there is to it.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You can start with the free SAQ Wizard right now, or talk to our compliance team if you need guidance. Either way, you’ll have your compliance sorted in less time than it took to read this guide.