Thinkific PCI Compliance

You Just Got a PCI Compliance Notice — Don’t Panic

If you’re a small business owner who just received a PCI compliance questionnaire from your payment processor, take a deep breath. Yes, you need to complete it. No, it’s not as complicated as it looks. For most small businesses, achieving PCI compliance takes a few hours and some basic security practices you’re probably already following.

Here’s the bottom line: if you accept credit cards, you need to be PCI compliant. Your payment processor isn’t trying to make your life difficult — they’re required by the card brands to ensure everyone who handles card data follows basic security standards. The good news? Most small merchants qualify for the simplest compliance requirements, and we’ll show you exactly what you need to do.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. Think of it as a security checklist that anyone who accepts, processes, or stores credit card information must follow.

The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) enforces compliance. That’s why you received the questionnaire from them, not from Visa or Mastercard.

Why does this matter to you? Three reasons:

1. Fines: If you’re not compliant, your payment processor can charge monthly non-compliance fees (typically $25-100/month for small businesses)
2. Liability: If card data is compromised and you weren’t compliant, you could be liable for fraud losses and breach costs
3. Card acceptance: In extreme cases, you could lose the ability to accept credit cards

But here’s what your payment processor might not have mentioned: for most small businesses using modern payment systems, compliance is straightforward. If you’re using a reputable payment terminal or e-commerce platform, you’re already doing most of what’s required.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form — in person, online, over the phone, or even on paper order forms — yes, you need to be PCI compliant.

Your merchant level determines how you demonstrate compliance:

  • Level 4 (under 20,000 transactions/year): Complete a Self-Assessment Questionnaire (SAQ)
  • Level 3 (20,000-1 million transactions/year): Complete an SAQ
  • Level 2 (1-6 million transactions/year): Complete an SAQ, may need additional validation
  • Level 1 (over 6 million transactions/year): Requires an onsite assessment by a QSA

Most small businesses are Level 4 merchants, which means you can self-certify your compliance by completing the appropriate SAQ and having quarterly vulnerability scans if you have any internet-facing systems.

That questionnaire your payment processor sent? It’s asking you to complete your annual PCI compliance validation. They send it because the card brands require them to verify that all their merchants maintain compliance. Ignore it, and you’ll likely see non-compliance fees on your next statement.

Which SAQ Do You Need?

The most confusing part of PCI compliance for newcomers is figuring out which Self-Assessment Questionnaire applies to your business. There are different SAQ types based on how you accept and process payments. Here’s a plain-language guide:

| How You Accept Payments | Your SAQ Type | Questions | Complexity |
|---|---|---|---|
| Fully outsourced (PayPal only, Stripe Checkout) | SAQ A | 22 | Simple |
| E-commerce with direct post (payment form on your site) | SAQ A-EP | 191 | Moderate |
| Standalone terminals only (Square, Clover) | SAQ B | 41 | Simple |
| Terminals with IP connection | SAQ B-IP | 82 | Simple |
| Phone orders entered into virtual terminal | SAQ C-VT | 80 | Moderate |
| Any card data storage or complex processing | SAQ D | 329 | Complex |

Let’s break this down with real examples:

SAQ A: You use Shopify Payments, Stripe Checkout, or PayPal where customers are redirected to their hosted payment page. Your website never touches card data.

SAQ A-EP: Your website has a payment form, but when customers hit submit, the card data goes directly to your payment processor (like Stripe Elements or Authorize.net’s Accept.js).

SAQ B: You only accept cards using standalone terminals like Square readers or Clover devices that dial out over phone lines.

SAQ B-IP: Your payment terminals connect to the internet through your network (most modern terminals).

SAQ C-VT: You take orders over the phone and enter card numbers into a web-based virtual terminal.

SAQ D: You store card numbers in any form (even encrypted), have complex e-commerce setups, or don’t fit into the other categories.

Not sure which one fits? PCICompliance.com’s free SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Once you know your SAQ type, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices. Here’s what to expect:

The Process:

1. Download or access your SAQ (your processor may provide a link, or you can use PCICompliance.com’s guided process)
2. Answer each question honestly — “Yes” means you’re doing what’s asked, “No” means you’re not
3. For any “No” answers, you’ll need to either implement the control or explain why it doesn’t apply
4. Complete your Attestation of Compliance (AOC) — this is your official declaration that you’re compliant
5. Submit everything to your payment processor

Documentation You’ll Need:

  • Network diagram (can be simple for small businesses)
  • List of any third-party service providers who handle card data
  • Security policies (many templates available)
  • Evidence of quarterly vulnerability scans (if required)

The Vulnerability Scan Requirement:

If your SAQ type requires quarterly ASV scans, you’ll need to:

  • Hire an Approved Scanning Vendor (PCICompliance.com is an ASV)
  • Run external vulnerability scans of any internet-facing systems
  • Fix any failures and get a passing scan
  • Submit the scan attestation with your SAQ

Most SAQs take 2-4 hours to complete for first-timers, less once you’re familiar with the process.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your business size and complexity:

Compliance Platform Fees:

  • SAQ tools and guidance: $100-300/year for small merchants
  • Mid-size businesses: $500-2,000/year
  • Enterprise solutions: $5,000+/year

ASV Scanning (if required):

  • Quarterly scans: $200-500/year for simple networks
  • Complex environments: $1,000-5,000/year

Professional Services (if needed):

  • QSA consultation: $150-300/hour
  • Full ROC assessment: $15,000-50,000+ (only for Level 1 merchants)

The Cost of Non-Compliance:

  • Monthly non-compliance fees: $25-100/month
  • Breach fines: $5,000-100,000 depending on severity
  • Forensic investigation costs: $20,000+ if you’re breached
  • Lost business and reputation damage: incalculable

For most small merchants, annual compliance costs less than $500 — far less than a single month of breach-related costs. Think of it as security insurance that’s actually required.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done activity. Your compliance status expires annually, and you’ll need to:

Annual Requirements:

  • Complete your SAQ again (it gets easier each year)
  • Update your AOC
  • Submit to your payment processor before the deadline

Quarterly Requirements (if applicable):

  • ASV vulnerability scans
  • Review and fix any scan failures

Ongoing Practices:

  • Keep your payment systems updated
  • Train staff on card data security
  • Monitor for any changes that might affect your SAQ type
  • Document security incidents and responses

When to Reassess:

  • Adding new payment channels (like e-commerce to a retail store)
  • Changing payment processors or systems
  • Starting to store card data (please don’t)
  • Significant business growth that changes your merchant level

PCICompliance.com’s compliance dashboard tracks all these dates and requirements, sending reminders before deadlines and keeping your documentation organized.

FAQ

Q: What happens if I just ignore the compliance questionnaire?

Non-compliance fees will appear on your merchant statement, typically $25-100 monthly. Worse, if there’s a breach, you’ll be liable for fraud losses and investigation costs. Some processors eventually terminate non-compliant merchants.

Q: We only process a few transactions per month. Do we still need to comply?

Yes, PCI DSS applies to any business that accepts credit cards, regardless of volume. Even one transaction per year triggers the requirement.

Q: Can’t I just check “Yes” to everything on the SAQ?

The SAQ is a legal attestation. Falsely claiming compliance when you’re not is fraud and makes you fully liable for any breach costs. Answer honestly and fix what needs fixing.

Q: We use Square for everything. What’s our compliance requirement?

If you only use Square’s standalone terminals, you likely need SAQ B or B-IP. Square handles most security, but you still need to complete the questionnaire and ensure your devices and networks are secure.

Q: How do I know if I need vulnerability scanning?

Check your SAQ type requirements. Generally, if you have any systems connected to the internet that are involved in card processing, you need quarterly ASV scans. SAQ A and B usually don’t require scans.

Q: What’s the difference between PCI compliance and other security standards?

PCI DSS is specifically for credit card data protection and is required by contract with your payment processor. Other standards like SOC 2 or ISO 27001 are broader and usually voluntary.

Q: We take cards over the phone. Any special requirements?

You’ll likely need SAQ C-VT. Never write down card numbers, use a secure virtual terminal, and train staff on proper phone order procedures. Consider call recording policies carefully.

Q: How long do I need to keep compliance records?

Keep all compliance documentation for at least three years. This includes completed SAQs, scan reports, and any remediation evidence. Your processor may require longer retention.

Take the First Step Today

PCI compliance might seem overwhelming at first glance, but remember — thousands of small businesses just like yours achieve and maintain compliance every year. The key is understanding which requirements actually apply to your specific situation and tackling them systematically.

Start by identifying your SAQ type. That single piece of information will clarify 90% of your compliance journey. From there, it’s simply a matter of working through the questionnaire and implementing any missing security controls.

PCICompliance.com makes this entire process manageable. Our free SAQ Wizard takes the guesswork out of determining your questionnaire type. Our ASV scanning service handles your quarterly vulnerability scans with automatic scheduling and clear remediation guidance. And our compliance dashboard keeps track of all your deadlines, documents, and requirements in one place.

Don’t let PCI compliance become a source of stress or unexpected fees. Whether you’re completing your first SAQ or looking for a better way to manage ongoing compliance, we’re here to help. Start with our free SAQ Wizard to identify your requirements, or speak with our compliance team to create a complete compliance plan for your business. With the right guidance and tools, you’ll have your compliance sorted in no time — and can get back to running your business.
