Ubuntu Server PCI Compliance
Bottom Line Up Front
If you just received a PCI compliance questionnaire and you’re feeling overwhelmed, take a deep breath. For most small businesses, PCI compliance is far simpler than it first appears. Yes, you need to be compliant if you accept credit cards — but no, you probably don’t need to hire an army of consultants or completely overhaul your business. This guide will walk you through exactly what you need to do, in plain English, without the jargon that makes compliance sound scarier than it is.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major credit card brands — Visa, Mastercard, American Express, Discover, and JCB. These companies formed the PCI Security Standards Council to develop and maintain these standards. Think of it as a security checklist designed to protect credit card information from theft and fraud.
Here’s the crucial part: if your business accepts, processes, stores, or transmits credit card information in any way, you must comply with PCI DSS. This applies whether you’re a corner coffee shop with a single payment terminal or an online retailer processing thousands of transactions daily.
Your acquirer (the bank or payment processor that handles your credit card transactions) enforces these requirements. They’re the ones who sent you that compliance questionnaire, and they’re required by the card brands to ensure all their merchants maintain compliance.
The consequences of non-compliance are real but manageable. Your payment processor can impose fines ranging from $5,000 to $100,000 per month for non-compliance. If a data breach occurs and you weren’t compliant, you could face liability for fraud losses and remediation costs. In extreme cases, you could lose the ability to accept credit cards entirely. But here’s the good news: for most small businesses, achieving compliance is straightforward and affordable — often requiring just a few hours of work annually.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit or debit cards in any form, yes, you need to be PCI compliant. This includes:
- Physical card readers or terminals in your store
- Online payments on your website
- Mobile card readers attached to phones or tablets
- Phone orders where customers give you their card number
- Mail order forms with credit card fields
Most small businesses fall into Merchant Level 4, which means you process fewer than 20,000 e-commerce transactions or up to 1 million total Visa transactions annually. This is good news — Level 4 merchants have the simplest compliance requirements, typically completing a self-assessment questionnaire (SAQ) rather than hiring an external assessor.
Your payment processor expects you to:
1. Complete the appropriate SAQ annually
2. Perform quarterly Approved Scanning Vendor (ASV) scans if you have any internet-facing systems
3. Submit your Attestation of Compliance (AOC) to confirm you’ve met the requirements
4. Maintain compliance throughout the year, not just at assessment time
That compliance questionnaire they sent? It’s your annual reminder to complete these requirements. Think of it like renewing your business license — a necessary step to keep operating legally.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you handle card payments. Here’s how to determine which one applies to your business:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity Level |
|---|---|---|---|
| Fully outsourced (PayPal, Square standalone) | SAQ A | 22 | Simple |
| E-commerce with hosted payment page (Stripe Checkout, Shopify) | SAQ A-EP | 191 | Moderate |
| Standalone terminals only, no electronic storage | SAQ B | 41 | Simple |
| Standalone terminals with IP connection | SAQ B-IP | 91 | Moderate |
| Payment terminal connected to your systems | SAQ C | 160 | Complex |
| Call center or virtual terminal only | SAQ C-VT | 85 | Moderate |
| Any electronic storage of card numbers | SAQ D | 329 | Very Complex |
If you use payment terminals like Square, Clover, or traditional credit card machines that aren’t connected to your other business systems, you’ll likely complete SAQ B (for dial-up terminals) or SAQ B-IP (for internet-connected terminals).
If you have an e-commerce site using Shopify Payments, WooCommerce with Stripe Checkout, or similar hosted payment solutions where customers are redirected to pay, you’ll likely complete SAQ A or SAQ A-EP.
If you take payments over the phone using a virtual terminal from your payment processor, you’ll complete SAQ C-VT.
If you store credit card numbers in any electronic format — in spreadsheets, databases, or even email — you’ll need to complete SAQ D, the most comprehensive questionnaire. Consider this a strong hint to stop storing card numbers and investigate tokenization instead.
Not sure which applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which SAQ you need — no guesswork required.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your security practices. Don’t let the technical-sounding questions intimidate you — most are asking about basic security measures you probably already have in place.
When you answer “yes” to a question, it means you’ve implemented that security control. For example:
- “Do you change default passwords?” — Yes means you’ve changed the password on your payment terminal from ‘1234’ to something secure
- “Is antivirus software installed?” — Yes means you have current antivirus on any computer that handles payments
- “Do you restrict access to cardholder data?” — Yes means only authorized employees can process payments
You’ll need to gather some basic documentation:
- Network diagram (can be a simple sketch showing your payment terminal and how it connects to the internet)
- List of payment systems (terminals, software, websites that handle payments)
- Security policies (even informal ones — how you train staff, who has access to payment systems)
If your SAQ type requires it, you’ll also need to complete quarterly ASV scans. An Approved Scanning Vendor runs automated security scans against your internet-facing systems (such as your website) to check for known vulnerabilities. These scans typically take 30-60 minutes to complete and cost $50-150 per quarter. Schedule your first scan as soon as you identify your SAQ type — you’ll need four passing quarterly scans for full compliance, so a failed scan needs to be fixed and rescanned before the quarter ends.
Once you’ve answered all questions and completed any required scans, you’ll sign the Attestation of Compliance (AOC). This is your formal declaration that you’ve met all applicable requirements. Submit this to your payment processor by their deadline, and you’re done — until next year.
What It Costs
PCI compliance costs vary based on your SAQ type and business setup, but for most small merchants, it’s quite affordable:
Compliance platforms and tools: $100-500 annually for SAQ completion software, guidance, and tracking. Many payment processors include basic tools with your merchant account.
Quarterly ASV scanning: $200-600 annually ($50-150 per quarterly scan). Required for most merchants with any internet presence.
Expert assistance: If you need help completing your SAQ, consultants typically charge $500-2,000 for Level 4 merchants. Most small businesses can complete their SAQ without assistance.
QSA assessment: Only required for Level 1-3 merchants. If you’re processing millions of transactions annually, budget $15,000-50,000 for a formal assessment.
Compare these costs to non-compliance:
- Monthly fines from your processor: $5,000-100,000
- Breach liability: Average small business breach costs exceed $150,000
- Lost business: Customers don’t trust businesses that mishandle their card data
For most small merchants, annual compliance costs less than a single month’s non-compliance fine. Think of it as security insurance — a small investment that protects against massive potential losses.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox — it’s an ongoing responsibility. Your business must maintain compliance every day, not just during assessment time.
Set these reminders:
- Annual: Complete your SAQ 30 days before your processor’s deadline
- Quarterly: Schedule ASV scans if required (every 90 days)
- Monthly: Review who has access to payment systems
- Ongoing: Update your assessment if you change payment methods
Common changes that trigger a new assessment:
- Adding e-commerce to your brick-and-mortar store
- Switching payment processors or terminals
- Starting to accept phone orders
- Implementing new payment software
PCICompliance.com’s compliance dashboard tracks all these deadlines automatically. You’ll receive reminders before each milestone, see your compliance status at a glance, and maintain an audit trail of all your compliance activities. No more scrambling when your processor asks for documentation.
FAQ
Q: I only process a few cards per month. Do I still need to comply?
A: Yes, PCI compliance applies to any business that accepts credit cards, regardless of volume. The good news is that low-volume merchants typically qualify for the simplest SAQ types.
Q: What happens if I don’t complete my compliance requirements?
A: Your payment processor can impose monthly fines starting at $5,000, and you’ll face full liability for any fraud or breach-related costs. Some processors will eventually terminate your ability to accept cards.
Q: Can I just say “yes” to all the questions to pass?
A: Falsely attesting to compliance is fraud and makes you fully liable for any breach-related costs. Answer honestly — if you can’t answer “yes” to something, fix the issue first or work with your processor on a remediation plan.
Q: Do I need to hire a QSA?
A: Most small businesses (Level 4 merchants) complete self-assessments without a QSA. You only need a QSA if you’re a Level 1-3 merchant or if your acquirer specifically requires it.
Q: How long does the SAQ take to complete?
A: SAQ A takes most merchants 1-2 hours. SAQ B and B-IP typically require 2-4 hours. More complex SAQs like C and D can take several days, especially the first time.
Q: What’s the difference between PCI compliance and other security standards?
A: PCI DSS specifically protects payment card data. Other standards like HIPAA (healthcare) or SOX (financial reporting) cover different types of sensitive information and have different requirements.
Q: Can I use the same SAQ for multiple locations?
A: If all locations use identical payment processes and security controls, you can complete one SAQ. If locations differ in how they accept payments, you may need separate assessments.
Q: My payment processor says I’m compliant — am I done?
A: Your processor’s “compliant” status means you’ve submitted required documentation. You still need to maintain those security controls daily and re-attest annually to remain compliant.
Conclusion
PCI compliance might seem daunting when you first receive that questionnaire, but for most small businesses, it’s a manageable process that protects both you and your customers. The key is understanding which requirements actually apply to your business — chances are, it’s simpler than you think.
Start by identifying your SAQ type based on how you accept payments. Complete the questionnaire honestly, schedule any required scans, and submit your attestation. Then maintain those security practices throughout the year. That’s really all there is to it.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You’ll never miss a deadline or wonder about your compliance status again. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team if you need guidance. We’ve helped thousands of merchants navigate PCI compliance, and we’re here to help you protect your business and your customers’ payment data.