Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and your stomach dropped — take a breath. For most small businesses, PCI compliance for Unbounce users (and PCI compliance generally) is far simpler than the intimidating paperwork makes it look. If you use a hosted landing page or checkout that hands the actual card entry off to a payment provider, you likely qualify for one of the simplest self-assessment questionnaires (SAQs) available.
Here’s the short version: PCI compliance exists to protect credit card data. You almost certainly need to do it if you accept cards. But “doing it” usually means filling out a yes/no questionnaire once a year, running a quarterly external vulnerability scan if your payment flow involves internet-facing systems, and signing an attestation. No QSA audit, no months of work. Let’s walk through exactly what you need.
What Is PCI Compliance (In Plain English)
PCI DSS — the Payment Card Industry Data Security Standard — is a set of security rules designed to protect cardholder data anywhere it’s stored, processed, or transmitted. If you accept Visa, Mastercard, American Express, Discover, or JCB in any form, the standard applies to your business.
The standard was created by the major card brands, who formed the PCI Security Standards Council (PCI SSC) to maintain it. The Council writes the rules, but it doesn’t enforce them directly. Enforcement flows through your acquiring bank (also called your acquirer) and your payment processor — the company that moves money from your customer’s card to your bank account.
That’s why the questionnaire came from them, not from some government agency. Your processor is contractually required to confirm that the merchants it serves are meeting PCI obligations.
What happens if you ignore it
PCI compliance isn’t optional, and non-compliance has real teeth:
- Monthly non-compliance fees charged by your processor until you validate.
- Liability if you suffer a breach — fines, forensic investigation costs, and card reissuance charges can be severe.
- Loss of card-acceptance privileges in serious cases, which can shut down a business that runs on card payments.
The good news bears repeating: most small businesses qualify for the simplest SAQ types, which means a short questionnaire and minimal technical lift.
Do You Need to Be PCI Compliant?
If you accept credit cards in any form — yes. In person, online, over the phone, through a landing page, or via invoice — it all counts. There’s no transaction volume too small to be exempt.
Your merchant level
The card brands assign every merchant a level (1 through 4) based on annual transaction volume and risk. Most small and mid-size businesses fall into Level 4, the category with the lightest validation requirements — typically a self-assessment rather than a formal audit.
Don’t guess at your level. Confirm it directly with your acquirer, since the thresholds are card-brand-specific and can change.
Why your processor sent the questionnaire
The questionnaire your processor sent is almost certainly a Self-Assessment Questionnaire (SAQ) plus a request for an Attestation of Compliance (AOC) — a signed statement confirming you meet the requirements. Your processor needs this on file to demonstrate that their merchant portfolio is compliant. Completing it is how you stay in good standing and avoid non-compliance fees.
Which SAQ Do You Need?
There isn’t one PCI questionnaire — there are several SAQ types, and the right one depends entirely on how you accept cards. Picking the correct SAQ is the single most important decision you’ll make, because it determines how many requirements actually apply to you.
Here’s the plain-language decision tree:
- You use a payment terminal (standalone card reader, dial-out or IP-connected) → likely SAQ B or SAQ B-IP.
- You have an e-commerce site or landing page with fully hosted checkout — the card is entered on your provider’s page, not yours (Shopify checkout, Stripe Checkout, a hosted payment page) → likely SAQ A.
- Your page stays involved in the payment flow — a direct-post form, or an iframe or redirect where your own page still controls part of how the card-entry fields are delivered → likely SAQ A-EP.
- You take card payments over the phone using a virtual terminal → likely SAQ C-VT.
- You store card numbers in a spreadsheet, CRM, or file (please stop) → SAQ D, the most demanding type.
| Payment Scenario | Likely SAQ | Complexity |
|---|---|---|
| Hosted checkout / landing page, card entered on provider’s page | A | Lowest |
| E-commerce where your page partly handles the payment | A-EP | Moderate |
| Standalone dial-out terminal, no electronic storage | B | Low |
| IP-connected standalone terminal | B-IP | Low–Moderate |
| Virtual terminal for phone/mail orders | C-VT | Moderate |
| Payment systems on the internet, no storage | C | Moderate–High |
| You store cardholder data electronically | D | Highest |
A note for Unbounce and landing-page users
If you build landing pages in Unbounce and embed a payment provider’s hosted checkout — meaning the customer is redirected to or sees an iframe served by Stripe, PayPal, or a similar processor — the card data never touches your own systems. That typically places you in SAQ A territory, the simplest path. If your landing page captures or transmits card details itself before passing them along, you move into SAQ A-EP, which carries more requirements.
Not sure which side of that line you’re on? That distinction matters enormously, and it’s exactly what our free SAQ Wizard is built to resolve — answer a few questions and we’ll tell you exactly which questionnaire you need.
How to Complete Your SAQ
The SAQ is a structured questionnaire with yes/no answers. Each question maps to a control from the 12 requirements of PCI DSS, grouped under six broad goals like building a secure network, protecting account data, and controlling access.
For the simplest SAQs, you may be answering a modest handful of questions; for SAQ D, it’s a long list. Either way, answering “yes” means you genuinely have that control in place — not that you intend to. If the honest answer is “no,” that’s a remediation item to fix before you attest.
Documentation you’ll gather
Depending on your SAQ, you may need:
- A basic network or data-flow diagram showing how card data moves.
- Your information security policy.
- Evidence of access controls — who can touch payment systems, and how (including multi-factor authentication where required).
- Confirmation that you’re not storing prohibited data such as full card verification codes (sensitive authentication data, or SAD, must never be stored after authorization).
The quarterly ASV scan
If your environment has any external-facing systems — basically, if you have a website involved in payments — the current standard requires a quarterly ASV scan. An Approved Scanning Vendor (ASV) runs an external vulnerability scan against your internet-facing assets and produces a pass/fail report.
This isn’t optional for the SAQ types that require it, and a “fail” means you fix the flagged issues and rescan until you pass. You can schedule recurring scans through an ASV like PCICompliance.com’s ASV scanning service so you never miss a quarter.
Submitting
Once your SAQ is complete and (if required) your ASV scan passes, you sign the AOC and submit both to your acquirer or processor — often through their compliance portal. That completes your validation for the period.
What It Costs
PCI compliance for a small merchant is usually a modest annual expense — and dramatically cheaper than the alternative.
| Item | What to Expect |
|---|---|
| Compliance platform / SAQ tools | Often bundled into a low monthly or annual subscription |
| Quarterly ASV scanning | Budgeted per year; affordable for small environments |
| QSA-led assessment (ROC) | Only for larger / Level 1 entities; a significant engagement |
| Non-compliance fees | Recurring monthly charges from your processor |
| Breach liability | Forensics, fines, and reissuance — potentially business-ending |
Most small merchants never need a QSA at all — self-assessment is the norm at Level 4. A QSA or ROC (Report on Compliance) typically comes into play only for high-volume Level 1 merchants or where an acquirer specifically requires it.
The honest bottom line: for a typical small business, a full year of compliance tooling and scanning costs less than a single processor non-compliance fine — and a tiny fraction of what a real breach would cost.
Staying Compliant Year-Round
Here’s the thing many merchants miss: PCI compliance is not a one-and-done task. Validation happens at least annually, with quarterly ASV scans in between for applicable environments. Your AOC reflects a point in time — staying compliant means maintaining those controls continuously.
A few practical habits keep you on track:
- Set reminders for your annual SAQ renewal and each quarterly scan.
- Re-assess when things change — a new payment provider, a redesigned checkout, a new landing page that handles cards, or moving from hosted to self-managed payment fields can all change your SAQ type.
- Keep your documentation current so next year’s assessment isn’t a scramble.
This is exactly where PCICompliance.com’s compliance dashboard earns its keep — it tracks your SAQ status, schedules your scans, surfaces what’s due, and keeps your evidence organized so you’re never caught off guard when your acquirer asks.
FAQ
I’m overwhelmed — is PCI compliance really this complicated?
For most small merchants using hosted checkout or simple terminals, no. The complexity you see online mostly applies to large enterprises and businesses that store card data. Identify the right SAQ first, and the scope usually shrinks to something very manageable.
What if I don’t store any card numbers?
That’s good news — not storing cardholder data is the single biggest way to reduce your scope. It often qualifies you for the simplest SAQ types and removes many of the toughest requirements. Just confirm your payment provider is handling the card data on their compliant systems.
Do I really need the quarterly scan?
You need an ASV scan if your SAQ type involves external-facing systems — generally, if a website is part of your payment flow. If you only use standalone dial-out terminals with no internet-connected payment systems, you may not. Your SAQ type tells you definitively.
What’s the difference between an SAQ and an AOC?
The SAQ is the questionnaire where you answer whether you meet each control. The AOC (Attestation of Compliance) is the signed summary confirming your results, which you submit to your acquirer. You typically complete both together.
Can my payment processor handle PCI compliance for me?
No — compliance is your responsibility as the merchant, even when you outsource card handling. A compliant provider reduces your burden, but you still must complete your own SAQ and AOC. Using compliant third parties does, however, shrink what you have to attest to.
What happens if I just ignore the questionnaire?
Your processor will typically start charging monthly non-compliance fees, and you’ll carry full liability if a breach occurs. In serious cases, you can lose the ability to accept cards. It’s far cheaper and less stressful to complete the SAQ.
How do I know if I’m SAQ A or SAQ A-EP?
It comes down to whether your own page touches the card data. Fully hosted checkout (card entered on the provider’s page) points to SAQ A; partial involvement like a customizable iframe or direct-post often means SAQ A-EP. Our SAQ Wizard resolves this in a few questions.
Is my business ever “permanently” compliant?
No — compliance is point-in-time and ongoing. You validate annually, scan quarterly where required, and re-assess when your payment setup changes. Think of it as continuous maintenance, not a finish line.
Conclusion
PCI compliance sounds far scarier than it usually is. Once you’ve identified the right SAQ, confirmed your merchant level with your acquirer, completed an honest yes/no questionnaire, scheduled any required scans, and signed your AOC, you’re validated — and for most small merchants that’s a light annual lift, not a months-long ordeal.
The key is starting with the right SAQ so you’re only answering the questions that actually apply to you. PCICompliance.com is an end-to-end PCI compliance platform serving thousands of merchants and service providers — from single-location retailers to multi-site enterprises — bringing the SAQ wizard, ASV scanning, remediation guidance, compliance tracking, and expert support together in one place.
Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard, or talk to our compliance team — and turn that intimidating questionnaire into a done-and-dusted checkbox.