Vagaro PCI Compliance

Vagaro PCI Compliance: A Small Business Owner’s Guide to Card Security

The Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and your heart sank, take a breath. For most small businesses accepting credit cards, PCI compliance is simpler than you think. You’re likely looking at a straightforward checklist that takes an hour or two to complete, not the complex security audit you might be imagining. This guide will walk you through exactly what you need to do, step by step, in plain English.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. Think of it as a security checklist that ensures businesses handle credit card information safely. If you accept credit cards in any form, these requirements apply to you.

The card brands created a central organization called the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) enforces PCI compliance as part of your merchant agreement. When they send you that compliance questionnaire, they’re essentially saying: “Show us you’re handling card data safely.”

Why It Matters

Non-compliance has real consequences:

  • Monthly fines from your processor (typically $25-$100/month for small merchants)
  • Liability for fraud losses if card data is compromised
  • Loss of card acceptance privileges in severe cases
  • Higher processing fees as processors view you as higher risk

But here’s the good news: most small businesses qualify for the simplest SAQ types (Self-Assessment Questionnaires) that focus on basic security practices you’re probably already following. You don’t need a security team or expensive consultants — just a clear understanding of what’s required.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes. This includes:

  • In-person card payments (terminals, mobile readers)
  • Online payments through your website
  • Phone orders where customers give you their card number
  • Mail order forms with credit card fields
  • Any volume at all, even if you only process one card per year

Your Merchant Level

Your processor assigns you a merchant level based on your annual transaction volume:

Level     Annual Visa Transactions   What It Means
Level 1   Over 6 million             Full annual assessment by QSA required
Level 2   1-6 million                Annual self-assessment + quarterly scans
Level 3   20,000-1 million           Annual self-assessment + quarterly scans
Level 4   Under 20,000               Annual self-assessment + quarterly scans

Most small businesses fall into Level 4, which means you complete your own assessment using an SAQ rather than hiring an external auditor.

What Your Processor Expects

When your payment processor sends that compliance questionnaire, they’re typically asking you to:

1. Complete the appropriate SAQ for your business
2. Run quarterly vulnerability scans if you process cards online
3. Submit an Attestation of Compliance (AOC) — basically your signature saying you’ve met the requirements
4. Maintain compliance year-round, not just at assessment time

Which SAQ Do You Need?

The most confusing part of PCI compliance is figuring out which SAQ applies to your business. There are different questionnaires based on how you accept and process cards. Here’s a plain-English guide:

How You Accept Cards                                                       Your SAQ Type   Complexity
Outsourced completely (PayPal, Square online)                              SAQ A           Simplest (22 questions)
E-commerce with hosted payment page (Stripe Checkout, Authorize.net SIM)   SAQ A-EP        Simple (139 questions)
Standalone terminal (no electronic storage)                                SAQ B           Simple (41 questions)
Standalone terminal with IP connection                                     SAQ B-IP        Simple (82 questions)
Phone orders only (no electronic storage)                                  SAQ C-VT        Moderate (160 questions)
Card data in your systems                                                  SAQ D           Complex (329 questions)

Real-World Examples

You’re likely SAQ A if:

  • Your website redirects to PayPal for payment
  • You use Stripe Checkout or similar hosted solution
  • You never see or touch the actual card numbers

You’re likely SAQ B or B-IP if:

  • You have a Square terminal at your counter
  • You use a Clover or similar standalone device
  • The terminal connects via phone line (B) or internet (B-IP)

You’re likely SAQ C-VT if:

  • You take orders over the phone
  • You type card numbers into a virtual terminal
  • You don’t store card numbers electronically

You’re SAQ D if:

  • You store card numbers in your database (please reconsider this)
  • Your e-commerce site processes cards directly
  • Card data touches your servers in any way

Not sure? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ applies — no guesswork needed.

How to Complete Your SAQ

Once you know which SAQ you need, completing it is straightforward:

1. Download or Access Your SAQ

Your processor may provide a portal, or you can get the official forms from the PCI Security Standards Council website. PCICompliance.com provides an interactive version that’s much easier to work with than PDFs.

2. Answer Yes/No Questions

Each SAQ contains yes/no questions about your security practices. For example:

  • “Do you change default passwords on payment systems?”
  • “Is your payment terminal in a secure location?”
  • “Do you have a firewall protecting your network?”

“Yes” means you have implemented that security control and can prove it if asked. If you answer “no” to any question, you’ll need to either implement that control or explain why it doesn’t apply to your environment.

3. Gather Documentation

While Level 4 merchants rarely need to submit documentation, you should have it ready:

  • Network diagram (even a simple one)
  • Policy documents (can be basic for small merchants)
  • ASV scan reports (if required for your SAQ type)
  • Evidence of security controls (screenshots, configs, receipts)

4. Complete Quarterly Scans (If Required)

If you process cards online (SAQ A-EP, C, or D), you need quarterly ASV scans. These automated scans check your internet-facing systems for vulnerabilities. Despite the technical name, they’re simple:

  • Sign up with an Approved Scanning Vendor
  • Enter your website/IP addresses
  • Run the scan (takes minutes)
  • Fix any critical issues found
  • Get your passing scan report

5. Submit Your Attestation

After completing your SAQ, you’ll fill out an Attestation of Compliance (AOC). This is your official declaration that you’ve met PCI requirements. Submit both your SAQ and AOC to your processor through their compliance portal.

What It Costs

Let’s be honest about the real costs of PCI compliance for small businesses:

Compliance Tools and Platforms

  • Basic SAQ tools: Free to $30/month
  • Comprehensive platforms (like PCICompliance.com): $20-100/month
  • PDF forms from PCI SSC: Free (but time-consuming)

Quarterly ASV Scanning

  • Per scan: $30-50
  • Annual packages: $100-200
  • Included with compliance platforms: Often bundled

Professional Help (If Needed)

  • QSA consultation: $150-500/hour (rarely needed for Level 4)
  • Full Level 1 assessment: $10,000-50,000 (only for largest merchants)
  • Compliance platform support: Usually included

The Cost of NON-Compliance

  • Monthly processor fines: $25-100 for Level 4 merchants
  • Breach liability: Can exceed $100,000 even for small merchants
  • Lost business: Reputational damage if customer data is compromised
  • Increased processing rates: Up to 0.5% higher for non-compliant merchants

Bottom line: Annual compliance for a small merchant typically costs less than two months of non-compliance fines. It’s an investment in keeping your ability to accept cards and protecting your customers.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an ongoing commitment that renews annually. Here’s how to stay on track:

Set Up Your Compliance Calendar

  • Annual: Complete and submit your SAQ
  • Quarterly: Run ASV scans (if required)
  • Monthly: Review any security reports or alerts
  • Ongoing: Maintain the security practices you’ve attested to

Know Your Triggers for Reassessment

You’ll need to complete a new SAQ if you:

  • Change how you accept payments
  • Add new payment channels
  • Switch payment processors
  • Upgrade or change your payment systems
  • Experience a security incident

Use Compliance Tracking Tools

Manual tracking with spreadsheets and calendar reminders works, but it’s easy to miss deadlines. PCICompliance.com’s compliance dashboard automatically:

  • Reminds you when assessments are due
  • Schedules your quarterly scans
  • Tracks your compliance history
  • Alerts you to requirement changes
  • Stores your documentation securely

FAQ

Q: What happens if I ignore PCI compliance?

Your payment processor will start with reminder notices, then monthly fines (typically $25-100 for small merchants). Eventually, they may increase your processing rates or terminate your merchant account entirely. If card data is compromised, you’re liable for fraud losses and forensic investigation costs.

Q: I only process a few cards per month. Do I still need to comply?

Yes, PCI requirements apply regardless of transaction volume. However, as a Level 4 merchant with minimal volume, you’ll qualify for the simplest SAQ types and your processor may be more flexible with deadlines.

Q: My payment processor says I need to be compliant but didn’t send an SAQ. What do I do?

Contact your processor’s compliance department and ask specifically which SAQ type they require. If they’re unsure, use PCICompliance.com’s SAQ Wizard to determine the correct type based on your payment methods, then confirm with your processor.

Q: Can I just answer “yes” to everything on the SAQ?

Technically yes, but this is fraudulent and leaves you fully liable if there’s a breach. The SAQ is a legal attestation — false statements can result in immediate termination of your merchant account and personal liability for any losses.

Q: How long does it take to complete an SAQ?

For simple SAQ types (A, B): 30 minutes to 2 hours. For moderate types (A-EP, C-VT): 2-4 hours. For SAQ D: Several days to weeks, depending on your environment. Most of the time is spent gathering information, not filling out the form itself.

Q: What’s the difference between PCI compliance and EMV?

EMV (chip cards) is about authenticating physical cards to prevent counterfeit fraud. PCI compliance covers all aspects of card data security — physical, network, and procedural. You need both: EMV terminals for in-person transactions and PCI compliance for overall security.

Q: Do I need to hire a QSA?

Level 4 merchants (under 20,000 transactions annually) complete self-assessments — no QSA required. Only Level 1 merchants must have an annual onsite assessment by a QSA. If you’re unsure about requirements, a QSA consultation might help, but it’s not mandatory.

Q: My website is “secure” with an SSL certificate. Am I compliant?

SSL/TLS encryption is just one requirement among many. Depending on your SAQ type, you may also need firewalls, access controls, security policies, and regular scanning. An SSL certificate is necessary but not sufficient for PCI compliance.

Conclusion

PCI compliance might seem overwhelming when that first questionnaire arrives from your processor, but for most small businesses, it’s a manageable process that protects both you and your customers. The key is identifying which SAQ applies to your specific situation and methodically working through the requirements.

Remember, the goal isn’t to build Fort Knox — it’s to implement reasonable security measures appropriate for how you handle card payments. For many merchants, that means completing a simple questionnaire annually and running quarterly scans if you process online.

PCICompliance.com simplifies this entire process with our free SAQ Wizard that identifies exactly which questionnaire you need, automated ASV scanning service for your quarterly vulnerability scans, and a compliance dashboard that tracks your progress year-round. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and guidance to keep you compliant without the complexity. Start with our free SAQ Wizard to identify your requirements in minutes, or reach out to our compliance team for personalized guidance on your path to PCI compliance.
