Virginia PCI Compliance: A Business Owner’s Guide to Card Payment Security
If you just received a PCI compliance questionnaire from your payment processor and felt a wave of confusion (or panic), take a deep breath. Here’s the truth: for most Virginia businesses, PCI compliance is much simpler than it first appears. You don’t need a computer science degree or a team of security experts — you just need to understand what applies to your specific situation and follow a straightforward process. This guide will walk you through everything in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to any business that accepts credit card payments. Think of it as basic security hygiene for handling customer payment information — like health codes for restaurants, but for credit card data.
The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. While the Council writes the rules, your acquirer (the bank or payment processor that handles your card transactions) enforces them. That’s why they sent you that compliance questionnaire.
Why Should You Care?
Non-compliance can hurt your business in three ways:
- Monthly fines from your payment processor (typically $20-100 per month for small merchants)
- Liability for fraud losses if cardholder data is compromised
- Loss of card processing privileges in extreme cases
The good news? Most small businesses qualify for the simplest compliance options. If you use modern payment terminals or hosted checkout pages, you’re already doing most of what’s required.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. This includes:
- Physical card readers or terminals
- Online payments through your website
- Phone orders where customers read you their card number
- Mobile payments through apps or devices
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means you can self-assess using an SAQ (Self-Assessment Questionnaire) rather than hiring an expensive QSA for a full audit.
When your payment processor sends you that annual compliance questionnaire, they’re asking you to:
1. Complete the right SAQ for your business
2. Run quarterly vulnerability scans if you have e-commerce
3. Attest that you’re following the security standards
Which SAQ Do You Need?
The SAQ you need depends entirely on how you accept payments. Here’s a simple breakdown:
| How You Accept Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Outsource everything (PayPal, Square online) | SAQ A | 22 | Simplest |
| E-commerce with hosted checkout (Stripe, Authorize.net) | SAQ A-EP | 191 | Moderate |
| Physical terminals only, no electronic storage | SAQ B | 41 | Simple |
| Physical terminals with IP connection | SAQ B-IP | 82 | Simple |
| Phone/mail orders, virtual terminal | SAQ C-VT | 80 | Moderate |
| Any electronic storage of card numbers | SAQ D | 329+ | Complex |
Real-World Examples
SAQ A or A-EP: You run an online boutique using Shopify or WooCommerce with Stripe Checkout. Customers enter their card details on a hosted payment page, not your website.
SAQ B or B-IP: You own a retail shop with a standalone Square or Clover terminal. Cards are swiped or inserted, but you never see or store the full card number.
SAQ C-VT: You take orders over the phone and enter card details into a virtual terminal (web-based payment form) provided by your processor.
SAQ D: You store customer card numbers in your system for recurring billing or future purchases. (If this is you, strongly consider switching to tokenization to reduce your scope.)
Not sure which one applies? PCICompliance.com’s free SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need.
How to Complete Your SAQ
Once you know your SAQ type, the process is straightforward:
1. Download the Correct Questionnaire
Your payment processor usually provides a link, or you can get it from the PCI Security Standards Council website. The questionnaire contains yes/no questions about your security practices.
2. Answer the Questions Honestly
Each question asks about a specific security control. “Yes” means you’re doing it, “No” means you’re not. For example:
- “Are default passwords changed?” means you’ve changed any default passwords on payment terminals or routers
- “Is antivirus installed?” means your computers have up-to-date antivirus software
3. Fix Any “No” Answers
If you answer “No” to required questions, you’ll need to implement those controls. Most are simple:
- Install antivirus software
- Change default passwords
- Limit who can access payment systems
4. Schedule Quarterly ASV Scans (If Required)
If you have any e-commerce presence (SAQ A-EP or D), you need quarterly vulnerability scans from an Approved Scanning Vendor. These automated scans check your website for security holes. They typically take 1-2 days and cost $150-300 per year for all four quarterly scans.
5. Complete Your Attestation
Once all questions are “Yes” and scans pass, you’ll sign an AOC (Attestation of Compliance) stating you meet the requirements. Submit this to your payment processor along with your completed SAQ.
What It Costs
PCI compliance costs vary based on your complexity:
Basic Costs (SAQ A, B, B-IP)
- Compliance platform: $100-300/year for tools and guidance
- Time investment: 2-4 hours annually
- No scanning required for card-present-only merchants
Moderate Costs (SAQ A-EP, C-VT)
- Compliance platform: $200-500/year
- ASV scanning: $150-300/year for quarterly scans
- Time investment: 4-8 hours annually
Higher Costs (SAQ D or Level 1-2 Merchants)
- QSA assessment: $10,000-50,000+ for on-site audits
- Penetration testing: $5,000-15,000 annually
- Ongoing compliance management: Significant internal resources
The Cost of Non-Compliance
- Monthly non-compliance fees: $20-100 from your processor
- Breach-related fines: $5,000-100,000+ depending on severity
- Forensic investigation costs: $10,000+ if a breach occurs
- Lost business and reputation damage: Incalculable
For most small merchants, annual compliance costs less than two months of non-compliance fees.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox — it’s an ongoing process:
Annual Requirements
- Complete your SAQ questionnaire
- Update any changed business processes
- Renew your attestation with your processor
Quarterly Requirements (If Applicable)
- Run ASV vulnerability scans
- Review and address any failing scan results
- Keep scan reports for your records
Ongoing Best Practices
- Track changes: Document when you add new payment channels or change providers
- Set reminders: Calendar quarterly scans and annual assessments
- Train staff: Ensure everyone handling payments knows the basics
- Update systems: Keep payment software and terminals current
When to Reassess
You’ll need to review your SAQ type if you:
- Add new payment channels (like starting e-commerce)
- Change payment processors or gateways
- Begin storing card data electronically
- Significantly increase transaction volume
PCICompliance.com’s compliance dashboard tracks all these requirements automatically, sending reminders when action is needed and maintaining your compliance history in one place.
FAQ
Do I need PCI compliance if I only accept a few cards per month?
Yes, PCI compliance applies to any merchant accepting credit cards, regardless of volume. However, as a small merchant, you’ll qualify for the simplest SAQ types with fewer requirements. The standards scale with your risk level.
What’s the difference between PCI compliance and the Virginia Consumer Data Protection Act (VCDPA)?
PCI DSS specifically protects credit card data, while VCDPA protects broader consumer privacy rights. You need to comply with both, but they serve different purposes. PCI focuses on payment security, VCDPA on data privacy and consumer rights.
Can I just use PayPal or Square to avoid PCI compliance?
Using payment aggregators reduces but doesn’t eliminate your PCI obligations. You’ll likely qualify for SAQ A (the simplest), but you still need to complete annual compliance validation. These services handle most security requirements for you.
What happens if I fail an ASV scan?
Failing scans are common and fixable — they’re meant to identify vulnerabilities before criminals do. Your ASV provides a report showing what failed and how to fix it. You have time to remediate issues and rescan before your compliance deadline.
Do I need to hire a QSA?
Most small to mid-size merchants can self-assess using SAQs without hiring a QSA. Only Level 1 merchants (processing over 6 million transactions annually) typically require QSA involvement. Some processors may require it for SAQ D merchants due to higher risk.
How long does PCI compliance take?
For most small merchants using modern payment systems, initial compliance takes 2-4 hours. This includes understanding your requirements, completing the questionnaire, and setting up any missing controls. Annual recertification typically takes less time.
What if I’m already doing everything but haven’t filed the paperwork?
You’re technically non-compliant until you submit your completed SAQ and attestation. The good news is you can complete this quickly if you’re already following the practices. Your processor needs documentation to verify compliance.
Can I store credit card numbers if customers request it?
Technically yes, but it moves you to SAQ D with 329+ requirements — seriously consider alternatives. Use tokenization or your payment processor’s card-on-file feature instead. The complexity and cost increase dramatically when storing card data.
Take Control of Your Compliance
PCI compliance might seem overwhelming at first glance, but for most Virginia businesses, it’s a manageable process that protects both you and your customers. The key is understanding which requirements actually apply to your business and tackling them systematically.
Start by identifying your SAQ type — this single step clarifies 90% of what you need to do. If you’re like most small merchants using modern payment tools, you’ll find the actual requirements are reasonable security practices you should be doing anyway.
PCICompliance.com makes the entire process manageable with our comprehensive compliance platform. Our free SAQ Wizard takes the guesswork out of determining your requirements, our ASV scanning service handles your quarterly vulnerability scans automatically, and our compliance dashboard keeps you on track throughout the year. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and guidance to protect your business and satisfy your processor’s requirements. Start with our free SAQ Wizard to see exactly what you need, or reach out to our compliance team for personalized guidance on your situation.