Wave Payments PCI

Wave Payments PCI Compliance Guide: Everything Small Businesses Need to Know

Bottom Line Up Front

Take a deep breath — for most small businesses, PCI compliance is much simpler than it sounds. If you just received a compliance questionnaire from Wave or another payment processor and feel overwhelmed, you’re in the right place. Most small merchants can achieve compliance in a few hours with the right guidance. This guide will walk you through exactly what Wave PCI compliance means, which form you need to fill out, and how to get it done without the headache.

What Is PCI Compliance (In Plain English)

PCI compliance refers to following the Payment Card Industry Data Security Standard (PCI DSS) — a set of security requirements designed to protect credit card information. If you accept Visa, Mastercard, American Express, or Discover payments through Wave or any other processor, these requirements apply to you.

The major card brands created these standards through the PCI Security Standards Council (PCI SSC), but they do not deal with small merchants directly. Your acquiring bank and payment processor, Wave in this case, are contractually responsible to the brands for making sure the merchants they sign up validate compliance, and they pass the brands' penalties down to you. Think of it like this: the card brands make the rules, and Wave makes sure you follow them.

What happens if you don’t comply? Your processor can impose monthly fines (typically $20-100 for small merchants), you’ll be liable for fraud losses if there’s a breach, and in extreme cases, you could lose your ability to accept card payments. The good news? Most small businesses qualify for the simplest compliance requirements, which you can complete in an afternoon.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit or debit cards in any form, yes. This includes:

  • Swiping cards through a terminal
  • Taking payments through your website
  • Accepting card numbers over the phone
  • Processing cards through mobile readers
  • Using virtual terminals to key in transactions

Most small businesses are classified as Level 4 merchants: fewer than 20,000 e-commerce transactions per year and no more than 1 million total card transactions per year (the exact thresholds are set per card brand, and a processor can also move you up a level after a breach). This is good news: Level 4 merchants have the simplest compliance requirements and validate with a self-assessment rather than an on-site audit.

Wave, like all payment processors, requires annual compliance validation. That questionnaire they sent? It’s called a Self-Assessment Questionnaire (SAQ), and it’s how you prove you’re following the security standards. They need this documentation to satisfy their own compliance requirements with the card brands.

Which SAQ Do You Need?

The PCI SSC offers different SAQs based on how you accept payments. Here’s the decision tree in plain language:

How you accept payments | SAQ type | Complexity | Typical time
Redirect to Wave's hosted checkout (customer never enters card data on your site) | SAQ A | Simplest (22 questions) | 15-30 minutes
Standalone dial-out terminal (no connection to any other system) | SAQ B | Simple (41 questions) | 30-45 minutes
Standalone terminal that connects to Wave over the internet (IP-based, PTS-approved) | SAQ B-IP | Simple (82 questions) | 45-60 minutes
Manual entry only into a web-based virtual terminal (phone or mail orders, one isolated computer) | SAQ C-VT | Moderate (80 questions) | 45-60 minutes
Your website never receives card data but controls how the customer reaches the payment page (serves the payment form, JavaScript or iframe, or posts directly to Wave) | SAQ A-EP | Moderate (191 questions) | 2-3 hours
Card data passes through or is stored on any system you run (including your own web server or database) | SAQ D | Complex (329 questions) | Multiple days, possibly a QSA

The question counts above come from the PCI DSS v3.2.1 questionnaires; v3.2.1 was retired on 31 March 2024, and the v4.0 questionnaires renumber and add requirements, so treat the counts as a rough gauge and work from the version Wave's portal gives you. Each SAQ also lists eligibility criteria in its front matter; if your setup fails even one of them, you need the next SAQ up, not a creative "yes".

Most Wave merchants fall into the first few categories. If you’re using Wave’s standard checkout where customers are redirected to Wave’s secure payment page, you likely need SAQ A — the simplest form.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need. No guesswork required.

How to Complete Your SAQ

Your SAQ is essentially a security checklist with yes/no questions. Here’s what to expect:

What the questionnaire looks like: Each question asks about a specific security practice. For example, “Do you restrict physical access to cardholder data?” For SAQ A merchants, answering “yes” might mean “I don’t store any card data, so there’s nothing to physically access.” Where a question genuinely does not apply to your setup, the SAQ lets you answer “Not Applicable” with a one-line explanation in the appendix provided for it; that is the right answer to give, rather than a “yes” you cannot back up.

Time investment: SAQ A takes most merchants 15-30 minutes. SAQ B or C-VT typically takes 45-60 minutes. You don’t need to be technical — the questions are written for business owners.

Documentation you’ll need:

  • Your payment processing setup details (how customers pay you)
  • List of any third-party services that handle payments
  • Network details (only for more complex SAQs)
  • Security policies (templates are usually provided)

The quarterly ASV scan: Some SAQ types also require a vulnerability scan of your internet-facing systems every quarter, run by an Approved Scanning Vendor (ASV), a company the PCI SSC has certified for that purpose. Under the v3.2.1 questionnaires that means SAQ A-EP, B-IP, C and D; SAQ A, B and C-VT do not require it, but check the front matter of your own SAQ, because the list changes between versions. The scan covers every public IP address and hostname in scope, and it only counts if it passes, which the ASV program defines as no finding with a CVSS score of 4.0 or higher. Most ASV services cost $100-300 per year and include all four quarterly scans plus rescans after you fix findings.

Submitting your compliance: Once you complete your SAQ, you’ll sign an Attestation of Compliance (AOC) — basically a formal declaration that your answers are accurate. Submit both documents through Wave’s compliance portal or your compliance platform.

What It Costs

Let’s talk real numbers for Wave PCI compliance:

Compliance platforms and tools: Most services charge $100-500 annually for small merchants. This typically includes your SAQ wizard, document storage, and compliance tracking. Some processors include basic tools for free.

Quarterly ASV scanning: If required for your SAQ type, budget $100-300 annually. This covers all four quarterly scans plus basic support. PCICompliance.com includes ASV scanning in our compliance packages.

QSA services: Only needed if you’re SAQ D or a larger merchant. Level 4 merchants almost never need a QSA. If you do, expect $5,000-25,000 for a formal assessment.

The cost of non-compliance: Wave may charge $20-100 monthly for non-compliance. But the real risk? If there’s a breach and you’re not compliant, you’re liable for fraud losses, forensic investigation costs ($10,000+), and potential fines up to $500,000 from the card brands.

For most small merchants, annual compliance costs less than two months of non-compliance fines. It’s genuinely the cheapest insurance you can buy.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with some quarterly obligations. Here’s how to stay on track:

Annual requirements: Your SAQ must be completed every year. Wave will send reminders, but mark your calendar for the same month each year.

Quarterly scans: If your SAQ requires ASV scans, a passing scan is due every 90 days. A failed scan, or a missed quarter, is a gap in compliance until you fix the findings and a rescan passes, so schedule the scan early in each quarter to leave time for rescans, and set up automatic scanning to avoid gaps.

When things change: Major changes to how you accept payments require reassessment. Adding e-commerce to your retail store? Your SAQ type might change. Starting to store card numbers? Definitely time to reassess (and probably stop storing them).

Tracking compliance: PCICompliance.com’s compliance dashboard shows your status at a glance — when your next scan is due, SAQ expiration date, and any issues needing attention. No more compliance surprises.

FAQ

Q: I only process a few cards per month. Do I still need to comply?

A: Yes, PCI compliance applies regardless of transaction volume. Even one card payment per year triggers the requirement. The good news is your low volume means simpler requirements.

Q: Wave handles all my payments. Why is compliance my responsibility?

A: While Wave secures their systems, you’re responsible for how you handle card data before it reaches them. This includes your terminals, computers, and any processes involving card information.

Q: What if I fail my vulnerability scan?

A: Don’t panic — most merchants fail a first scan on minor issues: an old TLS version, an unpatched web server or router, a self-signed certificate. Your ASV report lists each finding with its CVSS score; anything scored 4.0 or higher must be fixed (usually a software update or a configuration change) and the scan re-run until it passes. Do this within the same quarter, because only the passing scan counts toward that quarter's requirement.

Q: Can I just mark ‘yes’ to all questions?

A: Only mark ‘yes’ if it’s accurate — false attestation can result in significant fines if discovered. Most questions have clear guidance on what ‘yes’ means. When in doubt, ask for help rather than guessing.

Q: Do I need to hire an IT consultant?

A: Most small merchants don’t need outside help for basic SAQs. If you’re SAQ A or B, you can likely handle it yourself. More complex scenarios might benefit from expert guidance.

Q: How do I know if I’m storing card data?

A: Check every place a number could have landed: spreadsheets, your customer database, email and its attachments, chat and support tickets, call recordings, scanned forms, backups, and paper files. A full card number (PAN) that you genuinely must keep has to be rendered unreadable, by truncation (at most the first six and last four digits), tokenization, or strong encryption with proper key management. Security codes (CVV/CVC), full magnetic-stripe or chip data and PINs may never be stored after authorization, under any protection. If you find any of this, move it out of reach, delete what you do not need, and then change the process that put it there. With a hosted checkout or a terminal, you never need the number yourself: the processor holds it, and you work from a transaction or customer ID.
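A practical way to run that check is a discovery script. The following is an added example written for this guide, not a tool from Wave or PCICompliance.com: it searches text files for 13-19 digit runs, keeps only those that pass the Luhn check (which every real card number satisfies and most order numbers and phone numbers do not), labels the brand from the issuer prefix, and reports each number masked to first six and last four so the report itself does not become a new copy of card data. The file extensions it reads, the simplified brand-prefix ranges and the built-in sample text are assumptions made for the example; the sample uses the public test card numbers, not real cards.

```python
"""Find unprotected card numbers (PANs) in text files.

Added example for this guide, not Wave's or PCICompliance.com's tooling.
Flags every 13-19 digit run that passes the Luhn check and reports it
masked, so the report never becomes a new store of card data.
"""
import re
import sys
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes ("4111 1111 1111 1111").
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every real PAN, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits: str) -> str:
    """Card brand from issuer prefix and length (simplified ranges; an assumption)."""
    n = len(digits)
    p2, p3, p4 = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "Mastercard"
    if n == 15 and p2 in (34, 37):
        return "American Express"
    if 16 <= n <= 19 and (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649):
        return "Discover"
    return "unknown"


def mask(digits: str) -> str:
    """Keep at most first six and last four digits, the most PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[dict]:
    """One record per Luhn-valid candidate in text: line number, brand, masked PAN."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append({"line": line_no, "brand": brand(digits), "pan": mask(digits)})
    return hits


def scan_files(paths, suffixes=(".txt", ".csv", ".log", ".eml", ".md")) -> dict[str, list[dict]]:
    """Walk each file or directory; return {file: hits} for files containing card numbers."""
    report = {}
    for root in map(Path, paths):
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for f in files:
            if f.suffix.lower() not in suffixes:   # assumed list of plain-text formats
                continue
            hits = find_pans(f.read_text(errors="replace"))
            if hits:
                report[str(f)] = hits
    return report


# Constructed sample, not real customer data: the public Visa, Mastercard,
# Amex and Discover *test* PANs, plus look-alikes that must not be reported.
SAMPLE = """\
order 1001, phone 555-123-4567, card 4111 1111 1111 1111 exp 12/27
invoice 1234567890123456 (not a card: fails Luhn)
amex on file: 378282246310005
mc 5555-5555-5555-4444 / disc 6011111111111117
stored token only: 411111******1111
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    report = scan_files(targets) if targets else {"<sample>": find_pans(SAMPLE)}
    for path, hits in report.items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['brand']} {h['pan']}")
```

Run it with one or more files or directories as arguments (for example `python find_pans.py ~/Documents exports/`); with no arguments it scans the built-in sample and reports four hits, skipping the phone number, the invoice number that fails Luhn, and the already-truncated token. It only reads plain-text formats, so export mailboxes, spreadsheets and database tables to CSV or text before scanning, and treat every hit as something to delete or tokenize rather than something to protect in place.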

Q: What’s the difference between PCI compliance and EMV?

A: EMV (chip cards) is one security technology, while PCI compliance covers all aspects of card data security. Using EMV terminals helps with compliance but doesn’t replace the need for PCI assessment.

Q: How long do I need to keep compliance documentation?

A: Keep all compliance documentation for at least three years. This includes completed SAQs, ASV scan reports, and any remediation evidence. Your compliance platform should store these automatically.

Conclusion

Wave PCI compliance might seem daunting at first glance, but for most small businesses, it’s a straightforward process that protects both you and your customers. The key is understanding which SAQ applies to your payment setup and completing it accurately each year.

Remember, compliance isn’t just about avoiding fines — it’s about protecting your business from the devastating costs of a data breach. The few hours you invest in compliance today could save you from significant financial and reputational damage tomorrow.

Ready to tackle your Wave PCI compliance requirements? PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. We’ve helped thousands of merchants navigate PCI requirements, from single-location retailers to multi-site enterprises. Start with our free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team for personalized guidance on your Wave PCI compliance journey.
