Bottom Line Up Front
If you just received a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, take a breath. For most small businesses, achieving PCI compliance is simpler than you think — often just a matter of answering a short questionnaire about how you accept payments and running a quarterly security scan. You don’t need to be a security expert, and you won’t need to hire expensive consultants. Let’s break down what this questionnaire means and exactly what you need to do.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card data. If your business accepts credit or debit cards — whether through a terminal, online, or over the phone — these requirements apply to you.
The standard was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) working together through something called the PCI Security Standards Council. Think of it as the card industry’s way of ensuring every business that touches payment cards maintains basic security practices.
Your acquirer (the bank or payment processor that handles your card transactions) is responsible for making sure you comply. That’s why they sent you that questionnaire — they’re required to verify that every merchant in their portfolio maintains PCI compliance.
What Happens If You Don’t Comply?
The consequences of non-compliance are real but manageable:
- Monthly fines from your payment processor (typically $25-$100 for small merchants)
- If there’s a data breach, you could be liable for fraud losses and investigation costs
- In extreme cases, you could lose the ability to accept credit cards
- You miss out on the reduced processing rates many acquirers offer to compliant merchants
Here’s the good news: most small businesses qualify for the simplest compliance paths. You’re not held to the same standards as Target or Home Depot. The PCI Council recognizes that a local coffee shop has different security needs than a major retailer.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit or debit cards in any form, yes, you need to be PCI compliant. It doesn’t matter if you’re a sole proprietor working from home or a retail chain — if you process payment cards, PCI DSS applies to you.
Understanding Your Merchant Level
PCI compliance requirements are scaled based on your transaction volume. Most small businesses fall into Merchant Level 4, which means:
- You process fewer than 20,000 e-commerce transactions per year, OR
- You process fewer than 1 million total transactions per year
As a Level 4 merchant:
- You can self-assess your compliance using an SAQ (Self-Assessment Questionnaire)
- You don’t need an on-site assessment from a QSA (Qualified Security Assessor)
Your payment processor determines your merchant level based on your annual transaction volume. If you’re unsure, the letter they sent you likely specifies your level, or you can find it in your merchant account portal.
What Your Payment Processor Expects
When your acquirer sends that compliance questionnaire, they’re essentially asking you to:
1. Complete the appropriate SAQ for your business type
2. Run quarterly security scans if you have any internet-facing systems
3. Submit an AOC (Attestation of Compliance) confirming you’ve met the requirements
4. Maintain this compliance status year-round
The questionnaire itself isn’t the compliance — it’s just how you document and attest to your compliance. Think of it like a safety checklist for handling payment cards.
Which SAQ Do You Need?
The PCI Council offers different SAQs based on how you accept and process payments. Each type has a different number of requirements, ranging from about 20 questions to over 300. Here’s how to determine which one applies to your business:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity |
|---|---|---|---|
| E-commerce with fully hosted checkout (Shopify, Square Online) | SAQ A | ~20 | Simple |
| E-commerce with payment fields on your site (Stripe Elements, PayPal Pro) | SAQ A-EP | ~130 | Moderate |
| Standalone terminals only (Square Reader, Clover Go) | SAQ B | ~40 | Simple |
| Terminals connected to your network | SAQ B-IP | ~80 | Moderate |
| Taking payments over the phone | SAQ C-VT | ~80 | Moderate |
| Physical terminal + e-commerce | SAQ C | ~140 | Complex |
| Storing card numbers or complex setup | SAQ D | ~330 | Very Complex |
Real-World Examples
If you use a payment terminal like Square, Clover, or a traditional credit card machine:
- Standalone terminal with dial-up or cellular connection → SAQ B
- Terminal connected to your internet or POS system → SAQ B-IP
If you have an e-commerce site:
- Using Shopify Payments, WooCommerce with Stripe Checkout, or similar hosted solution → SAQ A
- Using Stripe Elements, Authorize.net Accept.js, or payment fields on your site → SAQ A-EP
If you take payments multiple ways:
- Physical store with terminals + e-commerce site → SAQ C
- Any scenario where you store card numbers (please reconsider this) → SAQ D
Not sure which applies? PCICompliance.com’s free SAQ Wizard walks you through a few simple questions about your payment setup and tells you exactly which SAQ you need.
How to Complete Your SAQ
Once you know which SAQ type applies, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices. Here’s what to expect:
What the Questions Look Like
Each question addresses a specific security control. For example:
- “Do you change vendor-supplied defaults on system passwords?”
- “Is cardholder data storage limited to business need?”
- “Do you have a firewall protecting your payment systems?”
When you answer “yes,” you’re confirming that control is in place. The SAQ doesn’t require proof (unless your acquirer specifically requests it), but you should be able to demonstrate compliance if asked.
How Long It Takes
- SAQ A: 30-60 minutes (mostly about your payment provider’s security)
- SAQ A-EP or B: 1-2 hours (reviewing your basic security practices)
- SAQ B-IP or C-VT: 2-4 hours (includes network security questions)
- SAQ C or D: Multiple days (requires detailed security documentation)
Documentation You’ll Need
Gather these items before starting:
- Your payment processing agreements
- Network diagram (for SAQ B-IP and above)
- Security policies (even informal ones count)
- List of who has access to payment systems
- Any security scan results from the past year
The Quarterly ASV Scan
If your business has any internet-facing systems (website, email server, remote access), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). This automated scan:
- Checks for known security vulnerabilities
- Takes about 15 minutes to run
- Costs $30-50 per scan
- Must pass (no high-risk vulnerabilities) for PCI compliance
Even if you only have a basic website with no payment processing, if it’s on the same network as your payment systems, it needs scanning.
Submitting Your Compliance
After completing your SAQ and passing your ASV scan (if required):
1. Generate your Attestation of Compliance (AOC) — this is your official compliance certificate
2. Submit both documents through your acquirer’s portal or compliance platform
3. Save copies for your records
4. Set reminders for next quarter’s scan and next year’s assessment
What It Costs
PCI compliance costs vary based on your SAQ type and whether you handle it yourself or use a compliance platform:
Compliance Platform Costs
- Basic SAQ tools: $100-200/year
- Full compliance platforms with scanning: $200-500/year
- Enterprise solutions with QSA support: $1,000+/year
Quarterly ASV Scanning
- Individual scans: $30-50 each
- Annual packages: $120-200/year
- Often included with compliance platforms
If You Need a QSA
Most small merchants never need a QSA, but if you do:
- Remote assessment: $5,000-15,000
- On-site assessment: $15,000-50,000+
- Only required for Level 1 merchants or by specific acquirer mandate
The Cost of Non-Compliance
Consider what you’re avoiding:
- Monthly non-compliance fees: $25-100 (that’s $300-1,200/year)
- Data breach costs: Average $150,000+ for small businesses
- Lost ability to process cards: Catastrophic for most businesses
- Increased processing rates: Many acquirers charge higher rates to non-compliant merchants
For most small merchants, annual compliance costs less than three months of non-compliance fees — and far less than a single data breach.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done activity. Your compliance status resets annually, and certain requirements need quarterly attention.
Annual Requirements
- Complete your SAQ questionnaire
- Review and update security policies
- Train staff on payment security
- Verify all patches and updates are current
Quarterly Requirements
- Run ASV vulnerability scans (if applicable)
- Review firewall rules (for higher SAQ types)
- Check that only necessary people have payment system access
What Triggers a New Assessment
You’ll need to reassess your compliance if you:
- Change payment processors or add new payment methods
- Significantly change how you accept payments
- Add e-commerce to a brick-and-mortar business
- Start storing cardholder data (seriously, avoid this)
- Experience a data breach
Making It Manageable
Set up these simple systems:
- Calendar reminders for quarterly scans
- Annual reminder two months before compliance expires
- Document your payment setup and any changes
- Keep your SAQ answers and documentation together
PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and maintains your compliance history in one place.
FAQ
Q: My payment processor says I need PCI compliance, but I only process a few transactions per month. Do I really need to comply?
Yes, PCI compliance applies to any business that accepts credit cards, regardless of volume. The good news is that with low transaction volume, you’ll qualify for the simplest SAQ types, which can be completed in under an hour.
Q: I use Square for all my payments. Am I already PCI compliant?
Not automatically. While Square handles much of the security for you, you still need to complete an SAQ (likely SAQ B for standalone terminals or SAQ A for Square’s online checkout) and submit it to your acquirer. Square’s security makes your compliance much simpler, but doesn’t eliminate the requirement.
Q: What’s the difference between PCI compliance and EMV compliance?
EMV refers to chip card acceptance, while PCI DSS covers overall payment security. You can be EMV-compliant (accepting chip cards) but still need PCI compliance. Think of EMV as one security tool, while PCI DSS is the complete security program.
Q: Can I just ignore the compliance questionnaire? What’s the worst that could happen?
Ignoring it leads to monthly fines, typically starting at $25-100 for small merchants. More seriously, if you experience a breach while non-compliant, you could face fraud liability, forensic investigation costs, and even lose your ability to accept cards. Compliance is far cheaper than the alternative.
Q: I don’t store any credit card numbers. Do I still need to be PCI compliant?
Yes. PCI compliance applies to any business that accepts, processes, stores, or transmits cardholder data. Even if you immediately process transactions without storage, you’re still handling sensitive payment data and need to protect it during that brief moment.
Q: How do I know if I passed my ASV scan?
Your ASV will provide a report showing “Pass” or “Fail” status. To pass, you cannot have any high-risk vulnerabilities and must meet other scanning requirements. If you fail, the report includes specific issues to fix before rescanning.
Q: My business just started accepting credit cards. When do I need to be compliant?
Technically, from day one — PCI requirements apply as soon as you process your first transaction. However, most acquirers give new merchants 30-90 days to complete initial compliance. Check your merchant agreement for specific deadlines.
Q: Do I need to hire a security consultant to help with PCI compliance?
For most small merchants using standard SAQs, no. The questionnaires are designed for self-completion, and compliance platforms like PCICompliance.com provide guidance throughout the process. Only SAQ D merchants typically need consultant assistance.
Conclusion
That PCI compliance questionnaire sitting on your desk might look intimidating, but now you know what it really means. For most small businesses, achieving compliance is simply a matter of understanding which SAQ applies to your payment setup, answering straightforward questions about your security practices, and maintaining those practices year-round.
The key is getting started. Once you complete your first SAQ, you’ll realize it’s not the complex ordeal you might have imagined. With the right tools and guidance, most merchants can achieve compliance in an afternoon and maintain it with minimal ongoing effort.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Rather than juggling multiple vendors and deadlines, you get a single platform that guides you through initial compliance and keeps you on track every year after. Start with the free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team about how we can simplify your path to PCI compliance.