What Is Network Segmentation?

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and saw something about “network segmentation,” don’t panic. Here’s the truth: network segmentation is simply keeping your credit card processing systems separate from everything else on your network — like having a locked cash register in your store instead of leaving money on the counter. For most small businesses, you’re probably already doing this without realizing it, especially if you use modern payment terminals or hosted checkout pages. Let me walk you through what you actually need to know.

What Is PCI Compliance (In Plain English)

PCI compliance exists for one simple reason: to protect credit card data from falling into the wrong hands. If you accept credit cards — whether you’re a corner coffee shop or an online boutique — PCI DSS (Payment Card Industry Data Security Standard) applies to you.

The major card brands (Visa, Mastercard, American Express, and Discover) created these security standards through an organization called the PCI Security Standards Council. But here’s who actually enforces them: your acquirer (the bank or payment processor that handles your credit card transactions). That’s why they sent you that compliance questionnaire.

What happens if you ignore it? Your payment processor can fine you — typically $5,000 to $100,000 per month for non-compliance. If there’s a data breach, you could be liable for fraud losses and forensic investigation costs. In extreme cases, you could lose your ability to accept credit cards entirely.

But here’s the good news: most small businesses qualify for the simplest compliance requirements. You don’t need a team of security experts or expensive consultants. You just need to understand which form applies to you and answer some straightforward questions about how you handle payments.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you process one transaction or one million — PCI compliance is mandatory.

Your merchant level determines how you demonstrate compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This means you complete a self-assessment questionnaire (SAQ) instead of hiring an external auditor.

What does your payment processor expect? They want you to:

  • Complete the right SAQ for your business
  • If required, run quarterly vulnerability scans
  • Submit your Attestation of Compliance (AOC)
  • Keep doing this every year

That questionnaire they sent? It’s their way of saying “prove to us that you’re protecting cardholder data.” They’re required by the card brands to collect this from every merchant.

Which SAQ Do You Need?

Think of SAQs as different levels of a security checklist. The type you need depends entirely on how you accept and process credit cards. Here’s the decision tree in plain language:

How You Accept Payments                                                      | Your SAQ Type | Questions to Answer | Complexity
-----------------------------------------------------------------------------|---------------|---------------------|-------------
Payment terminal only (Square, Clover standalone)                            | SAQ B         | 21 questions        | Simple
Terminal with IP connection (terminal connects to internet)                  | SAQ B-IP      | 82 questions        | Moderate
E-commerce with hosted checkout (PayPal, Stripe Checkout, Shopify)           | SAQ A         | 22 questions        | Simple
E-commerce with payment form on your site (Stripe Elements, Authorize.net)   | SAQ A-EP      | 191 questions       | Complex
Phone/mail orders only (virtual terminal, no storage)                        | SAQ C-VT      | 80 questions        | Moderate
Multiple channels, no storage                                                | SAQ C         | 160 questions       | Complex
Store card numbers (please stop!)                                            | SAQ D         | 329 questions       | Very Complex

If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B or B-IP. The difference? SAQ B is for dial-up terminals (yes, they still exist), while B-IP is for internet-connected terminals.

If you have an e-commerce site using Shopify Payments, PayPal, or Stripe Checkout where customers are redirected to pay, you’re probably SAQ A — the simplest form with just 22 questions.

If you take payments over the phone using a virtual terminal but never store card numbers, you’ll complete SAQ C-VT.

If you store card numbers in any form — in files, databases, or even written down — you’re stuck with SAQ D, the full assessment. This is why we recommend: please stop storing card numbers.

Not sure which one? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which SAQ you need.

How to Complete Your SAQ

Your SAQ is a questionnaire with yes/no questions about your security practices. When you answer “yes,” you’re confirming you have that security control in place. Here’s what to expect:

The questions cover areas like:

  • Do you have a firewall? (Your internet router counts)
  • Do you change default passwords? (Please say yes)
  • Do you install security updates? (Windows Update counts)
  • Do you limit access to payment systems? (Only certain employees can use the terminal)

Documentation you’ll need:

  • A simple network diagram (even a hand drawing works for small merchants)
  • Your security policies (can be one page for small businesses)
  • Evidence of quarterly scans if required

Speaking of scans, if you accept payments online (SAQ A-EP, C, or D), you need quarterly ASV scans. An Approved Scanning Vendor checks your website for vulnerabilities four times per year. It’s automated — you provide your website URL, and the scanner does the rest.

Once complete, you’ll sign an Attestation of Compliance (AOC) stating your answers are accurate, then submit both documents to your payment processor.

What It Costs

Let’s talk real numbers:

Compliance platforms and tools: Most small merchants spend $200-500 annually for SAQ tools, documentation templates, and support. PCICompliance.com’s basic package covers everything a Level 4 merchant needs.

Quarterly ASV scanning: Required for online merchants, typically $200-400 per year for all four scans. Some compliance platforms include this.

QSA assessment: Only required for Level 1 merchants or if your acquirer specifically demands it. Costs $10,000-50,000+ annually. Most small businesses never need this.

The cost of non-compliance? Your processor can fine you $5,000-100,000 per month. One data breach could cost hundreds of thousands in forensic investigations, fraud reimbursements, and legal fees. Annual compliance costs less than a single month’s non-compliance fine.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly responsibilities. Your payment processor will send that questionnaire every year, and if you process online, you need those ASV scans every three months.

Set up these reminders:

  • Annual SAQ due date (usually your anniversary date with your processor)
  • Quarterly scan dates (every 90 days)
  • Security update schedule (monthly is fine)
  • Employee training refresher (annually)

What triggers a reassessment? Major changes like:

  • Switching payment processors or adding new payment methods
  • Moving from terminal-only to e-commerce
  • Significantly increasing transaction volume
  • Starting to store cardholder data (again, please don’t)

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and keeps your documentation organized year-round.

FAQ

I’m just a small business. Do I really need to do this?

Yes, but it’s likely simpler than you think. If you use Square or PayPal, you might only need to answer 20-25 questions once a year. The smallest SAQs take about an hour to complete.

What exactly is network segmentation and do I need it?

Network segmentation means keeping your payment systems separate from other technology. If you use a standalone payment terminal or hosted checkout, you’re already segmented. It’s built into these solutions.

My payment processor says I need an ASV scan. What is that?

An Approved Scanning Vendor scan is an automated security check of your website. If you process payments online, you need one every 90 days. The scanner looks for vulnerabilities hackers could exploit.

Can I just ignore the compliance questionnaire?

Technically yes, but your processor will likely fine you $100-500 per month until you comply. They may eventually terminate your merchant account, meaning you can’t accept credit cards at all.

How do I know if I’m storing credit card data?

Search your computers for spreadsheets, documents, or databases containing card numbers. Check your email for customer card details. If you find any, securely delete them immediately and consider switching to tokenization.
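A small script for that search, added here as an illustration (not a PCICompliance.com tool): it looks for 13- to 19-digit runs in text, keeps only those that pass the Luhn check every card brand uses, and reports them masked so the report itself never becomes another copy of stored card data. The sample "files" are constructed; point scan_files at your own spreadsheets, exports, or saved emails instead.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer digit run (rules out most IDs and timestamps).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding can be written down safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked card numbers found in text; Luhn-invalid runs are dropped as noise."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to the masked PANs it contains; clean files are omitted."""
    return {name: found for name, content in files.items() if (found := find_pans(content))}


# Constructed sample files standing in for the spreadsheets and emails the FAQ mentions.
# The card numbers are the public Visa/Mastercard test numbers, not real accounts.
SAMPLE_FILES = {
    "orders.csv": "id,card\n1,4111 1111 1111 1111\n2,5555-5555-5555-4444\n",
    "tracking.txt": "Shipment 1234567890123456 delivered; call 512-555-0100\n",
    "notes.txt": "Customer paid by invoice, no card taken.\n",
}

if __name__ == "__main__":
    for name, pans in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(pans)} card number(s) found -> {', '.join(pans)}")
```

The shipment number in tracking.txt is 16 digits long but fails the Luhn check, so it is not reported; the phone number is too short to be considered at all.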

What if I fail my ASV scan?

You’ll receive a report showing what failed and how to fix it. Most failures are minor — outdated software, unnecessary services running. Fix the issues and rescan. You have time to remediate before your compliance deadline.

Do I need to hire a QSA?

Only if you’re a Level 1 merchant (over 6 million transactions annually) or your processor specifically requires it. Most small businesses never need a QSA — the self-assessment is sufficient.

What’s the difference between PCI compliance and network segmentation?

PCI compliance is the overall requirement to protect card data. Network segmentation is one method of reducing what you need to protect by keeping payment systems separate from everything else.

Conclusion

PCI compliance might seem overwhelming when that questionnaire first arrives, but for most small businesses, it’s manageable. You’re probably already doing many of the required security practices — using secure payment terminals, not writing down card numbers, keeping your software updated. The SAQ just formalizes these practices.

Remember: the goal isn’t to make your life difficult. It’s to protect your customers’ payment data and your business from the devastating costs of a breach. Start by identifying which SAQ type applies to your payment setup, gather your basic documentation, and work through the questions methodically.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. You don’t need to become a security expert or navigate this alone. Start with the free SAQ Wizard to identify your requirements in under five minutes, or talk to our compliance team who’ve helped thousands of merchants just like you protect their businesses and meet their compliance obligations.
