What Is the PCI SSC?

Here’s the bottom line: if you just got a PCI compliance questionnaire from your payment processor and you’re feeling overwhelmed, relax. For most small businesses, PCI compliance is far simpler than it sounds. The PCI SSC (Payment Card Industry Security Standards Council) created the standards you need to follow, but in practice, you’re probably looking at a straightforward questionnaire that takes an hour or two to complete — not the complex audit you might be imagining.

What Is PCI Compliance (In Plain English)

PCI compliance simply means following a set of security rules designed to protect payment card data. If you accept Visa, Mastercard, American Express, Discover or JCB cards, credit or debit, whether in person, online, or over the phone, these rules apply to you.

The PCI Security Standards Council is the organization created by the major card brands to develop these security standards. Think of them as the rule-makers. They write the PCI DSS (Payment Card Industry Data Security Standard), the official set of requirements for everyone who stores, processes, or transmits cardholder data, and they publish the Self-Assessment Questionnaires that smaller merchants use to validate against it.

But here’s what confuses many business owners: the PCI SSC doesn’t enforce these rules. The card brands run the compliance programs, and your acquirer (the bank that settles your card transactions, or the payment processor or payment facilitator acting on its behalf) is the one who sends you compliance questionnaires and can charge fees if you don’t comply. Companies like Square, Stripe, PayPal, or your merchant services provider are the ones asking you to prove compliance.

The consequences of ignoring that compliance questionnaire? Your payment processor can charge you a non-compliance fee every month (typically $20-100 for small merchants), you can be held liable for the costs of a breach (forensic investigation, card reissuance, and card-brand fines passed through by your acquirer), and in extreme cases you could lose the ability to accept cards entirely. But here’s the good news: most small businesses qualify for the simplest validation requirements, which usually means a short questionnaire and, depending on your SAQ type, quarterly security scans.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:

  • Running cards through a terminal or point-of-sale system
  • Taking payments on your website
  • Accepting cards over the phone
  • Processing mail orders with card numbers
  • Using mobile card readers like Square or PayPal Here

Your merchant level determines how much validation you need to provide. The levels are set per card brand; under Visa’s program, for example, Level 4 covers merchants processing fewer than 20,000 e-commerce transactions a year, or up to 1 million total transactions a year for everyone else. Most small businesses are Level 4, which means you complete a Self-Assessment Questionnaire (SAQ) instead of hiring a Qualified Security Assessor (QSA) for an on-site assessment.

When your payment processor sends that annual compliance questionnaire, they’re essentially asking you to prove you’re following PCI rules appropriate for how you handle card payments. They need this documentation to satisfy the card brands and protect themselves from liability. That questionnaire isn’t bureaucracy — it’s your processor making sure you’re not creating risk for the payment ecosystem.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in different versions based on how you accept and process card payments. Here’s the decision tree in plain language:

If you use a standalone payment terminal

Like Square Terminal, Clover, or a traditional credit card machine that connects via phone line or internet? You’re likely SAQ B (for terminals that dial out over a phone line, or imprint machines) or SAQ B-IP (for standalone, PTS-approved terminals that connect to the processor over the internet). Both assume the terminal is not connected to any other system in your business and does not store card data electronically. The questions are straightforward, mostly about the physical security of the device and, for B-IP, keeping it segmented from the rest of your network.

If you have an e-commerce site with hosted checkout

Using Shopify Payments, WooCommerce with Stripe Checkout, or any solution where customers are redirected to the processor’s site (or to an iframe the processor serves) to enter card details? You’re probably SAQ A, the shortest questionnaire (22 questions under PCI DSS v3.2.1; v4.x adds a few). The catch: SAQ A requires that every element of the payment page reaching the customer’s browser comes from the processor. If your own server delivers the card form, or JavaScript that collects or redirects card data (a “direct post” integration), you’re SAQ A-EP instead, which is considerably longer.

If you take payments by phone

Customers call and read out their card number? Which SAQ you land on depends on how you key it in. Typing it into your processor’s web-based virtual terminal, on a dedicated computer that isn’t used for anything else and isn’t connected to other systems in your business, is SAQ C-VT territory. Keying it into a standalone terminal puts you back under SAQ B or B-IP. Either way you’ll need to show how you protect those phone payments: no writing card numbers on paper or in email, no storing them afterwards, and if you record calls, no retaining the security code (CVV), which may never be stored after authorization, even encrypted.

If you store card numbers

Still saving full card numbers in your own system? First, please stop: your processor almost certainly offers tokenization or card-on-file, which lets you charge returning customers without ever holding the number yourself. Second, storing card numbers electronically makes you ineligible for every short-form SAQ, so you’re looking at SAQ D, the full questionnaire with over 300 questions covering all applicable PCI DSS requirements. This is what you want to avoid.

Payment scenarios, the matching SAQ type, its complexity, and a typical question (question counts are from PCI DSS v3.2.1 and differ in v4.x):

  • Payment page fully hosted by processor (PayPal, Stripe Checkout): SAQ A. Simple (22 questions). Typical question: Do you redirect all card data collection to the processor?
  • Standalone terminal, no computer connection: SAQ B. Simple (41 questions). Typical question: Is the terminal in a secure location?
  • Terminal connected to the internet: SAQ B-IP. Moderate (82 questions). Typical question: Is the terminal behind a firewall, segmented from your other systems?
  • Taking cards over the phone, keyed into an isolated virtual terminal: SAQ C-VT. Moderate (83 questions). Typical question: Do you record phone calls, and if so, is the security code kept out of the recordings?
  • Any scenario where you store card data, or where card data passes through your own systems: SAQ D. Complex (329 questions). The full set of PCI DSS requirements, still self-assessed rather than audited.
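To make the decision tree concrete, here is an added Python example (not the SAQ Wizard, and not code from PCICompliance.com or the PCI SSC) that encodes the eligibility criteria from the SAQ documents for the types discussed here, and goes one step further by also covering SAQ A-EP, SAQ C, and the isolated-computer condition for SAQ C-VT. The field names and the scope ordering in `_RANK` are this example’s own assumptions; the actual SAQ eligibility criteria and your processor’s instructions govern.

```python
from dataclasses import dataclass
from typing import List

# Rough ordering from narrowest to widest scope. Used only to pick the most demanding
# SAQ when a merchant has several payment channels. An assumption made for this example.
_RANK = ["A", "B", "B-IP", "C-VT", "C", "A-EP", "D"]


@dataclass
class Channel:
    """One way the merchant accepts cards. Field names are this example's own."""
    kind: str                                   # "ecommerce", "terminal", or "moto" (mail/telephone order)
    hosted_page: bool = False                   # ecommerce: every payment-page element is served by the processor
    merchant_script_touches_card: bool = False  # ecommerce: your site serves a form or script that handles card data
    connection: str = ""                        # terminal/moto: "dial-out", "ip", "pos-software", "virtual-terminal", "own-system"
    isolated_computer: bool = False             # virtual terminal on a dedicated PC not connected to other systems


def saq_for_channel(ch: Channel) -> str:
    """Map one channel to the SAQ its eligibility criteria point at."""
    if ch.kind == "ecommerce":
        if ch.merchant_script_touches_card:
            return "A-EP"        # direct-post or JavaScript integrations served from your site
        if ch.hosted_page:
            return "A"           # full redirect or processor-served iframe
        return "D"               # card data reaches your own server
    if ch.kind in ("terminal", "moto"):
        if ch.connection == "dial-out":
            return "B"           # standalone dial-out terminal or imprint machine
        if ch.connection == "ip":
            return "B-IP"        # standalone PTS-approved terminal on an IP link to the processor
        if ch.connection == "pos-software":
            return "C"           # payment application running on your own computer or network
        if ch.connection == "virtual-terminal":
            # C-VT requires the virtual terminal to sit on an isolated, single-purpose computer.
            return "C-VT" if ch.isolated_computer else "D"
        return "D"               # keyed into your own system: full scope
    raise ValueError(f"unknown channel kind {ch.kind!r}")


def select_saq(channels: List[Channel], stores_pan_electronically: bool) -> str:
    """Most demanding SAQ across all channels. Electronic PAN storage disqualifies every short form."""
    if stores_pan_electronically:
        return "D"
    if not channels:
        raise ValueError("at least one payment channel is required")
    # A processor may instead ask for SAQ D, or one SAQ per channel, when several types apply.
    return max((saq_for_channel(c) for c in channels), key=_RANK.index)


if __name__ == "__main__":
    shop = [Channel("ecommerce", hosted_page=True), Channel("terminal", connection="ip")]
    print(select_saq(shop, stores_pan_electronically=False))   # B-IP
```

The two conditions that most often move a small merchant off the short forms are visible in the code: a payment page where any script comes from your own server (SAQ A, not A-EP, requires all of it to come from the processor), and a virtual terminal running on the same laptop used for email and browsing (no longer eligible for C-VT).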

Not sure which one fits? PCICompliance.com’s SAQ Wizard asks a few simple questions about how you accept payments and tells you exactly which questionnaire you need — no guesswork required.

How to Complete Your SAQ

Your Self-Assessment Questionnaire is exactly what it sounds like — a series of yes/no questions about your payment security practices. Here’s what to expect:

The questions are straightforward but specific. When they ask “Do you have a firewall?” they mean a properly configured firewall that allows only the traffic your payment systems actually need, with the rule set written down and reviewed when things change. “Yes” means you can show the rules and that they’re enforced, not just that you think your internet router probably has one.

Documentation you’ll need:

  • Your network diagram (even a simple sketch works for small businesses)
  • List of who has access to payment systems
  • Your information security policy (we provide templates)
  • Evidence of your quarterly ASV scans (automated vulnerability scans)

Speaking of ASV scans: these are quarterly external vulnerability scans of your internet-facing systems, run by an Approved Scanning Vendor. The PCI DSS requires them when your SAQ type includes external scanning (SAQ A-EP, B-IP, C and D, for example); a merchant on the fully hosted SAQ A isn’t required to scan by the standard itself, but many processors ask for scans anyway, so follow whatever yours requires. The scans are automated and check your website and any other exposed systems for known weaknesses such as outdated software, weak TLS configurations, and exposed administrative interfaces. They’re not scary: most small business sites pass on the first try, and if you don’t, the report tells you exactly what to fix and you rescan until you pass.

Once you’ve answered all the questions and gathered your documentation, you’ll sign an Attestation of Compliance (AOC). This is your formal declaration that you’ve completed the assessment honestly and maintain the controls you claimed; an attestation that doesn’t match reality gives you no protection if a breach later shows the controls weren’t there. Submit the AOC to your payment processor along with your latest passing ASV scan, if your SAQ type requires scans, and you’re done until next year.

What It Costs

Let’s talk real numbers for PCI compliance:

Compliance platforms and SAQ tools typically run $20-50 per month for small businesses. This includes the questionnaire wizard, policy templates, and compliance tracking. Some payment processors include basic tools for free.

Quarterly ASV scanning costs $30-100 per scan, depending on how many internet-facing addresses are in scope. Many compliance platforms bundle this into their monthly fee. If your SAQ requires scans, you need four passing scans per year, one per quarter, rescanning after fixes until each one passes.

QSA assessment only applies if you’re a Level 1 merchant or have specific requirements from your processor. These formal audits start around $10,000 annually — but again, most small businesses never need one.

Here’s the honest assessment: for most small merchants, a year of compliance costs about what a few months of non-compliance fees would. And those fees are nothing compared to the costs of a breach: average breach liability for small businesses exceeds $50,000, not including lost business and reputation damage.

Think of PCI compliance like business insurance. You’re spending a few hundred dollars annually to avoid potentially business-ending costs if card data gets compromised.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your processor will ask for updated documentation every year, and you need those quarterly ASV scans throughout the year.

Set calendar reminders for:

  • Quarterly ASV scans (every 90 days, if your SAQ type requires them)
  • Annual SAQ renewal (usually on your anniversary date)
  • Security policy reviews (annually or when things change)

What changes trigger a new assessment?

  • Switching payment processors or adding new payment methods
  • Moving from in-person to e-commerce (or vice versa)
  • Starting to store card numbers (please don’t)
  • Major changes to your network or payment systems

PCICompliance.com’s compliance dashboard tracks all these dates automatically. You’ll get email reminders before scans are due, alerts if your compliance status changes, and a clear view of what needs attention. No spreadsheets, no guessing whether you’re current.

FAQ

What exactly is the PCI SSC and why should I care?

The PCI Security Standards Council is the organization formed by Visa, Mastercard, Discover, American Express, and JCB to create universal security standards for card payments. You should care because your payment processor requires you to follow their standards — ignore them and you’ll face fines and potentially lose card processing abilities.

My processor says I need to be “PCI compliant” — what does that actually mean?

It means you need to follow security practices appropriate for how you handle card payments, document that you’re following them via a Self-Assessment Questionnaire, and maintain those practices year-round. For most small businesses, this means completing a simple questionnaire and running quarterly security scans.

How do I know which SAQ type I need?

Look at how you accept payments: fully hosted checkout pages (SAQ A), e-commerce where your own site serves any part of the payment page or its scripts (SAQ A-EP), standalone terminals (SAQ B/B-IP), phone orders keyed into an isolated virtual terminal (SAQ C-VT), or storing card data (SAQ D). When in doubt, use PCICompliance.com’s SAQ Wizard or ask your payment processor which type they expect.

What happens if I just ignore the compliance questionnaire?

Your payment processor will likely start charging non-compliance fees ($20-100 monthly is typical), you’ll be fully liable for any fraud or breaches, and eventually they may terminate your ability to accept cards. The questionnaire usually takes less time than dealing with the consequences of ignoring it.

Do I really need quarterly ASV scans if I’m a tiny business?

If your SAQ type includes external vulnerability scanning (for example, your site serves any of the payment-page code, or you have internet-connected terminals or POS systems), yes, quarterly ASV scans are required regardless of business size. A fully hosted SAQ A checkout isn’t required to scan by the standard, but many processors ask anyway. The scans are automated, usually take minutes to run, and catch security issues before criminals do.

How much should I budget for PCI compliance?

Most small businesses spend $300-600 annually on compliance tools and scanning, roughly what a few months of non-compliance fees would cost and far less than breach costs.

Is PCI compliance a one-time thing or ongoing?

It’s ongoing — you’ll need to complete your SAQ annually, run ASV scans quarterly if required, and maintain security practices year-round. Think of it like renewing your business license.

What if I use Square/PayPal/Stripe — do I still need to worry about PCI?

Yes, but your validation requirements are usually simpler. These providers handle much of the security burden, and their hosted checkouts and standalone readers often qualify you for SAQ A or B. You still need to complete whatever annual questionnaire your processor requires, and to keep card numbers out of your own systems so you stay eligible for the short forms.

Conclusion

Finding that PCI compliance questionnaire in your inbox can feel overwhelming, but now you know the truth — for most businesses, it’s a manageable annual task that protects both you and your customers. The PCI SSC created these standards for good reason: to keep card data secure across the entire payment ecosystem. Your part in that ecosystem might be as simple as completing a 22-question checklist and running automated scans four times a year.

The key is knowing which requirements actually apply to your business and having the right tools to stay on track. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to see just how straightforward your compliance journey can be, or talk to our compliance team if you need guidance getting started.
