What Is a PFI?

Understanding PCI Compliance: What Your Business Needs to Know

If you just received a PCI compliance questionnaire from your payment processor and feel overwhelmed, take a breath. Confusing acronyms aside (including the "What is a PFI?" question this page answers below), here’s the reality: for most small businesses, PCI compliance is much simpler than it sounds. You probably need to answer a few dozen yes/no questions once a year and run quarterly security scans — that’s it. No auditors, no massive security overhauls, no six-figure consulting fees.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover. If your business accepts credit cards in any way, these requirements apply to you.

Think of PCI DSS as basic security hygiene for handling payment cards. The standard exists because credit card data is valuable to criminals, and breaches hurt everyone — cardholders, businesses, banks, and card brands. The requirements cover common-sense practices like using secure passwords, keeping software updated, and protecting customer card data.

The card brands created the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Your acquirer (the bank or payment processor that handles your card transactions) enforces compliance. They’re the ones who sent you that questionnaire, and they’re the ones who can fine you for non-compliance or terminate your ability to accept cards.

Here’s what’s at stake if you ignore PCI compliance:

  • Monthly fines from your processor (typically $50-500 for small merchants)
  • Increased transaction fees
  • Personal liability if a breach occurs
  • Loss of card processing privileges
  • Damage to your reputation and customer trust

But here’s the good news: most small businesses qualify for the simplest compliance paths. You don’t need a team of security experts or expensive consultants. You just need to understand which requirements apply to your specific situation.

Do You Need to Be PCI Compliant?

The simple answer: if you accept credit cards, you need to be PCI compliant. This includes:

  • Running cards through a terminal or point-of-sale system
  • Taking payments through your website
  • Accepting cards over the phone
  • Processing mail-order payments
  • Storing card numbers (even in a filing cabinet)

Your merchant level determines how you prove compliance. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). Level 4 merchants complete a self-assessment questionnaire (SAQ) rather than hiring an external auditor.

Your payment processor expects you to:
1. Complete the appropriate SAQ annually
2. Run quarterly vulnerability scans if you have any systems connected to the internet
3. Submit an Attestation of Compliance (AOC) confirming you’ve met the requirements
4. Fix any security issues identified during the process

That compliance questionnaire they sent? It’s their way of reminding you to complete these steps. The deadline they gave you is real — missing it typically triggers automatic monthly fines.

Which SAQ Do You Need?

The SAQ (Self-Assessment Questionnaire) comes in several versions, each designed for different payment scenarios. Here’s how to determine which one applies to your business:

| How You Accept Payments | SAQ Type | Number of Questions | Complexity Level |
|---|---|---|---|
| Outsource everything to a PCI-compliant processor (PayPal, Square online) | SAQ A | 22 | Simple |
| E-commerce site with payment page on another site (Stripe Checkout) | SAQ A-EP | 139 | Moderate |
| Standalone terminals with dial-up or cellular | SAQ B | 41 | Simple |
| Standalone terminals connected to your network | SAQ B-IP | 82 | Simple to Moderate |
| Payment application connected to the internet | SAQ C | 160 | Complex |
| Manual card entry into a virtual terminal | SAQ C-VT | 85 | Moderate |
| Any electronic card data storage | SAQ D | 329 | Very Complex |

If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B (if it connects via a phone line) or SAQ B-IP (if it connects over your internet connection).

If you have an e-commerce site using hosted checkout where customers are redirected to another site to enter card details (like Shopify Payments or Stripe Checkout), you’re likely SAQ A.

If you take payments over the phone and enter them into a web-based virtual terminal, you’re likely SAQ C-VT.

If you store card numbers in any electronic system — even QuickBooks or Excel — you’re stuck with SAQ D. Seriously consider stopping this practice.

Not sure which applies? PCICompliance.com offers a free SAQ Wizard that asks plain-English questions about your payment setup and tells you exactly which questionnaire you need.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Each “yes” means you’ve implemented that security control. Here’s what to expect:

The questionnaire format: Each question describes a security requirement. You answer yes, no, or N/A (not applicable). For every “no” answer, you’ll need to explain when you’ll fix it or why you have an alternative control in place.

Time investment: SAQ A takes most businesses 30-60 minutes. SAQ B takes 1-2 hours. More complex SAQs can take several days, especially the first time.

Documentation you’ll need:

  • Network diagram (even a simple sketch works for small businesses)
  • List of any systems that handle card data
  • Security policies (password rules, acceptable use, etc.)
  • Vendor agreements showing PCI compliance status
  • Scan reports from your quarterly vulnerability scans

The quarterly ASV scan: If you have any internet-facing systems (website, email server, remote access), you need quarterly vulnerability scans from an Approved Scanning Vendor (ASV). These automated scans check for security weaknesses. Schedule your first scan as soon as possible — fixing any issues found can take time.

Submitting your assessment: Once complete, you’ll sign an Attestation of Compliance (AOC) confirming your answers are accurate. Submit this along with your completed SAQ and passing scan reports to your processor.

What It Costs

PCI compliance costs vary based on your complexity, but here’s what most small businesses spend:

Compliance platforms and tools: $200-1,000 annually for SAQ completion software, guidance, and support. Basic tools just present the questions; better platforms provide plain-English help, track your progress, and store documentation.

ASV scanning services: $100-500 per year for quarterly external scans. Some compliance platforms include this; others charge separately.

Professional help: Most Level 4 merchants don’t need a QSA. If you do need expert assistance, expect $150-500 hourly for consultation or $2,000-10,000 for a full assessment.

The cost of non-compliance: Your processor will charge $50-500 monthly for non-compliance. A data breach could cost hundreds of thousands in fines, forensic investigations (conducted by a PFI — PCI Forensic Investigator), card reissuance fees, and lawsuits. One year of compliance costs less than one month of breach response.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly obligations. Here’s how to stay on track:

Set up your compliance calendar:

  • Annual SAQ due date (usually 30-90 days before your processor’s deadline)
  • Quarterly ASV scan dates (every 90 days)
  • Annual review of security policies and procedures
  • Update reminders for any software or systems

Know what triggers a reassessment:

  • Changing payment processors or methods
  • Adding new locations or payment channels
  • Implementing new software that touches card data
  • Significant network changes

Track your compliance status: Use a compliance dashboard that shows your current status, upcoming deadlines, and any open remediation items. PCICompliance.com’s platform automatically tracks all these elements and sends reminders before deadlines.

FAQ

What happens if I ignore the PCI questionnaire my processor sent?

Your processor will start charging monthly non-compliance fees (typically $50-500) after the deadline passes. These fees continue until you submit your completed assessment. Some processors also increase your transaction rates or hold a reserve from your deposits.

Do I need to hire a security consultant to complete my SAQ?

Most small businesses don’t need outside help for simple SAQ types (A, B, B-IP). The questions are straightforward, and good compliance platforms provide guidance. You might need help if you’re SAQ D or struggling with technical requirements.

What’s the difference between PCI compliance and EMV compliance?

PCI compliance covers overall card data security. EMV (chip card) compliance specifically relates to accepting chip cards to reduce fraud liability. You need both — EMV terminals help with PCI compliance but don’t replace it.

Can I just say “yes” to all the questions to pass?

Falsifying your SAQ is fraud and breach of contract with your processor. If a breach occurs and investigation reveals false attestation, you face personal liability, immediate termination, and placement on the MATCH list (essentially a ban from accepting cards).

How do I know if my payment provider is handling compliance for me?

Check if they’re a PCI-compliant payment facilitator and whether they completely remove your systems from scope. Services like Square, Stripe, and PayPal handle much of the compliance burden, but you still have responsibilities. Ask your provider which SAQ type applies to their merchants.

What if I fail my vulnerability scan?

Failed scans are common on the first attempt. Your ASV provides a report detailing what needs fixing. Address the critical and high-risk findings, rescan, and repeat until you pass. Most issues are outdated software or unnecessary services that can be updated or disabled.

Do I need PCI compliance if I only process a few transactions per month?

Yes, compliance applies regardless of transaction volume. The good news is that your low volume likely qualifies you for the simplest SAQ types and the lowest merchant level, making compliance relatively easy.

What’s a PFI and when would I need one?

A PFI (PCI Forensic Investigator) is a specialized firm approved by the PCI Council to investigate card data breaches. You’d only need a PFI if you experience a suspected breach — your processor would require a forensic investigation to determine what happened and which cards were compromised.

Taking the First Step

PCI compliance sounds intimidating, but for most small businesses, it’s manageable with the right approach. Start by understanding which SAQ applies to your payment setup — that alone eliminates 90% of the confusion. Then work through the requirements methodically, fixing any gaps as you go.

The investment in compliance pays for itself by avoiding non-compliance fees and reducing your breach risk. More importantly, it helps protect your customers’ payment data and your business’s reputation.

Ready to get started? PCICompliance.com makes the entire process straightforward. Our free SAQ Wizard identifies your exact requirements in minutes. Our ASV scanning service handles your quarterly scans automatically. And our compliance dashboard keeps you on track year-round, sending reminders before deadlines and tracking your progress. Whether you need to complete your first assessment or simplify your annual renewal, we provide the tools and guidance to achieve compliance without the complexity. Start with our SAQ Wizard to identify your requirements, or contact our compliance team for personalized guidance on your path to PCI compliance.
