When Do You Need a QSA Audit?

If you just received a PCI compliance questionnaire from your payment processor and your first thought was “What is this and do I really need to deal with it?” — take a deep breath. For most small businesses, PCI compliance is actually much simpler than it sounds. You probably don’t need a QSA audit at all. Instead, you’ll complete a short self-assessment questionnaire, run some basic security scans, and move on with running your business. Let’s break down exactly what you need to do.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to anyone who accepts credit card payments. Think of it as basic security hygiene for handling customer payment information — the digital equivalent of locking your cash register at night.

The major card brands (Visa, Mastercard, American Express, Discover) created these standards through the PCI Security Standards Council. But they don’t enforce compliance directly. Instead, your acquirer (the bank or payment processor that handles your card transactions) sends you that annual questionnaire and expects you to confirm you’re following the rules.

Why should you care? Non-compliance can result in monthly fines from your processor (typically $5-100 per month for small merchants), but the real risk is liability. If your business experiences a data breach and you’re not compliant, you could be responsible for fraud losses, forensic investigation costs, and card replacement fees. Some processors will even terminate your ability to accept cards.

Here’s the good news: the PCI standards recognize that a small coffee shop has different security needs than Amazon. Most small businesses qualify for the simplest compliance requirements — often just answering a short questionnaire and running quarterly security scans.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a food truck with a mobile reader, an online boutique, or a dental office that keeps cards on file for payment plans. Touch credit card data, even for a moment, and PCI DSS applies to you.

Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or 1 million total card transactions annually). Level 4 merchants complete a self-assessment questionnaire — no QSA required.

When your payment processor sends that compliance questionnaire, they’re essentially asking: “Are you following basic security practices to protect the card data flowing through your business?” They need this confirmation to satisfy the card brands that their merchant portfolio is secure. That questionnaire isn’t optional — it’s part of your merchant agreement.

Which SAQ Do You Need?

The most confusing part of PCI compliance is figuring out which SAQ (Self-Assessment Questionnaire) applies to your business. Think of SAQs as different compliance paths based on how you accept payments. Here’s the decision tree in plain language:

If you redirect customers to a third-party payment page (like PayPal, Square Online, or Stripe Checkout) where they enter card details on the payment provider’s website → You need SAQ A (the simplest one, about 20 questions)

If you use a standalone payment terminal that connects directly to your processor (like a Clover terminal or traditional credit card machine) → You need SAQ B (about 40 questions) or SAQ B-IP if it connects via internet

If you have an e-commerce website where customers enter card details on your pages (even if you don’t store them) → You need SAQ A-EP (about 140 questions covering your website security)

If you take payments over the phone and enter them into a virtual terminal or payment system → You need SAQ C-VT (about 80 questions)

If you store card numbers in any form (files, databases, even paper) → You need SAQ D (over 300 questions — and you should really consider stopping this practice)

Here’s a quick reference table:

Payment Scenario                           | SAQ Type | Questions | Complexity
-------------------------------------------|----------|-----------|-----------
Redirect to PayPal/Stripe Checkout         | SAQ A    | ~20       | Simple
Square/Clover terminal only                | SAQ B    | ~40       | Simple
Terminal with internet connection          | SAQ B-IP | ~80       | Moderate
E-commerce with payment form on your site  | SAQ A-EP | ~140      | Moderate
Phone orders into virtual terminal         | SAQ C-VT | ~80       | Moderate
Any card number storage                    | SAQ D    | 300+      | Complex

Not sure which one applies? PCICompliance.com offers a free SAQ Wizard — answer a few questions about how you accept payments, and we’ll tell you exactly which questionnaire you need.

How to Complete Your SAQ

Once you know which SAQ applies, completing it is straightforward. The questionnaire consists of yes/no questions about your security practices. Each question relates to a specific PCI requirement, like “Do you change default passwords on payment systems?” or “Do you have a firewall protecting your payment environment?”

Answering “yes” means you currently have that security control in place. If you answer “no,” you’ll need to either implement the control or explain why it doesn’t apply to your environment. For most Level 4 merchants, there’s no external validation — you’re attesting that your answers are accurate.

You’ll need to gather some basic documentation:

  • Network diagram (can be hand-drawn) showing how payment data flows through your business
  • Vendor list of any third parties that handle your payment processing
  • Security policies (many small businesses create these during their first compliance assessment)

Don’t forget the quarterly ASV scan requirement. An Approved Scanning Vendor runs automated security scans of any internet-facing systems that handle card data. These scans check for vulnerabilities like outdated software or weak security settings. Schedule your first scan as soon as you identify which systems are in scope.

Once you’ve completed the questionnaire and passed your ASV scans, you’ll sign an Attestation of Compliance (AOC) — basically a formal statement that you’ve completed the assessment and meet the requirements. Submit this to your acquirer by their deadline, and you’re done for the year.

What It Costs

Let’s talk real numbers. For most small merchants, annual PCI compliance costs include:

Compliance platform fees: $200-500 per year for tools that guide you through the SAQ, track your progress, and store documentation. Some payment processors include basic tools with your merchant account.

ASV scanning: $100-300 per year for quarterly external vulnerability scans. Required for most merchants with any internet-connected payment systems.

Potential remediation: If scans find issues, you might need IT help to fix them. Budget a few hours of IT support time.

For comparison, non-compliance typically costs more than staying compliant:

  • Monthly non-compliance fees from your processor: $20-100
  • If you experience a breach while non-compliant: $5,000-50,000+ in forensic investigation fees
  • Lost ability to accept cards: Devastating for most businesses

For Level 1 merchants (processing over 6 million transactions annually), you’ll need a full QSA audit which can cost $15,000-50,000 annually. But if you’re reading this guide wondering when you need a QSA audit, you’re probably not at that volume.

Staying Compliant Year-Round

PCI compliance isn’t a one-time checkbox — it’s an annual cycle with quarterly checkpoints. Your processor will send that questionnaire every year, and you’ll need current ASV scans each quarter.

Set calendar reminders for:

  • Annual SAQ due date (usually on your merchant account anniversary)
  • Quarterly ASV scans (every 90 days)
  • Security update reviews (monthly is good practice)

Major changes to your payment setup trigger a reassessment. Adding a new e-commerce platform, changing payment terminals, or starting to store card data could move you to a different SAQ type. When in doubt, run through the SAQ Wizard again.

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sends reminders before deadlines, and maintains your compliance history in one place. No more scrambling when your processor asks for last year’s AOC.

FAQ

I’m just a small business. Do I really need to worry about this?

Yes, but it’s probably simpler than you think. Your payment processor requires PCI compliance as part of your merchant agreement. For most small businesses using modern payment systems, you’ll spend 2-3 hours per year on compliance. That’s far less time than you’d spend dealing with a breach or processor fines.

What happens if I ignore the compliance questionnaire?

Your processor will likely start charging monthly non-compliance fees ($20-100 typically). More seriously, if you experience a breach while non-compliant, you could be liable for fraud losses and investigation costs. Some processors will eventually terminate non-compliant merchants.

How do I know if I need a QSA audit versus self-assessment?

Check your processing volume. Level 1 merchants (over 6 million transactions annually) need a QSA audit. Everyone else can self-assess using the appropriate SAQ. If your processor specifically requires a QSA audit due to previous security issues, they’ll tell you explicitly.

Can I just check ‘yes’ to all the questions?

Only if it’s true. You’re legally attesting to your answers’ accuracy. False attestation is fraud and could result in personal liability if a breach occurs. If you can’t honestly answer ‘yes,’ either implement the control or work with a compliance professional to document compensating controls.

Do I need to be compliant if I only accept payments through PayPal?

Yes, but you likely qualify for SAQ A — the simplest form with about 20 questions. Even though PayPal handles the actual card data, you’re still part of the payment ecosystem and need to maintain basic security controls like using strong passwords and keeping your integration secure.

How often do I need to run ASV scans?

Quarterly (every 90 days) at minimum. You need four passing scans within the compliance year. If a scan fails, you must remediate the issues and run a clean scan before the quarter ends. Many merchants run scans monthly to catch issues early.

What if my payment setup changes during the year?

Reassess immediately. Changes like adding e-commerce, switching payment processors, or starting to store card data could move you to a different SAQ type. Run through the SAQ Wizard again whenever your payment environment changes significantly.

Is PCI compliance the same as being secure?

PCI compliance is a security baseline, not comprehensive protection. Think of it as the minimum acceptable security standard for handling card data. Smart merchants use PCI requirements as a starting point and add additional security measures based on their specific risks.

Conclusion

When you need a QSA audit comes down to one factor: your processing volume. If you’re processing over 6 million transactions annually, you’re a Level 1 merchant who needs annual QSA audits. Everyone else self-assesses using the appropriate SAQ.

For most businesses receiving that first compliance questionnaire, the path forward is clear: identify which SAQ applies to your payment setup, answer the questions honestly, run your quarterly ASV scans, and submit your attestation. It’s a few hours of work that protects your business and keeps your processor happy.

PCICompliance.com simplifies this entire process. Our free SAQ Wizard identifies exactly which questionnaire you need in minutes. Our platform guides you through each requirement with plain-English explanations. Built-in ASV scanning runs automatically every quarter, and our compliance dashboard tracks everything in one place. No more confusion about requirements, no missed deadlines, no compliance headaches. Start with our free SAQ Wizard to see exactly what your compliance journey looks like, or contact our team for personalized guidance. We’ve helped thousands of merchants achieve compliance — from food trucks to enterprise retailers — and we’re here to help you too.
