When to Rescan After Remediation?

Bottom Line Up Front

If you just received a PCI compliance questionnaire from your payment processor and you’re staring at terms like “ASV scan” and “remediation,” take a deep breath. For most small businesses, PCI compliance is simpler than it sounds, and knowing when to rescan PCI systems after fixing security issues is even simpler. Here’s what you actually need to know: if your quarterly scan failed, you have 30 days to fix the issues and rescan. That’s it — no mystery, no complex timeline calculations.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) exists for one reason: to protect credit card data from theft. If you accept credit cards in any form — whether through a terminal, online, or over the phone — these rules apply to you.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But here’s who actually enforces them: your acquirer (the bank that processes your card payments) or your payment processor. They’re the ones who sent you that compliance questionnaire.

What happens if you ignore it? Your processor can fine you monthly (typically $25-$500 for small merchants), you become liable for fraud losses if there’s a breach, and worst case — they can terminate your ability to accept credit cards. The good news? Most small businesses qualify for the simplest compliance requirements, which take just a few hours per year to complete.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a food truck with a Square reader or a Fortune 500 retailer — the moment you take a credit card payment, PCI DSS applies to you.

Your merchant level determines how much documentation you need. Most small businesses processing fewer than 1 million transactions annually are Level 4 merchants. This means you complete a self-assessment questionnaire (SAQ) instead of hiring an expensive auditor.

Your payment processor expects three things from you annually: a completed SAQ that matches your payment setup, an Attestation of Compliance (AOC) confirming you’ve met the requirements, and usually quarterly vulnerability scans from an Approved Scanning Vendor (ASV). That compliance questionnaire they sent? It’s their way of collecting this documentation to prove to the card brands that their merchants are secure.

Which SAQ Do You Need?

The Self-Assessment Questionnaire comes in different versions based on how you accept payments. Here’s the decision tree in plain language:

| How You Accept Payments | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect to payment page (PayPal, Square Checkout) | SAQ A | 22 | Easiest |
| Payment form on your site (Stripe Elements, embedded iframe) | SAQ A-EP | 191 | Moderate |
| Standalone terminal (no computer connection) | SAQ B | 41 | Easy |
| Terminal connected to internet | SAQ B-IP | 82 | Easy-Moderate |
| Phone/mail orders (no electronic storage) | SAQ C-VT | 160 | Moderate |
| Any electronic card storage | SAQ D | 329+ | Complex |

Common scenarios:

  • Running a Shopify store? You’re likely SAQ A since Shopify handles all the card data
  • Using Square or Clover terminals? That’s SAQ B or B-IP depending on connectivity
  • Taking orders over the phone? You’re looking at SAQ C-VT
  • Storing card numbers in your system? Please stop — but if you must, that’s SAQ D

PCICompliance.com offers a free SAQ Wizard that asks a few simple questions about your payment setup and tells you exactly which questionnaire applies. No guessing required.

How to Complete Your SAQ

Your SAQ looks like a security checklist with yes/no questions. When you answer “yes,” you’re confirming you have that security control in place. For example: “Do you change default passwords on payment terminals?” isn’t asking if you know how — it’s asking if you’ve actually done it.

Documentation you’ll need:

  • List of all payment terminals and their locations
  • Your network setup (for anything beyond SAQ A or B)
  • Security policies (templates are fine for small merchants)
  • Scan results from your ASV

The quarterly ASV scan checks your public-facing systems for vulnerabilities. It’s required for any SAQ type where you have internet-connected payment systems. The scan takes about 30 minutes to run and generates a report showing if you passed or failed. If you fail, you have 30 days to fix the issues and rescan — this answers our main question about when to rescan PCI systems.

Submit your completed SAQ and AOC to your payment processor through their portal or via email. Keep copies for your records — they’re valid for one year.

What It Costs

Compliance platform and SAQ tools: $200-$500 annually for small merchants. This typically includes questionnaire guidance, policy templates, and a compliance dashboard to track your progress.

Quarterly ASV scanning: $100-$300 per year for all four required scans. Some compliance platforms bundle this with their annual fee.

If you need a QSA: Only required for Level 1 merchants (over 6 million transactions annually). For everyone else, self-assessment is sufficient. QSA assessments run $10,000-$50,000 — another reason to stay below that threshold if possible.

The cost of NON-compliance: Monthly fines from your processor ($25-$500), increased transaction fees, liability for any fraud losses, and potential loss of card processing abilities. For most small merchants, annual compliance costs less than a single month of non-compliance fines.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly touch points. Your SAQ expires after 12 months, and those ASV scans are due every 90 days.

Set up these reminders:

  • Quarterly ASV scan due dates
  • Annual SAQ renewal (60 days before expiration)
  • Security update schedules for payment systems
  • Password change intervals

What changes trigger a new assessment:

  • Adding new payment channels (like starting e-commerce)
  • Changing payment processors or terminals
  • Beginning to store cardholder data
  • Major network or system changes

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and flagging any changes that might affect your SAQ type. No spreadsheets or calendar management required.

FAQ

Q: I only process a few cards per month. Do I still need to comply?
A: Yes, PCI DSS applies regardless of transaction volume. Even one card payment per year means you need to complete an SAQ and maintain compliance.

Q: How long does completing an SAQ take?
A: For SAQ A or B (most small merchants), expect 2-4 hours including gathering documentation. More complex SAQs can take days, but if you need those, you probably have IT staff to help.

Q: What’s the difference between a vulnerability scan and an ASV scan?
A: An ASV scan is a specific type of vulnerability scan performed by a PCI-approved vendor. Only ASV scans count for PCI compliance — your IT department’s internal scans don’t satisfy this requirement.

Q: Can I just tell my processor I’m compliant without doing the work?
A: Technically yes, but you’re accepting massive liability. If there’s a breach, you’ll face fines, lawsuits, and forensic investigation costs that can bankrupt a small business.

Q: My payment processor says I need to rescan after failing. How long do I have?
A: You have 30 days from a failed scan to fix the issues and achieve a passing scan. This is when to rescan PCI systems — as soon as you’ve fixed the vulnerabilities but within that 30-day window.

Q: Do I need to be PCI compliant if I only use PayPal or Square?
A: Yes, but it’s much easier. These services handle most security requirements for you, so you’ll typically qualify for SAQ A with just 22 questions.

Q: What if I can’t fix all the vulnerabilities within 30 days?
A: Contact your payment processor immediately. They may grant an extension or help you implement compensating controls while you work on permanent fixes.

Q: Is PCI compliance the same as being secure?
A: PCI DSS provides a solid security baseline, but it is a set of minimum requirements. True security means going beyond compliance to protect your entire business, not just card data.

Conclusion

That PCI compliance questionnaire in your inbox might look intimidating, but now you know what it means and what to do next. For most small businesses, achieving compliance means spending a few hours annually on a simple questionnaire and running quarterly scans of your payment systems. When those scans find issues, you have 30 days to fix and rescan — straightforward and manageable.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans with automated rescanning when needed, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to identify your requirements in under 5 minutes, or talk to our compliance team if you need guidance on remediation and rescanning timelines. We’ve helped thousands of merchants navigate their first compliance assessment, and we’re here to make yours just as smooth.
