Why Annual SAQ Completion?

Bottom Line Up Front

That compliance questionnaire from your payment processor? It’s your annual SAQ (Self-Assessment Questionnaire) for PCI compliance. If you accept credit cards — even just through a Square reader or PayPal — you need to complete one every year. The good news: for most small businesses, the process takes about an hour and costs less than your monthly phone bill. You don’t need to be a security expert, and you definitely don’t need to panic. Let’s walk through exactly what you need to do.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to protect credit card information. Think of it as basic security hygiene for businesses that accept card payments — like locking your doors at night or password-protecting your computer.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council. But here’s the important part: your payment processor or acquiring bank is the one who actually enforces them. That’s why they sent you that questionnaire.

What Happens If You Don’t Comply?

Your processor can (and will) fine you for non-compliance — typically $25-$100 per month until you complete your requirements. If there’s a data breach and you weren’t compliant, you could face:

  • Liability for fraudulent charges on compromised cards
  • Forensic investigation costs ($10,000-$100,000+)
  • Card brand fines (starting at $5,000 per month)
  • Loss of ability to accept credit cards entirely

But here’s what most compliance companies won’t tell you: if you’re a small business using modern payment tools, achieving compliance is usually straightforward. You’re probably already doing most of what’s required — you just need to document it.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes.

It doesn’t matter if you only process five transactions a month or if you only accept cards at craft fairs. The moment a customer hands you a credit card, types their number into your website, or reads it to you over the phone, you’re in scope for PCI compliance.

Your Merchant Level

Most small businesses fall into Merchant Level 4 — processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. This is good news because Level 4 merchants have the simplest compliance requirements:

  • Complete an annual SAQ (that questionnaire your processor sent)
  • Run quarterly vulnerability scans if you have an e-commerce website
  • Submit your Attestation of Compliance (AOC) — basically your compliance certificate

Your processor determines your merchant level based on your annual transaction volume. They’ll tell you which level you are in that compliance packet they sent.

What Your Payment Processor Expects

When your acquirer or payment processor sends that annual compliance questionnaire, they’re essentially saying: “Prove to us that you’re handling credit cards safely.” They want:

1. A completed SAQ appropriate to how you accept payments
2. A passing vulnerability scan (if required for your payment methods)
3. An Attestation of Compliance signed by you or a company officer

Miss the deadline they set? That’s when the monthly non-compliance fees start.

Which SAQ Do You Need?

The PCI Security Standards Council offers nine different SAQ types, but most small businesses only need to worry about four. Here’s how to figure out which one applies to you:

The SAQ Decision Tree in Plain Language

| How You Accept Payments | Your SAQ Type | Questions to Answer | Typical Time to Complete |
|---|---|---|---|
| Redirect to payment page (PayPal, Stripe Checkout) | SAQ A | 22 questions | 20-30 minutes |
| Payment forms on your site (Stripe Elements, Square Web Payments) | SAQ A-EP | 139 questions | 2-3 hours |
| Standalone terminal (Square Reader, Clover Go) | SAQ B | 41 questions | 30-45 minutes |
| Terminal + computer (connected to POS system) | SAQ B-IP | 87 questions | 1-2 hours |
| Phone orders (virtual terminal, key-entered) | SAQ C-VT | 160 questions | 2-4 hours |
| Store/process card data (please reconsider) | SAQ D | 329 questions | Days to weeks |

Common Scenarios

“I use Square at my farmer’s market booth” → You’re probably SAQ B. Your Square reader is a standalone device that doesn’t connect to other systems.

“I have a Shopify store” → You’re likely SAQ A. Shopify handles all the card processing — customers never enter card details on your actual website.

“I take orders over the phone and type them into my computer” → That’s SAQ C-VT territory. You’re manually entering card numbers, which adds requirements.

“We have an old system that saves customer card numbers” → You need SAQ D, and you should seriously consider upgrading to a system that doesn’t store card data.

Not sure which SAQ applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which questionnaire you need. No jargon, no guessing.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your security practices. Despite what it might feel like, these aren’t trick questions — they’re asking about basic security measures.

What “Yes” Really Means

When a question asks “Do you restrict physical access to cardholder data?” and you answer yes, you’re saying:

  • Our payment terminal is in a secure location (not sitting unattended in a public area)
  • Only authorized staff can access our payment systems
  • We lock up any paper receipts with card numbers

You don’t need fancy biometric locks or security guards. “Restricted access” can mean the terminal is behind your counter where only employees can reach it.

Documentation You’ll Need

Before starting your SAQ, gather:

  • List of payment devices (terminal model numbers, software versions)
  • Network diagram (for SAQ types beyond A and B — can be a simple sketch)
  • Security policies (even basic ones count — “employees must log out when leaving their desk”)
  • Vendor agreements (contracts with your payment processor, POS provider)

The Quarterly ASV Scan

If you have any kind of e-commerce presence (even just a “buy now” button on your website), you’ll need quarterly vulnerability scans from an Approved Scanning Vendor.

Here’s what actually happens:

1. The ASV scans your website’s public-facing IP addresses
2. They check for known vulnerabilities (outdated software, security holes)
3. You get a report showing what passed or failed
4. You fix any failures and rescan
5. Once you pass, you’re good for three months

This sounds scarier than it is. Most well-maintained websites pass on the first try. If you use a major hosting provider or website platform, they’re already handling most of what the scan checks for.

Submitting Your Compliance Package

Once you’ve completed your SAQ and have passing scans (if required), you’ll:

1. Generate your Attestation of Compliance (AOC)
2. Have it signed by an authorized officer of your company
3. Submit everything through your processor’s compliance portal
4. Save copies for your records

That’s it. You’re compliant for another year.

What It Costs

Let’s talk real numbers. PCI compliance isn’t free, but for most small businesses, it’s far less expensive than you might fear.

Compliance Tools and Platforms

  • SAQ completion tools: $100-$300 per year
  • Compliance management platforms: $200-$500 per year
  • All-in-one solutions (like PCICompliance.com): $300-$600 per year

Quarterly ASV Scanning

  • Basic scanning service: $100-$200 per year (all four quarterly scans)
  • Scanning with remediation support: $200-$400 per year
  • Often included with compliance platform subscriptions

If You Need a QSA

Most Level 4 merchants don’t need a Qualified Security Assessor. But if you do:

  • SAQ validation by QSA: $2,000-$5,000
  • Full Report on Compliance (ROC): $15,000-$50,000+

The Cost of Non-Compliance

Here’s what you risk by ignoring that questionnaire:

  • Monthly non-compliance fees: $25-$100 from your processor
  • Data breach without compliance: Average $150,000 for small businesses
  • Card brand fines: Starting at $5,000/month, up to $100,000/month
  • Lost business: Customers don’t trust businesses that mishandle their data

Honest assessment: For most small merchants, annual compliance costs less than a single month’s non-compliance fine. It’s not an expense — it’s insurance.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. Your processor will send that questionnaire again next year, and you’ll need to stay on top of quarterly scans if they apply to you.

Key Dates to Track

  • Annual SAQ due date (usually the anniversary of your merchant account)
  • Quarterly scan windows (every 90 days from your first scan)
  • Major changes that might change your SAQ type (new payment methods, new locations)

What Triggers a New Assessment

You’ll need to reassess your compliance if you:

  • Add new payment channels (start taking phone orders, add e-commerce)
  • Change payment providers or processors
  • Significantly increase transaction volume
  • Experience a data breach or security incident

Making It Manageable

Set calendar reminders for:

  • 30 days before your annual SAQ is due
  • One week before each quarterly scan window
  • Annual review of your payment processes

PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and shows your compliance status at a glance. No more scrambling when your processor’s deadline approaches.

FAQ

Q: Do I really need to do this every year?

Yes, PCI compliance is an annual requirement. Credit card fraud evolves constantly, so the card brands require yearly verification that your security measures are current. Think of it like renewing your business license — it confirms you’re still operating safely.

Q: What if I only accept payments through PayPal?

You still need to complete an SAQ, but it’s the simplest type (SAQ A). Since PayPal handles all the actual card processing, you’re just confirming that you redirect customers to PayPal’s secure environment. The whole questionnaire takes about 20 minutes.

Q: Can I just ignore the compliance questionnaire?

Technically yes, but it’s expensive. Your processor will charge monthly non-compliance fees, and if there’s a breach, you’re fully liable. One small business ignored PCI and ended up paying $50,000 in forensic investigation fees after a breach — far more than a lifetime of compliance would have cost.

Q: Do I need to hire a security consultant?

For most small businesses, no. If you qualify for SAQ A, B, or C-VT, the questions are straightforward enough to answer yourself. Save the consultant fees for if you genuinely get stuck or need SAQ D compliance.

Q: What’s the difference between my payment gateway and processor asking for compliance?

Your payment processor (who moves the money) is usually the one requiring PCI compliance. Your payment gateway (who captures the card details) might have their own security questionnaire, but the official PCI SAQ comes from your processor or acquiring bank.

Q: Is PCI compliance the same as being EMV compliant?

No, they’re different requirements. EMV (chip cards) is about the physical card reader technology, while PCI covers your overall card data security. You need both — EMV terminals for card-present transactions and PCI compliance for all card acceptance.

Q: How do I know if my website needs vulnerability scanning?

If customers enter any information on your website — even just their email address on the same domain where you process payments — you need quarterly ASV scans. When in doubt, scan. It’s inexpensive and provides valuable security feedback beyond just PCI compliance.

Q: What if I fail a vulnerability scan?

Don’t panic — first-time failures are common. The scan report shows exactly what failed and usually how to fix it. Most issues are simple updates or configuration changes your web host can handle. Fix the issues, request a rescan, and you’ll typically pass within a few days.

Conclusion

That annual SAQ your payment processor sent isn’t a bureaucratic hassle — it’s a health check for your payment security. For most small businesses, completing it takes less time than doing your quarterly taxes and costs less than your annual business insurance.

The key is choosing the right SAQ type for how you actually accept payments. Use modern payment tools that minimize your compliance scope. Answer the questions honestly based on your real practices, not perfection. And set up a simple system to track your annual and quarterly requirements.

PCICompliance.com simplifies this entire process. Our free SAQ Wizard identifies exactly which questionnaire you need — no payment industry jargon required. Our ASV scanning service handles your quarterly vulnerability scans with automatic scheduling and clear remediation guidance. And our compliance dashboard tracks everything in one place, sending reminders before deadlines and storing your documentation securely. Whether you’re completing your first SAQ or your tenth, we provide the tools and support to achieve compliance without the complexity. Start with our free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team about a complete solution that handles everything from scanning to submission.
