Why Is Segmentation Important?
Bottom Line Up Front
Getting that PCI compliance questionnaire from your payment processor can feel overwhelming, but here’s the truth: for most small businesses, PCI compliance is simpler than you think. You probably don’t need to hire expensive consultants or overhaul your entire payment system. In fact, if you’re using modern payment terminals or hosted checkout pages, you might already be doing most of what’s required. This guide will walk you through exactly what PCI compliance means, which questionnaire you need to complete, and how to get it done without the stress.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by the major card brands — Visa, Mastercard, American Express, and Discover — to protect credit card data. If you accept card payments in any form, these requirements apply to you.
Think of it this way: the card brands want to ensure that every business handling credit cards follows basic security practices. They created the PCI Security Standards Council to manage these standards, but it’s your payment processor or acquiring bank who actually enforces them and collects your compliance documentation.
The consequences of non-compliance are real but manageable. Your payment processor can impose fines (typically $20-$100 monthly for small merchants), you face liability if there’s a data breach, and in extreme cases, you could lose your ability to accept credit cards. But here’s the good news: most small businesses qualify for the simplest SAQ types, which means answering a handful of yes/no questions once a year and running quarterly security scans.
Your compliance questionnaire isn’t a punishment — it’s your payment processor making sure you’re protecting your customers’ card data. Complete it once, set up a few simple processes, and you’re good for the year.
Do You Need to Be PCI Compliant?
The simple answer: if you accept credit cards in any form, yes, you need to be PCI compliant. This includes:
- Running cards through a terminal
- Processing payments on your website
- Taking card numbers over the phone
- Storing customer card information (please reconsider this one)
Your merchant level determines how much documentation you need to provide. Most small businesses are Level 4 merchants (processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually). This is good news — Level 4 merchants can self-assess using an SAQ rather than hiring a QSA for a full assessment.
That compliance questionnaire your payment processor sent? It’s their way of verifying you meet PCI requirements. They’re required to collect this documentation annually, and they’ll keep sending reminders (and eventually fines) until you complete it. The questionnaire typically includes:
- The appropriate SAQ (Self-Assessment Questionnaire) for your business
- An AOC (Attestation of Compliance) — basically your signature saying the answers are accurate
- Evidence of quarterly vulnerability scans if you process payments online
Which SAQ Do You Need?
Understanding why segmentation is important for PCI starts with choosing the right SAQ. The PCI Security Standards Council created different questionnaires for different payment scenarios. Here’s how to identify yours:
| How You Accept Payments | SAQ Type | Number of Questions | Complexity Level |
|---|---|---|---|
| Fully outsourced (PayPal, Square online) | SAQ A | 22 | Simple |
| E-commerce with hosted checkout (Stripe, Shopify) | SAQ A-EP | 191 | Moderate |
| Standalone terminals only (Square Reader, Clover) | SAQ B | 41 | Simple |
| Standalone terminals with IP connection | SAQ B-IP | 91 | Simple to Moderate |
| Phone/mail orders entered into virtual terminal | SAQ C-VT | 125 | Moderate |
| Everything else (storing cards, complex systems) | SAQ D | 339 | Complex |
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B or B-IP. These are straightforward — mostly asking about physical security of the terminals and basic network safety if they connect to the internet.
If you have an e-commerce site using hosted checkout (where customers are redirected to pay, or the payment fields are embedded from your processor), you’re likely SAQ A or A-EP. These focus on how your website handles the redirect and whether your other systems could impact payment security.
If you take card payments over the phone and enter them into a web-based virtual terminal, you need SAQ C-VT. This covers how you protect the computer used for entering payments.
If you store card numbers in any system, database, or even spreadsheets, you’re stuck with SAQ D — the full questionnaire with 339 requirements. This is where understanding why segmentation is important for PCI becomes crucial. Consider switching to tokenization or working with a payment processor who stores cards for you.
Not sure which one fits? PCICompliance.com’s SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which SAQ applies to your business.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your payment security practices. Here’s what to expect:
Each question asks whether you’ve implemented a specific security control. Answering “yes” means you currently do what the question asks — not that you plan to or think it’s a good idea. For example, if the question asks “Do you change default passwords on payment terminals?” you can only answer yes if you’ve actually changed them.
Documentation you’ll need:
- List of all payment terminals and their locations
- Your network diagram (even a simple sketch works for small businesses)
- Copies of your security policies (many small businesses use templates)
- Results from your quarterly ASV scans if you accept payments online
Speaking of ASV scans — if you have any internet-facing systems (like a website or IP-connected terminal), you need quarterly vulnerability scans from an Approved Scanning Vendor. These automated scans check for security weaknesses and typically take 15-30 minutes to run. You’ll need four passing scans per year, so start early.
Once you’ve answered all questions and gathered your documentation:
1. Complete the AOC (Attestation of Compliance) — this is your official signature
2. Submit everything through your payment processor’s compliance portal
3. Schedule your next quarterly scan if required
4. Mark your calendar for next year’s assessment
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your SAQ type and payment volume, but here’s what most small businesses spend:
Compliance platform and SAQ tools: Free to $30/month. Some payment processors include basic tools, while comprehensive platforms with guided questionnaires and policy templates run $200-$350 annually.
Quarterly ASV scanning: $50-$150 per scan, or $200-$600 annually. Many compliance platforms bundle this with their SAQ tools. Remember, you need four passing scans per year if you process payments online.
QSA assessment: Only required for Level 1 merchants or if your processor specifically demands it. These run $10,000-$50,000+ and aren’t needed for most small businesses.
Now consider the cost of non-compliance:
- Monthly fines from your processor: $20-$100 (every month until you comply)
- Breach liability: $50-$90 per compromised card, plus forensic investigation costs
- Lost ability to process cards: devastating for most businesses
The honest assessment: For most small merchants, annual compliance costs less than paying non-compliance fines for just a few months. Budget $300-$600 annually for tools and scanning — less than you’d pay in fines by mid-year.
Staying Compliant Year-Round
PCI compliance isn’t a one-time checkbox — it’s an annual requirement with quarterly components. Here’s how to stay on track:
Set up these reminders now:
- Annual SAQ due date (same time each year)
- Quarterly ASV scan dates (every 90 days)
- Security update checks for payment terminals
- Password changes for payment systems
What triggers a new assessment:
- Changing payment processors
- Adding new payment channels (like starting to accept phone orders)
- Significant changes to your payment environment
- Moving from outsourced to in-house payment processing
This is where understanding why segmentation is important for PCI helps reduce your ongoing burden. By keeping payment systems separate from other business systems, you limit what needs annual review.
PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and maintains your compliance history. No more scrambling when your processor asks for documentation.
FAQ
What happens if I don’t complete my PCI compliance?
Your payment processor will start with reminder emails, then move to monthly non-compliance fees ($20-$100 typically). Eventually, they can increase your processing rates or terminate your merchant account entirely.
Do I need to hire a QSA to help me?
Most small businesses don’t need a QSA. If you’re a Level 4 merchant (under 20,000 e-commerce transactions annually), you can self-assess using the appropriate SAQ. Only Level 1 merchants typically need a formal QSA assessment.
How long does the SAQ take to complete?
SAQ A takes about 30 minutes. SAQ B takes 1-2 hours. SAQ C-VT or A-EP take 2-4 hours. SAQ D can take days or weeks depending on your environment complexity.
What’s the difference between a vulnerability scan and penetration test?
Vulnerability scans are automated checks for known security weaknesses, required quarterly for merchants with internet-facing systems. Penetration tests involve security professionals actively trying to break into your systems and are only required for SAQ D merchants.
Can I just say “yes” to all the questions?
Absolutely not. False attestation is considered fraud and can result in significant fines and loss of card processing privileges. Only answer “yes” to requirements you’ve actually implemented.
What if I fail my ASV scan?
Fix the identified vulnerabilities and run a new scan. You have unlimited rescans with most ASV providers. Common failures include outdated SSL certificates or unpatched software vulnerabilities.
Do I need PCI compliance if I only use PayPal or Square?
Yes, but it’s usually very simple. If you only use PayPal or Square’s hosted checkout (where customers are redirected to their site), you likely qualify for SAQ A with just 22 questions.
Why does segmentation matter for small businesses?
Network segmentation — keeping your payment systems separate from other computers — can dramatically reduce your PCI scope. Instead of securing your entire network, you only need to protect the specific systems handling payments.
Conclusion
PCI compliance sounds intimidating, but for most small businesses, it’s a manageable annual task that protects both you and your customers. Start by identifying which SAQ applies to your business — in many cases, you’ll find you’re already doing most of what’s required. The key is understanding your specific requirements and staying organized with annual assessments and quarterly scans.
Remember, why segmentation is important for PCI becomes clear when you realize it can mean the difference between answering 22 questions (SAQ A) or 339 questions (SAQ D). Keep your payment processing simple and separated, use modern payment tools, and compliance becomes just another routine business task.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Instead of juggling multiple vendors and spreadsheets, you get a single platform that guides you through each requirement and keeps you compliant year after year. Start with our free SAQ Wizard to identify your requirements in minutes, or talk to our compliance team about which solution fits your business.