If you accept credit or debit cards, you are required to be PCI compliant. That is not optional. It applies to every business regardless of size — from a single-location coffee shop processing $30,000 a month to a national retailer processing $30 million.
The problem is that nobody explains what PCI compliance actually involves for a small business. Processors send vague emails about "maintaining your compliance status." Your statement shows a monthly fee labeled "PCI" or "PCI non-compliance." And somewhere in the back of your mind, you know you should probably do something about it — but nobody has told you what.
This guide covers what PCI DSS is, which level applies to you, which form you need to fill out, and how to stop paying penalties for something that takes most merchants under 30 minutes to resolve.
What PCI DSS is and why it exists
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements created by the major card networks — Visa, Mastercard, American Express, Discover, and JCB — through an organization called the PCI Security Standards Council.
The standard exists for one reason: to protect cardholder data. Every year, data breaches expose millions of card numbers. When that happens, the card networks bear fraud losses, banks have to reissue cards, and consumers deal with the fallout. PCI DSS sets a baseline for how businesses that touch card data must handle it.
PCI compliance is not a law — it is a contractual requirement. When you signed your merchant processing agreement, you agreed to maintain PCI compliance. Failure to comply can result in fines, increased liability, and loss of the ability to accept card payments.
The current version of the standard is PCI DSS 4.0, which became mandatory in March 2025. It replaced version 3.2.1 and introduced several new requirements, particularly around authentication, encryption, and monitoring. For most small businesses, the practical impact of the update is reflected in updated self-assessment questionnaires.
The four PCI compliance levels
The card networks assign merchants to one of four compliance levels based on annual transaction volume. Each level has different validation requirements — higher levels require more rigorous assessments.
| Level | Annual transactions | Validation requirements |
|---|---|---|
| Level 1 | Over 6 million | Annual on-site audit by a Qualified Security Assessor (QSA), quarterly network scans |
| Level 2 | 1–6 million | Annual SAQ, quarterly network scans |
| Level 3 | 20,000–1 million (e-commerce) | Annual SAQ, quarterly network scans |
| Level 4 | Under 1 million (or under 20,000 e-commerce) | Annual SAQ, quarterly network scans if applicable |
The vast majority of small businesses are Level 4. If you process fewer than one million Visa or Mastercard transactions per year — which includes nearly every independent restaurant, retail shop, professional services firm, and local business — you are Level 4. This is the simplest compliance tier.
What Level 4 merchants actually need to do
Level 4 compliance requires two things, and for many merchants only one:
- Complete an annual Self-Assessment Questionnaire (SAQ). This is a standardized form where you answer questions about how you handle card data. The length and complexity depend on which SAQ type applies to your business (covered below).
- Quarterly network vulnerability scans — but only if your SAQ type requires them. Many Level 4 merchants do not need scans at all. Scans must be performed by an Approved Scanning Vendor (ASV) and check your external-facing systems for known vulnerabilities.
That's it. There is no on-site audit. There is no third-party assessor. For most small businesses, PCI compliance means filling out a questionnaire once a year — and the right questionnaire might be as short as 22 questions.
The SAQ types: which one applies to you
There is not a single SAQ for everyone. The PCI Council created different versions depending on how your business accepts and processes card payments. Choosing the correct SAQ is the most important step — it determines the scope of your compliance obligation.
| SAQ type | Who it's for | Questions | Quarterly scan? |
|---|---|---|---|
| SAQ A | E-commerce merchants using a fully hosted payment page (Shopify, Stripe Checkout, etc.) — card data never touches your systems | ~22 | No |
| SAQ A-EP | E-commerce merchants whose website controls the payment page layout but card data goes directly to the processor (e.g., Stripe.js, Braintree hosted fields) | ~140 | Yes |
| SAQ B | Merchants using standalone dial-up or cellular terminals only — no internet connection, no electronic card data storage | ~41 | No |
| SAQ C | Merchants with IP-connected payment terminals (e.g., countertop terminals connected to your router) — no electronic card data storage | ~80 | Yes |
| SAQ D | Everyone else — merchants who store, process, or transmit card data electronically in ways not covered by SAQ A through C | ~300+ | Yes |
If you swipe, dip, or tap cards on a countertop terminal that connects to the internet via Ethernet or Wi-Fi, you likely need SAQ C. If your terminal uses a phone line or cellular connection only, SAQ B applies. If you sell online through Shopify or a similar platform where customers enter card info on the platform's page — not yours — SAQ A is correct.
The difference matters. SAQ A has roughly 22 questions and no scan requirement. SAQ D has over 300 questions and requires quarterly scans. Choosing the wrong SAQ — or defaulting to SAQ D because nobody told you otherwise — turns a 30-minute task into a multi-day project.
Common PCI compliance mistakes
1. Ignoring the SAQ entirely
This is the most expensive mistake. If you never complete your annual SAQ, your processor will flag you as non-compliant and charge a monthly non-compliance fee — typically $20 to $50 per month, every month, until you complete the questionnaire. Over a year, that's $240 to $600 in completely avoidable fees.
2. Writing down card numbers
If you take phone orders and write card numbers on paper, or keep a notebook of customer card information for recurring charges, you are storing cardholder data. This significantly expands your compliance scope — potentially pushing you into SAQ D territory — and creates real security risk. Use your processor's card-on-file or virtual terminal tools instead.
3. Using the wrong SAQ
Some processors default all merchants to SAQ D, which is the most comprehensive and time-consuming questionnaire. If your payment setup qualifies for SAQ A, B, or C, you are doing unnecessary work and potentially exposing yourself to requirements that don't apply to your environment.
4. Treating compliance as one-and-done
PCI compliance resets annually. Completing your SAQ in January 2025 does not make you compliant in February 2026. If your processor's compliance portal shows your status as expired, the non-compliance fees start again. Set a calendar reminder.
5. Sharing terminal login credentials
PCI DSS 4.0 places stronger emphasis on unique user authentication. Sharing a single login across all employees on your POS system or payment terminal may violate requirement 8 — and it makes it impossible to trace activity if something goes wrong.
PCI compliance fees vs. PCI non-compliance fees
These are two different charges, and the distinction matters.
PCI compliance fee: A monthly fee your processor charges, typically $5 to $30, ostensibly to cover the cost of providing compliance tools, SAQ access, and support. Some processors include meaningful services — a compliance portal, scanning tools, support staff. Others charge the fee and provide nothing. Ask your processor what the fee covers before accepting it as a cost of doing business.
PCI non-compliance fee: A penalty charged when you have not completed your annual SAQ. This is separate from and in addition to the compliance fee. Non-compliance fees range from $20 to $50 per month and are entirely avoidable. Complete your SAQ, and the fee stops.
Look for line items labeled "PCI Non-Compliance," "PCI NC Fee," or "Non-Validation Fee." If you see one, log into your processor's compliance portal and complete your SAQ. The fee should stop within one to two billing cycles.
Some merchants pay non-compliance fees for months or even years without realizing it. At $30 per month, that is $360 per year — for not filling out a questionnaire that takes most people 20 to 45 minutes.
How to complete your annual self-assessment
The process is straightforward once you know where to go:
- Identify your SAQ type. Use the table above, or ask your processor. They should be able to tell you based on your terminal and payment setup.
- Log into your processor's compliance portal. Most processors partner with a compliance vendor (SecurityMetrics, Trustwave, ControlScan, Sysnet, etc.) and provide a portal link. Check your processor's website or call their support line for the URL.
- Answer the questions honestly. The SAQ is not a test. It is a checklist. Questions ask things like "Do you use a firewall?" and "Do you change default passwords on your systems?" If you answer "no" to a question, the portal will explain what you need to fix.
- Complete any required scans. If your SAQ type requires quarterly network vulnerability scans, the compliance portal will typically include a scanning tool. You'll enter your business IP address and the scan runs automatically.
- Submit and save your attestation. Once submitted, your compliance status updates with your processor. Keep a copy of the completed SAQ for your records.
The entire process takes 20 to 45 minutes for SAQ A or SAQ B. SAQ C takes a bit longer — plan for an hour. SAQ D is significantly more involved and may benefit from professional assistance.
What happens if you have a data breach while non-compliant
This is where PCI compliance stops being a paperwork exercise and becomes a financial survival issue.
If your business suffers a data breach — card numbers are stolen, customer data is compromised — and you are not PCI compliant at the time, the consequences escalate dramatically:
- Card network fines: Visa and Mastercard can levy fines of $5,000 to $100,000 per month against your acquiring bank, which will pass those costs to you.
- Card reissuance costs: You may be liable for the cost of reissuing every compromised card — typically $3 to $10 per card. A breach affecting 5,000 cards could mean $15,000 to $50,000 in reissuance costs alone.
- Forensic investigation: The card networks will require a forensic investigation by a PCI Forensic Investigator (PFI). These investigations typically cost $20,000 to $50,000 or more.
- Fraud liability: Any fraudulent transactions made with stolen card data may be charged back to you.
- MATCH list placement: In severe cases, your merchant account can be terminated and your business placed on the MATCH list, which makes it extremely difficult to open a new merchant account with any processor for five years.
A compliant business that suffers a breach still faces consequences — but the fines are dramatically lower, and the card networks treat the situation very differently when you can demonstrate that you had proper controls in place.
PCI compliance is simpler than you think
For the majority of small businesses, PCI compliance means completing a questionnaire once a year. The questionnaire for a typical retail merchant is 40 to 80 questions. Most of those questions have straightforward yes-or-no answers about your terminal setup, network configuration, and basic security practices.
The hardest part is usually finding the right portal and logging in for the first time. After that, it's routine maintenance — the kind of thing you do once, set a reminder for next year, and stop worrying about.
PayPros Worldwide helps merchants identify the correct SAQ for their setup, provides access to compliance tools through our processing partnerships, and makes sure you're not paying non-compliance fees for an obligation that takes less than an hour to fulfill. If you're unsure about your compliance status — or if you're paying fees you shouldn't be — send us your statement and we'll walk you through it.