
PCI compliance in plain English

Processors collect a non-compliance fee every month you ignore PCI. They'd rather you keep ignoring it.

The standard that nobody reads

The Payment Card Industry Data Security Standard has been around since 2004. It has 12 top-level requirements, hundreds of sub-requirements, and a library of documentation that rivals a graduate syllabus. Most small business owners have never read a page of it. Most processors prefer it that way — the non-compliance fee averages $30/month and is pure margin.

Here's the short version: PCI DSS exists to protect cardholder data — your customers' card numbers, expiration dates, and security codes — from being stolen, stored unsafely, or transmitted over insecure networks. The requirements aren't arbitrary. They map to real attack vectors that have cost merchants and banks billions of dollars in fraud losses.

The PCI Security Standards Council is the governing body. They publish all SAQ forms, the full DSS, and guidance documents — all free. If a processor tells you compliance costs $299/year for their "compliance program," know that the standard itself costs nothing to access.

The 12 requirements, translated

The 12 PCI DSS requirements are grouped into six control objectives. Here's what they actually mean for a small merchant:

Build and maintain a secure network

  1. Install and maintain a firewall — even a basic one on your router counts if configured correctly.
  2. Don't use vendor default passwords — change the factory password on every device that touches payments.

Protect cardholder data

  3. Don't store cardholder data you don't need — most small merchants store nothing, which is fine.
  4. Encrypt card data in transit — use TLS 1.2 or higher on any payment page or API call.

Maintain a vulnerability management program

  5. Use and update antivirus software on all systems.
  6. Develop and maintain secure systems — patch your software and your point-of-sale application.

Implement strong access control

  7. Restrict access to cardholder data to people who need it.
  8. Assign unique IDs to every person with computer access — shared logins fail this requirement.
  9. Restrict physical access to cardholder data — lock the server room, lock the network closet.

Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data — logs matter.
  11. Regularly test security systems — vulnerability scans, penetration tests at higher merchant levels.

Maintain an information security policy

  12. Maintain a policy that addresses information security — write it down, distribute it, review it annually.

For most small merchants using a certified terminal or a hosted payment page, requirements 3, 4, 9, 10, and 11 are largely handled by your technology. The ones that bite small businesses are the ones requiring active behavior: default passwords (requirement 2), unique logins (requirement 8), and maintaining documentation (requirement 12).

SAQ types: pick the right one

The Self-Assessment Questionnaire is your annual compliance certification. The type you use depends entirely on how your business accepts cards. Using the wrong SAQ — either underestimating your environment or overcomplying — wastes time.

SAQ A — Applies to card-not-present merchants (e-commerce, phone orders) where all payment processing is outsourced to a PCI-compliant third party. No card data touches your servers. This is the simplest SAQ: 22 questions.

SAQ A-EP — Applies to e-commerce merchants where the payment page is served from your server but card data is processed by a third party. If you have a JavaScript snippet that sends data to Stripe or Authorize.Net, you're here. 191 questions.

SAQ B — Applies to merchants using imprinters (yes, those still exist) or standalone dial-up terminals that don't store electronic card data. 41 questions.

SAQ B-IP — Applies to merchants using certified IP-connected payment terminals (think Dejavoo QD5 or PAX A35) that are isolated from all other systems. 82 questions. This is the right SAQ for most counter-service retail and restaurant environments.

SAQ C — Applies to merchants using payment application systems connected to the internet (like a POS system on your local network). 160 questions.

SAQ D — Applies to everyone else. 329 questions. If you're here, you probably need a consultant.

If you're not sure which SAQ applies, review your terminal setup. Our terminal comparison guide identifies which terminals qualify for SAQ B-IP — the simplest path for most physical retail and restaurant environments.

The non-compliance fee is a revenue line

Let's be direct: the non-compliance fee on your processing statement is not paid to the PCI SSC. It's not a card-network fee. It goes to your processor. It is charged when you have not completed your annual SAQ and, where required, your quarterly Approved Scanning Vendor (ASV) network scan.

The fee is legal. The processor did (in most cases) notify you — buried in your welcome kit and statement footnotes. But the business model is obvious: a $30/month fee on a million merchants who never complete their SAQ is $360 million per year. Processors have little incentive to remind you how easy it is to comply.

Most processors use compliance program portals like Trustwave, ControlScan, or SecurityMetrics. Log in, answer the appropriate SAQ honestly, and the fee goes away. For a simple SAQ B-IP merchant, this takes about 30 minutes.

For the full statement fee breakdown — including where the non-compliance fee appears alongside PCI annual fees, monthly minimums, and batch fees — see how to read your processing statement like an auditor.

Bottom line

PCI compliance is not complicated for most small businesses. Complete your SAQ annually, use a certified terminal, don't store card data you don't need, and change every factory default password. That covers 90% of the requirements for a typical brick-and-mortar or simple e-commerce merchant.

The non-compliance fee is the most avoidable line on your statement. Don't pay it. If you're unsure which SAQ applies to your setup, talk to us — we've helped hundreds of merchants through the process at no cost.

This is general business information, not legal or financial advice.


Frequently asked

What is PCI compliance and who requires it?

PCI DSS (Payment Card Industry Data Security Standard) is a set of 12 security requirements created by Visa, Mastercard, Discover, and Amex through the PCI Security Standards Council. Every merchant that accepts cards must comply — the card networks enforce it through acquirers, who can fine or terminate merchants that fail.

What SAQ type does a small retail store need?

A brick-and-mortar retail store that uses a certified payment terminal and never stores card data likely qualifies for SAQ B (if using a standalone dial-up or IP-connected terminal) or SAQ B-IP (if the terminal connects over IP to a payment application). These are among the shortest SAQs — SAQ B has 41 questions versus 329 for SAQ D.

What is the non-compliance fee on my statement?

The non-compliance fee — typically $19.95–$49.95/month — is charged by processors to merchants who have not completed their annual SAQ or passed a quarterly network scan (if required). It's not a card-network fee. It's a processor revenue line. Completing your SAQ eliminates it.

Do I need a QSA to become PCI compliant?

Most small merchants (Level 3 and Level 4) can self-certify using the appropriate SAQ — no Qualified Security Assessor required. QSAs are typically required for Level 1 merchants processing more than 6 million transactions per year and for merchants that have experienced a data breach.

How often do I need to re-certify?

Annual SAQ completion is required for all merchant levels. Merchants required to run Approved Scanning Vendor (ASV) scans must do so quarterly. If anything in your payment environment changes — new terminal, new gateway, new network — you should re-assess which SAQ applies.
