PCI DSS SAQ Wizard for Canadian Small Businesses
Five questions. Your correct SAQ level, what you actually need to do, and a blunt take on whether that PCI non-compliance fee on your Moneris or bank statement is legitimate โ or a shakedown.
What is a PCI DSS SAQ?
A Self-Assessment Questionnaire (SAQ) is the annual compliance form almost every Canadian small business needs to complete. Your processor requires it. The card networks (Visa, Mastercard) require it. And if you skip it, you'll get hit with a monthly PCI non-compliance fee โ usually $20โ$250/month โ until you do it.
There are several SAQ types. The one that applies to you depends on how you take payments and whether you store card data. Answer the questions on the left to find out which one is yours.
The four SAQ levels you're likely to hit as a small Canadian business
| SAQ | Who it applies to | Roughly how many questions | Difficulty |
|---|---|---|---|
| SAQ A | Fully outsourced card-not-present. Hosted checkout (Stripe Checkout, Shopify Payments). You never touch card data. | ~22 | ๐ข Easy |
| SAQ A-EP | E-commerce with payment page on your own domain/server, third party processes. Your server is in scope. | ~191 | ๐ก Moderate |
| SAQ B-IP | Card-present merchants using IP-connected standalone terminals not linked to other systems or data. | ~83 | ๐ก Moderate |
| SAQ C | Merchants with payment apps or POS connected to the internet. No stored cardholder data. | ~160 | ๐ Involved |
| SAQ D | Everyone else โ especially anyone who stores full card data. Also service providers. | ~329 | ๐ด Complex |
The non-compliance fee problem in Canada
PCI non-compliance fees are one of the most misunderstood charges on Canadian merchant statements. Here's the honest breakdown:
- Moneris charges $19.95โ$249/month for PCI non-compliance โ a range wide enough to feel arbitrary. Many merchants don't know why they're paying it or that they can get it removed.
- Bank-affiliated processors (TD, RBC, BMO, etc.) typically charge $25โ$100/month, buried in the statement as "PCI Non-Validated Fee" or similar.
- Square, Helcim, Stripe, and Shopify Payments typically do not charge a separate monthly PCI non-compliance fee โ their hosted payment infrastructure handles most compliance obligations for you, dramatically narrowing your scope.
- The fee is supposed to pass along risk to the merchant โ but processors have zero incentive to help you get compliant and remove the fee. The revenue disappears when you complete your SAQ.
A legitimate PCI non-compliance fee exists because processors face liability when merchants aren't validated. But the amount and opacity of how it's charged in Canada โ especially by Moneris and bank processors โ often crosses into pure profit extraction from merchants who don't know what they owe.
Related tools and guides
PCI Compliance Guide
The full picture: what PCI DSS requires, all 12 requirements, and how to stay compliant.
Read the guide โMoneris vs Helcim
Head-to-head comparison โ including how each handles PCI compliance and fees.
Compare โHelcim Review
Canada's most PCI-friendly processor for small businesses. Interchange-plus, no hidden fees.
Read review โStripe Canada Review
How Stripe's hosted checkout reduces your PCI scope to SAQ A โ the simplest possible.
Read review โPayment Gateway Fees Compared
Full fee breakdown across all major Canadian processors โ including the fees they hide.
Compare fees โMerchant Statement Fee Decoder
Translate the cryptic line items on your Canadian processor statement.
Decode your statement โTwo honest caveats
- SAQ type can be wrong if your setup is wrong. If your developer said "we use Stripe" but actually passes card data through your server first, you're not SAQ A โ you're SAQ A-EP or worse. The SAQ type depends on actual data flow, not just which processor you use.
- Completing the SAQ doesn't make you secure โ it makes you documented. PCI compliance is a baseline, not a guarantee. Real security requires ongoing practices like keeping software patched, using strong passwords, and limiting who can access payment systems.