
PCI Compliance Checklist for Brick-and-Mortar Retailers (2026 Update)

A plain-English PCI DSS compliance checklist for in-store retailers — what SAQ to file, what to actually do, and how to avoid non-compliance fees.

PCI DSS compliance sounds intimidating: a 350-page standard, dozens of controls, threats of fines. The reality for most small and mid-sized retailers is much simpler. If your only card acceptance happens through a terminal that connects directly to your processor (not through your own POS server), you qualify for one of the lightest questionnaires available — and your processor probably gives you the tool to complete it in 30 minutes. This guide walks through what to do, what SAQ to file, and how to make sure you never pay another PCI non-compliance fee.

Who this is for: any retailer accepting cards, especially shops with EMV terminals only (no online sales).

Most brick-and-mortar retailers are eligible for the simplest PCI questionnaire (SAQ B-IP or SAQ P2PE) and could complete compliance in under an hour — but they don't, and they pay $20–$50/month in PCI non-compliance fees indefinitely. This checklist gets you compliant without hiring a consultant.

What PCI compliance actually requires

PCI DSS (Payment Card Industry Data Security Standard) is a contract between merchants and the card brands. It says: if you accept cards, you must protect cardholder data according to a defined set of controls, and you must annually attest that you do. Failure to attest = monthly non-compliance fees from your processor. An actual data breach when you weren't compliant = much larger fines plus liability for fraud.

The good news for in-store retailers: if you never touch the cardholder's card number directly (the terminal handles it), most of the PCI requirements are technically the responsibility of your terminal provider, not you. You attest to a much shorter set of controls.

Step 1: Identify your SAQ type

Self-Assessment Questionnaires (SAQs) come in several flavors, each matched to a particular way of accepting cards. Most retailers fall into one of these:

  • SAQ B-IP — Standalone IP-connected EMV terminals (most common for small retail). 41 questions.
  • SAQ P2PE — Point-to-point encrypted terminals validated by the PCI Council. 33 questions, the easiest SAQ available. Ask if your terminal qualifies.
  • SAQ B — Dial-up or imprint-only terminals. Almost no retailer should still be using these.
  • SAQ C-VT — Web-based virtual terminals only (you key in card numbers on a web page). Common for phone orders.
  • SAQ C — Internet-connected POS systems where the cardholder data flows through your network. Larger checklist.
  • SAQ D — Custom integrations, ecommerce, or anything not covered above. The longest. Most multi-channel retailers end up here.

Quick win: if your terminals are P2PE-validated and you don't have ecommerce, you qualify for SAQ P2PE, the shortest compliance pathway available. Ask your processor today if your hardware is on the PCI Council's validated P2PE list.

Step 2: Complete the questionnaire

Most processors provide a free PCI compliance portal: log in, the SAQ is pre-filled with what your processor already knows about your setup, and you answer the remaining questions. Answer honestly; don't say 'yes' to controls you haven't actually implemented.

  1. Log into your processor's PCI portal (link is in your welcome email or account dashboard).
  2. Confirm or update your business profile (number of locations, terminals, ecommerce yes/no).
  3. Run the questionnaire. Save progress as you go.
  4. If a control isn't met, the portal usually links to remediation guidance. Fix the gap, then re-answer.
  5. Submit and download your Attestation of Compliance (AOC) and SAQ. Keep both for 3 years.

Step 3: The actual security controls

Even on the simplest SAQ, you'll be asked to confirm a handful of operational controls. Most are common sense; if you don't already do them, this is the prompt to start:

  • Change all default passwords on terminals, routers, and the POS. (Yes, even the WiFi router.)
  • Physically inspect terminals weekly for skimmers, tampering, or substitution. Photograph them so the team has a baseline.
  • Limit who can access terminals and the back office. Maintain a written list of authorized employees.
  • Use a dedicated network for payment terminals. Don't share WiFi between the POS and customer/staff devices.
  • Run anti-malware on any computer that touches the POS or the back office.
  • Train staff on basic skimmer awareness and what to do if a card terminal looks tampered with.
  • Maintain an incident response plan: who to call if you suspect a breach (processor, acquirer, your PCI portal, FBI Cyber).

Step 4: Quarterly external scans (only some merchants)

If your business is on SAQ C, SAQ C-VT, or SAQ D, PCI requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Most processors include this in your account ($99–$249/year). If you're on SAQ B-IP, B, or P2PE, you do not need ASV scans.

Common compliance gotchas

Scenario: a bookstore caught by a hidden POS server

A small bookstore thought they were on SAQ B-IP because they used Clover terminals. A walkthrough revealed they also had a 6-year-old POS PC in the back office that ran their inventory system and occasionally processed phone orders by typing card numbers into the Clover dashboard. That moved them onto SAQ C-VT. Adding ASV scans and retraining the owner on tokenized phone-order workflows brought them back into compliance — and dropped their PCI fees from $39/month to $0.

How to never see another PCI non-compliance fee

  1. Calendar a 90-day reminder to refresh your SAQ if your setup changes (new terminal, new location, added ecommerce).
  2. Re-attest annually before the AOC expiration date. Most processors auto-email reminders.
  3. If you change processors, transfer your existing AOC to the new processor on day one; don't let them charge you a new non-compliance fee while you re-attest.
  4. If you genuinely cannot meet a control, document the compensating control you have in place and check with your processor's PCI team before submitting.

Frequently Asked Questions

Do I really need to do PCI compliance if I'm a small retail store?
Yes. Every business that accepts payment cards is contractually required to maintain PCI DSS compliance, regardless of size. Non-compliance fees ($20–$50/month) are levied by your processor automatically if you don't have a valid Attestation of Compliance on file.
What's the simplest PCI questionnaire for a retail store?
SAQ P2PE if your terminals are point-to-point encrypted and validated by the PCI Council (33 questions). SAQ B-IP for IP-connected EMV terminals where you don't have any other card-data systems (41 questions). Both can usually be completed in under an hour.
How often do I have to renew PCI compliance?
Annually. Your Attestation of Compliance (AOC) is valid for 12 months from the date it's signed. Most processors send reminder emails 60 and 30 days before expiration.
What happens if I have a data breach and I wasn't PCI compliant?
Card brands can fine the acquirer/processor anywhere from $5,000 to $100,000+ per month, and that fine is contractually passed to the merchant. You're also liable for the cost of forensic investigation, customer notification, and credit monitoring. Maintaining compliance does not eliminate breach liability but dramatically reduces it.
Does using Square or Stripe make me PCI compliant automatically?
Mostly, but not entirely. Square and Stripe handle the technical PCI controls for the cardholder data environment. You're still responsible for confirming your usage attestation (a short form Square/Stripe will email you), keeping passwords secure, controlling who can access your dashboard, and inspecting hardware for tampering.
