
Protect cardholder data. Keep your business compliant.

PCI compliance is not optional for businesses that accept, process, transmit, or store cardholder data. We help merchants understand what it means, who it applies to, and how to stay on top of it without making it more confusing than it needs to be.

Free consult · Real help, not just paperwork · No marked-up "PCI fees"
What Is PCI Compliance?

PCI compliance is the security standard for handling cardholder data

The Payment Card Industry — including Visa, Mastercard, American Express, Discover, and JCB — requires businesses and service providers to follow strict security guidelines. These standards are designed to reduce fraud, protect cardholder data, and create a safer payment environment for everyone involved.

PCI DSS requirements apply to organizations that accept, transmit, process, or store cardholder data. That means this isn't just for giant companies or banks. If your business touches payment card information in any meaningful way, PCI compliance matters.

It also applies to phone payments, online payments, and other workflows where card data is being handled. If cardholder data enters your process, PCI rules are in play.

PCI standards generally include:
1. Building and maintaining a secure network
2. Protecting cardholder data
3. Maintaining a vulnerability management program
4. Implementing strong access control measures
5. Regularly monitoring and testing networks
6. Maintaining an information security policy
Know Your Level

Four PCI levels. Most small businesses don't know which one applies to them.

PCI DSS assigns every merchant to one of four levels based on annual card transaction volume. Your level determines what compliance documentation you need to submit and how often you need to validate. Most small businesses are Level 4 — the lightest compliance lift — but many don't realize that.

Higher-volume merchants face more rigorous requirements, including outside auditor validation for Level 1.

Level 1 Merchant (Strictest): 6M+ transactions/year · On-site assessment by QSA required
Level 2 Merchant (High volume): 1M-6M transactions/year · SAQ + quarterly ASV scans
Level 3 Merchant (E-commerce): 20K-1M e-commerce transactions/year · SAQ + ASV scans
Level 4 Merchant (Most TBP merchants): Under 20K e-com / under 1M total · Annual SAQ only
Tampa Bay Pay Compliance Help (Built in): SAQ guidance + ASV coordination + annual reminder · No markup
PCI In Plain English
Eight things to understand about staying compliant
The compliance topics every merchant should know — without the regulatory jargon.
Topic 01 · Your Level · Foundation
Annual Transaction Volume
  • Level 1: 6M+
  • Level 2: 1M - 6M
  • Level 3: 20K - 1M e-com
  • Level 4 (most SMBs): < 20K e-com
Topic 01 — Find Your Level First
Know Your Merchant Level
Your compliance scope depends on it
PCI assigns every merchant to one of four levels based on annual transaction volume. Most Tampa Bay small businesses are Level 4, which has the lightest documentation requirements. Levels 1-3 require additional validation, including outside auditor (QSA) assessments at the top level. Knowing your level is step one — it tells you exactly what documentation you owe.
  • Level 1: 6M+ annual transactions — annual QSA on-site audit
  • Level 2: 1M-6M transactions — SAQ + quarterly ASV scans
  • Level 3: 20K-1M e-commerce transactions — SAQ + scans
  • Level 4: Under 20K e-commerce / under 1M total — annual SAQ
The Quick Answer
If you don't know your level, you're almost certainly Level 4. We can confirm based on your processing statements.
Topic 02 · The SAQ · Annual Form
SAQ Types · 9 Total
  • SAQ A — Outsourced e-com
  • SAQ A-EP — Hybrid e-com
  • SAQ B — Dial terminal
  • SAQ B-IP — IP terminal
  • SAQ C — Payment app
  • SAQ C-VT — Virtual term
  • SAQ D — Everything else
  • SAQ P2PE — Encrypted
Topic 02 — Pick the Right SAQ
The Self-Assessment Questionnaire
Pick the right one or your compliance is wrong
The SAQ is the form you complete to attest to PCI compliance. There are nine SAQ types and using the wrong one means your validation is technically invalid. The right one depends on how you accept payments — fully outsourced e-commerce, in-person terminal, phone, virtual terminal, etc. Most small retailers use SAQ B-IP or SAQ C. Most online businesses use SAQ A or A-EP.
  • SAQ A: Fully outsourced e-commerce (Stripe-style hosted)
  • SAQ A-EP: Partially outsourced (your site, their iframe)
  • SAQ B-IP: IP-connected payment terminal (most retail)
  • SAQ C: Payment application connected to internet
  • SAQ D: Anything that doesn't fit the others
The Quick Answer
If you're unsure which SAQ applies, ask. The wrong SAQ means you're technically non-compliant even after filling it out. We help merchants identify the right one during onboarding.
Topic 03 · Network · Tech Setup
Network Hygiene Checklist
  • Firewall enabled on POS network
  • Default passwords changed
  • Separate WiFi: business vs. guest
  • WPA2/WPA3 encryption
  • POS firmware up to date
Topic 03 — Secure Your Network
Network & System Security
Your WiFi is part of PCI scope
If your POS system connects to the internet, your network setup is in PCI scope. The biggest gaps we see in Tampa Bay merchants: default router passwords still active, no separation between business and guest WiFi, and POS firmware that hasn't been updated in years. None of these are complicated to fix, but unfixed they're real PCI violations.
  • Firewall enabled on the network with your POS
  • Change default router and admin passwords on day one
  • Separate guest WiFi from your business network
  • WPA2 or WPA3 encryption on all WiFi networks
  • Keep POS and gateway firmware updated
The Quick Answer
If your guest WiFi password is the same as your business network, that's a fixable gap. Set up a separate guest network on your router (every modern router supports this) and you've eliminated one of the most common PCI issues.
Topic 04 · Data Protection · What Not to Store
What You Can vs. Can't Store
Can store:
  • First six and last four of card
  • Cardholder name (encrypted)
  • Expiration date (encrypted)
Never store:
  • Full PAN unencrypted
  • CVV/CVV2 — anywhere
  • PIN/PIN block
Topic 04 — Protect Cardholder Data
Protecting Cardholder Data
Some data you can store. Some you absolutely can't.
PCI is specific about what you can and can't keep. You can store the first six and last four of the card number, the cardholder name, and the expiration date (encrypted). You can never store the CVV, CVV2, the PIN, or the full card number unencrypted — not even temporarily, not even in customer service notes, not even handwritten on a sticky note. These rules are absolute.
  • Never write down or store CVV/CVV2 codes — ever
  • Never store PINs or full PIN blocks
  • Never keep card numbers unencrypted (paper or digital)
  • Truncate stored card numbers to first 6 + last 4 max
  • Use tokenization for recurring billing, not raw card storage
The Quick Answer
If you're keeping customer card numbers in a spreadsheet, paper file, or your CRM notes — that's an immediate violation, and a serious breach risk. Tokenization (storing a reference code instead of the actual number) solves this.
Topic 05 · Access Control · Who Can See What
Role-Based Permissions
  • Cashier: Sales + receipts
  • Manager: + Refunds, voids
  • Owner: + Settings, reports
  • Bookkeeper: View-only reports
Topic 05 — Role-Based Access
Access Control & User Permissions
Everyone uses their own login
PCI requires that anyone with access to cardholder data has a unique user ID and that access is restricted to business need-to-know. Translation: stop sharing one POS login among the whole staff. Each cashier needs their own login with permissions matched to their role. Managers can do voids and refunds; cashiers can't. Bookkeepers can pull reports; they can't void transactions. Setting this up is a 30-minute job; skipping it leaves a major compliance gap.
  • Every user has a unique ID and password
  • Permissions matched to role (cashier, manager, owner)
  • No shared logins across multiple staff members
  • Remove access immediately when staff leave
  • Quarterly review of who still has access
The Quick Answer
Pull up your POS user list right now. If you see "Manager," "Counter," or other generic logins shared across multiple people, that's the fix. Every person who touches the POS needs their own account.
Topic 06 · Phone Payments · ⚠ Often Missed
Phone Order Workflow
Avoid:
  • Writing card number on sticky note
  • Storing card numbers in CRM notes
  • Repeating card aloud in office
Use instead:
  • Virtual terminal with key-in encryption
  • Text-to-Pay link sent to customer
Topic 06 — Phone PCI Gaps
Phone Payments & PCI
The most overlooked compliance gap
Phone orders feel innocent, but they create some of the worst PCI gaps in small businesses. Staff hear card numbers, repeat them back, write them down, type them into a CRM "notes" field — all of which violates PCI. The fix isn't to stop taking phone orders; it's to use the right tools. Virtual terminals with key-in encryption move cards directly from customer to processor with no human storage in between. Text-to-Pay links are even better.
  • Never write down card numbers — even temporarily
  • Never store card numbers in CRM, email, or notes fields
  • Use virtual terminal for in-the-moment phone orders
  • Use Text-to-Pay links for repeat customers
  • Train staff: PCI rules apply to phone orders too
The Quick Answer
If your office takes phone orders and writes them down to process later, that workflow is a PCI violation. Virtual terminal or Text-to-Pay both eliminate the gap. We help merchants set these up at no extra cost.
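As an added example (not part of this page or of Tampa Bay Pay's tooling), here is the storage rule from Topic 04 and the CRM-notes problem from Topic 06 turned into a small audit script: it drops any field that holds CVV or PIN data, finds Luhn-valid card numbers inside free text such as a notes field, and truncates them to first six + last four. The field names, the patterns and the sample record are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Sensitive authentication data may never be stored after authorization, so any
# field carrying it is dropped outright (field names are an assumption).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track_data"}
# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security codes or PINs typed into free text ("cvv 123", "PIN: 4321").
SAD_IN_TEXT = re.compile(r"\b(?:cvv2?|cvc|pin)\b[ :#]*\d{3,6}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: separates real card numbers from order/phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six + last four, the most the page allows to be kept."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in free text with its truncated form."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # e.g. a 16-digit order number: leave it alone
        count += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(repl, text), count


def check_record(record: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Audit one stored record; return (findings, sanitized copy)."""
    findings, clean = [], {}
    for field, value in record.items():
        if field.lower() in FORBIDDEN_FIELDS:
            findings.append(f"{field}: sensitive authentication data, never storable; dropped")
            continue
        value, n = redact_pans(value)
        if n:
            findings.append(f"{field}: {n} full PAN(s) in clear; truncated to first 6 + last 4")
        value, m = SAD_IN_TEXT.subn("[REDACTED]", value)
        if m:
            findings.append(f"{field}: security code or PIN written into free text; redacted")
        clean[field] = value
    return findings, clean


# Constructed sample: a CRM record the way a phone-order workflow tends to leave it.
SAMPLE_RECORD = {
    "customer": "J. Example",
    "notes": "Phone order 3/4, card 4111 1111 1111 1111 exp 12/27 cvv 123, order 1234567890123456",
    "cvv": "123",
    "card_on_file": "5555555555554444",  # should be a processor token, not a PAN
}
```

Run `check_record(SAMPLE_RECORD)` to get four findings and a sanitized copy of the record; the card numbers are the public test PANs, and the 16-digit order number is left untouched because it fails the Luhn check.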
Topic 07 · Annual Cycle · Not One-Time
Annual PCI Cycle
  • Q1 — Complete annual SAQ
  • Q2 — Quarterly scan (if Level 1-3)
  • Q3 — Mid-year staff training refresh
  • Q4 — Quarterly scan + policy review
  • Ongoing — Network monitoring
Topic 07 — Annual PCI Cycle
PCI Is Ongoing, Not One-Time
Compliance doesn't stay compliant
Filling out the SAQ once doesn't make you compliant forever. PCI is annual at minimum, with quarterly requirements for higher-volume merchants. Networks change, staff turns over, software updates roll out, new payment methods get added — and each of those can shift your compliance status. The merchants who stay compliant are the ones with a calendar reminder, not the ones who hope it just keeps working.
  • Annual SAQ completion — required for all levels
  • Quarterly ASV scans for Levels 1-3
  • Staff training refresh whenever team changes
  • Policy review after any system or workflow change
  • Ongoing network monitoring for connected systems
The Quick Answer
Set a calendar reminder for your SAQ renewal date. Most merchants miss compliance simply because they forgot. We send annual reminders to every merchant we work with so this never happens.
Topic 08 · Costs of Failing · ⚠ Worth Knowing
Cost of Non-Compliance
  • Monthly non-compliance fee: $30-$50/mo
  • Breach fine (small): $5K-$50K
  • Breach fine (significant): $50K-$500K+
  • Lose ability to accept cards: Possible
Topic 08 — Real Costs of Non-Compliance
What Non-Compliance Costs
The math of skipping the SAQ
Skipping PCI doesn't make it cheap — it makes it expensive in three stacking ways. First: processors charge $30-$50/month non-compliance fees until you complete the SAQ. Second: if a breach happens while non-compliant, fines range from $5,000 to $500,000+ depending on scope. Third: the card brands can revoke your ability to accept their cards. Completing the SAQ properly is almost always a one-hour job. The cost of skipping it is years of fees, plus catastrophic exposure if anything goes wrong.
  • Monthly non-compliance fees from processor ($30-$50/mo)
  • Breach fines starting at $5K-$50K for small incidents
  • Larger breaches: $50K-$500K+ in penalties and remediation
  • Possible loss of ability to accept Visa/Mastercard
  • Reputational damage and customer trust loss
The Quick Answer
If you're paying $30+ per month in "non-compliance fees" on your statement right now, you can stop that fee in about an hour by completing your SAQ. Call us — we'll walk you through it for free.
Not sure where you stand on PCI? Send us your most recent processing statement. We'll identify your level, the right SAQ, and any non-compliance fees you can stop today.
Who It Applies To

If your business touches cardholder data, PCI compliance applies

PCI DSS requirements apply to all organizations or merchants who accept, transmit, process, or store cardholder data. This includes more businesses than many owners realize, especially when payments are accepted by phone, online, or through multiple systems.

Who PCI compliance applies to
Any business that accepts, transmits, stores, or processes cardholder data should assume PCI compliance requirements apply in some form.
What counts as cardholder data
Cardholder data includes information that can personally identify or be associated with the cardholder, such as names, addresses, account numbers, and related payment information.
Phone payments still count
If your business accepts card payments over the phone, PCI compliance still matters. Phone transactions don't create some magical loophole just because there's no countertop terminal involved.
Compliance is ongoing
PCI compliance isn't a one-time box you check and forget. It's an ongoing responsibility tied to how your business handles sensitive payment data.
How to Become PCI Compliant

You have a few ways to complete and maintain compliance

The right path depends on your setup, portal, and how your account is configured. If you're unsure, getting help is usually smarter than guessing your way through security compliance paperwork.

Ways to complete your PCI compliance:
1. Call PCI Customer Support at (877) 277-0998 for PayBright iAccess users.
2. Call PCI Customer Support at (877) 276-9929 for PayBright InStore Portal users.
3. Contact Tampa Bay Pay and let us help point you in the right direction.
4. Complete the process yourself by visiting pciapply.com/ipmt for PayBright iAccess users.
5. Complete the process yourself by visiting pciapply.com/paymentprocessing for PayBright InStore Portal users.
Frequently Asked Questions

PCI compliance — answered

What's my PCI merchant level?
PCI assigns merchants to one of four levels based on annual card transaction volume. Level 1 (6M+ transactions/year) has the strictest requirements including annual on-site assessments. Level 2 (1M-6M) requires a Self-Assessment Questionnaire plus quarterly scans. Level 3 (20K-1M e-commerce transactions) needs an SAQ plus quarterly scans. Level 4 (under 20K e-commerce / under 1M total) requires an annual SAQ. Most Tampa Bay small businesses fall into Level 4, which has the lightest compliance lift.
What's an SAQ and which one do I need?
The Self-Assessment Questionnaire (SAQ) is the document you complete to attest to your PCI compliance. There are nine SAQ types — which one you use depends on how you accept payments. SAQ A is for fully outsourced e-commerce (Stripe-style). SAQ A-EP is for partially outsourced e-commerce. SAQ B is for in-person dial-out terminals (no internet). SAQ B-IP is for IP-based terminals. SAQ C is for payment apps connected to the internet. SAQ C-VT is for virtual terminals. SAQ D is the comprehensive one for everything else. SAQ P2PE is for point-to-point encrypted systems. We help merchants identify the right SAQ during onboarding.
Do I need to scan my website?
If you store, process, or transmit cardholder data on your own systems (your website handles credit card numbers, not just redirects to a processor), then quarterly vulnerability scans by an Approved Scanning Vendor (ASV) are required. If your e-commerce site only uses a hosted payment page or iframe from a PCI-compliant processor (where card data never touches your server), the scan requirement is much lighter. We help merchants understand which category they fall into.
What happens if I'm not PCI compliant?
Three layers of consequences. First, your processor charges non-compliance fees (typically $30-$50/month until you're compliant). Second, if a data breach occurs and you weren't compliant, you're liable for the fines and remediation costs — which can range from $5,000 to over $100,000 depending on the breach scope. Third, the card brands can revoke your ability to accept their cards entirely. Most merchants who get non-compliance fees just need help completing their SAQ properly — that's usually a one-hour fix.
Does my POS terminal automatically make me PCI compliant?
No. Using PCI-compliant equipment is part of compliance, but it doesn't make you compliant on its own. You still need to complete your SAQ, train your staff on data handling, secure your network (if your POS is internet-connected), and maintain documented security policies. The terminal itself being PCI-PTS approved is one box checked out of many.
Are phone payments PCI compliant by default?
No — and this is one of the most overlooked PCI gaps in small businesses. Taking card numbers over the phone means the staff member is hearing, repeating, and possibly writing down full card numbers. Without secure handling procedures (no written-down card numbers, immediate destruction of any notes, recording compliance for call centers), phone payments can create significant PCI risk. Virtual terminals with key-in encryption are the safer path.
How much does PCI compliance actually cost?
Industry pass-through cost is typically $5-$10/month, often including SAQ assistance. Many processors charge $20-$45/month for "PCI compliance," which is marked up significantly. Add quarterly scans (if required for your level) at $25-$100 each. For Level 4 merchants doing an SAQ A or A-EP, total annual PCI cost should be under $200. If you're paying significantly more, the markup is profit, not cost — and we can fix that during a rate review.
Who's responsible if there's a data breach?
The merchant. Even if a third-party processor or POS vendor is involved, PCI compliance and breach liability fall on the merchant. The processor handles the transaction; the merchant is responsible for the systems and procedures that handle cardholder data on their end. This is why PCI compliance matters — it's not just paperwork, it's your liability protection if something goes wrong.
Need Help With PCI Compliance?
Let Tampa Bay Pay help you make sense of the process
If you're unsure what applies to your business, what portal you use, or how to complete the next step, we can help point you in the right direction so you're not left guessing.
Call or Text: (727) 732-3292  ·  [email protected]  ·  By Appointment Only
Real Merchants · Real Results

What Our Clients Are Saying

Tampa Bay businesses share their experience working with Tampa Bay Pay — from setup through ongoing support.

Joto's Pizza
Jodi Whitcomb, Owner  ·  jotospizza.com
Family-owned for 52 years. Upgraded to FigurePOS — caller ID integration, customizable menus, and a system staff learn fast without extensive training.
Restaurant · FigurePOS · Seminole, FL
Florida Orange Groves Winery
Lance Shooks, Owner  ·  floridawine.com
When QuickBooks stopped processing credit cards, Tampa Bay Pay provided a seamless integration — keeping their existing QuickBooks setup without an expensive POS replacement.
Winery & Retail · QuickBooks Integration · St. Pete Beach, FL
Plumbing by Paul
Paul & Alycia Alves, Owners  ·  plumbingbypaulllc.com
Tampa Bay Pay goes beyond payment processing — always reachable by phone, text, or email, and a valuable partner for Google SEO, social media, and web support.
Plumbing & Trade · Dual Pricing · Tampa Bay, FL
Plumbing by Paul
Paul Alves  ·  plumbingbypaulllc.com
Previous provider had frequent errors and slow funding. New setup processes payments reliably in the field and at the office — with next-day funding that's critical for a small business.
Plumbing & Trade · Next-Day Funding · Mobile Payments
Wrenchmasters
Kenny Gehringer, Owner  ·  wrenchmastersauto.com
Previous processor only offered a 1-800 number. Switched for local support and streamlined technology — now sends invoices and processes tap-to-pay even when internet is spotty.
Auto Service · Tampa Bay, FL