PCI-DSS for Small Businesses Taking Cards
PCI-DSS is the global card-industry security standard. Most UK SMEs never touch raw card numbers — they use P2PE terminals or gateways — but you still complete an annual SAQ attestation and follow basic policies. This guide cuts through acronym soup.
Next step: Review acquiring bundles that include PCI tooling. Contact us if your portal keeps nagging for an overdue SAQ.
Which SAQ path applies
If you only use standalone terminals that never store PAN on your network, you likely fall into a lighter SAQ (commonly SAQ B or related variants depending on setup). MOTO or e-commerce where staff type cards into PCs widens scope dramatically — align with online vs in-person acquiring. Your acquirer letter tells you which SAQ they expect; treat that as authoritative over blog advice.
P2PE and integrated EPOS
Listed P2PE solutions reduce scope because encryption starts inside the terminal. If you change firmware, add a keyboard wedge scanner, or let Wi-Fi share guest and POS VLANs incorrectly, you can accidentally void assumptions. Document changes — auditors and acquirers ask “what changed since last SAQ?”
People and process
Ban writing PANs on sticky notes, photograph policies for delivery drivers, and restrict who can refund high values — social engineering targets small shops. Tie training to chargeback evidence habits.
If you fail a scan
Acquirers may levy monthly non-compliance fees until you file. Fix the root cause (open router ports, default passwords on CCTV, ancient Windows tills) rather than ticking boxes. If you are mid-office move, reschedule vulnerability scans until the new LAN is stable.
Related guides
Ready to compare? Start the card machine quote path on our homepage or message the team.