PCI basics for accepting cards.
You don't need a CISO to handle PCI compliantly. Five practical habits cover most of what small businesses accepting cards actually need.
PCI-DSS — the rules for handling credit cards — sounds intimidating. For a small business processing cards the normal way, it boils down to five practical habits. You don't need a compliance department; you need a handful of rules that stick.
What PCI actually cares about
The goal of PCI is simple: don't store card numbers anywhere you don't need to, and protect the places where cards do flow. Where small businesses get into trouble is usually not the terminals — it's the post-it notes, the emails, the "just send me the last four" habits that accumulate over years.
Where small businesses trip
“A small medical office wrote down credit card numbers on patient intake forms, then stored the paper in a drawer.”
Red flag: Not compliant. Any paper with full card numbers is in scope for PCI and needs to be secured and destroyed on a schedule.
“A small business owner asked clients to email their credit card info to pay invoices.”
Red flag: Email is not a PCI-approved channel. A single breach of the owner's inbox exposes every card emailed in.
The five habits that cover most small businesses
- Use a point-to-point encryption (P2PE) terminal or tokenized payment processor — cards never touch your systems.
- Never store full card numbers anywhere — not email, not spreadsheets, not paper files.
- Annual SAQ (Self-Assessment Questionnaire) — most small businesses qualify for SAQ A or SAQ B.
- Train staff: never accept card numbers via email, text, or voicemail.
- Shred all receipts and paper with card info on a scheduled basis.
We do PCI for small businesses.
If you accept cards and have never completed an SAQ, we'll walk you through it in under a week. Ask us.
1. Confirm your payment processor uses tokenization or P2PE. If not, switch.
2. Ban email and text as channels for receiving card numbers — make it written policy.
3. Shred or destroy any physical documents that contain full card numbers on a schedule.
4. Complete your annual SAQ with your processor — it's usually a form, not a major project.
5. Train new staff on the "never store, never email" card-handling rules.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.