PCI Compliance Checklist for Small Businesses

NEXSYS Knowledge Base | PCI Compliance


PCI compliance isn't a one-time event — it's an ongoing practice. But for most small businesses, the actual requirements are manageable once you know what they are and when they need to happen.

Use this checklist as a practical reference for staying compliant year-round. Items are organized by frequency: annual, quarterly, and ongoing.

This checklist covers the core requirements for most small business merchants (Levels 2–4). If you process over 6 million transactions annually or have had a data breach, additional requirements may apply.

At a Glance

✓ Tip: Set a recurring calendar reminder 60 days before your annual compliance expiration date. That gives you time to complete your SAQ, run any required scans, and resolve issues before your status lapses.

Need Help Working Through This?

NEXSYS provides hands-on compliance support as part of your merchant services relationship. Whether you need help logging into your portal, determining your SAQ type, running your first scan, or understanding a failed result — we're here to walk you through it.

Most of our clients complete their annual compliance in a single session with our support team.


Ready to get compliant or need help renewing? Contact your NEXSYS representative or reach us at support@nexsyspros.com.


✅ Ongoing Practices (Continuous)

Never store full card numbers, CVV codes, or PINs

PCI DSS prohibits storing sensitive authentication data after a transaction is authorized. If your system retains any of this data — even in a spreadsheet or notepad — it must be securely deleted.
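The storage rule above is only enforceable if you can find card numbers that are already lying around in exports and notes. As an added example (not part of the NEXSYS checklist), this Python script scans a text export for digit runs that pass the Luhn check and reports each one masked to first six and last four; the CSV sample is constructed.

```python
import re

# Added example, not part of the NEXSYS checklist: find likely primary
# account numbers (PANs) left in text such as CSV exports or plain notes.
# Digit runs are confirmed with the Luhn check digit used by all major
# card brands, and findings are reported masked so the scanner's own
# output does not become another copy of cardholder data.

# 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:  # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


# Constructed sample: one stored PAN, one PAN written with spaces, one
# Luhn-invalid number, and a phone number that must not be flagged.
SAMPLE_EXPORT = """date,customer,card,amount
2024-03-01,A. Smith,4111111111111111,42.00
2024-03-02,B. Jones,5555 5555 5555 4444,17.50
2024-03-03,C. Lee,1234567890123456,9.99
2024-03-04,D. Kim,phone 555-867-5309,0.00
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {line_no}: possible stored PAN {masked}")
```

Anything it reports needs to be confirmed by a person and then securely deleted; a Luhn match alone is a strong hint, not proof, that the value is a real card number.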

Use strong, unique passwords on all payment-related systems

Change default passwords immediately on any new device or software. Use passwords that are at least 8 characters and include a mix of letters, numbers, and symbols. Never use the same password across systems.

Keep payment terminals and POS software updated

Apply security patches and software updates promptly. Outdated systems are one of the most common entry points for payment data breaches.

Restrict physical access to payment terminals

Keep terminals in view at all times during transactions. Inspect terminals regularly for signs of tampering or skimming devices — especially if your terminals are in a high-traffic or self-service location.

Separate your payment network from your general business network

If possible, use a dedicated network or VLAN for payment processing rather than sharing it with guest Wi-Fi or general office devices. This limits your compliance scope and reduces risk.

Know your incident response plan

Have a documented, accessible plan for what to do if you suspect a breach — who to call, what to preserve, and how to notify your processor. You don't need a complex plan, but you do need one.

Keep your contact info current with your processor

Compliance reminders, renewal notices, and fee alerts are sent to the email address on file. Make sure it's current and monitored — missing a renewal notice is one of the most common reasons merchants get hit with fees.


🔄 Quarterly Requirements (Every 3 Months)

Run an ASV vulnerability scan (if required by your SAQ type)

Merchants with internet-facing systems (SAQ B-IP, C, and D) are typically required to run quarterly external vulnerability scans through a PCI SSC Approved Scanning Vendor (ASV). Your compliance portal will indicate whether this applies to you.

Review access logs and user accounts

Audit who has access to your payment systems each quarter. Remove access for any employees who no longer need it, and verify that each user has their own unique login — no shared credentials.


📅 Annual Requirements (Once Per Year)

Complete your Self-Assessment Questionnaire (SAQ)

Log into your compliance portal and complete the SAQ type that applies to your business. Most small merchants use SAQ A, B-IP, or C. See our SAQ guide if you're unsure which applies to you.

Submit your Attestation of Compliance (AOC)

After completing your SAQ, sign and submit the AOC to confirm your compliance status with your processor. This is typically done within the same portal.

Review and update your security policies

PCI DSS requires merchants to maintain a written information security policy. Review it annually and update it to reflect any changes in how your business handles payments.

Train employees on cardholder data security

Anyone who handles payment transactions or has access to cardholder data should receive annual security awareness training. Document that training took place.

Verify your payment hardware and software are PCI-certified

Confirm that your terminals, POS software, and payment applications appear on the PCI SSC's list of approved devices and applications. Contact NEXSYS if you need help verifying this.


Annual: 5 items (once per year)

Quarterly: 2 items (every 3 months)

Ongoing: 7 items (continuous)