PCI DSS
The cheapest way to pass PCI DSS is to have less of it apply to you. Most small Wichita merchants we look at are trying to secure card data their business doesn't actually need to hold, and the work of protecting it is harder and more expensive than the work of getting it out of the environment entirely. The first question we ask isn't "how do we lock this down," it's "why is raw card data touching your systems at all." Answer that one well and the rest of PCI gets a lot smaller.
PCI DSS isn't a government regulation. It's a standard the card brands require through your merchant agreement, which means the enforcement isn't a federal agency, it's your processor, your acquiring bank, and the fees and liability that land on you after a breach. That distinction matters less than people think. The obligation is real, the annual attestation is real, and a card-data breach at a small business that signed a clean self-assessment it couldn't back up is a bad place to be. This page covers what the standard requires, how scope reduction changes the math, and where we fit, which is the technology side, not the audit.
What PCI DSS requires
The Payment Card Industry Data Security Standard is a set of requirements for any business that stores, processes, or transmits payment card data. It's organized into twelve requirements covering network security, protection of stored cardholder data, access control, monitoring and testing, and a maintained information security policy. The current edition is version 4.0, refined in version 4.0.1, and its future-dated requirements became mandatory on March 31, 2025, so the full standard is in force now, not coming later.
How you prove compliance depends on your size. The card brands sort merchants into four levels by annual transaction volume. The large majority of Wichita businesses are Level 4, the smallest tier, which validates through a Self-Assessment Questionnaire rather than an on-site audit. There are several versions of the questionnaire, and which one you fill out depends entirely on how you take payments. That's the lever most merchants don't realize they're holding.
Scope is the whole game
The Self-Assessment Questionnaire has a short version and a long version, and the difference between them is whether card data ever touches your systems. A merchant who routes every transaction through a validated payment processor, so the card number goes straight from the customer to the processor and never lands in the merchant's environment, fills out the short questionnaire and answers for a fraction of the controls. A merchant who keys card numbers into a PC, stores them in a spreadsheet, or runs payments through software sitting on their own network answers for all of it, and has to secure every system that card data can reach.
So the cardholder data environment, the set of systems in scope, is the number that sets the cost of everything. The play for almost every small merchant is to shrink it. Route card data through processors that tokenize it or encrypt it at the point of sale, so your business handles a token instead of a real card number and the sensitive data never sits on a machine you own. Done right, this takes whole systems out of scope, drops you to the short questionnaire, and shrinks both the work and the breach liability at the same time. Getting it wrong, leaving one forgotten system that still touches raw card data, quietly pulls everything back into scope. Scoping it correctly is the part worth paying attention to, and it's the part we do before anyone talks about controls.
Where we fit, and where we don't
We work the technology side of PCI. We're not a Qualified Security Assessor and we don't sign off on a Report on Compliance, which is the formal validation a Level 1 merchant needs from an accredited assessor. What we do is the engineering and the operations that make the standard achievable: scoping the cardholder data environment, designing payment flows that keep card data off your network, implementing the technical controls the questionnaire asks about, and keeping your honest answers honest as the business changes. If your situation genuinely needs a QSA, we'll tell you, and we'll work alongside one rather than pretend to be one.
That line matters for the same reason the RPO-versus-C3PAO line matters on the CMMC side. Knowing where your provider's role ends is part of getting compliance right, and a provider who blurs it is a provider to watch.
How the work gets done
PCI work folds into a Managed IT Services engagement rather than running as a side project, for the reason that runs through everything on our Compliance Services hub: the questionnaire is an attestation about live systems, and when one firm answers for systems another firm runs, the answer drifts from the truth fast. The annual self-assessment is where that gap surfaces, and a breach is where it gets expensive.
In practice that means we scope your environment, redesign the payment flows to pull card data out of it where we can, implement the network segmentation, access controls, monitoring, and patching the standard requires, and support the person who signs the annual questionnaire so they're attesting to something real. When you change a point-of-sale system or add a location, the scope gets re-checked, because the team making the change is the team that knows what it did to the cardholder data environment. The security controls underneath this live on our Cybersecurity Services page.
Where to start
A short call is enough to figure out how you actually take payments, how much of PCI really applies to you, and whether your scope can be cut. Bring your current Self-Assessment Questionnaire if you have one, or the name of your payment processor if you don't. Thirty minutes, no commitment.
Frequently asked questions
Does PCI DSS apply to a business as small as ours?
Yes. There's no minimum transaction count that exempts a merchant. If you accept payment cards at all, the standard applies, and your merchant agreement obligates you to it. What changes with size is how you validate. Almost every small Wichita business is Level 4 and validates through a Self-Assessment Questionnaire rather than an on-site audit, and with the right payment setup that questionnaire can be the short one.
Are you a QSA? Can you certify our PCI compliance?
No. We're not a Qualified Security Assessor and we don't issue a Report on Compliance, which is the formal validation a Level 1 merchant needs. We handle the technology side: scoping, payment flow design, the technical controls, and supporting your annual self-assessment. If your situation requires a QSA, we'll say so and work alongside one. A provider who claims to be both the engineer and the assessor is a provider to be careful with.
How do we make PCI cheaper and simpler?
Get card data out of your environment. Route every transaction through a processor that tokenizes or encrypts the card number at the point of capture, so your systems handle a token and never the real number. That pulls whole systems out of scope, drops you to the short Self-Assessment Questionnaire, and shrinks your breach liability at the same time. Scoping it correctly is the work, and it's the first thing we do.
We use a payment processor already. Are we automatically compliant?
Not automatically, but you're probably most of the way there if card data truly never touches your systems. The catch is the word truly. A single overlooked spot where someone keys a card number into a PC, or a piece of software on your network that still sees raw card data, pulls systems back into scope and changes which questionnaire you owe. We verify where card data actually flows before assuming the processor took it all off your plate.
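The "forgotten system that still touches raw card data" from the scoping section above, and the verification this answer describes, both come down to the same check: look at what your systems actually hold and see whether any of it is a real card number rather than a token. The script below is an added illustration of that discovery check, written for this page; it is not the firm's tooling or anything from the PCI standard. It scans a few constructed sample records (the card-shaped values are the public Luhn-valid test numbers processors publish for sandboxes, not real cards) and reports only masked hits, because a scope report that itself contains full card numbers would put the report in scope.

```python
import re

# Constructed sample records of the kind a scope review pulls from shared
# drives, ticket notes and application logs. None are real card numbers: the
# PAN-shaped values are the Luhn-valid test numbers processors publish for
# sandbox use. (constructed sample input)
SAMPLE_LINES = [
    "2024-03-02 order 1189 token=tok_7f3a9c2e amount=42.10",
    "customer called, card 4111 1111 1111 1111 exp 09/27, keyed manually",
    "refund ref 5555-5555-5555-4444 issued by front desk",
    "invoice 1234567812345678 paid",
    "phone 316-555-0100 account 4242424242424242",
]

# A run of 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check-digit test.

    Card numbers carry a Luhn check digit; most other long digit runs
    (invoice numbers, timestamps, account ids) fail it, which is what keeps
    the false-positive rate of a discovery scan tolerable.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the masked form that is safe to report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked card numbers found in one line of text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_lines(lines) -> list[tuple[int, str]]:
    """Scan numbered lines; each hit marks a system that is still in scope."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for masked in find_pans(line):
            findings.append((n, masked))
    return findings


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: raw card number present ({masked}); system is in scope")
```

Three of the five sample lines contain a real card number shape; the sixteen-digit invoice number on line 4 fails the Luhn check and is correctly ignored, and the token on line 1 never matches at all. Every hit is a system, share or workflow that has to be either moved behind the processor's tokenization or answered for in the long questionnaire; the scan tells you where the scope actually is, not whether the controls on it are adequate.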
What happens if we have a card breach and our self-assessment was wrong?
That's the expensive scenario. A breach plus a self-assessment attesting to controls you didn't have exposes you to card brand fines, forensic costs, and liability passed down through your acquiring bank, and it can put your ability to accept cards at risk. The point of doing the scoping and the controls properly is that your attestation is true, so a bad day stays a contained incident instead of a compounding one.