Brewery PCI Compliance

Bottom Line Up Front

Most breweries need SAQ B or SAQ B-IP for their taproom POS systems, but if you sell online or distribute through retailers who process payments, your brewery PCI compliance requirements become more complex. The biggest mistake? Thinking your standalone Square terminal exempts you from compliance — it doesn’t, though it does dramatically simplify your requirements.

Here’s what catches breweries: mixing payment acceptance across your taproom, online store, beer garden mobile devices, and wholesale operations creates multiple compliance obligations. Each payment channel potentially requires its own assessment, and that food truck at your summer concert series? That’s another compliance consideration entirely.

How Breweries Process Payments

Your payment environment likely spans several channels, each with distinct compliance implications:

Taproom Point of Sale
Most breweries run Square, Toast, Clover, or similar integrated POS systems with standalone terminals. These devices connect via Ethernet or cellular (never Wi-Fi for compliance reasons) and process cards through the terminal itself — not through a connected computer. This setup typically qualifies for SAQ B if the terminals connect via dial-up or cellular, or SAQ B-IP if they use your network.

Online Sales and Beer Clubs
Your e-commerce platform — whether WooCommerce, Shopify, or a brewery-specific solution like Arryved or VinePair — determines your online compliance requirements. If you’re using hosted checkout pages where customers enter card data on the payment processor’s site, you’ll likely need SAQ A. If card data touches your servers or you customize the payment form, expect SAQ A-EP or even SAQ D.

Mobile and Event Processing
Beer gardens, festivals, and mobile sales create unique challenges. Those Square readers on iPads? If they’re on your Wi-Fi network, you’ve just expanded your compliance scope. Smart breweries use cellular-connected devices or P2PE-validated solutions to keep these transactions isolated.

Wholesale and Distribution
B2B payments often involve storing card data for recurring charges, manual key-entry over the phone, or emailed credit card authorization forms (stop doing this immediately). These practices push you toward SAQ C or SAQ D, depending on your storage and processing methods.

Industry-Specific Compliance Challenges

Breweries face a perfect storm of compliance complexity:

Distributed Operations
Your brewpub isn’t just one location — it’s the taproom, kitchen, production facility, beer garden, private event space, and possibly satellite locations. Each area that accepts payments needs proper network segmentation, and staff move between these areas constantly, often with shared credentials.

Seasonal and Event Staff
Summer beer garden season means hiring temporary staff who need payment system access. Your compliance program must account for rapid onboarding, training staff who might work three shifts total, and promptly removing access when they leave. Most breweries fail Requirement 7 (restrict access to cardholder data by business need-to-know) because they never revoke seasonal employee access.

Mixed Technology Environment
Production systems running your brewing operations often share networks with payment systems. That glycol monitoring system accessible from the Internet? If it’s on the same network as your POS, you’ve just expanded your cardholder data environment (CDE) to include industrial control systems that were never designed for payment security.

Multi-Channel Inventory
Your POS likely integrates with inventory management, connecting taproom sales to production systems. These integrations create pathways between payment and operational networks that complicate segmentation efforts.

Partner and Vendor Access
Distributors accessing your wholesale portal, third-party delivery services integrated with your POS, and that local food truck using your payment infrastructure — each connection expands your compliance scope. The requirement to maintain a vendor inventory (Requirement 12.8) becomes critical when you realize how many third parties touch your payment ecosystem.

Your Compliance Roadmap

Step 1: Determine Your Merchant Level and SAQ Type

Your processor assigns your merchant level based on annual transaction volume:

  • Level 4: Under 20,000 Visa transactions or under 1 million Mastercard/other transactions (most breweries)
  • Level 3: 20,000 to 1 million e-commerce transactions annually
  • Level 2: 1 to 6 million transactions
  • Level 1: Over 6 million transactions

For SAQ type, map each payment channel:

  • Taproom POS only with standalone terminals: SAQ B or B-IP
  • Add online sales with hosted checkout: Now you need both SAQ B/B-IP and SAQ A
  • Accept phone orders or store cards for wholesale: Add SAQ C or SAQ D

Step 2: Map Your Cardholder Data Flow

Create a diagram showing every point where card data enters your environment:

  • Physical terminals in taproom and beer garden
  • Online checkout processes
  • Phone order procedures
  • Mobile devices at events
  • Any stored card data for recurring wholesale billing

Include all systems that connect to or communicate with payment systems, even if they don’t process cards directly. That iPad running your digital menu board that’s on the same network as your POS? It’s in scope.

Step 3: Identify Scope Reduction Opportunities

Before implementing controls, minimize what you need to protect:

  • Replace connected POS systems with standalone P2PE terminals
  • Move to hosted checkout pages for online sales
  • Eliminate phone order card acceptance (use emailed payment links instead)
  • Tokenize any stored card data
  • Segment payment networks from production and guest Wi-Fi

Step 4: Implement Required Controls

Based on your SAQ type(s), implement required controls:

Network Security (Requirements 1-2)

  • Firewall between payment and production networks
  • Change default passwords on all payment equipment
  • Document firewall rules and review quarterly

Protect Stored Data (Requirements 3-4)

  • Encrypt any stored cardholder data
  • Implement retention policies (don’t keep card data you don’t need)
  • Securely destroy old receipts and authorization forms

Vulnerability Management (Requirements 5-6)

  • Install POS software updates monthly
  • Run quarterly ASV scans on any Internet-facing systems
  • Deploy anti-virus on all Windows-based POS systems

Step 5: Complete Your SAQ and Schedule ASV Scans

Most breweries must complete multiple SAQs:

  • One for your physical taproom payments
  • Another for e-commerce if applicable
  • Additional assessments for any other payment channels

Schedule quarterly ASV scans for any Internet-facing systems, including:

  • Your website (even if it doesn’t process payments)
  • Any cloud-based POS management portals
  • VPN endpoints for remote access

Step 6: Submit Your AOC and Maintain Compliance Year-Round

Submit your completed SAQ(s) and AOC to your processor by their deadline. Then:

  • Set quarterly reminders for ASV scans
  • Review firewall rules every six months
  • Update your data flow diagram when adding payment channels
  • Train new staff on payment security
  • Test your incident response plan annually

Timeline: Plan 2-3 months for initial compliance if you’re starting fresh, or 3-4 weeks if you’re already partially compliant. Budget $2,000-5,000 annually for ASV scanning, compliance tools, and potential network segmentation work.

Scope Reduction for Breweries

The fastest path to compliance? Reduce what you need to protect:

P2PE in Your Taproom
Point-to-point encryption validated terminals (like certain Ingenico or Verifone models) encrypt card data at the swipe/dip/tap point. Your POS never sees the actual card number, reducing your taproom compliance from potential SAQ D to simple SAQ B or B-IP.

Hosted Checkout for Online Sales
Never let card data touch your web server. Use payment processor-hosted pages where customers enter card details. Your site redirects to Stripe, Square, or your processor’s payment page, then receives back a token. This keeps your e-commerce compliance at SAQ A instead of SAQ A-EP or D.

Virtual Terminals for Phone Orders
Stop taking card numbers over the phone. Instead, email customers a payment link from your processor’s virtual terminal. They enter their own card data, you never hear it, and you’ve eliminated an entire compliance obligation.

Network Segmentation
Separate payment networks from everything else:

  • Taproom POS on isolated VLAN
  • No connection to production systems
  • Guest Wi-Fi completely separated
  • Beer garden payments on cellular, not your network

The math works out: spending $5,000 on P2PE terminals and network segmentation saves you from implementing dozens of SAQ D requirements that could cost $50,000+ annually to maintain.

Best Practices From Compliant Breweries

Successful breweries approach compliance strategically:

Technology Stack Optimization
Leading breweries standardize on integrated, cloud-based POS systems with P2PE terminals. They use solutions like Toast or Square for Restaurants with validated P2PE devices, keeping compliance requirements minimal while gaining operational insights through cloud reporting.

Staff Training That Sticks
Instead of generic security training, create brewery-specific scenarios: “A distributor calls asking you to email their card number for this month’s invoice — what do you do?” Train staff on social engineering attempts specific to breweries, like fake distributor payment updates or bogus health department officials asking for payment information.

Practical Network Segmentation
Smart breweries implement three separate networks:
1. Payment Network: POS terminals and payment processing only
2. Operations Network: Brewing systems, inventory, office computers
3. Guest Network: Customer Wi-Fi, completely isolated

This segregation costs roughly $2,000-3,000 to implement but dramatically reduces compliance scope.
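As an added illustration (not from the article) of the scoping rule in Step 2 and the three-network split above, here is a small Python scope calculator run over a constructed device inventory. It treats any device that shares a VLAN with, or has a firewall allow rule to or from, a card-handling device as “connected-to” and therefore in scope; the device names, VLANs and allow rules are all constructed for the example.

```python
"""Added example: PCI scope calculator over a constructed device inventory."""
from collections import deque

# Constructed inventory (not a real brewery): name -> (vlan, handles_card_data)
DEVICES = {
    "pos-terminal-1": ("payment", True),
    "pos-terminal-2": ("payment", True),
    "menu-ipad": ("payment", False),       # digital menu board left on the POS VLAN
    "glycol-monitor": ("operations", False),
    "office-pc": ("operations", False),
    "guest-phone": ("guest", False),
}

# Constructed inter-VLAN firewall allow rules as (src_vlan, dst_vlan),
# e.g. an inventory integration that talks from operations to the POS.
ALLOW_RULES = [("operations", "payment")]


def build_adjacency(devices, allow_rules):
    """Undirected links: same VLAN, or any allow rule between the two VLANs.
    PCI treats 'connected-to' systems as in scope whichever way traffic flows."""
    linked = {(a, b) for a, b in allow_rules} | {(b, a) for a, b in allow_rules}
    adj = {name: set() for name in devices}
    for name, (vlan, _) in devices.items():
        for other, (ovlan, _) in devices.items():
            if other != name and (ovlan == vlan or (vlan, ovlan) in linked):
                adj[name].add(other)
    return adj


def card_data_scope(devices, allow_rules):
    """Return {device: hops} for every in-scope device; hops == 0 means it
    handles card data itself, hops > 0 means it was pulled in by connectivity."""
    adj = build_adjacency(devices, allow_rules)
    scope = {name: 0 for name, (_, handles) in devices.items() if handles}
    queue = deque(scope)
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in scope:
                scope[nxt] = scope[cur] + 1
                queue.append(nxt)
    return scope


def scope_creep(devices, allow_rules):
    """Devices in scope that never touch card data: the segmentation to-do list."""
    return sorted(n for n, hops in card_data_scope(devices, allow_rules).items() if hops > 0)
```

Calling scope_creep(DEVICES, ALLOW_RULES) lists glycol-monitor, menu-ipad and office-pc; dropping the operations-to-payment allow rule leaves only menu-ipad, and moving that iPad to the operations VLAN empties the list.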

Vendor Management
Maintain a simple spreadsheet of every vendor touching your payment environment:

  • POS system provider
  • Payment processor
  • Any third-party integrations
  • Delivery service integrations
  • IT support providers

Require annual compliance attestations from each vendor — it’s easier than explaining to your processor why a breach through your untrained IT contractor is still your responsibility.

FAQ

Q: Our Square terminal handles everything — do we still need PCI compliance?
A: Yes. While Square reduces your compliance burden to SAQ B or B-IP, you still must complete annual self-assessment questionnaires, ensure physical terminal security, and maintain network controls if terminals use your Internet connection. Square handles the payment processing security; you handle the physical and network security around their devices.

Q: We use tablets for tableside ordering — what’s our compliance requirement?
A: If tablets access your POS system over Wi-Fi to enter orders (but customers pay at fixed terminals), the tablets don’t directly impact PCI scope. However, if you accept payments on tablets using card readers or manual entry, each tablet becomes a payment acceptance device requiring full compliance controls including encryption, access control, and network security.

Q: Can we store credit cards for our beer club members?
A: You can, but storing card data moves you from simple SAQ B to complex SAQ C or SAQ D with encryption, access control, and retention requirements. Instead, use your payment processor’s tokenization service — they store the actual card data and give you a token for recurring charges, keeping you at a simpler compliance level.

Q: Do food truck vendors using our space affect our compliance?
A: Only if they use your payment infrastructure. If food trucks process payments through their own independent systems and cellular connections, they maintain separate compliance. If they connect to your network or use your POS system, you’re responsible for their compliance as part of your environment.

Q: We’re opening a second location — does this change our compliance?
A: Each location processing payments needs assessment, but you typically submit one consolidated SAQ covering all locations using the same payment methods. If Location A uses standalone terminals (SAQ B) while Location B accepts online orders (requiring SAQ A), you’ll need to complete both SAQs. Maintain consistent security controls across all locations for easier compliance management.

Q: Our distributor wants to keep a card on file — is email secure enough?
A: Never accept credit card information via email. Unencrypted email violates PCI DSS requirements and exposes you to breach liability. Instead, use your payment processor’s card-on-file tokenization feature or send distributors a secure payment link where they can enter card data themselves through a PCI-compliant portal.

Conclusion

Brewery PCI compliance doesn’t have to be overwhelming. Start with understanding how you accept payments across all channels — taproom, online, wholesale, and events. Then reduce scope wherever possible through P2PE terminals, hosted payment pages, and network segmentation. Most breweries can achieve compliance with SAQ B for their taproom and SAQ A for online sales, investing a few thousand dollars in the right technology to avoid tens of thousands in complex security controls.

The key is starting now, not when your processor threatens to increase your rates or suspend your account. Map your payment flows, identify quick wins for scope reduction, and build compliance into your operations rather than bolting it on later. Your brewery’s growth depends on accepting payments efficiently — make sure you can keep accepting them by maintaining compliance.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team about building a compliance program that works for your brewery’s unique payment environment.
