Distillery PCI Compliance

Bottom Line Up Front

If you run a distillery, distillery PCI compliance touches more of your business than you probably realize — your tasting room point-of-sale, your direct-to-consumer (DTC) bottle shop website, your wine-and-spirits club subscriptions, your event ticketing, and the phone orders you take for cases and gift sets all process cardholder data. Most distilleries fall under SAQ A or SAQ B-IP, depending on how their tasting room and online sales are set up, and the validation effort is far smaller than the reputation of PCI suggests — if you’ve architected your payments correctly.

Here’s the one thing distilleries get wrong most often: treating the tasting room POS and the e-commerce store as one compliance problem. They’re usually two different cardholder data environments (CDEs) with two different SAQ types and two different sets of controls. Bundle them mentally, and you’ll either over-build controls you don’t need or — far worse — miss the requirements that actually apply. Get the scoping right first, and the rest of compliance becomes a manageable annual checklist.

How Distilleries Process Payments

Distilleries are unusual because they straddle card-present (CP) and card-not-present (CNP) worlds at once. A single brand might take a tasting-room tap on a terminal, sell bottles through Shopify, run a recurring spirits club, and take a phone order for a wedding all in the same week.

Typical payment environments

Channel | How it works | Card-present or CNP
Tasting room / bottle shop | Countertop or mobile POS terminal | Card-present
DTC e-commerce | Hosted checkout or embedded payment page | Card-not-present
Spirits/bottle club | Recurring billing on stored tokens | Card-not-present
Phone & event orders | Staff key in PAN manually | Card-not-present
Festivals & pop-ups | Mobile readers (Square, etc.) | Card-present

Where cardholder data lives — and where it shouldn’t

In a well-designed distillery setup, you should never store the Primary Account Number (PAN) yourself. Your POS provider and payment gateway handle the card; you handle bottles. The danger zones are predictable:

  • Phone orders written on paper with full card numbers and card verification codes (CVV2/CID). Storing the CVV after authorization is never permitted — shred those notes immediately.
  • Spreadsheets of club members’ card numbers for “easy” rebilling. Don’t. Use tokenized recurring billing through your gateway instead.
  • Email inboxes where a customer sent their card number to place an order. That inbox is now in scope. Delete it and tell customers never to email card data.
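The three danger zones above (and the emailed-card-number question in the FAQ further down) share one practical problem: finding cardholder data that has already leaked into notes, spreadsheets and inboxes so it can be deleted. The scanner below is an added example written for this article, not a PCICompliance.com tool. It flags Luhn-valid 13 to 19 digit numbers and labelled card verification codes, masks anything it finds, and ignores look-alikes such as phone numbers and tracking IDs. The file names and text samples are constructed; the card numbers are the well-known 4111..., 5555... and 3782... test numbers, not real accounts.

```python
"""Scan free text (phone-order notes, spreadsheet exports, e-mail bodies) for
cardholder data that should never be stored.  Added example for this article;
not a PCICompliance.com tool.  All sample inputs below are constructed."""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3- or 4-digit code written next to a CVV2/CID-style label.
CVV_PATTERN = re.compile(
    r"\b(?:cvv2?|cvc|cid|security code)\s*[:#]?\s*(\d{3,4})\b", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out phone numbers, order IDs and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits only; never log a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str   # file / inbox item the data was found in
    kind: str     # "PAN" or "CVV"
    masked: str   # masked PAN, or "***" for a verification code


def find_cardholder_data(source: str, text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN and per labelled CVV in text."""
    findings: list[Finding] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding(source, "PAN", mask_pan(digits)))
    for _ in CVV_PATTERN.finditer(text):
        # Storing the CVV after authorization is never permitted, so any hit
        # is reportable regardless of whether a PAN sits next to it.
        findings.append(Finding(source, "CVV", "***"))
    return findings


# Constructed samples of the three danger zones named in the article.
SAMPLES = {
    "phone-order-note.txt": (
        "Wedding order, 6 cases. Card 4111 1111 1111 1111 exp 09/27 CVV 123. "
        "Call back 1-800-555-0199."
    ),
    "club-members.csv": "name,card\nA. Smith,5555555555554444\nB. Jones,1234 5678 9012 3456\n",
    "inbox/order-request.eml": (
        "Hi, please ship two bottles. My Amex is 3782 822463 10005, security code 9876."
    ),
}


def scan_all(samples: dict[str, str]) -> list[Finding]:
    """Scan every sample and return all findings in source order."""
    results: list[Finding] = []
    for source, text in samples.items():
        results.extend(find_cardholder_data(source, text))
    return results


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f.source}: {f.kind} {f.masked}")
```

Run it over exports of your shared drives and mailbox archives; every hit is a file to delete and a process to fix (move that channel to the virtual terminal), not a record to keep. The tracking-style number in the club spreadsheet is reported as nothing because it fails the Luhn check, while the 800-number is too short to be a candidate at all.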

How this maps to SAQ types

  • Fully outsourced e-commerce (you embed a hosted checkout and never touch card data) → SAQ A.
  • E-commerce where your site partially controls the payment page (a direct-post or scripted integration where your servers influence the checkout) → SAQ A-EP.
  • Standalone IP-connected terminals in the tasting room, no electronic storage → SAQ B-IP.
  • Dial-out or imprint terminals only → SAQ B.
  • Virtual terminal for phone orders, nothing stored → SAQ C-VT.

Most modern distilleries land on SAQ A for the website plus SAQ B-IP for the tasting room. Your acquirer may let you validate the higher-effort SAQ that covers everything, but separating them usually means less work overall. When in doubt, run our free SAQ Wizard — it asks how each channel works and tells you which questionnaire applies.

Industry-Specific Compliance Challenges

Seasonal staff and high turnover

Tasting rooms surge during harvest, holidays, and festival season, bringing in temporary and part-time staff who handle terminals and phone orders. The current standard requires that anyone with access to the CDE receives security awareness training and has unique user credentials (Requirement 8). A pile of seasonal hires sharing one POS login is a classic finding — and a real risk.

Pop-ups, festivals, and remote sales

That mobile reader you use at a whiskey festival is part of your payment environment. Mobile card acceptance can be perfectly compliant, but it depends entirely on the P2PE or tokenization model of the provider. Confirm your mobile solution is on the processor’s validated list — don’t assume.

Multi-location and distribution complexity

Distilleries with multiple tasting rooms, or those selling through a DTC platform plus a third-party marketplace, multiply their scope. Each location’s network, each terminal, and each integration is a potential entry point. Consistent hardware and a single processor across sites dramatically simplifies your annual validation.

State alcohol regulations intersecting with PCI

Three-tier distribution laws, age-verification at delivery, and state-by-state DTC shipping rules don’t change PCI requirements, but they do add data you collect (date of birth, signature on delivery) that should be stored separately from any payment flow. Keep compliance scope clean: payment data goes to the gateway, regulatory data goes to your compliant order system — never mingle them in the same spreadsheet.

Your Compliance Roadmap

Step 1: Determine your merchant level and SAQ type

Your merchant level (1–4) is assigned by your acquiring bank based on your annual card transaction volume. Most distilleries are Level 4, the lowest-volume tier, which means self-assessment rather than a full ROC. Confirm your level with your acquirer, then identify your SAQ type per channel.

Step 2: Map your cardholder data flow

Draw every path a card takes: tasting room tap → terminal → processor; website checkout → hosted page → gateway; phone order → virtual terminal. This diagram is the single most useful document you’ll produce, and your QSA or acquirer will ask for it.

Step 3: Identify scope reduction opportunities

Before implementing controls, ask how you can remove systems from scope entirely (covered in detail below). Every system you take out of the CDE is a system you don’t have to secure, scan, or document.

Step 4: Implement required controls

Depending on your SAQ, this typically includes strong access control and MFA (Requirement 8), firewall/router configuration for any in-scope network (Requirement 1), anti-malware (Requirement 5), patching and vulnerability management (Requirement 6), and audit logging (Requirement 10).

Step 5: Complete your SAQ and schedule ASV scans

If your environment has any external-facing systems (most e-commerce does), you’ll need a quarterly ASV scan from an Approved Scanning Vendor. Our ASV scanning service handles these and walks you through any required remediation.

Step 6: Submit your AOC and maintain compliance year-round

Complete the Attestation of Compliance (AOC) and submit it to your acquirer. Then remember: validation is point-in-time, but compliance is continuous. The SAQ and AOC are submitted annually, yet the controls must be in place every day in between.

Realistic timeline and budget

Scenario | Typical effort | Validation
SAQ A (fully hosted e-commerce) | Days to a couple of weeks | SAQ + AOC, possible ASV scan
SAQ B-IP (standalone IP terminals) | A few weeks | SAQ + AOC, often no ASV scan
SAQ A-EP (partially controlled page) | Several weeks | SAQ + AOC + quarterly ASV scan
Mixed channels / SAQ D | One to several months | SAQ D + AOC + ASV + pen test

Most Level 4 distilleries keep annual compliance costs modest when they lean into scope reduction. The expensive path is almost always the avoidable one — storing card data or running a sprawling, un-segmented network.

Scope Reduction for Distilleries

This is the single biggest lever you have. Every dollar spent shrinking your CDE saves you several in controls and assessment effort.

Technique | What it does | Best fit for
P2PE terminals | Encrypts card data at the point of swipe/tap so your network never sees readable PAN | Tasting rooms, multi-location
Tokenization | Replaces stored PAN with a useless token for recurring billing | Spirits clubs, subscriptions
Hosted payment pages | Card data goes straight to the gateway, never your server | DTC e-commerce → SAQ A
Validated mobile readers | Encrypted mobile acceptance for events | Festivals, pop-ups

A validated P2PE solution in your tasting room can move you toward the SAQ P2PE questionnaire — one of the shortest paths available, because the encryption removes most systems from scope. For your website, an embedded hosted checkout keeps you on SAQ A, the lightest e-commerce SAQ.

The cost-benefit math is simple: a P2PE terminal or a hosted checkout integration usually costs less, over a year, than implementing and documenting the full slate of controls you’d otherwise need. Reduce scope first, then secure what remains.

Best Practices From Compliant Distilleries

Standardize your hardware across locations. Distilleries with three tasting rooms on identical P2PE terminals and one processor validate far faster than those with a different setup at each site.

Use tokenized recurring billing for your spirits club. Never store card numbers for rebilling. Your gateway stores a token; you store nothing sensitive.

Kill the paper trail. Replace handwritten phone-order slips with a virtual terminal keyed directly into the gateway. No card number ever lands on paper or in an inbox.

Train every tasting-room employee — including seasonal staff. PCI awareness doesn’t have to be technical: don’t write down card numbers, don’t accept card data by email, recognize a skimmer on a terminal, and know who to call if something looks wrong. Build this into your seasonal onboarding.

Run a change-detection and logging routine on any in-scope POS network, and review your firewall rules periodically. Even a small distillery benefits from knowing when something on the payment network changes unexpectedly.
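A minimal version of the change-detection routine described above, as an added example for this article rather than a PCICompliance.com tool: it parses an exported firewall ruleset, stores an order-independent fingerprint as the approved baseline, reports rules that appeared or disappeared since that baseline, and separately flags any allow rule that lets the POS segment reach anything other than the processor endpoint. The rule syntax, the 10.20.0.0/24 POS segment and the 203.0.113.10 processor address are constructed placeholders; substitute your own export format and addresses.

```python
"""Baseline-and-diff check for the firewall rules guarding an in-scope POS
segment.  Added example for this article, not a PCICompliance.com tool.
The rule syntax, POS segment and processor address are constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: str     # destination port or "any"


def parse_rules(text: str) -> set[Rule]:
    """Parse 'action proto src dst port' lines; blanks and # comments ignored."""
    rules: set[Rule] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        rules.add(Rule(action, proto, src, dst, port))
    return rules


def fingerprint(rules: set[Rule]) -> str:
    """Order-independent SHA-256 of the ruleset; store this as the baseline."""
    canonical = "\n".join(
        sorted(f"{r.action} {r.proto} {r.src} {r.dst} {r.port}" for r in rules)
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_rules(baseline: set[Rule], current: set[Rule]) -> tuple[set[Rule], set[Rule]]:
    """Return (added, removed) relative to the approved baseline."""
    return current - baseline, baseline - current


# Constructed: the terminals live in this segment and may only talk to the processor.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {("203.0.113.10/32", "443")}   # constructed processor endpoint


def policy_violations(rules: set[Rule]) -> list[Rule]:
    """Allow rules that give the POS segment a path anywhere but the processor."""
    bad = []
    for r in rules:
        if r.action != "allow":
            continue
        if not ipaddress.ip_network(r.src).subnet_of(POS_SEGMENT):
            continue   # rule is about some other segment
        if (r.dst, r.port) not in ALLOWED_EGRESS:
            bad.append(r)
    return sorted(bad, key=lambda r: (r.dst, r.port))


# Constructed exports: the approved baseline and a later snapshot.
BASELINE = """
# approved POS egress
allow tcp 10.20.0.0/24 203.0.113.10/32 443   # payment processor
deny  any 10.20.0.0/24 0.0.0.0/0 any
"""

CURRENT = """
allow tcp 10.20.0.0/24 203.0.113.10/32 443
allow tcp 10.20.0.0/24 0.0.0.0/0 3389   # unexpected: RDP out of the POS segment
deny  any 10.20.0.0/24 0.0.0.0/0 any
"""


def check(baseline_text: str, current_text: str) -> dict:
    """One review pass: drift against baseline plus least-privilege violations."""
    base, cur = parse_rules(baseline_text), parse_rules(current_text)
    added, removed = diff_rules(base, cur)
    return {
        "changed": fingerprint(base) != fingerprint(cur),
        "added": added,
        "removed": removed,
        "violations": policy_violations(cur),
    }


if __name__ == "__main__":
    report = check(BASELINE, CURRENT)
    print("ruleset changed:", report["changed"])
    for r in report["added"]:
        print("added:  ", r)
    for r in report["violations"]:
        print("violates POS egress policy:", r)
```

Schedule the check against a fresh export (daily is reasonable even for one tasting room), keep the baseline fingerprint with your change records, and treat any "changed" result without a matching change ticket as an incident to investigate; that is the audit-trail evidence Requirement 10 and your annual SAQ both ask for.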

FAQ

Does my distillery need PCI compliance if I only take a few card payments?

Yes. Any business that accepts, processes, or stores cardholder data must comply, regardless of volume. Low-volume distilleries are usually Level 4 and can self-assess with an SAQ rather than undergo a full assessment.

My tasting room and website are different — do I need two SAQs?

Often, yes, and that’s a good thing. A hosted e-commerce store typically falls under SAQ A while standalone tasting-room terminals fall under SAQ B-IP. Validating each channel separately usually means less total work than forcing everything into one comprehensive SAQ.

Can I store my spirits club members’ card numbers for recurring billing?

No — not in a spreadsheet or your own database. Use tokenized recurring billing through your payment gateway, which stores a token instead of the real PAN. This keeps card data out of your environment and dramatically reduces your scope.

Are the mobile readers I use at festivals PCI compliant?

They can be, but it depends entirely on the provider’s encryption and tokenization model. Confirm your mobile solution uses P2PE or end-to-end encryption and is on your processor’s validated list before relying on it.

Do I need an ASV scan if I only sell in person?

Generally only if you have external-facing systems in scope, which most card-present-only setups with standalone terminals avoid. If you also run e-commerce, you’ll typically need quarterly ASV scans for the website. Confirm with your acquirer.

What happens if a customer emails me their card number to place an order?

That email — and the inbox storing it — is now part of your CDE. Delete the message, ask customers never to send card data by email, and route phone and email orders through a virtual terminal instead.

Conclusion

Distillery PCI compliance is far more navigable than its reputation suggests once you separate your channels, map your card data flows, and aggressively reduce scope with P2PE terminals, tokenization, and hosted checkout pages. Get the architecture right, and your annual validation becomes a predictable checklist rather than a fire drill — though remember, compliance is continuous, not a one-time certificate.

PCICompliance.com gives you everything you need to achieve and maintain compliance in one place. Our free SAQ Wizard identifies exactly which questionnaire each of your channels needs, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round — backed by the same end-to-end platform trusted by thousands of merchants from single-location shops to multi-site enterprises. Start with the free SAQ Wizard, or talk to our compliance team to map your distillery’s path to compliance today.
