Bottom Line Up Front
If you run a tanning salon, tanning salon PCI compliance is probably more manageable than you fear — but only if you’ve set up your payment environment the right way. Most tanning salons accept cards in person at a front-desk POS and run recurring monthly memberships, and that recurring billing is exactly where the biggest mistake happens.
The one thing most tanning salons get wrong: storing customer card numbers to bill memberships every month. Whether it’s a spreadsheet, a note in your salon management software, or a paper file in a drawer, storing the full PAN (Primary Account Number) to re-bill members dramatically expands your Cardholder Data Environment (CDE) — and pushes you toward the most demanding SAQ D.
The good news: when you let your payment processor handle recurring billing through tokenization, you can usually qualify for a much simpler SAQ. Get that one decision right, and most of your compliance burden disappears.
How Tanning Salons Process Payments
Tanning salons typically run a few payment streams at once, and each one has different PCI implications.
- Card-present (CP) walk-in sales — single sessions, packages, and lotion/retail purchases at a front-desk terminal.
- Recurring membership billing — the financial backbone of most salons, charging members monthly on a stored payment method.
- E-commerce — online package or membership sign-ups, retail product sales.
- Phone orders — occasional card-not-present (CNP) sales when someone calls to renew or buy a package.
Common technology stacks
Most salons use an integrated salon/tanning management platform (booking, memberships, retail, and payments in one system) paired with a card terminal from a payment processor. These platforms are convenient, but how they handle stored cards determines your PCI scope.
Where cardholder data lives — and where it shouldn’t
Sensitive Authentication Data (SAD) — the CVV, full track data, or PIN — must never be stored after a transaction is authorized. No exceptions. If a staff member writes a CVV on a membership form, that’s a violation.
The PAN may only be stored if it’s rendered unreadable (truncation, tokenization, or strong encryption per the current standard). For most salons, the right answer is simple: don’t store the PAN at all. Let your processor store a token that represents the card for recurring billing.
How this maps to SAQ types
| Your Setup | Likely SAQ | Why |
|---|---|---|
| Standalone dial-out terminal, no electronic CHD storage | SAQ B | Card data never touches your network |
| Standalone IP-connected terminal, no electronic storage | SAQ B-IP | Internet-connected but isolated terminal |
| P2PE-validated terminal | SAQ P2PE | Encryption at swipe drastically cuts scope |
| Internet-connected POS, no electronic CHD storage | SAQ C | Payment app connected to the internet |
| Virtual terminal only (browser-based) | SAQ C-VT | Manual keying into a hosted page |
| Fully outsourced/hosted online payments | SAQ A | Payment page redirected to a compliant provider |
| Any electronic storage of card data | SAQ D | The most demanding questionnaire |
Most tanning salons land in SAQ B-IP, SAQ C, or SAQ P2PE depending on terminal type — provided they don’t store card data themselves. Confirm your exact SAQ with your acquirer or use the free SAQ Wizard.
Industry-Specific Compliance Challenges
Recurring billing temptation
The single biggest challenge is the membership model. Salons need to charge members every month, and the wrong way to do that is keeping card numbers on file. The right way is processor-managed tokenization, where your system stores only a meaningless token.
Legacy and integrated POS systems
Many salons run older salon management software that was never designed with PCI scope reduction in mind. Some of these systems pass card data through your local network or PC, which expands your CDE. Ask your vendor directly: does our card data ever touch our own systems, or is it encrypted at the terminal?
Front-desk staff turnover
Tanning salons often run with part-time, seasonal, and high-turnover front-desk staff. PCI requires security awareness training, and that’s genuinely harder when you’re onboarding new employees every few months. Untrained staff are the most common source of bad habits — writing card numbers on forms, sharing logins, or emailing card details.
Multi-location and franchise complexity
If you operate multiple locations or a franchise, each site is part of your compliance picture. Standardizing terminals, software, and procedures across locations is far easier than managing a patchwork. Franchisees should clarify with the franchisor who owns the merchant account and who’s responsible for validation.
Shared back-office computers
The front-desk PC that runs your booking software is often the same one used for email, web browsing, and music streaming. If that machine touches card data, every requirement applies to it. Keeping card handling off general-purpose computers is a major scope win.
Your Compliance Roadmap
Step 1: Determine your merchant level and SAQ type
Your merchant level (1–4) is assigned by your acquirer based on annual transaction volume. Most single and small multi-location salons fall into the lower-volume levels and self-assess with an SAQ. Confirm your level with your acquirer, then identify your SAQ type.
Step 2: Map your cardholder data flow
Draw exactly how a card payment moves through your business — from the moment a member hands over their card to where the transaction is authorized. Pay special attention to recurring billing: where is the stored payment method kept, and in what form? This map defines your scope.
Step 3: Identify scope reduction opportunities
Look for every place card data lives and ask whether it needs to. Moving to P2PE terminals, tokenized recurring billing, and hosted/redirected online payments removes whole categories of requirements.
Step 4: Implement required controls
Apply the controls your SAQ requires. For most salons that means strong terminal configuration, unique user IDs for each staff member, multi-factor authentication (MFA) on administrative and remote access, regular patching, and a written security policy.
Step 5: Complete your SAQ and schedule ASV scans
Fill out your SAQ honestly. If your environment has any external-facing systems (most internet-connected setups do), you’ll need quarterly ASV scans from an Approved Scanning Vendor.
Step 6: Submit your AOC and maintain compliance year-round
Submit your Attestation of Compliance (AOC) to your acquirer. Remember: validation is a point-in-time snapshot, but compliance is continuous — you validate at least annually, scan quarterly, and maintain controls every day in between.
Realistic timeline and budget
| Scenario | Typical Effort | Cost Drivers |
|---|---|---|
| P2PE / simple terminal setup, no stored data | Days to a few weeks | Terminal swap, ASV scan, staff training |
| Internet-connected POS (SAQ C/B-IP) | Several weeks | Network controls, scans, policy work |
| Stored card data (SAQ D) | Months | Full requirement set, encryption, logging, pen testing |
The cheapest path to compliance is almost always eliminating stored card data first.
Scope Reduction for Tanning Salons
P2PE terminals
A PCI-validated P2PE solution encrypts card data inside the secure card-reading device at the moment of swipe/dip/tap, so plaintext card data never reaches your POS software or your network. This is the single most powerful scope-reduction lever for a card-present salon and can move you to SAQ P2PE.
Tokenization for memberships
Instead of storing PANs to bill members, your processor stores the card and returns a token. Your system charges the token each month — and since you never hold real card data, your CDE shrinks dramatically.
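As an added illustration of the two rules above ("Where cardholder data lives" and "Tokenization for memberships"), not code from this page or from any salon platform: a membership billing record that holds only the processor's token and the last four digits, plus a Luhn-based check that catches a full card number or a CVV typed into a free-text notes field. The token format and field names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed example (not any vendor's code): the only card-related values a
# salon system should persist are an opaque processor token and the last four
# digits for display. Anything that looks like a full PAN or a CVV is refused.

# 13-19 digits, optionally separated by spaces or dashes (how people type cards).
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")
CVV_NOTE = re.compile(r"\b(?:cvv|cvc|cid)\b\s*:?\s*\d{3,4}", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used only to tell a real card number from a random one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked forms of every Luhn-valid card number found in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])  # never echo the PAN
    return found


@dataclass(frozen=True)
class MembershipBilling:
    member_id: str
    processor_token: str   # opaque reference to the card held in the processor's vault
    last4: str             # display only; cannot be used to charge the card
    notes: str = ""


def new_membership(member_id: str, processor_token: str, last4: str, notes: str = ""):
    """Build the record the salon stores, refusing anything that is actually card data."""
    if not (last4.isdigit() and len(last4) == 4):
        raise ValueError("last4 must be exactly four digits")
    if find_pans(processor_token) or find_pans(notes):
        raise ValueError("full card number detected; store the processor token only")
    if CVV_NOTE.search(notes):
        raise ValueError("CVV must never be recorded, not even in notes")
    return MembershipBilling(member_id, processor_token, last4, notes)
```

The same `find_pans` check can be run over exported spreadsheets or notes fields when mapping your cardholder data flow (Step 2), to find PANs that should not be there.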
Hosted payment pages for e-commerce
If you sell packages or memberships online, use a redirect or hosted payment page so the card is entered directly on your provider’s compliant environment. Done correctly, this can qualify you for SAQ A.
Cost-benefit analysis
| Approach | Upfront Cost | Ongoing Burden | Best For |
|---|---|---|---|
| Scope reduction (P2PE, tokenization, hosted) | Moderate (new terminals/setup) | Low | Nearly all salons |
| Build controls around stored data (SAQ D) | High | High (logging, encryption, pen tests) | Rarely justified |
For a tanning salon, investing in scope reduction almost always beats building out the full SAQ D control set.
Best Practices From Compliant Salons
Top-performing salons standardize on processor-managed billing. They never store a PAN themselves — the processor’s vault and tokens do all the work, so memberships rebill automatically without compliance risk.
They isolate card handling. Terminals are dedicated to payments, and the front-desk PC is never used to type, email, or store card numbers.
They keep training simple and constant. Because staff turnover is high, the best salons bake a short PCI awareness lesson into onboarding: never write down a CVV, never share logins, never email card data, and know how to spot a tampered terminal.
They inspect terminals regularly. Physical terminal tampering and skimming are real risks at a busy front desk. A quick routine check for swapped or modified devices supports Requirement 9.
They lean on tooling instead of spreadsheets. Tracking SAQ progress, scan results, and renewal dates in a compliance dashboard keeps year-round compliance from slipping through the cracks.
FAQ
Can I store member card numbers to bill memberships each month?
You shouldn’t store the actual PAN yourself. Use your processor’s tokenization so the card is stored securely on their side and you bill a token — this keeps you compliant and out of SAQ D.
Which SAQ does a typical tanning salon need?
Most salons use SAQ B-IP, SAQ C, or SAQ P2PE depending on their terminal type, as long as they don’t store card data electronically. Run the free SAQ Wizard or confirm with your acquirer.
Do I need quarterly ASV scans?
If any part of your payment environment is internet-facing — which most internet-connected POS and online sign-up setups are — then yes, quarterly ASV scans are required. Fully outsourced or P2PE-only setups may have reduced scan obligations.
What happens if a staff member writes down a customer’s CVV?
That’s a serious violation — Sensitive Authentication Data like the CVV can never be stored after authorization, even on paper. Train staff that CVVs are entered once and never recorded.
Does P2PE really reduce my compliance work?
Yes. A validated P2PE solution encrypts card data at the device so it never reaches your systems, which can move you to SAQ P2PE and eliminate many requirements that otherwise apply.
How do multi-location salons handle PCI?
Standardize terminals, software, and procedures across every location, and confirm with your acquirer how your locations roll up under your merchant level. Consistent setups make a single compliance program possible instead of managing each site separately.
Conclusion
Tanning salon PCI compliance comes down to one principle: don’t hold card data you don’t need to hold. Push recurring billing into your processor’s tokenization, use P2PE or properly isolated terminals, keep card data off your general-purpose computers, and train your front-desk team well. Do that, and you’ll likely land in one of the simpler SAQ types — turning a reputation-heavy obligation into a routine annual task.
PCICompliance.com gives you everything you need to achieve and maintain compliance in one place. Our free SAQ Wizard identifies exactly which questionnaire your salon needs, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team — and turn PCI from a worry into a checkbox you confidently tick every year.