Embroidery Shop PCI

Bottom Line Up Front

If you run an embroidery shop, embroidery shop PCI compliance is almost certainly simpler than you fear — but only if you set up your payment environment the right way. Most embroidery businesses take custom orders, deposits, and final payments across a mix of in-store card swipes, phone orders, and an online storefront. That mix is exactly what trips people up.

Here’s the one thing most embroidery shops get wrong: taking card numbers over the phone and writing them down on the order ticket. When a customer calls to order 200 branded polos and reads you their card number while you jot it on a sticky note or type it into an email, you’ve just pulled cardholder data into your environment in the worst possible way. That single habit can drag you from a short, easy questionnaire into the most demanding one — and expose you to real breach liability.

The good news: with the right terminals and a hosted online checkout, most embroidery shops qualify for one of the simplest SAQ types and can validate compliance with modest effort.

How This Industry Processes Payments

Embroidery and custom-decoration shops have a distinctive payment pattern because so much of the work is custom, quoted, and deposit-based.

Typical payment touchpoints include:

  • Card-present (CP) counter sales — walk-in customers paying for finished goods at a POS terminal.
  • Phone orders (card-not-present / CNP) — corporate and team clients calling to place bulk orders and pay deposits.
  • E-commerce — an online store selling blanks, stock designs, or accepting custom-order deposits.
  • Recurring or milestone billing — a deposit up front, balance on delivery for large jobs.
  • Mobile / event sales — a tablet reader at a trade show, fair, or on-site team fitting.

Where cardholder data lives — and where it shouldn’t

Your PAN (Primary Account Number) and other cardholder data (CHD) should live in as few places as possible — ideally none of your own systems. In too many embroidery shops, card numbers end up in order-management software notes, emailed quotes, printed work tickets, or a spreadsheet of “repeat customer” cards. Sensitive Authentication Data (SAD) — the CVV, full track data, or PIN — must never be stored after a transaction is authorized. Writing a CVV on an order form is a violation, full stop.

How this maps to SAQ types

Your setup Likely SAQ Why
Standalone IP-connected terminals, no e-commerce, no stored CHD SAQ B-IP Terminals connect over IP but you don’t store card data electronically
Older standalone dial-out terminals only SAQ B No electronic storage, phone-line terminals
Fully outsourced online store (hosted checkout / redirect) SAQ A Payment page entirely handled by a compliant third party
Online store where your site touches the payment page (iframe/direct-post) SAQ A-EP You control elements of the checkout even if data goes to a processor
Virtual terminal only, one PC, no e-commerce SAQ C-VT Manual entry into a browser-based virtual terminal
Any electronic storage of CHD, or a complex mixed environment SAQ D The catch-all when other conditions aren’t met

Most single-location embroidery shops that use modern terminals and a hosted online store land in SAQ B-IP and SAQ A — the simpler end of the spectrum. Use the free SAQ Wizard to confirm your exact fit, because the details of your online checkout matter.

Industry-Specific Compliance Challenges

Phone orders are the biggest one. Bulk and corporate embroidery work naturally drives CNP phone payments. If you take card numbers verbally and enter them into a virtual terminal without writing them down anywhere, you can keep this manageable. The moment card data lands on paper, in email, or in a text message, your scope expands.

Legacy POS and order software. Many shops run production-management software (order tracking, art approval, invoicing) that was never designed with PCI in mind. If staff paste card numbers into a customer notes field, that database is now in your Cardholder Data Environment (CDE) — and subject to encryption, access control, and logging requirements.

Seasonal and part-time staff. Embroidery volume spikes around sports seasons, holidays, and corporate events. Temporary staff handling orders need the same PCI awareness training as full-time employees — a common gap.

Multi-location and mobile sales. If you run a storefront plus a mobile setup for trade shows and team fittings, each payment channel needs to be in scope and documented. Tablet card readers introduce Wi-Fi and mobile-device considerations you don’t have at a fixed counter.

Contract decorators and drop-ship partners. If a third party handles any part of your payment flow, you need their AOC (Attestation of Compliance) on file and a written understanding of who’s responsible for which controls.

Your Compliance Roadmap

Step 1: Determine your merchant level and SAQ type

Your merchant level (1–4) is assigned by your acquirer based on annual card transaction volume. Most embroidery shops are Level 4. Confirm your level with your acquiring bank, then identify your SAQ type — the SAQ Wizard walks you through this in minutes.

Step 2: Map your cardholder data flow

Draw every place a card number enters, moves through, and leaves your business: the counter terminal, the phone-order process, the website checkout, and any storage. You cannot secure — or reduce — what you haven’t mapped. This diagram is also the first thing a QSA asks to see if you ever get assessed.

Step 3: Identify scope reduction opportunities

This is where you save the most money and effort. Every card channel you can push onto a compliant third party shrinks your CDE and cuts the number of requirements that apply to you.

Step 4: Implement required controls

Depending on your SAQ, expect controls around strong passwords and MFA (Requirement 8), restricting access to CHD (Requirement 7), physical security of terminals (Requirement 9), anti-malware (Requirement 5), and a written information security policy (Requirement 12). Simpler SAQs like B-IP and A apply far fewer of these.

Step 5: Complete your SAQ and schedule ASV scans

Fill out your SAQ honestly. If your environment has any external-facing systems (like an e-commerce site or IP terminals), you’ll need a quarterly ASV scan from an Approved Scanning Vendor.

Step 6: Submit your AOC and maintain compliance year-round

Sign and submit your AOC to your acquirer. Remember: compliance is point-in-time and ongoing — you re-validate at least annually, keep scans running quarterly, and maintain controls every day in between.

Realistic timeline and budget

Scenario Typical effort Ongoing cost drivers
SAQ A (fully hosted store) Days to a couple of weeks ASV scan if applicable, annual SAQ
SAQ B-IP (IP terminals) A few weeks Quarterly ASV scan, terminal management
SAQ A-EP or D Weeks to months ASV scans, pen testing, broader controls

Most well-set-up embroidery shops complete their first validation within a few weeks and keep annual costs modest — the biggest expense is usually the one-time move to better payment technology.

Scope Reduction for This Industry

Scope reduction is the single biggest lever for lowering your compliance burden. Here are the moves that work best for embroidery shops:

Approach What it does Effect on scope
P2PE terminals Encrypt card data at the point of swipe/tap so it’s never readable in your environment Eliminates most technical requirements; enables the P2PE SAQ
Tokenization Replaces stored PANs with meaningless tokens for repeat customers Removes CHD from your systems
Hosted payment page / redirect Your online checkout is served by a compliant processor Moves e-commerce to SAQ A
Virtual terminal for phone orders Type card data directly into the processor’s browser page — never write it down Keeps phone orders out of your storage

The cost-benefit is lopsided in favor of scope reduction. A P2PE-validated terminal or a hosted checkout costs far less over time than implementing and auditing the dozens of controls that apply when card data sits in your own systems. For a repeat corporate client base, tokenization lets you rebill without ever storing a real card number.

Best Practices From Compliant Businesses in This Vertical

Kill the sticky note. Top-performing shops have a hard rule: card numbers are never written down, emailed, or texted. Phone orders go straight into a virtual terminal or P2PE device while the customer is on the line.

Use one payment path per channel. Consistency reduces mistakes. A single P2PE terminal at the counter, one hosted checkout online, and one virtual terminal for phone orders is far easier to secure than a patchwork.

Separate order management from payment. Keep your production software and your payment system distinct so card data never touches your order database.

Train every hire — including seasonal staff. A 20-minute onboarding covering “never store card data, spot skimmers, lock terminals, report anything suspicious” prevents the mistakes that cause breaches. Document that training for Requirement 12.

Inspect terminals regularly. Physical tampering and skimming are real risks for card-present businesses. Assign someone to visually check devices and record it.

FAQ

Do I really need to be PCI compliant if I only take a few card payments a month?

Yes. PCI DSS applies to any business that accepts, processes, transmits, or stores cardholder data, regardless of volume. Low volume may put you at a lower merchant level with a simpler SAQ, but it doesn’t exempt you.

Can I keep a customer’s card number on file for repeat corporate orders?

Not on paper or in a spreadsheet — that pulls you into the most demanding scope and creates real liability. Instead, use your processor’s tokenization feature, which lets you rebill repeat clients without ever storing the actual PAN.

We take a lot of phone orders. Which SAQ does that put us in?

It depends on how you handle those card numbers. If you type them directly into a virtual terminal and never store them, you may qualify for SAQ C-VT; if card data ends up in your systems, you likely fall to SAQ D. The SAQ Wizard can pinpoint your exact fit.

Does adding an online store change my compliance requirements?

Yes. A fully hosted checkout typically keeps you at SAQ A, the simplest option. But if your site touches the payment page — an embedded iframe or direct-post form — you likely move to SAQ A-EP, which adds requirements and a quarterly ASV scan.

What’s the difference between SAQ B and SAQ B-IP for my terminals?

SAQ B covers older standalone dial-out (phone-line) terminals, while SAQ B-IP covers standalone terminals that connect over an IP network. Because IP terminals touch a network, B-IP includes an ASV scan requirement that B does not.

Do my seasonal employees need PCI training?

Yes. Anyone who handles payments or has access to your payment environment needs security awareness training under Requirement 12 — including part-time and seasonal staff. A short, documented onboarding session satisfies this and meaningfully reduces your risk.

Conclusion

For most embroidery shops, PCI compliance comes down to a few smart decisions: use P2PE terminals at the counter, a hosted checkout online, a virtual terminal for phone orders, and a firm rule that card numbers never get written down. Do that, and you’ll likely land in one of the simplest SAQ types and validate with modest effort — while genuinely reducing your breach risk. Remember that compliance is continuous: validate annually, scan quarterly, and maintain your controls year-round.

PCICompliance.com gives you everything you need to achieve and maintain compliance in one place. Our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress all year. As an end-to-end platform serving thousands of merchants — from single-location shops to multi-site operations — we back it all with remediation guidance and expert support. Start with the free SAQ Wizard, or talk to our compliance team to map the fastest path for your shop.

Leave a Comment

1,650 PCI scans completed this month