Alterations Shop PCI

Bottom Line Up Front

If you run an alterations shop, PCI compliance is almost certainly simpler than you fear — but only if you make one key decision correctly. Most alterations businesses accept cards through a countertop terminal or a mobile card reader, don’t run their own e-commerce checkout, and never store card numbers. That combination usually lands you in the simplest SAQ categories (SAQ B, B-IP, or P2PE) with a modest annual self-assessment and no need for a full audit.

The one thing most alterations shop PCI efforts get wrong: writing down customer card numbers. When a customer calls to pay for a completed suit or wedding dress, staff often jot the PAN (Primary Account Number) on the work ticket or a sticky note. The moment that number lands on paper — or in a spreadsheet, a text, or an email — you’ve expanded your Cardholder Data Environment (CDE) and pulled yourself into far stricter requirements. Kill that habit and you’re most of the way to compliance.

How Alterations Shops Process Payments

Alterations and tailoring shops sit in a hybrid spot. You’re card-present (CP) for most walk-in transactions, but you also take a fair number of card-not-present (CNP) payments over the phone when garments are ready for pickup or shipping.

Typical payment environments

  • Countertop POS terminal — a standalone terminal from your acquirer or a processor, connected by phone line or IP.
  • Mobile card readers — a Square, Clover, or similar reader paired to a tablet or phone, common in small shops and at bridal fittings.
  • Phone orders — customers calling to pay a deposit or balance, keyed manually into the terminal or virtual terminal.
  • Occasional e-commerce — some shops sell gift cards, ready-made items, or accept deposits through a website checkout.

Where cardholder data lives — and where it shouldn’t

In a healthy alterations shop, card data lives only inside the payment terminal for the moment of the transaction, then travels encrypted to the processor. It should never live on:

  • Handwritten work tickets or order forms
  • A spreadsheet of “regular customers” and their cards
  • Email or text messages
  • Voicemails where customers leave card numbers

Remember: Sensitive Authentication Data (SAD) — the CVV/CVC security code, full track data, or PINs — must never be stored after authorization, full stop. And the PAN, wherever it’s stored, must be rendered unreadable. The cleanest answer for a small shop is to store card data nowhere.

How this maps to SAQ types

Your Setup Likely SAQ Why
Standalone dial-out terminal, no electronic storage SAQ B Terminal isn’t internet-connected; minimal scope
Standalone IP-connected terminal, no storage SAQ B-IP Terminal uses the internet but is isolated
Validated P2PE terminal SAQ P2PE Encryption at the terminal drastically cuts scope
Virtual terminal only, keyed on an isolated computer SAQ C-VT Web-based virtual terminal, no storage
Website checkout you partially control SAQ A-EP You touch the payment page
Any electronic storage of card data SAQ D Most complex — avoid this

Most alterations shops fit SAQ B, B-IP, or P2PE. If you take phone payments through a browser-based virtual terminal, you may be SAQ C-VT. Confirm your exact type with our free SAQ Wizard or your acquirer.

Industry-Specific Compliance Challenges

Legacy and mismatched equipment

Many alterations shops have run the same countertop terminal for a decade. Older terminals may lack modern encryption or use outdated connections. If your terminal can’t support P2PE or current TLS for data in transit, it’s dragging your scope up. A hardware refresh is often cheaper than the extra controls an older setup demands.

Small teams and seasonal staff

Wedding season, prom season, and holidays bring temporary staff who handle payments without formal training. That’s exactly when the “just write down the card number” habit creeps back in. Access control (Requirement 7 and 8) and staff awareness matter even in a two-person shop.

The phone-payment problem

Alterations shops live on phone payments — a bride’s mother paying the balance, a customer authorizing pickup by a family member. This is where card data most often gets recorded improperly. Build a no-writing-down rule: key the card directly into the terminal while the customer is on the line, then discard any temporary note immediately (and securely).

Multi-location shops

If you run several locations, each terminal, network, and staff group is in scope. Standardize equipment and procedures across sites so you’re assessing one repeatable environment, not five different ones.

Intersecting obligations

Alterations shops rarely face overlapping regulations like healthcare‘s HIPAA, but if you keep customer measurement and contact records, general data-privacy hygiene still applies. Keep that customer database separate from anything touching card data.

Your Compliance Roadmap

Step 1: Determine your merchant level and SAQ type

Nearly all alterations shops are Level 4 merchants (the lowest transaction volume tier), but your acquirer assigns your level based on annual transaction volume — confirm it with them. Then identify your SAQ type using the table above or our SAQ Wizard.

Step 2: Map your cardholder data flow

Draw how a card payment moves through your shop — walk-in swipe, phone order, website deposit. Mark every place a number could be seen, keyed, stored, or transmitted. This map defines your CDE.

Step 3: Identify scope reduction opportunities

Look for anything that touches card data and ask: can I eliminate this? Handwritten tickets, a shared “customer cards” file, an unencrypted terminal — each one is a target for removal.

Step 4: Implement required controls

For a typical SAQ B-IP or P2PE shop, expect to:

  • Change default passwords on terminals and routers (Requirement 2)
  • Protect stored data by simply not storing PANs (Requirement 3)
  • Use MFA and unique logins for any system access (Requirement 8)
  • Restrict physical access to terminals (Requirement 9)
  • Maintain an information security policy (Requirement 12)

Step 5: Complete your SAQ and schedule ASV scans

Fill out the SAQ matching your environment. If you have external-facing systems (an IP-connected terminal or website checkout), you’ll need a quarterly ASV scan from an Approved Scanning Vendor. Pure dial-out SAQ B setups typically don’t.

Step 6: Submit your AOC and maintain compliance year-round

Sign your Attestation of Compliance (AOC) and submit to your acquirer. Compliance is point-in-time and continuous — you validate at least annually and keep controls running every day in between.

Realistic timeline and budget

Phase Typical Timeline Typical Effort/Cost
Scoping & data-flow mapping 1–2 weeks Low — mostly your time
Equipment upgrade (if needed) 2–4 weeks Terminal cost varies by provider
Control implementation 1–3 weeks Low for small shops
SAQ + ASV scan setup 1 week Modest annual scanning fee

Most single-location alterations shops complete initial compliance in four to six weeks.

Scope Reduction for Alterations Shops

Scope reduction is the single biggest lever for lowering cost and effort. The less card data your systems touch, the fewer requirements apply.

Option What It Does Best For
Validated P2PE terminal Encrypts card data at the swipe/tap so your systems never see it in the clear Any shop wanting the smallest possible scope
Tokenization Replaces stored PANs with tokens for repeat/recurring customers Shops with regular clients on file
Hosted payment page Sends website checkout to a compliant third party Shops selling online
Outsourced processing Compliant processor handles card handling Nearly every alterations shop

The cost-benefit call

A P2PE-validated terminal may cost more upfront than a basic one, but it can move you to SAQ P2PE — the shortest questionnaire path with far fewer controls. For a small shop, spending a bit more on equipment almost always beats building and maintaining extra security controls yourself.

Best Practices From Compliant Alterations Shops

They store nothing. The top performers have a hard rule: no PAN ever touches paper, a screen note, or a spreadsheet. Everything runs through the terminal live.

They standardize equipment. One terminal model across all counters and locations means one environment to secure and assess.

They choose P2PE early. Rather than fight legacy terminals, they invest in validated P2PE devices and enjoy dramatically reduced scope year after year.

They train every hire — including seasonal staff. A five-minute onboarding covers three rules: never write down a card number, never store the CVV, and always key phone payments directly into the terminal. PCI awareness (Requirement 12) doesn’t require a technical background — it requires clear habits.

They track compliance year-round. Instead of scrambling once a year, they keep firewall reviews, scan results, and policy updates in one place so the annual SAQ is a formality.

FAQ

Do I need PCI compliance if I only take a few card payments a month?

Yes. PCI compliance applies to any business that accepts card payments, regardless of volume. The good news is that low-volume alterations shops usually qualify for the simplest SAQ types and the lightest validation.

Can I write down a customer’s card number for a phone order?

No — this is the most common mistake in the industry. Writing down the PAN or, worse, the CVV, pulls you into stricter requirements and creates breach risk. Key the number directly into your terminal while the customer is on the phone, then securely discard any temporary note.

What’s the difference between SAQ B and SAQ B-IP for my shop?

SAQ B covers standalone terminals that dial out over a phone line, while SAQ B-IP covers standalone terminals connected to the internet. If your terminal uses IP connectivity, you’re B-IP and will typically need a quarterly ASV scan.

Do I need an ASV scan for a small alterations shop?

It depends on your setup. If you have internet-connected systems — an IP terminal, a virtual terminal, or a website checkout — you’ll generally need quarterly ASV scans. A pure dial-out SAQ B terminal usually doesn’t.

Will a P2PE terminal really make compliance easier?

For most alterations shops, yes. A validated P2PE device encrypts card data at the point of interaction so your systems never handle it in the clear, moving you toward SAQ P2PE and eliminating many requirements. It’s often the most cost-effective path.

Does storing customer measurements and contact info affect PCI?

Not directly — measurements and contact details aren’t cardholder data. Just keep that customer database completely separate from any system that touches payment information so you don’t accidentally expand your scope.

Conclusion

PCI compliance for an alterations shop doesn’t have to be intimidating. Take card payments through modern terminals, store card numbers nowhere, train your team on a few simple habits, and pick the scope-reducing equipment that fits your counter. Do that, and you’ll land in one of the lightest SAQ categories with a manageable annual process — remembering always that compliance is continuous, not a one-time box to check.

PCICompliance.com gives you everything you need to achieve and maintain compliance in one place. Our free SAQ Wizard identifies exactly which questionnaire your shop needs, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round — all backed by expert remediation guidance and support trusted by thousands of merchants. Start with the free SAQ Wizard or talk to our compliance team to map your path today.

Leave a Comment

1,650 PCI scans completed this month