Print Shop PCI Compliance

Bottom Line Up Front

If you run a print shop, PCI compliance is almost certainly simpler than you fear — but only if you’ve set up your payment environment correctly. Most print shops take in-store payments through countertop terminals, accept online orders through a web storefront, and handle a fair number of phone orders for custom jobs. That mix is exactly where things go wrong.

The single most common mistake we see in print shop PCI assessments isn’t a missing firewall or a weak password — it’s writing card numbers down on order forms and job tickets. When a customer calls to order 500 business cards and reads you their card number, and you jot it on a paper invoice (or type it into your design/order management software), you’ve just pulled cardholder data into your environment and dramatically expanded your scope.

Get your payment handling right and most print shops qualify for the simplest self-assessment questionnaires. Get it wrong and you’re suddenly facing the full SAQ D with dozens of requirements that have nothing to do with printing.

How This Industry Processes Payments

Print shops tend to run a hybrid payment model, which is what makes scoping interesting. A typical shop handles several payment channels at once:

  • Card-present (CP) counter sales — walk-in customers paying for copies, prints, signage, or finished orders at a POS terminal.
  • Card-not-present (CNP) phone orders — a huge volume for custom work, where customers call to approve a proof and pay by phone.
  • E-commerce orders — online ordering portals for business cards, banners, brochures, and document uploads.
  • Recurring or account billing — corporate clients with standing orders or monthly statements.

Where cardholder data lives — and where it shouldn’t

In a well-designed print shop, cardholder data (CHD) should only ever touch your payment terminal or your payment gateway — never your design software, your order management system, your email, or a paper job ticket.

The danger zone in this industry is the order workflow. Print jobs generate a paper trail: quotes, proofs, job tickets, invoices. If a PAN (Primary Account Number) ends up on any of those, it’s now in scope and must be protected per the current standard. Worse, if staff write the CVV on an order form, that’s storage of Sensitive Authentication Data (SAD) — which is never permitted after authorization, full stop.

How this maps to SAQ types

Your payment setup | Likely SAQ | Why
--- | --- | ---
Standalone IP-connected terminal, no electronic CHD storage | B-IP | Terminal connects over IP but you don’t store/process card data on your systems
Dial-out or imprint terminal only | B | No internet-connected processing
Virtual terminal (browser-based) for phone orders, nothing else | C-VT | Card data keyed into a hosted virtual terminal
E-commerce fully outsourced to a hosted page/redirect | A | Provider handles the entire payment page
E-commerce with an iframe/direct-post you partially control | A-EP | Your site touches the payment flow
P2PE-validated terminals | P2PE SAQ | Validated point-to-point encryption shrinks scope dramatically
Any electronic storage of CHD, or a complex blended environment | D | The catch-all when nothing simpler applies

Most print shops that handle phone orders carefully through a virtual terminal and outsource their e-commerce land in a combination of C-VT and A — or qualify for the P2PE SAQ if they invest in validated terminals. Confirm your exact path with your acquirer or run our free SAQ Wizard.

Industry-Specific Compliance Challenges

Legacy POS and design-shop tech debt

Many print shops run on equipment and software that’s been in place for a decade or more. Old order management systems, integrated POS tied to estimating software, and aging terminals create real risk. If your terminal or POS application is no longer supported by the vendor, you can’t patch it — which collides directly with Requirement 6 (maintain secure systems).

The phone-order problem

Phone orders are the defining PCI challenge for print shops. Staff need to capture payment quickly while juggling proofs and deadlines. The temptation to write the card number on the job ticket “just for a second” is constant. This is your highest-risk workflow and where most of your training and process controls should focus.

Multi-location and franchise complexity

Print and sign franchises (and multi-location independents) face the challenge that each location may have set up payments slightly differently. One store uses a virtual terminal, another keys orders into the POS, a third still writes things down. Inconsistent payment handling across locations multiplies your scope and your risk. Standardize the payment workflow everywhere.

Seasonal and high-turnover staff

Back-to-school, tax season, holiday card rushes — print shops staff up temporarily. Seasonal employees handling payments need PCI awareness training before they touch a card, which is a frequent gap.

Stored design files with embedded card data

A subtle one: if a customer uploads a document to be printed and it happens to contain a PAN (think a form, a statement, an order template), or if staff scan a paper order with a card number on it, that data now lives in your file storage. Build a habit of redacting or refusing such files.

Your Compliance Roadmap

Step 1 — Determine your merchant level and SAQ type

Your merchant level (1–4) is assigned by your acquirer based on annual transaction volume. The vast majority of print shops are Level 4 and self-assess. Confirm your level with your acquirer, then identify your SAQ type using the table above or our SAQ Wizard.

Step 2 — Map your cardholder data flow

Document every place a card number enters, moves through, or rests in your business — counter terminal, phone order process, e-commerce checkout, invoices, email, file storage. You cannot secure what you haven’t mapped. This is where you’ll spot the paper job-ticket problem.

Step 3 — Identify scope reduction opportunities

This is your biggest lever. Move phone orders to a virtual terminal, adopt P2PE-validated terminals, and confirm your e-commerce is fully outsourced. Each step removes systems — and entire requirements — from your CDE (Cardholder Data Environment).

Step 4 — Implement required controls

Based on your SAQ, implement the applicable controls: unique user IDs and MFA for any remote/admin access (Requirement 8), rendering any stored PAN unreadable (Requirement 3), encrypting data in transit with TLS (Requirement 4), patching and anti-malware (Requirements 5 and 6), and an incident response plan (Requirement 12).

Step 5 — Complete your SAQ and schedule ASV scans

Fill out your SAQ honestly. If your environment includes any external-facing systems (e-commerce, IP-connected terminals), you’ll need a quarterly ASV scan from an Approved Scanning Vendor.

Step 6 — Submit your AOC and maintain compliance year-round

Sign and submit your Attestation of Compliance (AOC) to your acquirer. Remember: the assessment is a point-in-time snapshot, but compliance itself is continuous, not a one-and-done exercise. You re-validate at least annually and run ASV scans quarterly.

Realistic expectations

Scenario | Typical effort | Notes
--- | --- | ---
Single shop, P2PE terminals + hosted e-commerce | Low | Shortest SAQ, minimal controls
Single shop, virtual terminal + standalone terminals | Low–moderate | Process controls for phone orders matter most
Multi-location, mixed setups | Moderate–high | Standardize before assessing
Any electronic CHD storage (SAQ D) | High | Avoid this by not storing card data

Scope Reduction for This Industry

For print shops, scope reduction is almost always cheaper than building controls. Here’s how the main levers stack up:

Approach | What it does | Scope impact
--- | --- | ---
P2PE-validated terminals | Encrypts card data at the point of swipe/tap so it’s never readable in your environment | Largest reduction — may qualify you for the P2PE SAQ
Tokenization | Replaces stored PANs with tokens for recurring/account billing | Removes PAN storage from your systems
Hosted payment pages | Provider serves the entire checkout for e-commerce | Can move you toward SAQ A
Virtual terminal for phone orders | Card keyed directly into a hosted browser tool — never written down | Eliminates the paper-trail problem; supports SAQ C-VT

The cost-benefit math is straightforward: a P2PE terminal or a virtual terminal subscription costs a modest monthly fee, while implementing the full set of SAQ D controls — segmentation, file integrity monitoring, extensive logging, internal scanning — costs far more in time, tools, and ongoing effort. Invest in scope reduction first; you’ll recover the cost in reduced compliance burden.

Best Practices From Compliant Print Shops

They never let a card number touch paper. Top-performing shops route every phone order straight into a virtual terminal while the customer is on the line, then discard nothing because nothing was written. If a number must briefly be captured, it’s entered immediately and the note is cross-cut shredded.

They standardize across locations. Multi-site operators pick one payment workflow — typically P2PE terminals plus a single hosted e-commerce platform — and deploy it identically everywhere.

They keep terminals current. They use vendor-supported, validated devices and retire legacy equipment that can no longer be patched.

They train every employee who touches payments — including seasonal hires — on the basics: never store the CVV, never email card numbers, recognize phishing, and know who to call if something looks wrong. PCI awareness for non-technical staff doesn’t need to be complicated; it needs to be consistent.

They treat compliance as year-round, not annual. They track ASV scan dates, policy reviews, and access changes continuously rather than scrambling before their AOC is due.

FAQ

How should my print shop handle phone orders for custom jobs?

Key the card directly into a virtual terminal while the customer is on the phone, and never write the number on a job ticket or invoice. If you must note payment status, record only an authorization confirmation — never the PAN or CVV.

We write card numbers on order forms — is that a PCI violation?

Storing the PAN on paper pulls those forms into scope and they must be protected and securely destroyed; writing the CVV down is never permitted after authorization. Stop the practice and switch to a virtual terminal to remove the risk entirely.

Do I need an ASV scan if I only use standalone terminals?

If your terminals are IP-connected (SAQ B-IP) or you accept e-commerce, yes — you’ll need a quarterly ASV scan of your external-facing systems. Purely dial-out terminals with no internet processing (SAQ B) typically don’t.

What if a customer’s uploaded print file contains a card number?

Treat it like any other CHD that’s entered your environment — redact it, don’t retain it, and ideally configure your intake process to reject files containing payment data. Storing that file unprotected would expand your scope.
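As an added example (not code from this page or from PCICompliance.com), covering both the redaction habit described under "Stored design files with embedded card data" and the "record only an authorization confirmation" rule for phone-order notes above: a small Python filter that scans free text (a job-ticket note, or text extracted from an uploaded document) for digit runs that pass the card brands' Luhn mod-10 check, masks them to the last four digits, and strips any labelled CVV entirely. The regular expressions, the CVV label list, the masking format and the sample job ticket are assumptions of this example, and the sample card number is the standard Visa test number, not a real card. A job or order number that happens to be Luhn-valid would also be flagged, so treat hits as candidates for review, not proof.

```python
import re
from dataclasses import dataclass

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes
# (the way a card number is usually written on paper). Assumption of this example.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# A CVV/CVC-style label followed by 3 or 4 digits. Sensitive Authentication Data
# must never be kept after authorization, so it is removed rather than masked.
_CVV = re.compile(r"(?i)\b(?:cvv2?|cvc2?|csc|security code)\s*[:#]?\s*\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum used by card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit runs, as written, that look like PANs (Luhn-valid candidates)."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(m.group())
    return hits


def mask_last4(digits: str) -> str:
    """Keep only the last four digits; enough to reconcile a payment, never a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Sanitized:
    text: str
    pans_found: int
    cvv_found: int


def sanitize_note(text: str) -> Sanitized:
    """Redact PANs to last four and drop any CVV from a free-text note."""
    pans = 0

    def _replace(m: re.Match) -> str:
        nonlocal pans
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()    # not a card number (e.g. a job id); leave it alone
        pans += 1
        return mask_last4(digits)

    cleaned, cvvs = _CVV.subn("[CVV REMOVED]", text)
    cleaned = _CANDIDATE.sub(_replace, cleaned)
    return Sanitized(cleaned, pans, cvvs)


# Constructed sample job-ticket note for this example. The 13-digit job id is not
# Luhn-valid and must survive; the card number and CVV must not.
SAMPLE_TICKET = (
    "Job 1234567890123 - 500 business cards, proof approved by phone.\n"
    "Customer paid: card 4111 1111 1111 1111 exp 12/27 cvv 123, auth ABC123\n"
)

if __name__ == "__main__":
    result = sanitize_note(SAMPLE_TICKET)
    print(f"PANs masked: {result.pans_found}, CVVs removed: {result.cvv_found}")
    print(result.text)
```

Run the filter on text extracted from uploads and on order-note fields before they are written to file storage or the order system; a non-zero `pans_found` or `cvv_found` is the signal to reject the file or correct the workflow with the staff member who captured the payment. Only `auth ABC123` and the last four digits remain in the note, which is all a job ticket needs to confirm payment status.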

Which SAQ applies if I have both a counter terminal and an online store?

You may need to satisfy more than one SAQ pathway — for example B-IP or C-VT for in-store/phone and A for fully outsourced e-commerce. Run the SAQ Wizard or confirm with your acquirer to map your exact obligations.

Will P2PE terminals really reduce my compliance work?

Yes — validated P2PE encrypts card data before it ever reaches your systems, which can qualify you for the much shorter P2PE SAQ and remove most technical requirements. It’s the single most effective scope-reduction step for a typical print shop.

Conclusion

Print shop PCI compliance comes down to one principle: keep cardholder data out of your business entirely. Route counter sales through validated terminals, key phone orders into a virtual terminal, outsource your e-commerce checkout, and make sure no card number ever lands on a job ticket. Do that, and you’ll qualify for the simplest assessments and spend your time printing instead of patching.

PCICompliance.com gives you everything you need to get there and stay there. As an end-to-end platform serving thousands of merchants — from single-location print shops to multi-site enterprises — we make the process navigable: our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, our remediation guidance closes the gaps, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team — and turn PCI from a once-a-year scramble into a quiet, well-managed part of running your shop.
