TouchBistro PCI Compliance: A Complete Guide for Restaurant Owners
You just received a PCI compliance questionnaire from your payment processor, and suddenly you’re drowning in acronyms like SAQ, AOC, and ASV. Take a deep breath. For most restaurants using TouchBistro, PCI compliance is simpler than it seems. You’re not building Fort Knox — you’re just proving you handle credit cards safely. This guide walks you through exactly what you need to do, step by step, in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS stands for Payment Card Industry Data Security Standard. Think of it as a security checklist created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect credit card information. If you accept card payments — whether you’re a food truck, quick-service restaurant, or fine dining establishment — these rules apply to you.
The card brands created an organization called the PCI Security Standards Council to manage these standards, but they don’t enforce them directly. Your acquirer (the bank or payment processor that handles your card transactions) does the enforcement. They’re the ones who sent you that compliance questionnaire, and they’re the ones who can fine you or even terminate your ability to accept cards if you don’t comply.
Here’s what non-compliance can cost you:
- Monthly fines from your processor ($5-$300 per month for small merchants)
- If there’s a breach, you’re liable for fraud losses and card reissuance costs
- In extreme cases, loss of card acceptance privileges
- Damage to your reputation if customer data is compromised
But here’s the good news: most restaurants qualify for the simplest compliance requirements. If you use TouchBistro with integrated payment terminals that encrypt card data immediately, you’re already doing most of what’s required. The compliance process is just documenting what you’re already doing right.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards, yes. It doesn’t matter if you’re a single-location café or a restaurant chain. The moment you swipe, dip, tap, or key in a credit card number, PCI compliance requirements apply to you.
Your merchant level determines how much documentation you need to provide. Most restaurants are Level 4 merchants (processing fewer than 1 million Visa transactions annually). This means you complete a self-assessment questionnaire rather than hiring an expensive auditor.
When your payment processor sends that annual compliance questionnaire, they’re not trying to make your life difficult. They’re required by the card brands to verify that every merchant in their portfolio maintains basic security standards. That questionnaire is your opportunity to prove you’re handling customer card data responsibly.
Ignore it at your peril. Processors typically give you 30-90 days to complete your compliance requirements. Miss that deadline, and you’ll start seeing non-compliance fees on your monthly statement. Keep ignoring it, and those fees escalate until, eventually, the processor terminates your merchant account.
Which SAQ Do You Need?
The Self-Assessment Questionnaire (SAQ) comes in different versions based on how you accept and process payments. Think of it like tax forms — you don’t fill out a 1040EZ if you have a complex business structure. Similarly, you fill out the SAQ that matches your payment setup.
Here’s how to determine which SAQ applies to your TouchBistro setup:
| Payment Scenario | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Stand-alone payment terminals (PAX, Ingenico) with no electronic storage | SAQ B | 41 questions | Simple |
| Payment terminals connected to your network | SAQ B-IP | 82 questions | Moderate |
| TouchBistro with integrated payments (no card data stored) | SAQ C | 160 questions | Moderate |
| Taking phone orders and entering cards manually | SAQ C-VT | 86 questions | Moderate |
| Storing card numbers (please stop doing this) | SAQ D | 329 questions | Complex |
Most TouchBistro users fall into SAQ B-IP or SAQ C categories. If you’re using TouchBistro’s integrated payment processing with EMV terminals that immediately encrypt card data, you’re likely SAQ C. If you have standalone terminals that aren’t connected to your POS, you might qualify for the simpler SAQ B.
Not sure which one applies? Use PCICompliance.com’s free SAQ Wizard. Answer a few questions about your payment setup, and we’ll tell you exactly which questionnaire you need. It takes less than five minutes and removes all the guesswork.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your security practices. Don’t let the length intimidate you — many questions won’t apply to your business, and you can mark them as “N/A” with a brief explanation.
Here’s what “yes” actually means for common questions:
- “Do you have a firewall?” — Your internet router’s built-in firewall counts
- “Do you restrict access to cardholder data?” — Only managers can process refunds? That’s access restriction
- “Do you have an incident response plan?” — A simple document stating who to call if something goes wrong counts
You’ll need to gather some basic documentation:
- Your network diagram (can be hand-drawn showing how your terminals connect)
- Security policies (even simple one-page documents work)
- Evidence of your quarterly vulnerability scans (if required)
- Your TouchBistro configuration showing you don’t store card data
The quarterly ASV scan trips up many merchants. If your SAQ type requires it (SAQ B-IP, C, C-VT, and D do), you need an Approved Scanning Vendor to scan your internet-facing systems four times per year. This automated scan looks for vulnerabilities hackers might exploit. Schedule your first scan as soon as you know your SAQ type — you can’t submit your compliance without a passing scan from the last 90 days.
Once everything is complete, you’ll generate an Attestation of Compliance (AOC). This is your official declaration that you meet PCI requirements. Submit this to your payment processor along with your completed SAQ and most recent ASV scan report (if required).
What It Costs
Let’s talk real numbers. PCI compliance costs vary based on your size and complexity, but here’s what most restaurants can expect:
Compliance platform and tools: $100-$300 annually for a solution that guides you through the SAQ, stores your documentation, and sends renewal reminders. Some payment processors include basic tools with your merchant account.
Quarterly ASV scanning: $200-$400 annually for four scans. Some compliance platforms bundle this with their annual fee. You must use a PCI-approved vendor — your nephew who “knows computers” doesn’t count.
If you need a QSA: Only required for Level 1 merchants (over 6 million transactions annually) or if you’ve had a breach. QSA assessments run $10,000-$50,000+ depending on complexity. Most restaurants never need this.
The cost of NON-compliance:
- Monthly non-compliance fees: $20-$300
- Data breach fines: $5,000-$500,000 depending on severity
- Lost business during the weeks you can’t accept cards
- Legal fees and notification costs if customer data is compromised
Put it in perspective: annual compliance for most restaurants costs less than a single month’s non-compliance fee. It’s not an expense — it’s insurance.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your acquirer will ask for updated documentation every year, and you need quarterly ASV scans if your SAQ type requires them.
Set calendar reminders for:
- Annual SAQ due date (usually the anniversary of your last submission)
- Quarterly ASV scans (every 90 days)
- Security training for new employees who handle cards
- Review of your payment setup (new terminals or software might change your SAQ type)
Changes that trigger a reassessment:
- Adding e-commerce to your TouchBistro setup
- Switching payment processors or terminals
- Starting to take phone orders
- Adding new locations
- Any breach or suspected compromise
PCICompliance.com’s compliance dashboard tracks all these dates for you, sends automatic reminders, and stores your documentation in one secure location. You’ll never scramble to find last year’s AOC or wonder when your next scan is due.
FAQ
What if I only process a few cards per month?
Volume doesn’t matter — if you accept even one credit card payment, PCI compliance requirements apply. The good news is your low volume makes you a Level 4 merchant with the simplest requirements.
Can’t I just use Square or PayPal and avoid all this?
Using integrated payment solutions like Square can simplify compliance (usually to SAQ A or B), but it doesn’t eliminate it. You still need to complete an annual SAQ and follow basic security practices.
What’s the difference between PCI compliance and EMV?
EMV (chip cards) is about fraud liability, while PCI compliance is about data security. You need both — EMV protects you from counterfeit card fraud, while PCI compliance protects stored and transmitted card data.
Do I really need those quarterly scans?
If your SAQ type requires them (check the table above), yes. Skipping scans is the fastest way to fail compliance. The scans are automated and usually take just minutes to complete.
What if I fail my vulnerability scan?
Don’t panic — most merchants fail their first scan due to minor issues. Your ASV provides a report showing what needs fixing. Common issues include outdated software or unnecessary services running on your router.
Can I just have my IT person fill this out?
Your IT support can help with technical questions, but as the business owner, you’re ultimately responsible for the accuracy of your responses. Many questions are about business processes, not just technology.
What if I’ve been non-compliant for years?
Start now. Most processors are more concerned with getting you compliant going forward than punishing past non-compliance. The longer you wait, the higher your risk and accumulated fees.
How do I know if I’m storing card data?
Check your TouchBistro reports and settings. Look for any spreadsheets, databases, or paper files with full card numbers. If you see them, stop storing them immediately and contact your compliance provider for remediation guidance.
Take Control of Your PCI Compliance Today
PCI compliance for your TouchBistro restaurant setup doesn’t have to be overwhelming. Most restaurants can complete their requirements in a few hours with the right guidance. The key is starting with the correct SAQ type and having a clear checklist of what you need.
PCICompliance.com simplifies the entire process. Our free SAQ Wizard identifies exactly which questionnaire matches your TouchBistro configuration. Our ASV scanning service handles your quarterly vulnerability scans automatically. And our compliance dashboard keeps all your documentation organized and sends renewal reminders so you never miss a deadline. Start with our free SAQ Wizard to identify your requirements, or talk to our compliance team for personalized guidance. With thousands of restaurants already using our platform, we’ve seen every TouchBistro setup and know exactly how to get you compliant quickly and keep you that way.