Most small businesses, such as coffeehouses, travel agencies, car repair shops and retail stores, use one or two POS terminals to accept payments from customers, and those terminals typically process only a small number of transactions.
Even with low payment volumes, a recipient partner (usually a bank) requires compliance with PCI DSS.
Moreover, compliance with PCI DSS may also be required by an external regulator. For example, the International Air Transport Association (IATA) is such an external regulator in the travel business.
In 2016, IATA introduced a requirement for all travel companies operating through an online booking system. The requirement was simple: all IATA members had to be certified as PCI DSS compliant by 3/1/2018.
Every owner or manager of a small business should understand that PCI DSS compliance is a requirement imposed by partners or regulators, depending on the nature of the business, and that the small number of terminal payments does not change this. Even if only a single payment is processed, the PCI DSS requirements still apply.
Business owners often ask whether they can avoid PCI DSS certification if their payment terminal is not connected to the company network, communicates with the bank over 4G mobile Internet, and does not store any payment card data.
When payment volumes are small and the risk of card data leakage is minimal, it is understandable that managers and owners raise such questions.
Even when business processes are set up this way, PCI DSS compliance is still required, because the requirement comes from the payment systems themselves. A company that needs to accept bank card payments will have to comply with all applicable requirements.
Low payment volume is taken into account when choosing the certification procedure, and it also affects the level of liability for non-compliance with PCI DSS.
The above-mentioned types of business and those similar to them can be certified under the simplified procedure. Let’s talk about this process in detail.
If a company accepts payments only through a POS terminal and processes no more than 20,000 transactions per year, it falls into merchant Level 4 of the payment system.
In this case, successful PCI DSS certification requires three simple steps:
1. Make sure that the installed terminal is listed as an approved PCI PIN Transaction Security (PTS) device. The listing can be checked on the PCI Security Standards Council website.
2. Download and complete two documents: the SAQ B-IP Self-Assessment Questionnaire and the corresponding Attestation of Compliance (AOC) for SAQ B-IP. To make this easier, we will provide a link where you can download both documents.
3. Contact us to have the completed documents checked for accuracy and signed by a Qualified Security Assessor (QSA). If the assessor has no questions or comments, the company receives its PCI DSS compliance certificate.
These three steps are the roadmap to a PCI DSS certificate for a small business with one or two POS terminals in use.
Every business is different, so questions may come up during this process. We will be happy to answer them as you go through PCI DSS certification.
Contact our consultants via the follow-up form.
Fill out the feedback form, and our experts will provide advice as soon as possible.