PCI Compliance for Indiana Retail & Service: What You Actually Need
If your Indiana business takes card payments, you're subject to PCI DSS — the Payment Card Industry Data Security Standard. Most small businesses think their payment processor handles compliance. Most are wrong. Here's the practical version.
What PCI actually is
PCI DSS is a contractual standard imposed by the card networks (Visa, Mastercard, AmEx, Discover) on every business that accepts their cards. It is not a federal law; it reaches you through your merchant agreement with your acquiring bank or processor. Consequences of non-compliance include fines and monthly non-compliance fees passed through by your acquirer, higher per-transaction rates, and in the worst case termination of your ability to accept cards at all.
The four merchant levels
PCI applies differently depending on transaction volume. Each card brand publishes its own thresholds; the Visa tiers below are the ones most acquirers use:
- Level 4 (fewer than 20,000 e-commerce transactions/year and up to 1M total transactions/year): most Indiana SMBs. Annual self-assessment questionnaire (SAQ) and, if any in-scope system faces the internet, quarterly external scans by an Approved Scanning Vendor (ASV). Your acquirer decides exactly what evidence it wants to see from Level 4 merchants.
- Level 3 (20,000 to 1M e-commerce transactions/year): annual SAQ and quarterly ASV scans, plus whatever your acquirer adds on top (some require an annual penetration test).
- Levels 1-2 (over 1M transactions/year; Level 1 is over 6M): Level 1 means an annual on-site assessment and Report on Compliance by a Qualified Security Assessor (QSA) or a trained Internal Security Assessor; Level 2 requirements vary by card brand and acquirer. If you're at this level you already know it.
This article is about Level 4 — the level that includes most Indiana SMBs.
The big myth: "the processor handles it"
Most small businesses we audit operate under the assumption that their payment processor (Stripe, Square, Heartland, etc.) handles PCI for them. The reality is more nuanced.
If you've genuinely outsourced all card data handling, meaning card numbers never pass through, get stored on, or are processed by any system you control, and the processor's redirect, iframe, or hosted payment page handles 100% of the card data flow, then yes, your PCI scope is dramatically reduced. You still complete an SAQ A (the shortest form) every year, and you still have to confirm that every vendor touching card data is compliant, which in practice means getting and keeping a copy of their current Attestation of Compliance (AOC). The technical bar is low, but it is not zero, and SAQ A only covers card-not-present channels: in-store card readers fall under other short SAQs (B, B-IP, or P2PE, depending on how the reader connects and whether it encrypts at the swipe), not SAQ A.
If your business has any of the following, you have more PCI scope than you think:
- Card readers physically connected to a POS system on your network
- Phone orders where you write down card numbers (even temporarily)
- Website forms that touch the card data before passing it to the processor
- Email or paper records that contain card numbers
- Recurring billing systems where card data lives in your own database
The minimum technical bar for SMBs
For Level 4 merchants whose card data flow is mostly outsourced, the technical bar is achievable for any reasonably-managed Indiana business:
- Network segmentation — card data systems separated from general office network
- Firewall rules: documented, with the ruleset reviewed at least every six months (PCI's minimum; quarterly is a sensible habit)
- Strong passwords + MFA on every account that touches systems in scope, including the remote-support accounts your POS vendor uses
- Up-to-date anti-malware and patching on POS terminals, the back-office machines that talk to them, and anything else in scope
- Vulnerability scanning — quarterly external scans by an Approved Scanning Vendor (ASV)
- Annual self-assessment questionnaire (SAQ) appropriate to your environment
- Documented incident response plan covering card data breach scenarios
- Vendor management — written confirmation that any third party touching card data is PCI compliant themselves
Common Indiana SMB PCI gaps
Patterns we consistently see in Indiana small businesses that take card payments:
- Wi-Fi sharing the same network as the POS. Customer Wi-Fi and POS systems on the same flat network. PCI requires segmentation. Easy fix, often missed.
- Email with card numbers. Customer service team taking phone orders and emailing the card number internally for processing. Massive PCI exposure: the number now sits unencrypted in the mail server, in backups, and in every mailbox it was forwarded to, all of which just became in-scope systems.
- Recurring billing in spreadsheets. Card numbers stored in Excel or Google Sheets for monthly billing. Borderline catastrophic, and if the CVV is in the next column it is worse than that: security codes may never be stored after authorization, under any SAQ, for any reason.
- SAQ never completed. Or completed once, three years ago. SAQ is annual.
- Quarterly scans nobody runs. Required, often forgotten.
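The practical check for the email and spreadsheet gaps above is a PAN discovery scan: walk the mailbox exports, shared drives and backup folders and report anything that looks like a card number. The script below is an added example, not a tool from this page or from JPtheGeek. The sample email and CSV are constructed, the card numbers in it are the public test numbers issuers publish for integration testing, and the brand-prefix table is deliberately limited to the four networks named earlier. A match needs a card-length digit run, a known brand prefix and a valid Luhn check digit, so order numbers, invoice IDs and phone numbers are not reported, and every hit is masked so the scan does not create yet another copy of cardholder data.

```python
"""PAN discovery scanner (added example, not from the original page).

Finds card numbers that leaked into email, spreadsheets, exports or logs.
A match needs a card-length digit run, a known brand prefix and a valid
Luhn check digit. Full PANs are never printed; hits are masked to the
first six and last four digits, which PCI DSS permits to be displayed."""
import re
import sys
from pathlib import Path
from typing import Iterable, List, Optional

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(digits: str) -> Optional[str]:
    """Card brand for well-known prefix/length combinations, else None."""
    n = len(digits)
    two, three, four = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "mastercard"
    if n == 15 and two in (34, 37):
        return "amex"
    if 16 <= n <= 19 and (four == 6011 or two == 65 or 644 <= three <= 649):
        return "discover"
    return None


def mask(digits: str) -> str:
    """First six and last four only; the middle is replaced with asterisks."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[dict]:
    """One record per probable PAN in text: line number, brand, masked PAN."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            b = brand(digits)
            if b and luhn_ok(digits):
                hits.append({"line": lineno, "brand": b, "masked": mask(digits)})
    return hits


def scan_files(paths: Iterable[Path]) -> List[dict]:
    """Scan plain-text files (CSV exports, .eml, logs); undecodable bytes are skipped."""
    results = []
    for p in paths:
        text = p.read_text(encoding="utf-8", errors="ignore")
        for hit in find_pans(text):
            results.append({"file": str(p), **hit})
    return results


# Constructed sample: a forwarded phone-order email plus a billing-sheet export.
# The card numbers are public issuer test numbers, not real accounts.
SAMPLE_TEXT = """\
From: frontdesk@example.com
Subject: Fwd: phone order from this morning

Customer read the card over the phone: 4111 1111 1111 1111, exp 09/27, CVV 123.
First card was declined: 5555-5555-5555-4444
Order 4111111111111112 and invoice 1234567890123456 are reference numbers, not cards.
Call back at 317-555-0100 if anything fails.
--- billing.csv ---
customer,card,plan
Acme Services LLC,378282246310005,monthly
Example Diner,6011111111111117,monthly
"""

if __name__ == "__main__":
    targets = [Path(a) for a in sys.argv[1:]]
    for h in (scan_files(targets) if targets else find_pans(SAMPLE_TEXT)):
        print(h)
```

Run it with no arguments to see the constructed sample scored (four hits, the order number and invoice ignored), or point it at real exports, for example `python pan_scan.py /path/to/mailbox-export/*.eml shared/*.csv` (the file name `pan_scan.py` is whatever you save it as). Anything it reports is in scope today and needs to be deleted, or moved into the processor's tokenized vault, before the next SAQ is signed.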
What it costs to comply
For a typical Indiana retail or service SMB with mostly-outsourced card flow, getting and staying PCI compliant typically runs $200-$1,000/month — covering scanning, monitoring, documentation, and assessment support. The cost is dramatically less than the per-transaction fee increases that come from non-compliance, and a tiny fraction of the cost of a card data breach.
What it costs to ignore it
Non-compliance fines from processors: $5,000-$100,000 per month. Fines for actual breaches: $50,000-$500,000+. Plus the operational costs of a breach (see our post on real breach costs). It is one of the highest-leverage compliance investments a card-accepting business can make.
How we help
If you take card payments and you're not sure where you stand, our cybersecurity service includes PCI assessment as part of standard onboarding. Free conversation if you want to know honestly whether you're compliant.
JPtheGeek provides managed IT, cybersecurity, and AI services to Indiana businesses across Greenwood, Indianapolis, and Central Indiana. Get a free IT & security audit →
