Jordan Polasek's Complete Guide to PCI DSS Compliance for Texas Retail Businesses
If your Texas retail business accepts a credit card — at the register, online, over the phone, at a pop-up market — the Payment Card Industry Data Security Standard applies to you. Not "maybe." Not "above a certain revenue." It applies from the first transaction. The question is not whether you are in scope. The question is how much scope you have, and whether the network your point-of-sale runs on is doing anything to limit it.
I wrote this guide because a significant slice of BVTech's client base in Texas retail — restaurants, boutiques, auto services, salons, specialty shops across First Colony and Sugar Land Town Square, storefronts in San Antonio and Austin — arrived at us having been told that PCI compliance was handled by "their processor." Processors handle what they handle. Everything on the merchant's side of the card-swipe is the merchant's responsibility, and it is the part that most commonly fails.
What PCI DSS actually is
The Payment Card Industry Data Security Standard is a contractual framework — not a law — published by the PCI Security Standards Council, which was established jointly by Visa, Mastercard, American Express, Discover, and JCB. Every merchant who accepts those cards agrees to PCI DSS compliance as a term of their merchant account. The current version as I'm writing this is PCI DSS v4.0.1, a clarification release from June 2024 that added no new requirements. v4.0 became the only active version on 31 March 2024, and the requirements it introduced as future-dated became mandatory on 31 March 2025, so the full standard now applies with no grace period left.
PCI DSS is built around twelve core requirements grouped into six control objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control, regularly monitor and test networks, and maintain an information security policy. If that reads as sensible rather than exotic, it is because the standard is essentially a consolidation of basic information-security hygiene with specific emphasis on the cardholder data environment.
Merchant levels and what actually applies to you
The card brands, not the PCI DSS document itself, sort merchants into four levels based on annual transaction volume (Visa's and Mastercard's schedules are the ones acquirers generally follow), and the level determines the attestation process you are required to follow.
Level 4 merchants — fewer than 20,000 e-commerce transactions annually, or up to 1 million total card transactions — are where almost every small Texas retail business lives. Level 4 merchants typically self-attest using one of the Self-Assessment Questionnaires (SAQs), and your acquiring bank dictates whether attestation is required annually and what specific SAQ applies.
The SAQ you fill out depends on how your business handles cards. If cardholder data never touches your systems at all — card-not-present only, through a processor-hosted payment page — you may qualify for SAQ A, the shortest. If you use a standalone PTS-approved terminal that connects over IP only to your processor and is kept off the rest of your business network, SAQ B-IP (SAQ B covers the older dial-out terminals, and a validated point-to-point encryption solution qualifies for SAQ P2PE, which is comparable in length to SAQ A). If you have an integrated POS that handles card data on your premises, you are in SAQ C or SAQ D territory, and the question count climbs from roughly thirty to more than two hundred.
The first concrete thing any retail owner should do is ask their merchant services provider which SAQ they are expected to complete. Half of the Texas retailers I audit do not know.
The twelve requirements, translated
What follows is a practitioner's reading of the twelve PCI DSS requirements — how they show up in the life of a small Texas retail business, not the standards-body phrasing.
1. Install and maintain a firewall configuration
A real firewall at your perimeter and between your network segments, configured to deny inbound traffic by default and allow only what is explicitly needed, with the rule set documented and reviewed at least every six months, and to keep your point-of-sale network separate from everything else. A Comcast-supplied modem-router combo does not count. A pfSense box, a UniFi Dream Machine Pro, a Meraki MX, a Fortinet FortiGate — any of these, properly configured, does.
2. Do not use vendor-supplied defaults
Every device — firewall, switch, wireless access point, POS terminal, camera — must have its default administrative credentials changed, its default SSIDs and SNMP community strings replaced, and its unused services and ports disabled. This is tedious, boring work and it is almost never done completely by the initial installer.
3. Protect stored cardholder data
If your systems store cardholder data — and the honest question is whether you need to store it, because the standard answer is no — the data must be rendered unreadable through strong encryption, truncation, one-way hashing, or tokenization. Sensitive authentication data (full magnetic-stripe or chip data, the card verification code, the PIN) may not be stored after authorization at all, encrypted or not. The best PCI DSS scope-reduction strategy is not better encryption; it is not storing the data in the first place.
4. Encrypt transmission of cardholder data across public networks
Strong cryptography whenever cardholder data crosses an open or public network: TLS 1.2 at minimum, TLS 1.3 preferred, with SSL and early TLS disabled on terminals and servers alike. No cardholder data over email, SMS or chat unless the card number itself is encrypted. No card data over unencrypted Wi-Fi. Obvious, and routinely violated by terminals that shipped with old firmware and were never updated.
5. Use and maintain anti-malware software
Every system in scope — including every register, every back-office PC, every server — must run current anti-malware that performs periodic scans, keeps its own audit logs, and cannot be disabled or altered by the person using the register. In 2026 that should be endpoint detection and response, not signature-based antivirus from 2014. Guardz, SentinelOne, Microsoft Defender for Business are all reasonable choices at Texas small-business price points.
6. Develop and maintain secure systems and applications
Every operating system, every POS application, and the firmware on every device must be patched on a defined schedule; v4.0 sets the floor at critical and high-risk patches installed within one month of release. This is where smaller retailers fall off the rails — the POS vendor releases updates quarterly, the owner is reluctant to approve them during business hours, and six quarters later the system is running firmware with known vulnerabilities.
7. Restrict access by business need-to-know
The cashier does not get administrative access to the POS. The accountant does not get remote access to the cardholder data environment. Access is granted based on job function, documented, and reviewed on a schedule: v4.0 requires a review of all user accounts at least every six months, and quarterly is a sensible target for a business with regular staff turnover. This is mostly a policy and process problem, not a technology problem, but it requires a provider who will actually do the reviews.
8. Assign a unique ID to each user
Shared accounts are forbidden. Every cashier, manager, and administrator logs in with their own credential. Passwords meeting the v4.0 minimums: at least 12 characters (8 where a system cannot support 12), containing both letters and numbers, and changed at least every 90 days wherever a password is the only factor protecting the account. MFA on all administrative access and, since March 2025, on every non-console login into the cardholder data environment, which includes the POS vendor's remote-support access.
9. Restrict physical access to cardholder data
The back office where the POS server lives must be locked. The network closet must be locked. Security cameras must cover sensitive areas, with the recordings kept for at least three months. Employee access badges where the business warrants them. Retail also carries a requirement that offices do not: a current inventory of every card-reading device on the premises, and periodic inspection of each one for tampering or substitution, because skimmers and swapped PIN pads are one of the ways cardholder data leaves a storefront.
10. Track and monitor all access
Logging — real logging — on every system in scope, with clocks synchronized so an event on the firewall can be lined up with one on the register. Retention of at least twelve months, with the most recent three months immediately available for investigation. Daily review of the logs from the cardholder data environment, which in practice means automated alerting on suspicious events rather than a person reading syslog. This is the requirement that most often lives only on paper in small retail.
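The daily review in Requirement 10 is only realistic if something automated does the first pass. The following Python reviewer is an added example, not code from BVTech or from any product named on this page. It runs over constructed OpenSSH-style authentication lines from a hypothetical POS back-office host (the hostname, account names, addresses, thresholds and business hours are all assumptions) and raises the three kinds of alert a small retailer most needs to see: a burst of failed logins from one source, any successful login to a shared or vendor account, and any login outside business hours.

```python
"""First-pass log review for a POS back-office host (PCI DSS Requirement 10).

Parses OpenSSH-style authentication lines and raises alerts for the events a
small retailer most needs to notice.  SAMPLE_LOG is constructed for this
example; the hostname, accounts and addresses are not from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2026-02-03T21:47:10 pos-server sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2
2026-02-03T21:47:14 pos-server sshd[1201]: Failed password for admin from 203.0.113.7 port 51236 ssh2
2026-02-03T21:47:19 pos-server sshd[1201]: Failed password for admin from 203.0.113.7 port 51240 ssh2
2026-02-03T21:47:25 pos-server sshd[1201]: Failed password for admin from 203.0.113.7 port 51244 ssh2
2026-02-03T21:47:31 pos-server sshd[1201]: Failed password for admin from 203.0.113.7 port 51249 ssh2
2026-02-03T21:47:40 pos-server sshd[1201]: Accepted password for admin from 203.0.113.7 port 51252 ssh2
2026-02-04T09:15:02 pos-server sshd[1302]: Accepted publickey for jpolasek from 10.10.20.15 port 40112 ssh2
2026-02-04T09:16:44 pos-server sshd[1310]: Failed password for jpolasek from 10.10.20.15 port 40120 ssh2
2026-02-04T23:58:09 pos-server sshd[1420]: Accepted publickey for posvendor-support from 198.51.100.22 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5              # this many failures for one account from one source...
WINDOW = timedelta(minutes=10)  # ...inside this window is treated as a brute-force attempt
BUSINESS_HOURS = range(7, 22)   # assumed store hours, 07:00 to 21:59 local time
# Generic accounts violate Requirement 8's unique-ID rule; the vendor support
# login stands in for the shared remote-access credential described in the text.
SHARED_ACCOUNTS = {"admin", "administrator", "root", "pos", "manager", "posvendor-support"}


def _alert(ts, rule, user, src, detail):
    return {"time": ts.isoformat(), "rule": rule, "user": user, "src": src, "detail": detail}


def review(log_text):
    """Return the alerts raised by one pass over log_text, in log order."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failures still inside WINDOW
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production reviewer would count unparsed lines as a finding too
        ts = datetime.fromisoformat(m["ts"])
        user, src, result = m["user"], m["src"], m["result"]
        key = (user, src)
        failures[key] = [t for t in failures[key] if ts - t <= WINDOW]  # age out old failures

        if result == "Failed":
            failures[key].append(ts)
            if len(failures[key]) == FAIL_THRESHOLD:  # fire once per burst, not once per attempt
                alerts.append(_alert(ts, "brute_force", user, src,
                                     f"{FAIL_THRESHOLD} failed logins within {WINDOW}"))
            continue

        # result == "Accepted": every successful login gets three checks
        if user in SHARED_ACCOUNTS:
            alerts.append(_alert(ts, "shared_account", user, src,
                                 "login to a shared, generic or vendor account"))
        if len(failures[key]) >= FAIL_THRESHOLD:
            alerts.append(_alert(ts, "success_after_failures", user, src,
                                 "successful login directly after a burst of failures"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(_alert(ts, "after_hours", user, src,
                                 f"login at {ts.strftime('%H:%M')} local time"))
        failures[key].clear()  # the burst is resolved one way or the other
    return alerts


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(f"{a['time']}  {a['rule']:24} {a['user']}@{a['src']}  {a['detail']}")
```

On the sample above, the 21:47 burst against admin produces one brute-force alert on the fifth failure, then the successful admin login that follows trips both the shared-account and success-after-failures checks; the vendor's midnight login trips shared-account and after-hours. The named employee's single typo produces nothing, which is the point of thresholds.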
11. Regularly test security systems and processes
Quarterly internal vulnerability scans, and quarterly external scans by an Approved Scanning Vendor (ASV) with a passing result, rescanning until every failure is remediated. Penetration testing at least annually, including a test that the segmentation keeping your office and guest networks out of scope actually holds. Wireless access-point inventory and rogue-AP detection each quarter. Which of these your SAQ requires varies, but for a Texas small-business retailer the external ASV scan is the one you will most directly feel, because your processor will sometimes refuse to process transactions if your scan report is overdue.
12. Maintain a policy that addresses information security
A written policy, reviewed annually, distributed to staff, with documented acknowledgement. This is the lightest-weight requirement to satisfy on paper and the one most commonly skipped because it feels bureaucratic. Do it anyway.
Scope: the single most valuable concept in PCI
Scope is what determines how much of the standard applies to your environment. Your PCI scope includes every system that stores, processes, or transmits cardholder data, plus every system connected to those systems without adequate segmentation, plus any system that can affect their security: the firewall, the domain controller, the log server.
The practical meaning: if your flat network has the POS on it, and the office computer on it, and the employee Wi-Fi on it, and the security cameras on it, all of them are in scope. Every one of those systems must satisfy the applicable PCI requirements. Conversely, if your POS sits on its own VLAN, behind a firewall that denies traffic between that VLAN and the rest of the network, the office computer and the cameras are out of scope and you have dramatically less work to do. Two caveats: a VLAN tag on its own is not segmentation if the router between VLANs forwards everything, and the firewall doing the segmenting stays in scope, because it controls the security of the cardholder data environment.
Network segmentation is the single most cost-effective PCI investment a Texas retail business can make. A managed firewall with a few well-designed VLANs typically costs less than the IT time saved every year on compliance documentation.
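To make the scoping rule concrete, here is a small Python model of three layouts for the same store: a flat network, VLANs whose router forwards everything between them, and a POS VLAN behind a default-deny firewall. It is an added example, not BVTech's tooling and not anything published by the PCI SSC; the host names, VLAN names and firewall rules are constructed, and the scoping logic is a paraphrase of the PCI SSC guidance (CDE systems, connected-to systems, security-impacting systems).

```python
"""Compute PCI DSS scope for a small store's network.

Scoping rule, paraphrased from PCI SSC guidance: a system that stores,
processes or transmits cardholder data is in the CDE; a system that can
communicate with the CDE, or that controls the CDE's security, is also in
scope.  A system is out of scope only when segmentation prevents all
connectivity to the CDE.  The networks below are constructed examples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    vlan: str
    handles_chd: bool = False         # stores, processes or transmits card data
    security_impacting: bool = False  # firewall, log collector, directory server


@dataclass(frozen=True)
class Rule:
    src_vlan: str
    dst_vlan: str
    allow: bool


class Network:
    """Hosts grouped in VLANs, with inter-VLAN traffic decided by a firewall.

    Rules are evaluated first-match in order; default_allow decides any VLAN
    pair no rule mentions, which is how a real firewall policy behaves.
    """

    def __init__(self, hosts, rules=(), default_allow=True):
        self.hosts = list(hosts)
        self.rules = list(rules)
        self.default_allow = default_allow

    def can_initiate(self, src_vlan, dst_vlan):
        """True if a host in src_vlan can open a connection into dst_vlan."""
        if src_vlan == dst_vlan:
            return True  # nothing filters traffic inside one broadcast domain
        for rule in self.rules:
            if (rule.src_vlan, rule.dst_vlan) == (src_vlan, dst_vlan):
                return rule.allow
        return self.default_allow

    def scope(self):
        """Map each host name to its PCI scope category."""
        cde_vlans = {h.vlan for h in self.hosts if h.handles_chd}
        result = {}
        for h in self.hosts:
            if h.handles_chd:
                result[h.name] = "CDE"
            elif h.security_impacting:
                result[h.name] = "in scope (security-impacting)"
            elif any(self.can_initiate(h.vlan, v) or self.can_initiate(v, h.vlan)
                     for v in cde_vlans):
                result[h.name] = "in scope (connected-to)"
            else:
                result[h.name] = "out of scope"
        return result

    def in_scope_count(self):
        return sum(1 for category in self.scope().values() if category != "out of scope")


def _hosts(pos_vlan, office_vlan, guest_vlan, cam_vlan):
    """The same six systems, placed in whatever VLANs the layout dictates."""
    return [
        Host("register-1", pos_vlan, handles_chd=True),
        Host("pin-pad-1", pos_vlan, handles_chd=True),
        Host("office-pc", office_vlan),
        Host("guest-laptop", guest_vlan),
        Host("camera-nvr", cam_vlan),
        Host("firewall", "mgmt", security_impacting=True),
    ]


def flat_store():
    """The flat-network failure: everything shares one VLAN."""
    return Network(_hosts("lan", "lan", "lan", "lan"))


def vlans_without_filtering():
    """VLAN tags exist, but the router forwards everything between them."""
    return Network(_hosts("pos", "office", "guest", "cams"), default_allow=True)


def segmented_store():
    """POS VLAN behind a default-deny firewall; only needed flows are allowed."""
    rules = [
        Rule("pos", "wan", True),      # terminals reach the processor
        Rule("office", "wan", True),
        Rule("guest", "wan", True),
        Rule("office", "cams", True),  # staff can view the cameras
        # no rule allows any other VLAN to reach pos, so default deny applies
    ]
    return Network(_hosts("pos", "office", "guest", "cams"), rules, default_allow=False)


if __name__ == "__main__":
    for build in (flat_store, vlans_without_filtering, segmented_store):
        net = build()
        print(f"{build.__name__}: {net.in_scope_count()} of {len(net.hosts)} systems in scope")
        for name, category in net.scope().items():
            print(f"  {name:14} {category}")
```

Run as written, the flat store and the tagged-but-unfiltered store both put all six systems in scope; the segmented store puts three in scope (the two card-handling devices and the firewall that protects them), and the office PC, guest laptop and camera recorder fall out. The middle case is the one worth remembering: VLANs only reduce scope when a default-deny policy sits between them.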
The five failures I see most often in Texas retail
Flat networks. The POS shares one VLAN with the office, the guest Wi-Fi, and sometimes the cameras. Every one of those systems is now in PCI scope.
Consumer-grade Wi-Fi on the PCI network. A twenty-dollar router providing the only access point for the POS. No segmentation, no monitoring, default administrative credentials, and often WPA2-Personal with a password shared among staff.
Remote access set up by the POS vendor and forgotten. Every POS vendor I deal with has a remote-access tool they use to support the system. These tools are typically set up with a single shared credential and never rotated. If the POS vendor is breached, every retailer they support is exposed. The standard's answer is specific: third-party support accounts get their own credentials and MFA, are enabled only while a support session is actually in progress, and are monitored for unexpected activity.
No quarterly ASV scans, or scans that keep failing. The merchant is supposed to receive a passing ASV scan report quarterly. I encounter retailers who have scan reports from eighteen months ago that failed and were never remediated.
No incident response plan. PCI v4.0 is increasingly explicit about incident response. A small retailer with no plan for what to do if they suspect a breach is non-compliant and, more importantly, is going to make every wrong decision in the heat of an actual incident.
What compliance actually costs for a Texas retail operation
For a typical small Texas retail business — one location, one POS, under a million card transactions per year — the cost of being genuinely PCI compliant is not enormous if you get it right from the beginning. A proper managed firewall with the subscription for threat intelligence runs roughly $800 to $1,500 annually. ASV scans from a reputable vendor are a few hundred dollars a year. The managed IT relationship to keep everything patched, logged, and documented is the same managed IT agreement the business should already have.
Where compliance gets expensive is when a business has been non-compliant for years and has to remediate an accumulation of issues all at once. A proper PCI posture built in from the start is cheaper than a retroactive remediation by a factor of roughly three.
A short plan for a Texas retail owner reading this
- Call your merchant processor and ask them which SAQ type you are required to complete and whether your last ASV scan passed.
- Have your IT provider (or, if you don't have one, a PCI-aware consultant) produce a current network diagram showing where cardholder data flows through your environment.
- Segment the POS network from everything else. If you can't, put that at the top of your IT roadmap.
- Turn on MFA for every administrative account across your POS, processor portal, and IT systems.
- Replace any consumer-grade firewall or access point currently on the PCI network.
- Document your written security policy and have staff acknowledge it annually.
- Put the next ASV scan on the calendar. Follow through if it fails.
None of this is dramatic. It is the ordinary discipline of running a retail business that takes cards in 2026. If it feels overwhelming, that is usually because the existing environment has accumulated more technical debt than the owner realized. The way through it is one item at a time, and the way to start is to stop deferring it.
If you'd like an honest read on where your Texas retail operation currently stands, reach out. BVTech has done this walkthrough with dozens of retailers across the state, and the first conversation never costs anything.