PCI Compliance for Salons: A Plain-English Guide
Quick answer
Most salons are PCI Level 4 merchants, which means an annual Self-Assessment Questionnaire (SAQ) submitted through their payment processor rather than an on-site audit. The SAQ type depends on how payments are accepted: a third-party-hosted checkout page for online booking points to SAQ A, and standalone PCI PTS-approved terminals that connect directly to the processor over IP point to SAQ B-IP; a salon that does both should ask its processor how to document both channels. The operational core is simple: never store sensitive authentication data (CVVs, track data, PINs), let the processor hold card numbers and keep only tokens, put payment terminals on a segmented network, and inspect the hardware regularly for tampering.
What PCI DSS Actually Is
PCI DSS stands for Payment Card Industry Data Security Standard. It's a set of security requirements established by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) and maintained by the PCI Security Standards Council to protect cardholder data. It's not a law, but it functions like one: your merchant agreement with your payment processor requires compliance, and a data breach while non-compliant can result in fines commonly cited at $5,000 to $100,000 per month, plus liability for fraudulent charges and investigation costs.
The good news for most salons: if you're using a modern payment processor with certified hardware, most of the heavy lifting is done for you. The bad news: there's still a self-assessment questionnaire (SAQ) you need to complete annually, and some operational practices you need to maintain.
What PCI Level Are You?
Merchants are sorted into four levels based on annual transaction volume:
- Level 1: Over 6 million Visa/Mastercard transactions per year. Requires an on-site audit by a Qualified Security Assessor (QSA). This is not you.
- Level 2: 1–6 million transactions/year. Annual SAQ plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Also unlikely to be you.
- Level 3: 20,000–1 million e-commerce transactions/year. Relevant only if you process a large volume of online (e-commerce) card transactions, for example prepaid bookings.
- Level 4: Fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million total transactions. This is most salons. Annual SAQ, plus quarterly ASV scans if your SAQ type or your processor calls for them.
As a Level 4 merchant, your primary obligation is completing the right SAQ type for your payment setup, typically annually, and submitting it to your processor. Many processors include this in their portal.
SAQ Types and Which One Applies to You
There are several SAQ variants. The one you fill out depends on how you accept payments:
- SAQ A: Card-not-present merchants (e-commerce or mail/telephone order) who have outsourced all cardholder data functions to PCI-compliant third parties. If your online booking uses a hosted checkout page or a payment form served entirely by the processor, and no card data touches your own website or systems, this is the path for that channel. It is the shortest questionnaire.
- SAQ B: Merchants using only imprint machines and/or standalone dial-out terminals, with no electronic storage of cardholder data. Few salons still fit here; an IP- or cellular-connected terminal is not SAQ B.
- SAQ B-IP: Merchants using standalone, PCI PTS-approved terminals that connect to the processor over IP and are not connected to any other system in the salon. A PAX A920 or A80 that talks directly to a certified gateway usually lands here. If instead your POS or booking software drives the terminal, it is no longer "standalone" and a different SAQ (often SAQ C or SAQ D) may apply; ask your processor.
- SAQ P2PE: Merchants using a PCI-validated Point-to-Point Encryption (P2PE) solution. If your processor offers one (NMI + PAX combination supports this), this SAQ is significantly shorter because card data is encrypted inside the certified terminal before it ever touches your network. "Validated" means the specific solution appears on the PCI SSC's list of validated P2PE solutions; a vendor's own "encrypted" claim is not enough, so check the listing.
Most salons running modern cloud-based payment software with certified terminals end up on SAQ A or SAQ B-IP. Ask your processor which one they expect from you — this is not something to guess at.
Cardholder Data: What You Should Never Store
The first rule of PCI compliance is don't store cardholder data unless you absolutely have to, and if you do, protect it with everything the standard requires. For most salons, there's no reason to ever see a full card number. Modern processors tokenize card data — what your system stores is a meaningless string (a token) that the processor can map back to the underlying card. The token alone is useless to a thief.
What you must never store after authorization, not even encrypted (the standard calls this sensitive authentication data):
- Full magnetic stripe data (track data)
- CVV2/CVC2 security codes — even temporarily, even in logs
- PINs or PIN blocks
If your point-of-sale software logs card numbers anywhere (debug logs, audit trails, exports, crash dumps), that's a compliance failure, and an ordinary text search of those files will usually reveal it. Check with your software vendor: payment applications were formerly validated under PA-DSS, which was retired in 2022 and replaced by the PCI Software Security Framework (SSF); a reputable vendor can point to its listing and confirm the software does not log sensitive authentication data.
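A log and export check for the point above, added here as an example rather than code from any POS vendor. It finds digit runs that look like a card number and confirms them with the Luhn check so that booking IDs and phone numbers do not trigger it, and it separately flags magnetic stripe (track) data and labelled security codes. The sample log lines, the token format and the field names are constructed for the example; the card numbers are the industry's standard test numbers.

```python
"""Scan POS logs and exports for cardholder data that should not be there.

Added example for this guide, not from any POS vendor. The sample log is
constructed; the token format, field names and card numbers are made up
(the card numbers are the industry's standard test numbers).
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 data begins with %B<PAN>^ ; its presence in a log is a failure on its own.
TRACK_RE = re.compile(r"%B\d{13,19}\^")
# A security code written next to a field name that identifies it.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|security[_ ]code)\b\s*[:=]\s*\d{3,4}", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check: real PANs pass it, most phone numbers and IDs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return candidate PANs (digits only) that pass the Luhn check."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Show only the last four digits: the scanner's own output is a log too."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, detail) for each problem found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((lineno, "PAN", mask(pan)))
        if TRACK_RE.search(line):
            findings.append((lineno, "TRACK", "magnetic stripe data present"))
        if CVV_RE.search(line):
            findings.append((lineno, "CVV", "security code present"))
    return findings


# Constructed sample: a clean tokenized sale, a debug line leaking a PAN and a
# CVV, a raw swipe, and a booking line whose 14-digit ID must not be flagged.
SAMPLE_LOG = """\
2024-03-02 09:14:11 INFO  sale ok token=tok_7f3a9c2e1b amount=85.00 last4=1111
2024-03-02 09:20:45 DEBUG auth request pan=4111 1111 1111 1111 exp=12/26 cvv2=123
2024-03-02 09:21:02 DEBUG raw swipe %B5555555555554444^DOE/JANE^2712101...?
2024-03-02 09:30:00 INFO  booking id=20240302093000 phone=5551234567
"""

if __name__ == "__main__":
    for lineno, kind, detail in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```

Run it against debug logs, exports and crash dumps from the POS and booking software; a single hit in a production log is a finding to raise with the vendor. The scanner masks what it reports, because its own output is a log as well, and the Luhn filter is what keeps the booking ID on the last sample line out of the results.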
Network Segmentation for Salons
If your payment terminals share the same Wi-Fi network as your client-facing equipment, or worse, the same network your staff uses for personal browsing, that's a scope expansion problem. PCI scope covers every system that stores, processes or transmits cardholder data plus anything that can connect to those systems, so on a flat network the stylist's phone and the front-desk laptop are in scope alongside the terminal. The easiest solution is network segmentation: put your payment terminals on a separate VLAN or dedicated Wi-Fi network that doesn't touch anything else, and configure the router so that the payment segment can reach only the Internet (your processor) and nothing else in the salon can reach the payment segment.
Many small-business routers and access points support VLANs; typical consumer-grade routers do not, though an isolated guest network is an acceptable minimum if the router enforces isolation from the main LAN. A managed switch costs $80–150. For a salon, this is a one-time setup that dramatically narrows your PCI scope and reduces your SAQ complexity. Have a network person do it correctly once, document what they did, and test that a device on the staff network genuinely cannot reach the terminals.
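A point check for the segmentation described above, added here as an example and not taken from any router or terminal vendor's documentation. Run it from a laptop joined to the staff or guest Wi-Fi: every terminal should come back unreachable on every port. The terminal names, addresses and probe ports are assumed placeholders; substitute your own inventory.

```python
"""Segmentation spot-check for payment terminals.

Run from a laptop on the staff or guest Wi-Fi. If any terminal answers on
any port, the laptop and the terminal share a network, and the laptop (and
everything else on that Wi-Fi) is inside your PCI scope.

Added example for this guide, not vendor code. The terminal addresses and
probe ports are assumed placeholders.
"""
import socket
from typing import Callable, Dict, List, Sequence

# Assumed inventory: terminal name -> address on the payment VLAN.
TERMINALS: Dict[str, str] = {
    "front-desk-A920": "192.168.20.10",
    "back-room-A80": "192.168.20.11",
}

# Assumed ports: common management/service ports a device might expose.
PROBE_PORTS = (22, 80, 443, 8443)


def tcp_connect(ip: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable, or timed out all count as "not reachable".
        return False


def check_isolation(
    terminals: Dict[str, str],
    ports: Sequence[int] = PROBE_PORTS,
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, List[int]]:
    """Probe every terminal on every port; return {name: [open ports]}.

    `connect` is injectable so the logic can be exercised without a network.
    """
    reachable: Dict[str, List[int]] = {}
    for name, ip in terminals.items():
        open_ports = [p for p in ports if connect(ip, p)]
        if open_ports:
            reachable[name] = open_ports
    return reachable


def verdict(reachable: Dict[str, List[int]]) -> str:
    """Human-readable result for the person running the check."""
    if not reachable:
        return "PASS: no terminal reachable from this network"
    detail = "; ".join(f"{name} on ports {ports}" for name, ports in reachable.items())
    return "FAIL: terminals reachable from this network: " + detail


if __name__ == "__main__":
    print(verdict(check_isolation(TERMINALS)))
```

A PASS only shows that nothing answered on those ports from where you stood; it complements, rather than replaces, reviewing the router's VLAN and firewall rules. Repeat it from a laptop temporarily joined to the payment VLAN against a staff machine's address to confirm isolation holds in the other direction too.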
Physical Security
PCI also covers physical security. Requirement 9 asks merchants with card-present terminals to keep a device inventory, periodically inspect devices for tampering or substitution, and train staff to do the same. Your terminals should be:
- Inspected regularly for skimming devices — small overlays criminals attach to card readers. Know what your terminal looks like when it's clean.
- Secured when unattended — don't leave a PAX A920 sitting on a counter overnight unlocked.
- Logged — know which terminals you have, their serial numbers, and who is authorized to access them.
Skimming is not hypothetical. Salons in high-foot-traffic areas are targets. A quick visual and tactile inspection of the card reader each morning takes 10 seconds.
Booth-Rent Salons: Who's Responsible?
In a booth-rent setup where each stylist has their own merchant account, PCI compliance responsibility falls primarily on each stylist as the merchant of record. The salon owner's exposure is reduced, but not eliminated — you still control the physical space, the network, and any shared equipment.
Practically: if a renter is using their own account with a processor-provided reader, the processor handles the compliance infrastructure and the renter's SAQ is minimal. If you're running a shared PAX terminal with multiple merchant credentials routed through an application, the security of that terminal and the network it sits on is your responsibility.
The Short Checklist
- Confirm with your processor which SAQ type you're required to complete.
- Complete it annually and keep a copy.
- Use only PCI PTS-approved terminals and payment software listed under the PCI Software Security Framework.
- Segment your payment network from general-use Wi-Fi.
- Never store sensitive authentication data (CVVs, full track data, PINs) after authorization.
- Inspect terminals physically, regularly.
- Train staff to not write card numbers down, ever.
- If you experience a breach or a terminal compromise, notify your processor immediately — delays make the fines worse.
Frequently asked questions
- Is a salon required to be PCI compliant?
- Yes. Any business that accepts credit or debit cards is required to comply with PCI DSS under their merchant agreement with their payment processor. Non-compliance doesn't always result in immediate action, but a data breach while non-compliant can trigger fines of $5,000–$100,000/month from card networks plus liability for fraudulent charges. Most processors also charge a monthly non-compliance fee if an annual SAQ isn't completed.
- What PCI SAQ does a salon need to complete?
- Most salons complete SAQ A (for those using fully outsourced, hosted payment pages with no cardholder data on their systems) or SAQ B-IP (for those using standalone IP-connected terminals like a PAX A920 or A80 that talk directly to the processor and are not driven by other software). Salons using a PCI-validated P2PE solution may qualify for SAQ P2PE, which is shorter. Your payment processor should specify which SAQ type applies to your configuration, and how to handle both channels if you take payments online and in person; ask them directly.
- What cardholder data can a salon store?
- Salons can store tokenized card references provided by their payment processor, meaningless strings that the processor maps to an underlying card, used for rebooking or charging no-show fees. The last four digits and expiry date may also be kept for receipts and display. What salons must never store after authorization: CVV2/CVC2 security codes, magnetic stripe data, or PINs. The full card number (PAN) may technically be stored if it is rendered unreadable as the standard requires, but a salon has no reason to take that on; let the processor hold it and keep only the token. Modern payment software handles this correctly, but confirm with your vendor that no sensitive data appears in logs or exports.
- What is P2PE and does it reduce my PCI scope?
- Point-to-Point Encryption (P2PE) means cardholder data is encrypted inside a certified device before it ever reaches your software or network. PCI-validated P2PE solutions significantly reduce compliance scope because there's no unencrypted cardholder data in your environment. NMI in combination with PAX terminals supports P2PE; confirm that the exact solution name and your terminal model appear on the PCI SSC's list of validated P2PE solutions, because only a listed solution qualifies you for SAQ P2PE. If your processor offers one, using it is worth the setup effort: it simplifies your annual SAQ considerably.
- How should a salon secure its Wi-Fi for payment terminals?
- Payment terminals should be on a dedicated VLAN or separate Wi-Fi network isolated from general-use internet access. This prevents a compromised laptop or guest device from being on the same network as card readers. A managed switch and basic VLAN configuration accomplish this. Have a network professional set it up and document the configuration — this is a one-time task that narrows your PCI scope.
- What is a skimming device and how do I detect one?
- A skimming device is a physical overlay that criminals attach to card readers to capture card data. They're designed to look like the original hardware. Inspect your terminals daily before opening: feel around the card slot and keypad for anything that doesn't feel solidly attached, compare it to a reference photo of how the terminal looks when clean, and pull gently on the card reader area. Tampered devices often wiggle slightly. Register terminal serial numbers so you can verify you have the right hardware.
- Who handles PCI compliance in a booth-rent salon?
- Responsibility is split. Each stylist using their own merchant account is the merchant of record for their transactions and bears primary PCI compliance responsibility for those accounts. The salon owner is responsible for physical security of shared terminals, network segmentation, and any equipment or software they control. If the salon routes transactions through its own gateway on behalf of renters, the salon owner carries broader compliance responsibility.
- What happens if my salon has a data breach?
- Notify your payment processor immediately; delays compound liability. The processor and card brands will typically require a forensic investigation by a PCI Forensic Investigator (PFI), a firm approved by the PCI SSC for this purpose. If cardholder data was compromised, the card brands determine fines and remediation costs. You may be billed for the investigation, for the reissuing of affected cards, for fraudulent charges, and for enhanced monitoring. Preserve logs and leave the affected terminal as it is until the investigator says otherwise; wiping or factory-resetting a device destroys evidence. Cyber liability insurance helps; it's worth having for any business accepting card payments.