Do I Need PCI Compliance If I Only Use a Card Machine?

Yes — using a card machine does not exempt you from PCI DSS. Here is exactly what terminal-only businesses need to do, which SAQ applies, and how to stay compliant with minimal effort.

Fraud Defence First
27 June 2026

It is one of the most common misconceptions in UK retail and hospitality: 'I just use a card machine, so PCI compliance does not apply to me.' Unfortunately that is not true. If you accept card payments through a terminal, PCI DSS does apply — but the good news is that for most terminal-only businesses, becoming compliant is genuinely straightforward.

Why a card machine still needs PCI compliance

PCI DSS applies to any business that accepts, processes, stores or transmits cardholder data. A card machine does exactly that — it captures and transmits your customers' card details to your acquirer. The fact that a third party supplied the terminal does not transfer your compliance obligation to them. You are still the merchant taking the payment, so you are still responsible for validating compliance each year.

What does change with a terminal-only setup is how little you usually have to do. Modern, PCI-approved card machines are designed so that raw card data never reaches your own computers or network. That dramatically reduces your scope — meaning fewer requirements and a much shorter questionnaire.

Which SAQ applies to card machines?

Terminal-only businesses typically validate using one of the simpler Self-Assessment Questionnaires:

  • SAQ B — for businesses using standalone, dial-out or PSTN terminals with no electronic cardholder data storage.
  • SAQ B-IP — for businesses using standalone, PCI-approved terminals connected over IP (internet).
  • SAQ P2PE — for businesses using a validated point-to-point encryption terminal solution, which has the shortest questionnaire of all.

The exact SAQ depends on how your specific terminal connects and whether it uses validated encryption. Getting this right matters: businesses are often pushed towards the long, complex SAQ D when a much shorter questionnaire would have been perfectly valid.

What you actually need to do

  • Confirm your terminal is a current, PCI-approved device.
  • Make sure you are not writing down or storing full card numbers anywhere.
  • Protect the physical terminals from tampering and swapping.
  • Complete the correct SAQ for your terminal type.
  • Keep terminal firmware and any related software up to date.
  • Validate your compliance with your acquirer every year.

What about phone and online payments?

Many businesses that use a card machine also take the occasional payment over the phone or send a payment link. The moment you do that, your situation changes: phone payments (MOTO, mail order/telephone order) in particular can pull you into a different SAQ and add requirements around how calls are handled and whether they are recorded, because card details read out over the phone pass through your staff and systems rather than through the terminal alone. If you take payments in more than one way, it is worth getting your scope reviewed so nothing is missed.

Making it simple

For a terminal-only business, PCI compliance should take very little of your time. A managed compliance service will confirm the correct SAQ for your devices, complete it with you, handle any scan requirements, and file your validation with your acquirer — usually within a day. That keeps you compliant, stops any non-compliance fees on your statement, and means you can get back to running your business. If you are not sure whether your card machine setup is compliant, a free assessment will give you a clear answer.