Blogs

PCI Compliance for Restaurants: POS, Online Ordering, and Delivery Apps

author
Fayyaz Makhani
Published
July 16, 2026

Restaurants process card payments across a variety of channels - such as POS (Point of Sale), delivery apps, and online ordering - each with its own data security risks. Therefore, all card-handling restaurants must adhere to PCI DSS compliance, regardless of size, to ensure cardholder data is protected.

In this guide, we explore what restaurant PCI compliance means, how it differs between payment channels, and what access controls and staff training are necessary to meet requirements.

What PCI compliance means for restaurants.

Restaurant PCI compliance refers to card data protection and security standards required by payment brands, processors, and acquiring banks. It is not a legal requirement, but failure to comply can lead to financial consequences, reputational damage, and potential litigation.

Restaurants must adhere to PCI DSS standards defined by specific compliance levels for merchants. These four levels are based on the number of card transactions a restaurant processes in 12 months, with lower transaction volumes requiring different validation and compliance requirements.

For instance, smaller restaurants will typically need to submit Self-Assessment Questionnaires (SAQs) and an Attestation of Compliance (AOC) each year.

Here’s how these levels break down:

Merchant Compliance Level Yearly Transactions Requirements
Level 1 More than six million An on-site audit, a ROC, an AOC, and quarterly vulnerability scanning
Level 2 Between one and six million An SAQ, an AOC, or potentially a ROC, and quarterly vulnerability scanning
Level 3 Between 20,000 and one million An SAQ, an AOC, or potentially a ROC, and quarterly vulnerability scanning
Level 4 Fewer than 20,000 e-commerce transactions per year, or up to 1 million total transactions across all channels An SAQ, an AOC, and potentially quarterly vulnerability scanning

Regardless of the compliance level, all restaurants must adhere to the 12 PCI compliance requirements, established to ensure cardholder data is as protected as possible.

POS system security and PCI DSS.

When handling in-restaurant transactions, restaurant owners should use POS hardware that is recognized and validated.

The technologies used to ensure this compliance include:

  • P2PE (Point-to-Point Encryption), which renders cardholder and authentication data unreadable (and therefore worthless to criminals) until it can be decrypted by the payment processor or bank.

POS hardware can pose a major compliance risk when:

  • Its firmware and software are outdated and, therefore, more vulnerable to attacks
  • Card data is stored locally with zero encryption
  • Terminals and access controls are shared by multiple users

These failures also mean a restaurant is non-compliant. To check if your POS system is recognized by PCI SSC, we recommend consulting its list of validated products and solutions.

PCI compliance for online ordering platforms.

When accepting online orders, restaurants must consider PCI compliance scope depending on how their payment pages operate. For example, when working with a third-party vendor, restaurants have less internal compliance scope, while using a custom-built system requires more responsibility and governance. Regardless, restaurants must ensure their partners comply with PCI.

Additionally, depending on how card data is captured through an online platform, the restaurant must submit a specific SAQ. For example:

  • When using a fully hosted payment gateway or checkout, SAQ A is required
  • When holding card data on-site, or using multiple payment locations and payment methods (falling outside of full hosting), SAQ D is usually required

Most importantly, when working with a third-party online ordering platform, a restaurant must request an AOC from the third-party to show its PCI compliance.

Delivery apps and third-party payment risk.

When working with third parties in general, restaurants should validate that they are fully compliant with PCI DSS. However, when using delivery apps and similar programs, payment data is handled by the delivery company and does not have PCI bearing on the restaurant.

While not required, it is good practice to communicate openly with any third parties they partner with regarding PCI security measures. In addition, recording contractual agreements regarding data handling, even if scope falls outside the restaurant, can support PCI.

Access controls and authentication.

PCI DSS 4.0 Requirement 7 states that restaurants must restrict access to cardholder data on a need-to-know basis; i.e., employees must have unique credentials and explicit authority to handle it. Shared account holding is not permitted, and user permissions must be regularly reviewed every six months.

Moreover, there must be different permissions set for specific POS users in the restaurant setting (e.g., defined permissions for hosts, servers, and floor managers).

The requirement also states that any physical authentication systems, such as smart cards used to access data, must be assigned to specific, individual user profiles:

“Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data.”

PCI SSC

Should staff leave the business for any reason, their security access should be immediately revoked.

Staff training and security awareness.

Regular training and PCI DSS requirement awareness refreshers ensure that restaurant staff always know how to process card data securely, how to spot fraudulent activity (and report it), and what not to do with cardholder information.

PCI DSS’s PCI Awareness course provides a helpful introduction to its principles and requirements; however, we recommend that restaurant owners adapt their own internal training to address potential data insecurities.

For example, servers and managers must know and understand:

  • The risks involved when sharing POS logins or other access credentials, and when writing cardholder data down (neither is acceptable)
  • How to spot card-skimming techniques when working at POS terminals
  • The reporting chain of command (who do they notify if terminals behave strangely, or if customers appear to be acting suspiciously?)

As per PCI DSS Requirement 12.6.3.1, security awareness training must include guidance on how to recognize and respond to phishing and social engineering attempts. Separately, Requirement 5.4.1 mandates that restaurants implement automated technical mechanisms — such as email spam blockers — to actively detect and block phishing attacks before they reach staff.

For example, would-be criminals may use confidence tricks to gain access to sensitive payment records, and staff must recognize how to address these techniques.

How to achieve and maintain PCI compliance.

There are five key steps restaurants must take to both achieve and maintain PCI compliance, and thus keep cardholder data safe:

  1. Ascertain the applicable merchant compliance level based on annual card transaction volumes (e.g., a small cafe processing fewer than 20,000 transactions is a Level 4 merchant).
  2. Find and complete the appropriate SAQ (e.g., a restaurant may use SAQ B for a standalone dial-out terminal, or SAQ C for an internet-connected POS). Consult our guide to choosing the right PCI SAQ for more information.
  3. If required, run approved quarterly vulnerability scans and obtain reports, ready to submit on request.
  4. Thoroughly document all security policies, data protection standards, access control procedures, incident response planning, and staff training logs. Doing so will help to keep processes clear and offer additional proof of data protection.
  5. Frequently re-evaluate compliance and controls across the year, with a complete re-analysis and resubmission of SAQs taking place annually.

When running a cafe, bar, or restaurant, managing these compliance steps can take time away from the everyday running of your business.

However, with the support of SecureTrust PCI Manager, PCI compliance for restaurants is simpler than ever - with complete compliance coverage across online and in-house terminals, automated vulnerability scanning, and guidance tailored to your specific needs.

What happens if a restaurant is not PCI compliant.

Failure to comply with PCI DSS requirements means a restaurant faces monthly non-compliance fees from payment processors and potential fines in the event of a data breach. In severe cases, processors may restrict a restaurant’s card acceptance, too.

Additionally, a restaurant that suffers data breaches through non-compliance is likely to damage its reputation and lose diners in the long-term. The extreme outcome of this is that customers may even file lawsuits against non-compliant restaurants.

It’s not only vital to adhere to PCI compliance, but also to respond to and contain security incidents promptly to mitigate data leakage, reputational damage, and loss of business. In the event of a breach, a restaurant manager must:

  • Take steps to contain the emerging issue
  • Notify their processor immediately
  • Fix/remediate the vulnerability that allowed the breach to occur
  • Complete and submit proof of compliance to processors to remove fees and recover

Navigating PCI DSS requirements as a restaurant, cafe, or bar owner may seem daunting, but even as a small business, it’s vital to ensure cardholder information is kept secure.

With SecureTrust PCI Manager, you’re always in control and up to speed with compliance expectations - giving you more time to serve customers and grow your business.

Frequently Asked Questions

Let’s close this guide by covering some commonly asked questions about restaurant PCI compliance.

Do small restaurants need to be PCI compliant?

Yes, restaurants of all sizes must be PCI compliant to keep cardholder data safe and to avoid fines and penalties.

Which SAQ does a restaurant typically need to complete?

The SAQ a restaurant needs to complete depends on how it processes card payments. For example, it may require SAQ B (for standalone terminals), SAQ B-IP (for connected points of interaction), SAQ C (for integrated POS), or SAQ D (if data is held on-site).

Are third-party delivery apps covered under PCI?

Third-party delivery apps handle data within their own ecosystems and protections and therefore do not impact restaurants’ PCI compliance directly. However, it is important for restaurants to carefully vet all vendors to minimize risk.

What should a restaurant do if its POS system is compromised?

All POS connections should be disabled, and threats should be contained and mitigated immediately. The restaurant should then inform payment processors of the breach, take steps to fix vulnerabilities, and only reconnect systems once threats have been removed.

How often does a restaurant need to renew PCI compliance?

Restaurants must renew PCI SAQs every year,  to ensure data security standards are robust against evolving threats. Restaurants should also run in-depth vulnerability scans four times a year.

Sources

Brown, C. (2025). PCI DSS Compliance Levels and What They Mean for Your Business. In SecureTrust. Retrieved March 26, 2026, from https://www.securetrust.com/blog/pci-compliance-levels

Brown, C. (2025a). PCI Compliance Requirements: A Complete Guide. In SecureTrust. Retrieved March 26, 2026, from https://www.securetrust.com/blog/pci-compliance-requirements

Brown, C. (2025c). What is an SAQ (Self-Assessment Questionnaire)? In SecureTrust. Retrieved March 26, 2026, from https://www.securetrust.com/blog/saq-self-assessment-questionnaire

Brown, C. (2026). How to Determine Which PCI SAQ You Need for Your Business. In SecureTrust. Retrieved March 26, 2026, from https://www.securetrust.com/blog/pci-compliance-assessment

Cybersecurity for Restaurants & Food Service. (N.d.). In SecureTrust. Retrieved March 26, 2026, from https://www.securetrust.com/industries/restaurants

List of Validated Products and Solutions. (N.d.). PCI Security Standards Council. Retrieved March 26, 2026, from https://listings.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement

PCI Awareness Training. (2026). PCI Awareness Training. In PCI Security Standards Council. Retrieved March 26, 2026, from https://www.pcisecuritystandards.org/program_training_and_qualification/requirements_awareness

PCI Compliance for Small Business. (N.d.). In SecureTrust. Retrieved March 26, 2026, from https://www.securetrust.com/solutions/pci-compliance-for-small-business

PCI DSS Quick Reference Guide. (2015). PCI Security Standards Council. Retrieved March 26, 2026, from https://listings.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf

author

Global Security Architect

SecureTrust

More Blogs

Stay up-to-date on the latest happenings in Cybersecurity and PCI Compliance.
View All Blogs
July 9, 2026
PCI Non-Compliance Fee: Cost and How to Avoid
June 4, 2026
Travel Agency PCI Compliance in 2026: Closing the Payment Security Gap
May 4, 2026
PCI DSS Compliance: Everything You Need to Know
Get the Guide

PCI DSS Compliance Getting Started Guide

Step-by-step walkthrough to help your business achieve and maintain PCI DSS compliance.
Get the Guide