Navigating PCI Compliance
PestWorld Magazine, issue 25-6, November/December 2025
Many pest control companies, especially smaller ones, operate without full awareness of payment card industry compliance requirements. This comprehensive guide breaks down essential regulations, compliance pitfalls specific to pest control operations, legal implications, proper data storage protocols, and straightforward steps to bring your payment processes into compliance without disrupting business operations.
Maura Keller
In today’s technology-driven business environment, where credit and debit card transactions are the norm, data security is paramount. Enter the Payment Card Industry Data Security Standard (PCI DSS), often referred to simply as PCI compliance. Maintained by the PCI Security Standards Council, the standard is revised periodically with the goal of reducing card fraud and preserving consumer confidence in card payments. Like any business that accepts card payments, pest control companies need to pay diligent attention to their PCI compliance obligations.
The Basics—and Why Comply
At its core, PCI DSS is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
“The PCI compliance protocol was first established in December 2004 and was created to unify credit card companies’ separate security programs into one common standard to protect cardholder data,” says Todd Leyse, president of Adam’s Pest Control Inc. in Medina, Minnesota, and founder of Blu Star Field Service Management Systems, a customer relationship management (CRM) system for the pest control industry. “The standard has since gone through several updates, with the most significant recent update being PCI DSS 4.0, released in March 2022, which became fully mandatory in March 2025. Whether you’re a solo operator or running a regional brand with dozens of technicians, if you take credit or debit cards, PCI rules apply.”
Failure to meet PCI compliance rules can result in liability if there is a data breach; loss of the ability to process credit cards; fines passed down through merchant processors; reputational harm; and potential lawsuits or state enforcement actions. The cost of noncompliance is specific to each business and circumstance: it depends on the extent of the noncompliance and on whether anything resulted from it, such as a data breach.
“I remember it being a big question mark in our industry. Just three years prior, we were hand-entering credit card information into a terminal, but by 2004, we had moved to a web-based CRM with credit card processing that was PCI compliant,” Leyse says. “We had lists of credit card numbers and papers in hanging folders with credit card numbers on them, so when PCI came out, we had to look for and purge that old information.”
Compliance Know-How
How often have you seen your employees jot down credit card or bank information while taking payments over the phone?
“Maybe it’s just temporary—jotted down on a sticky note to be entered into a system later. But it’s a major compliance violation,” Leyse says.
Not writing down card data is the first rule of PCI compliance: the numbers an employee jots down become stored cardholder data the moment they hit paper. Other key steps include letting trusted third-party tools handle payment collection, purging outdated records, and shredding anything handwritten.
The best practice Leyse advises is having clients enter their payment details directly into a third-party, PCI-compliant gateway, or having employees use a keypad or gateway tool that bypasses your internal systems entirely. If payment information must be written down, shred it as soon as it has been entered. “Those providers are designed to handle sensitive information securely,” Leyse says. “Your own systems—CRM, phone, files—should never see or touch that data in raw form.”
Another big mistake Leyse sees pest control companies making is keeping unencrypted phone recordings that contain card information. Many pest control companies record calls for training or recordkeeping purposes, but if a client reads out card or bank details during a recorded call, the recording itself becomes stored cardholder data. The primary account number must be rendered unreadable (encrypted) wherever the recording lives, and the card security code may not be retained after authorization at all, even encrypted, so it has to be redacted from the recording or the recording paused while it is read. Companies should also ensure no unencrypted copies of such recordings are kept in a database, in the cloud, or in a CRM.
“People turn on features and use them without understanding their ramifications,” Leyse says. “If your phone system is hacked or stolen, now what? Or if you are using a cloud-based system, do you know if your provider has good security and encrypts those recordings from the get-go?”
That’s why it is vital for companies to review their legacy systems annually to ensure PCI compliance and that no problematic data is being kept. “You can keep data on file as long as that file is encrypted,” Leyse says. “But these days with AI and quantum computing coming, modern-day encryption will have to get stronger soon.”
While some companies search for trusted third parties to handle payment collections, Leyse is hesitant to allow his clients’ credit card data to reside within a CRM’s proprietary system. “Who is looking over their shoulder? I prefer mine with a large, major gateway,” Leyse says. “They have a lot, and I mean a lot, to lose if they have a breach.”
A Key Perspective
According to Melissa Huson, CPA, chief financial officer at NPMA, the cardholder data elements that PCI-compliant companies can keep on file include:
- The primary account number (it must be rendered unreadable per PCI DSS if stored)
- Cardholders’ names
- Service code
- Expiration date
Cardholder names, service codes, and expiration dates must be protected per PCI DSS requirements if stored together with the primary account number. The card security code (the three- or four-digit CVV/CVC/CID value), by contrast, is sensitive authentication data and may not be retained after authorization in any form.
“For companies looking for the best, most-trusted third party to handle payment collection, they should find companies that offer strong client support, PCI DSS Level 1 compliance certification, documentation of compliance, breach protocols, and security practices such as tokenization and encryption,” Huson says.
As part of its PCI compliance efforts, NPMA only uses third-party partners that are PCI compliant.
“Our database provider does not store credit card data in the system but uses a tokenized reference transaction that is PCI compliant. Any unused tokens automatically expire in one year,” Huson says. “We also maintain a firewall, antivirus software, and have a secure network. We have audit logs and role-based access to data, and we minimize data collection to only what is necessary. If credit card data is received by mail, it must be shredded, and we highly discourage credit card information being sent by email or text for any of our services.”
NPMA also completes a yearly PCI self-assessment questionnaire through SaferPayments, and the association reviews the annual PCI compliance attestation from its CRM platform, which processes all payment transactions for the organization.
“We also ensure our payment gateway and payment processor are PCI compliant,” Huson says.
Addressing Compliance Issues
Companies must validate their compliance annually. The depth of that validation depends primarily on the number of card transactions processed each year, which sets the merchant level and determines whether a self-assessment questionnaire is enough or an on-site assessment by a qualified security assessor is required. If issues are found, in most cases companies will need to work with their IT department or a third-party data security firm, together with their merchant services provider, to reach genuine compliance.
To ensure his company’s PCI compliance, Leyse receives a call annually from a service that his bank hires to audit his company.
“I’m not that familiar with companies not being PCI compliant, but it is my understanding the credit card companies can remove your ability to charge your clients’ credit cards for some period of time, like a year or more,” Leyse says. “It’s a legal and ethical requirement, and yet many pest control companies, especially smaller operations, still treat PCI standards like a suggestion rather than a mandate. You don’t have to be a cybersecurity expert to do the right thing.”
Cleaning Up Legacy Systems
Todd Leyse, president of Adam’s Pest Control Inc., stresses the importance of conducting a thorough audit of stored files, paper and digital alike, in which sensitive or proprietary data may be found.
“These include scanned PDFs or client forms that contain credit card numbers or bank routing and account numbers,” Leyse says. “This could also include any digital or physical storage of an unencrypted primary account number or banking info, as well as notes fields in your CRM with outdated sensitive information.”
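One way to carry out the audit Leyse describes, as an added example rather than anything from the article or from Adam’s Pest Control: a Python scan that walks free-text fields (CRM notes, text extracted from scanned PDFs) and reports Luhn-valid card numbers in masked form, flagging any that sit next to a security code. The record layout, field names, and sample notes are constructed for the demonstration; the card numbers are the standard Visa and Mastercard test numbers, not real accounts.

```python
"""PAN discovery scan over free-text fields, e.g. CRM notes or text extracted
from scanned PDFs. Added example for this article; not the author's or any
vendor's code. Record layout and sample notes are constructed for the demo."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A card number is 13 to 19 digits, often typed with spaces or dashes between
# groups. The lookarounds stop us matching a slice of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A security code noted near a PAN is sensitive authentication data, which
# PCI DSS forbids retaining after authorization, even encrypted.
SECURITY_CODE_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code)\b\D{0,6}\d{3,4}", re.I
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out invoice and tracking numbers that merely
    look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the traditional masking PCI DSS allows
    for display; the report itself must never contain the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    record_id: str
    field: str
    masked_pan: str
    has_security_code: bool


def scan_records(records: list[dict[str, str]]) -> list[Finding]:
    """Return one Finding per Luhn-valid card number found in any text field.
    Each record is a dict with an 'id' key plus arbitrary text fields."""
    findings: list[Finding] = []
    for rec in records:
        for field, text in rec.items():
            if field == "id" or not text:
                continue
            for match in CANDIDATE_RE.finditer(text):
                digits = re.sub(r"\D", "", match.group())
                if 13 <= len(digits) <= 19 and luhn_valid(digits):
                    findings.append(Finding(
                        record_id=rec["id"],
                        field=field,
                        masked_pan=mask_pan(digits),
                        has_security_code=bool(SECURITY_CODE_RE.search(text)),
                    ))
    return findings


# Constructed sample records (hypothetical CRM export). The card numbers are
# the well-known Visa and Mastercard test numbers.
SAMPLE_RECORDS = [
    {"id": "cust-1001",
     "notes": "Quarterly service. Card on file: 4111 1111 1111 1111, exp 12/27, CVV 123."},
    {"id": "cust-1002",
     "notes": "Call back at 612-555-0199 re: termite inspection. Invoice 1234567890123456."},
    {"id": "cust-1003",
     "notes": "Paid by Mastercard 5500-0000-0000-0004; receipt emailed."},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        flag = " + SECURITY CODE (must not be retained)" if f.has_security_code else ""
        print(f"{f.record_id} [{f.field}]: {f.masked_pan}{flag}")
```

Run against a CRM or notes export, the hits tell you which records need purging or moving to the gateway. The Luhn check removes the phone-number and invoice-number false positives in the sample (the 16-digit invoice number fails mod 10), but bank routing and account numbers, which the article also asks you to hunt for, need separate rules since they do not follow the card-number format.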
As a reminder, here is how PCI DSS treats each of these data types when they turn up in old files:
- Primary account numbers may be kept only if rendered unreadable per PCI DSS
- Expiration dates must be protected when stored together with the primary account number
- Security codes may not be retained after authorization at all, even encrypted
- Bank account numbers (including routing numbers) fall outside PCI DSS but warrant the same handling: encrypt what you must keep and shred or delete the rest