Last updated: Nov 26, 2025, 3:26 PM
Learn about PCI compliance, expectations, responsibilities, requirements, and costs.
| This document is provided for informational purposes only and is not intended as legal, compliance, or other professional advice. It may be advisable for you to consult with a professional such as a lawyer or other relevant advisor for advice specific to your circumstances. |
Every Toast customer that takes payment cards must be PCI compliant, so it is important to understand what this means. Toast is continually strengthening its payment systems and platform, and meeting more of these requirements on behalf of its customers. Recent updates to our PCI program make it even easier for customers to meet their PCI responsibilities. This article provides an overview of PCI, how to access responsibility documentation, and how these changes affect Toast customers.
“PCI” is shorthand for “PCI DSS,” which stands for Payment Card Industry Data Security Standard. This refers to a set of rules for handling your guests’ payment card information to minimize the risk of card data theft. Every business that takes card payments, even if only a few credit cards a month, must ensure they are doing so in a manner that complies with these requirements. This is what is meant by being “PCI compliant.”
To understand how to be PCI compliant, you first need to understand why you have to be compliant, who is responsible for performing each PCI requirement, and what needs to be done each year. This article is intended to reduce the confusion about PCI compliance at Toast and help you ensure you are meeting these requirements.
| For active customers and prospects, the PCI Responsibilities Guides are available on request through a Customer Care representative, Onboarding Consultant, or other sales representative. |
As a Toast customer, you are required to be PCI compliant. Toast is also required to be PCI compliant. Please note that if you have a separate agreement with another merchant payments provider (e.g., for an unrelated line of business), that provider may also require you to be PCI compliant.
However, it is important to understand that these obligations do not overlap. Any PCI requirements imposed on you by another merchant payments provider should not include your Toast devices or services, since Toast devices can only be used to process guest payment card data through Toast’s merchant processing services. Likewise, the scope of your PCI compliance for card data processed by Toast should not include devices or platforms provided by other merchant service providers.
This may sound obvious, but it is quite common for Toast customers to mistakenly assume that, because they have to submit a Self-Assessment Questionnaire (SAQ) or obtain a Report on Compliance (ROC) to meet obligations from another merchant payments provider, they must include their Toast devices within that report. Toast offers a more technical discussion of this topic within our “QSA Guide,” which can be requested from a Customer Care representative.
When it comes to the obligation to be PCI compliant on Toast devices and platforms, Toast is responsible for most of the PCI requirements, provided you use the Toast Platform and approved devices for accepting card payments.
The official document that spells this out is called a Responsibility Guide. Toast has several Responsibility Guides, covering our various products and capabilities relating to payment processing, which may be requested through your Onboarding Consultant, Customer Success and Services Team or Customer Support. Review the appropriate Responsibility Guide(s) for details of your responsibilities versus those responsibilities which Toast commits to meet on your behalf. There are also some responsibilities that are shared, and details are provided for each of these to understand what this means for your environment. Work with your management and IT team to implement policies outlined in these documents to satisfy your Toast PCI requirements.
Toast is excited to announce that it has obtained independent validation of its payment software, used within all Toast POS products, and completed migration of all supported card capture devices and POS devices to hardened configurations, strong encryption, and microsegmentation. We have now completed independent third-party assessments of our payments ecosystem and confirmed that all payment devices meet or exceed PCI requirements, removing the need for many network-level controls on your side. As a result, Toast is pleased to pass these benefits along to customers by taking full responsibility for many of the PCI DSS requirements.
Finally, while many POS providers and merchant processors require their customers to submit documentation each year, called SAQs (Self-Assessment Questionnaires) and/or AOCs (Attestations of Compliance), most Toast customers do not need to submit such PCI compliance documentation or engage a company to complete vulnerability scans. Toast does not send out emails asking you to complete any of these documents. If you receive such an email, examine it carefully to determine whether it is coming from another platform provider (perhaps you forgot to cancel your previous POS service provider or merchant account?). If the email claims to come from Toast, treat it as suspicious: do not reply or follow its links, and instead confirm with your Customer Care representative through your usual contact channel.
All this talk about PCI requirements, but what are they, exactly? The table below is a general overview of PCI DSS. Each of these requirements contain multiple sub-requirements, which, as stated above, may fall to Toast, you, or a combination of both to perform. Please review our Toast PCI Responsibility Guides for further information, including a breakdown of the full list of requirements by responsibility.
| Goals | PCI DSS Requirements |
| Build and Maintain a Secure Network and Systems | 1. Install and maintain network security controls 2. Apply secure configurations to all system components |
| Protect Account Data | 3. Protect stored account data 4. Protect cardholder data with strong cryptography during transmission over open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems and networks from malicious software 6. Develop and maintain secure systems and software |
| Implement Strong Access Control Measures | 7. Restrict access to system components and cardholder data by business need to know 8. Identify users and authenticate access to system components 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Log and monitor all access to system components and cardholder data 11. Test security of systems and networks regularly |
| Maintain an Information Security Policy | 12. Support information security with organizational policies and programs |
Businesses that fail to maintain PCI compliance put themselves at risk of a data breach, which can result in damage to their brand, fines, card replacement fees, forensic audit costs, and more. Businesses whose point-of-sale systems, e-commerce platforms, and other payment services do not meet many of these requirements on their behalf must spend the time and money to protect those systems themselves in order to avoid these outcomes. Using a platform that meets these needs for you just makes sense.
Fortunately, Toast is such a platform. It complies with almost all PCI requirements on behalf of its customers, which all but eliminates the need for additional PCI-related costs for Toast customers. The remaining responsibilities, including the shared ones, are spelled out in the Toast PCI Responsibility Guides, so please review them to learn more. Active customers may request these guides through Customer Care, as applicable to their payment channels.