{"id":8710,"date":"2026-05-04T12:08:35","date_gmt":"2026-05-04T16:08:35","guid":{"rendered":"https:\/\/geasypay.com\/pci-dss-compliance-in-canada-2026-a-merchants-guide\/"},"modified":"2026-05-04T12:12:37","modified_gmt":"2026-05-04T16:12:37","slug":"pci-dss-compliance-in-canada-2026-a-merchants-guide","status":"publish","type":"post","link":"https:\/\/geasypay.com\/en\/pci-dss-compliance-in-canada-2026-a-merchants-guide\/","title":{"rendered":"PCI DSS compliance in Canada 2026: a merchant&#8217;s guide"},"content":{"rendered":"<p><strong>If your business accepts credit or debit cards, even just one payment per month, you are required to be PCI DSS compliant under your card-acceptance agreement. And yet, according to industry estimates, more than 6 out of 10 Canadian merchants don&#8217;t know exactly what this means for them. <\/strong>  Worse still, in the event of a data breach, penalties can run into tens of thousands of dollars in fines, not to mention the cost of customer notification and civil proceedings.<\/p>\n<p>The good news? For the vast majority of SMEs, restaurants, clinics and boutiques in Quebec and Canada, PCI DSS compliance is easier than you might think, especially when your payment service provider, like us, does most of the work. <\/p>\n<p>In this guide, we demystify PCI DSS compliance in 2026: the 4 merchant levels, the 12 requirements to be met, the concrete penalties, and how point-to-point encryption (P2PE), tokenization and approved terminals radically simplify compliance.<\/p>\n<h2>What is PCI DSS compliance and why is your business concerned?<\/h2>\n<p><a href=\"https:\/\/www.pcisecuritystandards.org\/\" target=\"_blank\" rel=\"noopener\"><strong>PCI DSS<\/strong><\/a> stands for <em>Payment Card Industry Data Security Standard<\/em>. It is a set of security requirements developed by the major card networks (Visa, Mastercard, American Express, Discover, JCB) and managed by the <strong>PCI Security Standards Council (PCI SSC)<\/strong>. 
<\/p>\n<p>In concrete terms, PCI DSS defines how you must protect your customers&#8217; payment card data: the card number (PAN), expiry date, cardholder name, CVV code, magnetic-stripe and chip data, etc. Together this is called <em>cardholder data<\/em>. The PAN may be kept only if it is rendered unreadable wherever it is stored (encrypted, truncated or tokenized), or better still not kept at all, and it may only travel over protected channels. The CVV, the PIN and full magnetic-stripe or chip data are <em>sensitive authentication data<\/em> and must never be stored after authorization, not even in encrypted form. <\/p>\n<h3><strong>Who needs to be PCI DSS compliant in Canada?<\/strong><\/h3>\n<p>Any business that accepts, processes, stores or transmits payment card data, regardless of volume. This includes: <\/p>\n<ul>\n<li><strong>Restaurants<\/strong> that take cards in person or for telephone orders<\/li>\n<li><strong>Retail stores<\/strong> with a physical terminal or an online store<\/li>\n<li><strong>Medical, dental, veterinary and beauty clinics<\/strong><\/li>\n<li><strong>Non-profit organizations<\/strong> collecting card donations<\/li>\n<li><strong>Independent professionals<\/strong> billing by card<\/li>\n<li><strong>E-businesses<\/strong> of all sizes<\/li>\n<\/ul>\n<p>Even if you only process one card transaction per month, the obligation still applies. Compliance isn&#8217;t a government law in the strict sense of the word; it&#8217;s a contractual obligation imposed by your payment processor (acquirer) and, through it, by the card networks. But the consequences of non-compliance (fines, suspension of card payments, civil liability in the event of a leak) are very real.  <\/p>\n<p><strong>The version in force in 2026<\/strong> is PCI DSS 4.0.1, published in June 2024 as a limited revision of v4.0. Version 3.2.1 was retired on 31 March 2024, and the last future-dated v4.x requirements became mandatory on 31 March 2025. Compared with 3.2.1, v4.x tightens multi-factor authentication (MFA), expects continuous monitoring rather than point-in-time checks, and requires merchants to inventory and integrity-check the scripts loaded on their online payment pages. 
<\/p>\n<h2>The 4 levels of PCI DSS compliance &#8211; what&#8217;s yours?<\/h2>\n<p>PCI DSS validation requirements differ according to the <strong>annual volume of card transactions<\/strong> your business processes. There are 4 levels, determined mainly by annual Visa transaction counts (the other networks use similar thresholds, and your acquirer tells you which level applies to you). <\/p>\n<p><strong>Level 1: More than 6 million transactions per year<\/strong><\/p>\n<ul>\n<li>Annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC)<\/li>\n<li>Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)<\/li>\n<li>Attestation of Compliance (AOC) signed by an executive<\/li>\n<\/ul>\n<p><strong>Level 2: Between 1 million and 6 million transactions per year<\/strong><\/p>\n<ul>\n<li>Annual self-assessment questionnaire (SAQ), or a QSA assessment depending on the card network and acquirer<\/li>\n<li>Quarterly ASV scans<\/li>\n<li>Signed AOC<\/li>\n<\/ul>\n<p><strong>Level 3: Between 20,000 and 1 million e-commerce transactions per year<\/strong><\/p>\n<ul>\n<li>Annual SAQ<\/li>\n<li>Quarterly ASV scans of Internet-facing systems<\/li>\n<li>Signed AOC<\/li>\n<\/ul>\n<p><strong>Level 4: Fewer than 20,000 e-commerce transactions per year, or any other merchant with fewer than 1 million transactions per year<\/strong><\/p>\n<ul>\n<li>Annual SAQ: SAQ A for a fully outsourced online store, SAQ B-IP or SAQ P2PE for a typical terminal merchant<\/li>\n<li>Quarterly ASV scans where your SAQ calls for them (e-commerce sites in particular); your acquirer may require them regardless<\/li>\n<li>Signed AOC<\/li>\n<\/ul>\n<p><strong>The vast majority of Canadian SMEs (over 95%) fall into Level 4.<\/strong>  For you, compliance mainly means filling in a self-assessment questionnaire every year (SAQ B-IP, SAQ P2PE or SAQ A depending on how you take cards; the short ones take 15 to 20 minutes). It&#8217;s manageable, provided you use a payment provider who has already done most of the work for you. 
<\/p>\n<h2>The 12 PCI DSS requirements explained simply<\/h2>\n<p>PCI DSS 4.0.1 organizes its obligations around <strong>12 main requirements<\/strong>, grouped into 6 categories.<\/p>\n<p><strong>Building and maintaining a secure network and systems<\/strong><\/p>\n<p><strong>1.<\/strong> Install and maintain network security controls (a firewall, or a router whose firewall rules are actually configured rather than left in factory mode) between your payment systems and everything else.<\/p>\n<p><strong>2.<\/strong> Apply secure configurations to every component: never keep manufacturers&#8217; default passwords or settings on terminals, POS or Wi-Fi routers.<\/p>\n<p><strong>Protecting cardholder data<\/strong><\/p>\n<p><strong>3.<\/strong> Protect stored account data. Keep as little as possible, ideally nothing at all (delegate storage to your processor); any PAN you do keep must be unreadable (tokenized, truncated or encrypted), and the CVV or full track data must never be kept after authorization. <\/p>\n<p><strong>4.<\/strong> Use strong cryptography whenever card data crosses open or public networks (TLS on every page of an e-commerce site, WPA2 or WPA3 on in-store Wi-Fi).<\/p>\n<p><strong>Maintain a vulnerability management program<\/strong><\/p>\n<p><strong>5.<\/strong> Run up-to-date anti-malware software on every computer that handles payment data.<\/p>\n<p><strong>6.<\/strong> Develop and maintain secure systems and software: install security updates for your POS, terminal, computers, etc., and on an e-commerce site keep an inventory of the scripts on the payment page and check that they are authorized and unchanged (a v4.0 addition).<\/p>\n<p><strong>Implement strict access controls<\/strong><\/p>\n<p><strong>7.<\/strong> Restrict access to payment data and systems to the people who need it for their job.<\/p>\n<p><strong>8.<\/strong> Identify each user uniquely and authenticate access. Each employee must have his or her own account and password (no shared logins), and since PCI DSS 4.0, multi-factor authentication (MFA) is mandatory for all access into the environment where card data is handled, not just for administrators and remote access. 
<\/p>\n<p><strong>9.<\/strong> Restrict physical access to card data and to the terminals themselves: no paper with card numbers lying around the cash register, and keep a list of your payment terminals and inspect them periodically for tampering or substitution.<\/p>\n<p><strong>Regular network monitoring and testing<\/strong><\/p>\n<p><strong>10.<\/strong> Log and monitor all access to resources and payment data, and keep the logs (at least 12 months, the most recent 3 immediately available).<\/p>\n<p><strong>11.<\/strong> Regularly test security systems and processes: vulnerability scans, and penetration tests where your SAQ or Report on Compliance calls for them (SAQ D and the full assessment do).<\/p>\n<p><strong>Maintain an information security policy<\/strong><\/p>\n<p><strong>12.<\/strong> Maintain a written information security policy that applies to all personnel.<\/p>\n<p><strong>For a Level 4 (the majority of SMEs)<\/strong>, most of these requirements are <strong>largely covered<\/strong> when you use a certified payment provider like Geasy Pay. Your provider takes care of encryption, secure storage, cloud firewalls and infrastructure compliance. You remain responsible for your user accounts and passwords, your Wi-Fi and network, keeping your POS and computers patched, and the physical safekeeping of your terminals.  <\/p>\n<h2>Penalties for non-compliance (and hidden costs)<\/h2>\n<p>Many merchants believe that PCI DSS non-compliance has no real consequences as long as they have no data leakage.  <strong>This is not true.<\/strong>  Sanctions apply on several levels, some of which may already be hitting you without your realizing it.<\/p>\n<p><strong>1. Monthly PCI non-compliance fee on your statement<\/strong><\/p>\n<p>This is the most common. Your payment processor charges you between <strong>$20 and $80 a month<\/strong> if you haven&#8217;t filled out your annual SAQ questionnaire. Cumulated over 12 months, that&#8217;s $240 to $960 a year, simply because you didn&#8217;t take 20 minutes to fill out a form. Check your statement: the line is often called <em>PCI Non-Compliance Fee<\/em> or <em>PCI Compliance Fee<\/em>.   <\/p>\n<p><strong>2. 
Card network fines for violations<\/strong><\/p>\n<p>If a data breach occurs and it&#8217;s shown that your business wasn&#8217;t PCI DSS compliant, the networks can impose fines (passed on to you by your acquirer) ranging from <strong>$5,000 to $100,000 per month<\/strong> until compliance is achieved. For a small business, this can be existential. <\/p>\n<p><strong>3. Costs associated with a data breach<\/strong><\/p>\n<p>Beyond the fines, a data leak leads to:<\/p>\n<ul>\n<li><strong>Investigation costs<\/strong> ($15,000 to $50,000) for the forensic investigation the card networks require after a confirmed breach, to identify the cause and extent of the leak<\/li>\n<li><strong>Notification costs for affected customers,<\/strong> mandatory in Quebec under Law 25 when the incident presents a risk of serious injury<\/li>\n<li><strong>Credit monitoring fees<\/strong> offered to affected customers ($10 to $30 per customer)<\/li>\n<li><strong>Permanent increase in transaction costs<\/strong> for you, as your business becomes an increased risk<\/li>\n<li><strong>Potential civil suits<\/strong> by affected customers<\/li>\n<li><strong>Damage to reputation<\/strong> difficult to quantify but often devastating for a small local business<\/li>\n<\/ul>\n<p><strong>4. Loss of right to accept payment cards<\/strong><\/p>\n<p>In serious or repeated cases, your processor may <strong>terminate your contract<\/strong> and place you on the <em>MATCH<\/em> list (Member Alert To Control High-risk, the terminated-merchant database operated by Mastercard and consulted by acquirers across North America before they sign a new merchant). The listing stays for five years, and during that time it is extremely difficult to find a new processor. 
<\/p>\n<p><strong>It&#8217;s easy to calculate:<\/strong> investing 20 minutes a year in an SAQ questionnaire and using an approved terminal costs far less than the least of the above consequences.<\/p>\n<h2>How does Global Payments via Geasy Pay simplify your PCI compliance?<\/h2>\n<p><strong>Geasy Pay is an official partner of Global Payments, one of the world&#8217;s largest payment service providers, operating in over 100 countries.<\/strong>  This global infrastructure means that almost all the technical burden of PCI DSS compliance is already absorbed by Global Payments before you even put your terminal on the counter.<\/p>\n<h3>1. Point-to-point encryption (P2PE)<\/h3>\n<p>With a PCI SSC-listed P2PE solution, your customer&#8217;s card data is encrypted inside the terminal&#8217;s secure hardware <strong>from the moment the card is inserted, tapped or swiped<\/strong>, and remains encrypted throughout processing, right up to decryption in the solution provider&#8217;s PCI-validated decryption environment. The decryption keys never exist on your side.<\/p>\n<p><strong>The direct consequence for you is that<\/strong> your systems (POS, computer, Wi-Fi, server) never see card data in clear text. They only carry ciphertext they cannot read. This drastically reduces your <strong>PCI compliance perimeter,<\/strong> making you eligible for the shortest and easiest questionnaire, SAQ P2PE (~10 minutes per year), provided the terminals are deployed and managed as the listed solution&#8217;s instruction manual requires.  <\/p>\n<h3>2. Tokenization<\/h3>\n<p>When a customer pays with their card, Global Payments immediately replaces the card number (PAN) with a <em>token<\/em>: a random value that maps back to the card only inside the processor&#8217;s vault. A token can be single-use (tied to that one payment) or a reusable card-on-file token for your business. Either way, if someone were to steal it from your systems, they couldn&#8217;t do anything with it: nothing about the real card can be derived from it, and it is worthless with any other processor or merchant. 
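<\/p>\n<p>As an added illustration (not code from Geasy Pay or Global Payments), the Python below shows in working code what the tokenization described above, and the &#8220;store as little as possible, never the CVV&#8221; rule of Requirement 3, mean in practice: a toy processor-side vault that issues random single-use or card-on-file tokens and hands the PAN back only to the owning merchant, a masking helper for receipts, and a Luhn-based scan that finds full card numbers left in a merchant&#8217;s own files or logs. The in-memory vault, the merchant IDs, the index key, the test card numbers and the log lines are all constructed for the example; a real vault is an HSM-backed system on the processor&#8217;s side that the merchant never hosts.<\/p>

```python
# Added example for this guide, not Geasy Pay or Global Payments code.
# Models the processor-side tokenization described above and a PAN-discovery
# scan a merchant can run on its own files (PCI DSS Requirement 3).
# Assumptions: an in-memory dict stands in for the processor's HSM-backed
# vault; merchant IDs, index key, card numbers and log lines are constructed.
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    '''Luhn mod-10 check that PANs of every major card brand satisfy.'''
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    '''Display form Requirement 3 allows on receipts: first 6 and last 4 at most.'''
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


class TokenVault:
    '''Stands in for the processor's vault. A token is random, so nothing about
    the PAN can be derived from it; the only link between the two is this
    mapping, which lives with the processor and never in the merchant's systems.
    Card-on-file (multi-use) tokens are found again through a keyed HMAC index,
    so the vault never searches by plaintext PAN.'''

    def __init__(self, index_key: bytes):
        self._index_key = index_key    # secret held by the processor (constructed here)
        self._by_token = {}            # token -> (merchant_id, pan)
        self._by_card = {}             # HMAC(merchant_id|pan) -> token

    def _card_index(self, merchant_id: str, pan: str) -> str:
        msg = (merchant_id + '|' + pan).encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, merchant_id: str, pan: str, multi_use: bool = False) -> str:
        if not luhn_valid(pan):
            raise ValueError('not a well-formed PAN')
        idx = self._card_index(merchant_id, pan)
        if multi_use and idx in self._by_card:
            return self._by_card[idx]   # same card at the same merchant: same token
        token = 'tok_' + secrets.token_hex(16)   # 128 random bits, unrelated to the PAN
        self._by_token[token] = (merchant_id, pan)
        if multi_use:
            self._by_card[idx] = token
        return token

    def detokenize(self, merchant_id: str, token: str) -> str:
        '''Processor-side only: a token is useless to any other merchant.'''
        owner, pan = self._by_token[token]      # KeyError for an unknown token
        if owner != merchant_id:
            raise PermissionError('token belongs to another merchant')
        return pan


# 13 to 19 digits, optional single space or dash between digits, no digit on either side.
PAN_RE = re.compile('(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])')


def find_pans(text: str) -> list:
    '''PAN discovery: Luhn-valid digit runs in free text (logs, exports, tickets).'''
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub('[^0-9]', '', m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed POS debug log: the kind of file that must not contain full PANs.
SAMPLE_LOG = '''
2026-05-04 12:08 sale approved card=4111 1111 1111 1111 amount=42.50
2026-05-04 12:09 customer phone 514-555-0199 order 1234567890123
2026-05-04 12:10 card on file for subscription: 378282246310005
'''

if __name__ == '__main__':
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = '4111111111111111'
    t1 = vault.tokenize('merchant-001', pan, multi_use=True)
    t2 = vault.tokenize('merchant-001', pan, multi_use=True)
    print('card-on-file token reused:', t1 == t2, '| receipt shows', mask_pan(pan))
    for found in find_pans(SAMPLE_LOG):
        print('full PAN found in log, in scope for PCI DSS:', mask_pan(found))
```

<p>Run it as a script to see the card-on-file token come back unchanged for the same card and the two full PANs the log scan flags (the phone number and the order number are ignored because they fail the Luhn check). The scan is the practical test for Requirement 3 on your side: anything it finds on a POS computer, in an export or in a support ticket is cardholder data you are storing, and it should be deleted or replaced by the processor&#8217;s token.<\/p>\n<p>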
<\/p>\n<p><strong>Particularly useful for:<\/strong><\/p>\n<ul>\n<li><strong>Recurring payments<\/strong> (subscriptions, NPO dues)<\/li>\n<li><strong>Loyal customers<\/strong> whose payment method you want to keep on file<\/li>\n<li><strong>Online retailers<\/strong> who don&#8217;t want to ask for the card number again at every purchase<\/li>\n<\/ul>\n<h3>3. PCI PTS-certified terminals<\/h3>\n<p>All terminals supplied by Geasy Pay (Ingenico Desk 5000, Ingenico Move 5000, Genius terminals, etc.) are <strong>PCI PTS<\/strong> (PIN Transaction Security) <strong>approved<\/strong>. This approval means that: <\/p>\n<ul>\n<li>The keypad resists attempts to extract the PIN<\/li>\n<li>Account data is encrypted inside the device before it leaves it (the SRED function that P2PE solutions rely on)<\/li>\n<li>The terminal detects physical tampering and responds by erasing its keys, which makes it useless to an attacker and visibly out of service for you.<\/li>\n<\/ul>\n<p>See our <a href=\"https:\/\/geasypay.com\/en\/payment-solutions\/payment-terminals\/\">complete guide to Interac terminals<\/a> to compare available terminals, and our <a href=\"https:\/\/geasypay.com\/en\/payment-solutions\/point-of-sale-pos\/\">POS system guide in Quebec<\/a> for integrated solutions.<\/p>\n<h3>4. Secure cloud platform<\/h3>\n<p>The Global Payments infrastructure is hosted in ISO 27001-certified data centers. All firewalls, intrusion detection systems and access logs are managed 24\/7 by Global Payments security teams &#8211; not by you. <\/p>\n<h3>5. 
Human support from Geasy Pay<\/h3>\n<p>Our local team in Quebec can help you:<\/p>\n<ul>\n<li>Identify your PCI DSS level and the right SAQ questionnaire to complete<\/li>\n<li>Work through the SAQ in French<\/li>\n<li>Check the secure configuration of your Wi-Fi and user accounts<\/li>\n<li>Know when a major security update is required<\/li>\n<\/ul>\n<h2>Assess your PCI compliance today!<\/h2>\n<p>Here are the practical steps you need to take to bring your business into compliance (or check that you already are):<\/p>\n<p><strong>Step 1 &#8211; Identify your PCI DSS level<\/strong><\/p>\n<p>Estimate your annual number of card transactions (all categories: credit, debit, in-store, online). If you&#8217;re below 1 million total transactions per year and below 20,000 e-commerce transactions, you&#8217;re most likely Level 4. <\/p>\n<p><strong>Step 2 &#8211; Identify the right SAQ questionnaire<\/strong><\/p>\n<p>There are several SAQ questionnaires to choose from, depending on how card data reaches you. The eligibility criteria printed at the front of each SAQ are what decide, not the name:<\/p>\n<ul>\n<li><strong>SAQ A<\/strong> &#8211; Card-not-present only (e-commerce or mail\/telephone order), with all cardholder data functions fully outsourced to a PCI DSS compliant provider, for example a full redirect or an iframe served by that provider. Simplest, ~15-20 minutes. <\/li>\n<li><strong>SAQ A-EP<\/strong> &#8211; E-commerce site that never receives card data itself but whose own web pages affect how the payment is secured, for instance a form that posts directly from your page to the provider, or a payment script served from your server.<\/li>\n<li><strong>SAQ B<\/strong> &#8211; Stand-alone dial-out terminal, no electronic storage of card data.<\/li>\n<li><strong>SAQ B-IP<\/strong> &#8211; Stand-alone PTS-approved terminal connected over IP to the processor, no electronic storage.<\/li>\n<li><strong>SAQ C-VT<\/strong> &#8211; Virtual terminal: card numbers keyed by hand into a provider&#8217;s web page from a single isolated computer (phone orders, payment links).<\/li>\n<li><strong>SAQ C<\/strong> &#8211; Payment application (POS) connected to the Internet, no electronic storage of card data.<\/li>\n<li><strong>SAQ P2PE<\/strong> &#8211; Hardware terminals that are part of a PCI-listed P2PE solution, no electronic storage.<\/li>\n<li><strong>SAQ D<\/strong> &#8211; All other cases (the most comprehensive and demanding).<\/li>\n<\/ul>\n<p>If you&#8217;re using a standard Geasy Pay terminal, you&#8217;ll most likely fill in <strong>SAQ B-IP<\/strong>, or <strong>SAQ P2PE<\/strong> when the terminal is part of the listed P2PE solution; both are among the shortest. <strong>SAQ A<\/strong> is for online or phone sales that are fully outsourced, not for a terminal on the counter.<\/p>\n<p><strong>Step 3 &#8211; Complete your SAQ and sign your Attestation of Compliance (AOC)<\/strong><\/p>\n<p>The SAQ is a yes\/no questionnaire about your business&#8217;s security practices. Once completed, you sign the Attestation of Compliance (AOC) and send it to your payment processor (Geasy Pay). Valid for 12 months.  <\/p>\n<p><strong>Step 4 &#8211; Perform ASV scans if applicable<\/strong><\/p>\n<p>If your SAQ includes external vulnerability scanning (SAQ A-EP, C and D do; an online store is the typical case), quarterly scans by an <em>Approved Scanning Vendor<\/em> (ASV) are mandatory, and your acquirer may ask for them even when your SAQ does not. These scans check your Internet-facing systems for exploitable vulnerabilities. Typical cost: $50 to $200 per quarter. Geasy Pay can recommend an ASV partner if required.   <\/p>\n<h2>PCI DSS and Law 25: what Quebec merchants need to know<\/h2>\n<p>In Quebec, PCI DSS obligations sit inside a broader regulatory framework: <strong>Law 25<\/strong> (An Act to modernize legislative provisions as regards the protection of personal information), whose provisions came into force in stages from September 2022 to September 2024. All of them apply in 2026. 
<\/p>\n<h3><strong>What Law 25 requires of Quebec businesses<\/strong><\/h3>\n<ul>\n<li><strong>Designate a person in charge of the protection of personal information<\/strong> (privacy officer) for your organization; by default it is the person with the highest authority<\/li>\n<li><strong>Publish a privacy policy<\/strong> on your website, in clear and simple language<\/li>\n<li><strong>Notify the Commission d&#8217;acc\u00e8s \u00e0 l&#8217;information (CAI) and affected individuals<\/strong> of any confidentiality incident presenting a risk of serious injury<\/li>\n<li><strong>Keep a register of confidentiality incidents<\/strong>, even minor ones<\/li>\n<li><strong>Conduct a Privacy Impact Assessment (PIA)<\/strong> before any project to acquire, develop or redesign an information system involving personal information<\/li>\n<\/ul>\n<p><strong>Law 25 penalties:<\/strong> administrative monetary penalties of up to <strong>$10 million<\/strong> or <strong>2% of worldwide turnover<\/strong> (whichever is greater), penal fines of up to <strong>$25 million<\/strong> or <strong>4% of worldwide turnover<\/strong>, and civil action, including punitive damages for intentional or grossly negligent breaches.<\/p>\n<h3><strong>The overlap with PCI DSS<\/strong><\/h3>\n<p>Payment card data is personal information within the meaning of Law 25 (cardholder name, card number). Your PCI DSS compliance therefore contributes directly to your Law 25 compliance in terms of <em>payment security<\/em>. But Law 25 goes further: it covers <strong>all the<\/strong> personal information you collect (customer e-mail addresses for loyalty purposes, telephone numbers for appointment reminders, etc.), not just payment data.  <\/p>\n<p><strong>Our recommendation:<\/strong> Treat PCI DSS compliance as the <strong>foundation for payment security<\/strong>, and Law 25 as <strong>the overall framework for managing personal data<\/strong> in your business. The two are complementary and must be respected in parallel. 
<\/p>\n<h2>Frequently asked questions about PCI DSS compliance in Canada<\/h2>\n<h3>Does my business really have to be PCI DSS compliant in Canada?<\/h3>\n<p>Yes. Any business that accepts, processes, stores or transmits payment card data (Visa, Mastercard, Amex, Interac debit) must be PCI DSS compliant, regardless of volume &#8211; even a single transaction per month is enough to trigger the obligation. The obligation is imposed by the card networks and your payment processor, not by government law, but the financial penalties are very real: monthly non-compliance fees, fines in the event of a breach, even loss of the right to accept cards.  <\/p>\n<h3>How can I secure card payments in my restaurant or store?<\/h3>\n<p>Three concrete actions in 2026: 1) Use a PCI PTS-approved terminal connected to a certified payment provider (such as Geasy Pay via Global Payments) that supports P2PE encryption and tokenization; 2) Connect terminals by wire (Ethernet) where possible; if they must use Wi-Fi, secure it with WPA3 (or at least WPA2) and a long passphrase, and keep it separate from any guest Wi-Fi; 3) Complete your SAQ questionnaire annually and keep proof of compliance up to date. For most SMEs, these 3 actions cover the essentials of PCI DSS compliance. <\/p>\n<h3>What does PCI DSS compliance mean for SMEs?<\/h3>\n<p>For a Canadian SME (generally Level 4 PCI), compliance mainly consists of: completing an annual self-assessment questionnaire (SAQ B-IP or SAQ P2PE for a terminal merchant, SAQ A for a fully outsourced online store; 15-20 minutes), using approved terminals and certified payment solutions, securing the business&#8217;s network, never storing card numbers in local or paper files, and applying security updates to systems (POS, computers). Most of the technical work is absorbed by your payment service provider. <\/p>\n<h3>How much does PCI DSS compliance cost for a small business?<\/h3>\n<p>If you use a certified payment service provider such as Geasy Pay, the cost of PCI DSS compliance for an SME is generally limited to a minimal administrative fee &#8211; often included in your monthly package. 
Additional costs appear only for e-commerce businesses (quarterly ASV scans at $50-200) or Level 1-2 businesses (QSA assessments at $5,000-50,000\/year). Conversely, not being compliant costs $20-80\/month in PCI non-compliance fees on your statement &#8211; paying to do nothing.  <\/p>\n<h3>What are the 4 levels of PCI DSS compliance?<\/h3>\n<p>Level 1: over 6 million Visa transactions\/year (mandatory annual QSA assessment). Level 2: 1 to 6 million (SAQ or assessment, depending on the network). Level 3: 20,000 to 1 million e-commerce transactions (SAQ + ASV scans). Level 4: fewer than 20,000 e-commerce transactions, or any other merchant under 1 million total transactions (SAQ, plus ASV scans where the SAQ requires them). Over 95% of Canadian SMEs are in Level 4 and only have to complete an annual self-assessment questionnaire.    <\/p>\n<h3>What happens in the event of a payment data breach?<\/h3>\n<p>In the event of a breach: 1) Mandatory notification to your payment processor and, in Quebec, to the Commission d&#8217;acc\u00e8s \u00e0 l&#8217;information (Law 25) when there is a risk of serious injury; 2) Forensic investigation ($15,000 to $50,000) to determine the cause; 3) Notification of affected customers and an offer of credit monitoring ($10-30\/customer); 4) Possible fines from the card networks ($5,000 to $100,000\/month until brought into compliance); 5) Risk of civil action; 6) Possible placement on the MATCH list if the business is found responsible, a listing that lasts 5 years and makes it very hard to find another processor.<\/p>\n<h3>What is the SAQ (Self-Assessment Questionnaire)?<\/h3>\n<p>The SAQ is an annual self-assessment questionnaire that you complete to validate your PCI DSS compliance. It comes in several versions (A, A-EP, B, B-IP, C, C-VT, P2PE, SPoC and D) depending on your situation (online presence, terminal type, etc.). For the majority of SMEs using an approved terminal like those supplied by Geasy Pay, SAQ B-IP or SAQ P2PE applies; a fully outsourced online store files SAQ A. Each is a few dozen yes\/no questions, 15-20 minutes to complete.  
<\/p>\n<h3>What is payment tokenization and why is it important?<\/h3>\n<p>Tokenization immediately replaces your customer&#8217;s card number with a unique, random token that identifies that payment (or, for card-on-file, that card at your business) to your processor and nothing else. If someone were to steal this token from your systems, they couldn&#8217;t do anything with it: it doesn&#8217;t give access to the real card number, and it is worthless with any other processor or merchant. Tokenization is particularly useful for recurring payments (subscriptions, NPO donations), online stores and loyalty programs &#8211; it allows you to retain a customer&#8217;s payment method without ever having the real card data in your systems.  <\/p>\n<h3>How does Global Payments help with PCI DSS compliance?<\/h3>\n<p>Global Payments (via Geasy Pay in Quebec) absorbs most of the technical burden of PCI DSS by providing: 1) An ISO 27001-certified cloud platform validated as a PCI DSS Level 1 service provider; 2) PCI SSC-listed point-to-point encryption (P2PE) that reduces your compliance perimeter; 3) Automatic tokenization of all transactions; 4) PCI PTS-approved terminals; 5) A local Geasy Pay team to guide you through the SAQ. Result: you remain responsible only for the security of your user accounts, passwords, network and the terminals on your premises. <\/p>\n<h3>Are PCI DSS and Quebec&#8217;s Law 25 compatible?<\/h3>\n<p>Yes, and even complementary. PCI DSS specifically protects card payment data. Quebec&#8217;s Law 25, in force in all its provisions since September 2024, covers all the personal information you collect (payments, but also e-mail addresses, telephone numbers, customer files). Your PCI DSS compliance contributes to your Law 25 compliance on the payment side, but Law 25 adds further obligations: appointing a privacy officer, publishing a privacy policy, keeping an incident register, notifying the Commission d&#8217;acc\u00e8s \u00e0 l&#8217;information in the event of a leak. Law 25 penalties can reach $10 million or 2% of worldwide turnover in administrative penalties, and $25 million or 4% in penal fines.    
<\/p>\n<h2>Assess your PCI compliance with Geasy Pay<\/h2>\n<p>Not sure if you&#8217;re PCI DSS compliant? See a <em>PCI Non-Compliance Fee<\/em> line on your monthly statement and don&#8217;t know what to do? Just want peace of mind that your business is protected?  <\/p>\n<p><strong>Geasy Pay offers you a free assessment of your PCI compliance:<\/strong><\/p>\n<p>\u2705 <strong>Complete diagnosis of<\/strong> your current situation (PCI level, SAQ required, risk exposure)<br \/>\n\u2705 <strong>Concrete recommendations<\/strong> to close identified gaps<br \/>\n\u2705 <strong>French-language support<\/strong> from our local team in Quebec<br \/>\n\u2705 <strong>Seamless migration<\/strong> to our Global Payments-certified terminals if you change providers<br \/>\n\u2705 <strong>Elimination of monthly PCI non-compliance fees<\/strong> (often $20-$80\/month) upon compliance.<\/p>\n<p><strong>Contact us today:<\/strong><\/p>\n<ul>\n<li><strong>+1 438-806-0450<\/strong><\/li>\n<li>Request a free quote via <a href=\"https:\/\/geasypay.com\/en\/contact-geasy-pay\/\">our contact form<\/a><\/li>\n<li>Live chat with an advisor in less than 15 minutes<\/li>\n<\/ul>\n<p><strong>To find out more about security and payment costs in Quebec:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/geasypay.com\/en\/how-to-accept-contactless-payment-in-your-business-complete-guide-for-entrepreneurs\/\">Contactless payment in Quebec in 2026: a complete guide<\/a><\/li>\n<li><a href=\"https:\/\/geasypay.com\/en\/barometre-2026-des-frais-de-transaction-au-quebec-combien-vous-pay-vraiment\/\">2026 Barometer of transaction costs in Quebec<\/a><\/li>\n<li><a href=\"https:\/\/geasypay.com\/combien-coute-terminal-paiement-quebec\/\">How much does a payment terminal REALLY cost in Quebec?<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>If your business accepts credit or debit cards, even just one payment per month, you are required to be PCI DSS compliant under your card-acceptance agreement. And yet, according to industry estimates, more than 6 out of 10 Canadian merchants don&#8217;t know exactly what this means for them. 
Worse still, in the event of a data breach, penalties [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8711,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37],"tags":[],"class_list":["post-8710","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/posts\/8710","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/comments?post=8710"}],"version-history":[{"count":1,"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/posts\/8710\/revisions"}],"predecessor-version":[{"id":8714,"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/posts\/8710\/revisions\/8714"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/media\/8711"}],"wp:attachment":[{"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/media?parent=8710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/categories?post=8710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/geasypay.com\/en\/wp-json\/wp\/v2\/tags?post=8710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
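The tokenization FAQ entry above says a stolen token gives an attacker nothing because it is random and only meaningful to the processor. The following is an added example, not code from Geasy Pay, Global Payments or the page, and it goes one step beyond the FAQ: it shows a toy processor-side vault issuing random tokens, the merchant record that keeps only the token plus the first six and last four digits (the digits PCI DSS lets a merchant print on receipts), and why a merchant who "tokenizes" by hashing the card number has not tokenized at all, since those receipt digits leave only six unknown digits to brute-force. The vault class, the function names and the test PAN 4111111111111111 are constructed for this example.

```python
"""Toy payment tokenization versus PAN hashing (added example, not vendor code).

A constructed processor-side vault issues random tokens; the merchant keeps
only the token plus the first six and last four digits, which PCI DSS lets
it display on receipts. A deterministic hash of the PAN, sometimes mistaken
for tokenization, is shown to be recoverable from exactly those digits.
The PAN 4111111111111111 is a well-known test number, not a real card.
"""
import hashlib
import secrets
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check every card brand uses; doubles every 2nd digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Stand-in for the processor: the only place the token -> PAN map exists."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a fresh random token; the PAN never leaves the vault."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        token = "tok_" + secrets.token_urlsafe(24)  # random, not a function of the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can map a token back to the card number."""
        return self._pan_by_token[token]


def merchant_record(pan: str, vault: ProcessorVault) -> Dict[str, str]:
    """What the merchant stores after tokenization: no full PAN anywhere."""
    return {"token": vault.tokenize(pan), "first6": pan[:6], "last4": pan[-4:]}


def naive_hash_token(pan: str) -> str:
    """Anti-pattern: SHA-256 of the PAN. Deterministic, so it can be inverted."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(hash_hex: str, first6: str, last4: str) -> Optional[str]:
    """Invert naive_hash_token for a 16-digit PAN given its first6 and last4.

    Only the six middle digits are unknown: at most 10**6 hashes, a second or
    two in pure Python. Even with the BIN alone, about 10**9 candidates remain,
    which a GPU hashes in seconds. That is why a token must be random, not derived.
    """
    for middle in range(10**6):
        candidate = f"{first6}{middle:06d}{last4}"
        if naive_hash_token(candidate) == hash_hex:
            return candidate
    return None


if __name__ == "__main__":
    vault = ProcessorVault()
    record = merchant_record("4111111111111111", vault)
    print("merchant keeps:", record)
    print("stolen hash inverted to:",
          recover_pan_from_hash(naive_hash_token("4111111111111111"), "411111", "1111"))
```

The design point is in `tokenize`: the token is drawn from `secrets`, so no amount of computation on the merchant's side turns it back into a PAN, and the mapping lives only in the vault the processor controls. `recover_pan_from_hash` is the counter-example: anything deterministic, whether a plain hash, a keyed hash with a leaked key or format-preserving encryption with a merchant-held key, pulls the PAN back into the merchant's scope.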
