Security & Privacy

PCI-DSS Compliance: Protecting Your Rental Business

Learn why PCI-DSS compliance matters for equipment rental companies and how Rentalyst protects you from credit card company fines.

Understanding credit card security compliance is critical for any business that handles card information. For equipment rental companies, the risks of non-compliance are significant—but often overlooked.

What is PCI-DSS?

PCI-DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

These standards are not optional. Any business that handles credit card data must comply, regardless of size.

The Hidden Risk in Equipment Rental

Many equipment rental companies unknowingly violate PCI-DSS every day through common practices:

Risky Practices That Violate PCI-DSS

  • Storing card photos on personal phones - Taking photos of customer cards with your phone and storing them in your camera roll is a direct violation
  • Emailing card images - Sending unencrypted card photos via email violates multiple PCI requirements
  • Keeping paper authorization forms - Paper forms with full card numbers in filing cabinets are a security liability
  • Storing card numbers in spreadsheets - Any unencrypted storage of full card numbers is prohibited
  • Using regular cloud storage - Dropbox, Google Drive, or iCloud are not PCI-compliant for card data

What Happens If You're Not Compliant?

The consequences of PCI-DSS non-compliance can be severe:

Violation Level            Monthly Fine
Level 4 (Small business)   $5,000 - $10,000
Level 3 (Medium business)  $10,000 - $50,000
Level 2 (Large business)   $50,000 - $100,000+

Beyond fines, non-compliant businesses face:

  • Liability for fraudulent charges - If a data breach occurs, you may be responsible for all fraudulent transactions
  • Loss of card processing ability - Your merchant account can be terminated
  • Legal action - Cardholders can sue for damages
  • Reputation damage - Data breaches become public knowledge

How Rentalyst Solves This

Rentalyst was built from the ground up with PCI-DSS compliance as a core requirement. Here's how we protect your business:

Stripe Connect Integration

When you set up Stripe Connect through Rentalyst, your customers' card data is:

  • Tokenized immediately - Card numbers are converted to secure tokens before ever reaching your systems
  • Never stored on your servers - The actual card data stays within Stripe's PCI-compliant infrastructure
  • Protected by Stripe's security - Stripe is a PCI Level 1 Service Provider, the highest level of certification

Secure Image Handling

For visual verification of physical cards (required for fraud prevention in equipment rental):

  • Client-side processing - Sensitive card data is detected and masked on the customer's device before upload
  • PCI-safe storage - Only masked images with sensitive data redacted are stored
  • Last 4 digits visible - You can still verify the card without storing the full number
  • Secure access controls - Images are encrypted and access is logged
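As an added illustration, not Rentalyst's own code (the page does not describe its implementation), here is the kind of client-side redaction routine the bullets above describe: it finds Luhn-valid card-number candidates in text such as OCR output from a card photo and keeps only the last 4 digits before anything leaves the device. The function names and the sample line are constructed for this example.

```javascript
// Added example (not Rentalyst's code): detect candidate card numbers (PANs) in
// text such as OCR output from a card photo, validate them with the Luhn check,
// and redact everything but the last 4 digits before the text is uploaded.

// 13-19 digits with optional single spaces or dashes between groups.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Luhn (mod 10) checksum, which every major card brand's PAN satisfies.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Replace a validated PAN with a form that keeps only the last 4 digits, which
// is enough for staff to confirm a card without the full number being stored.
function maskPan(pan) {
  const digits = pan.replace(/[ -]/g, '');
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Scan free text, redact every Luhn-valid candidate, and report how many were found.
// Digit runs that fail Luhn (order numbers, phone numbers) are left untouched.
function redactPans(text) {
  let found = 0;
  const redacted = text.replace(PAN_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) return match;
    found++;
    return maskPan(match);
  });
  return { redacted, found };
}

// Constructed sample: an OCR-style line from a card photo plus a non-card number
// (4242... is a well-known test PAN; 1234567890123 fails the Luhn check).
const sample = 'JANE DOE 4242 4242 4242 4242 EXP 12/29  Rental #1234567890123';
console.log(redactPans(sample));
```

In a real upload flow the same redaction would be applied to the image pixels as well as to any extracted text; this block only shows the detection and masking logic.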

Authorization Holds

When placing authorization holds on customer cards:

  • No manual card entry - Customers enter their card data directly into Stripe's secure form
  • Real-time authorization - Holds are placed instantly through Stripe's API
  • Capture or cancel anytime - Full control over the authorization lifecycle
  • Complete audit trail - Every action is logged for your records

Your Compliance Checklist

With Rentalyst and Stripe Connect properly configured, your business achieves:

  • ✅ Card data never touches your systems (handled by Stripe)
  • ✅ No storage of full card numbers
  • ✅ Encrypted storage for any card-related images
  • ✅ Access controls and audit logging
  • ✅ Secure transmission of all data (TLS encryption)
  • ✅ Regular security updates (handled by Rentalyst)

The Bottom Line

Every day that you handle credit card information without proper compliance measures is a day of unnecessary risk. The equipment rental industry has operated with lax card security practices for too long—but credit card companies are increasingly enforcing compliance.

Rentalyst provides enterprise-level security that was previously only available to large corporations, making it easy for rental houses of any size to protect themselves and their customers.

Getting Started

1. Set up Stripe Connect - Navigate to Settings → Stripe Connect in your Rentalyst dashboard
2. Complete verification - Stripe will verify your business information
3. Start accepting cards securely - Your CC Authorization forms will automatically use the secure flow

Once configured, every credit card authorization you collect will be fully PCI-compliant—protecting your business from fines and your customers from fraud.

Frequently Asked Questions

What is PCI-DSS and why does it matter for my rental business?
PCI-DSS is a mandatory security standard for any business handling credit card data. Non-compliance can result in fines of $5,000-$100,000+ per month, liability for fraud, and loss of your ability to accept credit cards.
Am I currently violating PCI-DSS?
If you store card photos on personal phones, email card images, keep paper forms with full card numbers, or store card data in spreadsheets or regular cloud storage—yes, you likely are. These are the most common violations in the rental industry.
How does Rentalyst make me compliant?
Rentalyst integrates with Stripe Connect, so card data is tokenized and stored in Stripe's PCI Level 1 infrastructure—never on your systems. Card images are processed client-side to mask sensitive data before storage.
Do I need Stripe Connect to use Rentalyst's CC Auth forms?
Yes. To ensure the highest security standards and PCI compliance, Stripe Connect is required for CC Authorization forms. This protects both you and your customers.
What if I already have a merchant account with another provider?
You can keep your existing merchant account for processing payments. Stripe Connect is used specifically for securely collecting and storing card authorizations—it's complementary to your existing payment setup.