July 17, 2025
You will know you are PCI compliant if you are signed up with a scanning vendor, you are receiving scan reports at least quarterly, and you are certifying your PCI attestation quarterly. The most common scanning vendors are SecureTrust and SecurityMetrics. Most Ace stores fall into Tier 3 for PCI compliance, which means you can self-attest. You must actually implement the controls you are attesting to. The items we most often find missing at Ace stores are:

1) An Information Security Policy
2) An Incident Response Plan
3) Annual and new-hire employee training
4) Network and Data Flow Diagrams
5) Anti-virus protection on all computers (not just Epicor computers)
6) Business email accounts