What Is PCI DSS? Compliance Guide

A practical guide to PCI DSS for UK merchants — what it means, why it matters, and how to achieve compliance without the jargon.

What does PCI DSS stand for?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements designed to protect cardholder data wherever it is processed, stored, or transmitted. The standard applies to every organisation that handles payment card information — from a single-terminal corner shop to a multinational retailer.

PCI DSS is not a law. It is a contractual obligation enforced by the card schemes (Visa, Mastercard, American Express, Discover, and JCB) through the acquiring banks that process your payments. If you accept card payments, you are required to comply — regardless of your business size or the number of transactions you process.

Why does PCI DSS exist?

In the early 2000s, card fraud was rising sharply as more transactions moved online and payment systems became interconnected. Each card scheme had its own security programme, creating a fragmented landscape that was confusing for merchants and ineffective at preventing breaches.

In 2004, Visa, Mastercard, American Express, Discover, and JCB came together to form the Payment Card Industry Security Standards Council (PCI SSC). They unified their individual security programmes into a single standard: PCI DSS version 1.0.

The standard has been updated regularly since then. The current version is PCI DSS v4.0.1, which was released in June 2024. Each update reflects evolving threats, new technologies, and lessons learned from real-world breaches. The goal remains the same: to reduce card fraud by ensuring that businesses handle cardholder data securely.

What are the 12 PCI DSS requirements?

PCI DSS is organised around 12 core requirements, grouped into six control objectives. Here is a plain-English summary of each:

Build and maintain a secure network

  1. Install and maintain network security controls (firewalls, access control lists) to protect cardholder data from unauthorised access.
  2. Do not use vendor-supplied default passwords or security settings. Change all defaults before deploying any system.

Protect account data

  3. Protect stored cardholder data. If you must store card numbers, encrypt them. Better yet, do not store them at all.
  4. Encrypt cardholder data when transmitting it across open or public networks (e.g. the internet).

Maintain a vulnerability management programme

  5. Protect all systems and networks from malware. Use and regularly update anti-virus/anti-malware software.
  6. Develop and maintain secure systems and software. Apply security patches promptly.

Implement strong access control

  7. Restrict access to cardholder data to only those individuals whose job requires it (need-to-know basis).
  8. Identify users and authenticate access. Every person with access must have a unique ID.
  9. Restrict physical access to cardholder data. Secure terminals, servers, and paper records.

Regularly monitor and test networks

  10. Log and monitor all access to network resources and cardholder data. Maintain audit trails.
  11. Test security systems and processes regularly, including vulnerability scans and penetration testing.

Maintain an information security policy

  12. Maintain a security policy that addresses information security for all personnel. Train staff on their responsibilities.

What are the 4 PCI DSS compliance levels?

The card schemes categorise merchants into four levels based on annual transaction volume. Your level determines how you validate compliance.

Level   | Annual transactions                                            | Validation required
Level 1 | Over 6 million                                                 | Annual on-site audit by a QSA + quarterly network scan by an ASV
Level 2 | 1–6 million                                                    | Annual SAQ + quarterly ASV scan
Level 3 | 20,000–1 million (e-commerce)                                  | Annual SAQ + quarterly ASV scan
Level 4 | Fewer than 20,000 (e-commerce) or up to 1 million (all other)  | Annual SAQ (scan may be required by acquirer)

The vast majority of UK small and medium businesses fall into Level 4. This means your compliance obligation is typically limited to completing an annual self-assessment questionnaire (SAQ) and ensuring your payment systems are secure. It is far simpler than many merchants expect.

How do UK businesses achieve PCI DSS compliance?

For Level 2, 3, and 4 merchants, compliance is validated by completing the appropriate Self-Assessment Questionnaire (SAQ). The SAQ you need depends on how you accept and process card payments:

  • SAQ A — E-commerce merchants who fully outsource all payment processing to a PCI-compliant third party. No cardholder data touches your systems.
  • SAQ B — Merchants using standalone, dial-out card terminals with no electronic cardholder data storage. The most common SAQ for face-to-face businesses.
  • SAQ B-IP — Merchants using IP-connected (internet) payment terminals. Slightly more requirements than SAQ B because the terminal communicates over the internet.
  • SAQ C — Merchants with payment application systems connected to the internet but no electronic cardholder data storage.
  • SAQ D — All other merchants. This is the most comprehensive questionnaire with over 300 questions. Required when cardholder data is stored electronically.

The key takeaway: the less contact you have with cardholder data, the simpler your compliance requirements. Using a PCI-compliant terminal from a reputable provider and never storing card numbers yourself means you can usually complete SAQ B or SAQ B-IP in under an hour.

Common PCI DSS myths debunked

Myth: "I'm too small to need PCI compliance."

Reality: PCI DSS applies to every business that accepts card payments, regardless of size. Small businesses are actually targeted more often by fraudsters because their security is typically weaker.

Myth: "PCI compliance means I'm fully secure."

Reality: Compliance is a baseline, not a guarantee. It establishes minimum security standards. Businesses should treat PCI DSS as a foundation and build additional security practices on top of it.

Myth: "My payment processor handles PCI for me."

Reality: Your payment processor is responsible for their own PCI compliance. You are responsible for yours. However, using a PCI-compliant terminal significantly reduces your scope and simplifies compliance.

Myth: "PCI compliance is a one-time thing."

Reality: Compliance must be validated annually. Security controls must be maintained continuously. A business that was compliant last year is not automatically compliant this year.

Myth: "I only need PCI if I store card numbers."

Reality: PCI DSS applies to anyone who processes, stores, or transmits cardholder data. Even if you never store a card number, you are still processing data when you take a card payment.

What happens if you are not PCI DSS compliant?

Non-compliance exposes your business to two types of risk: financial penalties and breach liability.

Monthly non-compliance fees

Most acquiring banks charge a monthly surcharge (typically £30–£50) to merchants who have not completed their annual SAQ. This fee is applied until compliance is validated.

Card scheme fines

Visa and Mastercard can impose fines of £5,000 to £100,000+ per month on acquiring banks for non-compliant merchants. These fines are passed on to the merchant.

Breach investigation costs

If a breach occurs, you may be required to pay for a forensic investigation by a PCI Forensic Investigator (PFI). Costs typically range from £10,000 to £50,000.

Card reissue liability

If cardholder data is compromised, the card schemes may charge you for the cost of reissuing affected cards. This can run into tens of thousands of pounds.

Loss of card acceptance

In severe cases, the card schemes can revoke your ability to accept card payments entirely. For most businesses, this would be existential.

Reputational damage

A publicised data breach erodes customer trust. Rebuilding confidence after a breach is far more expensive than preventing one.

PCI compliance made simple

United Payments provides PCI DSS Level 1 certified terminals with end-to-end encryption. We handle the security, so you can focus on running your business. No PCI non-compliance fees, no complexity.

Frequently Asked Questions

Yes. Any business that accepts, processes, stores, or transmits cardholder data must comply with PCI DSS, regardless of size or method. However, if you use a PCI-compliant terminal and never store card data yourself, your compliance requirements are minimal. You would typically complete SAQ B or SAQ B-IP, which are the simplest self-assessment questionnaires.

For most small businesses, the cost is minimal. Completing a self-assessment questionnaire (SAQ) is free. Some payment processors include PCI compliance support in their service. If you need vulnerability scanning (required for e-commerce), quarterly scans from an Approved Scanning Vendor (ASV) typically cost £100–£300 per year. Level 1 merchants requiring a full on-site audit can expect costs of £10,000–£50,000+.

If cardholder data is compromised, the card schemes (Visa, Mastercard) can impose fines on your acquiring bank, which will pass them to you. Fines typically range from £5,000 to £100,000+ depending on the severity. You may also face forensic investigation costs (£10,000–£50,000), card reissue costs, and legal liability. Non-compliant merchants face significantly higher penalties than compliant ones.

An SAQ (Self-Assessment Questionnaire) is a validation tool for merchants and service providers to self-evaluate their PCI DSS compliance. There are several types: SAQ A (e-commerce with fully outsourced payment page), SAQ B (card-present terminals with no electronic data storage), SAQ B-IP (IP-connected terminals), SAQ C (payment application systems), and SAQ D (all others). Your payment processor can help you determine which SAQ applies to your business.

PCI DSS compliance must be validated annually. This means completing the appropriate SAQ every 12 months. If your business requires vulnerability scanning, scans must be conducted quarterly (every 90 days) by an Approved Scanning Vendor. Compliance is not a one-off exercise — it is an ongoing commitment to maintaining secure practices.

Get Started

Ready to Transform Your Business?

Call us directly or fill out the form — we'll find the perfect solution for you.

0333 567 3568

Free consultation call

Next-day setup

Get up and running in 24 hours

No lock-in contracts

Flexible terms, cancel anytime

24/7 UK support

Real people, real help
