PCI DSS Compliance in the UK: The Complete Guide

Everything a UK business needs to understand PCI DSS — what it is, who it applies to, the requirements, merchant levels, SAQ types, costs and the latest v4.0.1 changes — plus the fastest route to getting compliant.

What is PCI DSS?

PCI DSS — the Payment Card Industry Data Security Standard — is a global set of security rules that protect customers' card details. It is maintained by the PCI Security Standards Council, founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB). Any business that stores, processes or transmits cardholder data is expected to comply.

For a plain-English primer, read "What is PCI DSS compliance?"

Who needs to be PCI compliant?

Almost every business that accepts card payments — from a single-terminal café to a national retailer. Using a card machine or an outsourced checkout does not remove the obligation; it usually just makes compliance simpler.

See "Do I need PCI compliance if I only use a card machine?" and "PCI compliance for small UK businesses".

The 12 PCI DSS requirements

PCI DSS is built around six goals and twelve requirements — in business terms: secure your network, protect (or avoid storing) card data, encrypt data in transit, keep software patched, restrict access to those who need it, authenticate users, control physical access, log and monitor activity, test your security regularly, and maintain a security policy.

  • Build and maintain a secure network
  • Protect stored cardholder data — ideally store none
  • Encrypt cardholder data across open networks
  • Keep software patched and manage vulnerabilities
  • Restrict access on a need-to-know basis
  • Regularly monitor, test and document security, and maintain a security policy

Merchant levels 1–4

Your merchant level is set by annual card transaction volume and decides how you validate. Level 1 (6M+ transactions) needs a formal audit by a Qualified Security Assessor; Levels 2–4 generally validate with a Self-Assessment Questionnaire. Almost every small UK business is Level 4 (under 20,000 e-commerce transactions a year). See "PCI DSS merchant levels explained".

SAQ types — and the costly mistake

There are several Self-Assessment Questionnaires. SAQ A (around 30 questions) is for fully outsourced e-commerce; SAQ D (around 250 questions) is the catch-all for anyone handling or storing card data. Many businesses complete SAQ D when a far shorter SAQ would have been valid. Read "Which SAQ do I need? SAQ A vs SAQ D explained".

What PCI compliance costs

For most small UK businesses, compliance costs a small, predictable annual amount — far less than the non-compliance fees acquirers add when you don't validate. See "How much PCI compliance costs in the UK" and "What's that PCI fee on your statement?" Ignoring it carries real risk — see "PCI non-compliance fines".

PCI DSS v4.0.1 — what changed

PCI DSS v4.0.1 is now the only active version, and a set of previously "best practice" controls became mandatory on 31 March 2025. It shifts from a rigid checklist toward outcome-based security. Full detail in "PCI DSS v4.0.1: what changed and the 2025 deadline".

How to get compliant

Map how card data flows through your business, complete the correct SAQ, fix any gaps, run a scan if required, and file your validation with your acquirer — then repeat annually. A fully managed service does all of this for you, usually within 24 hours.

Frequently asked questions

Is PCI DSS compliance a legal requirement in the UK?

PCI DSS is not a UK law, but it is a contractual requirement from your bank or payment provider. If you take card payments you agreed to it, and non-compliance can mean monthly fees, higher breach liability and ultimately losing the ability to take cards.

Do small businesses need to be PCI compliant?

Yes. PCI DSS applies to any business that accepts card payments, including sole traders and businesses with a single card machine. Most small UK businesses are Level 4 merchants and validate with a Self-Assessment Questionnaire.

How much does PCI compliance cost in the UK?

For most small businesses it is a small annual amount — Fraud Defence First charges a flat £100 + VAT per year. Costs rise for businesses that store card data or must complete the full SAQ D.

How long does it take to become PCI compliant?

With a managed service, most merchants are validated within 24 hours once their payment setup is understood and the correct SAQ is identified.

Ready to get compliant?

Take the free assessment to find your SAQ, or talk to a specialist and be validated — often within 24 hours.