PCI Compliance for E-commerce & Online Stores (UK)
Selling online means card data is in play even if you never see it. Here's how PCI DSS applies to UK e-commerce, which SAQ you need, and how to keep it simple.
If you sell online, PCI DSS applies to you — even if a third-party gateway handles the actual payment and you never see a full card number. How you integrate that payment, though, makes an enormous difference to how much compliance work you face.
How your checkout decides your SAQ
The single biggest factor is whether card data ever touches your website. The two common e-commerce scenarios are:
- Redirect or hosted iframe — the customer enters card details on the provider's page, either by being redirected to it or through an iframe embedded in yours, so the data never reaches your servers. This is the simplest, lowest-risk option and usually qualifies for SAQ A — though an embedded iframe still sits on your page, so it remains a skimming target that a full redirect avoids.
- Direct-post / JavaScript integration — your page collects or influences the card data before it reaches the provider. This pulls you into the longer SAQ A-EP, with more requirements.
Choosing a hosted checkout is the easiest way to shrink your PCI scope. For how the questionnaires compare, see SAQ A vs SAQ D explained.
Watch out for web skimming
Even with a hosted checkout, attackers increasingly target online stores with 'Magecart'-style skimming scripts injected through compromised plugins or third-party code. PCI DSS v4.0 added requirements — mandatory since 31 March 2025 — for managing and monitoring the scripts on payment pages, which especially matter when you embed the provider's form in an iframe; see PCI DSS v4.0.1: what changed. Keeping your platform, themes and plugins updated is now part of staying compliant.
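The script-inventory and tamper-detection requirements described above are easiest to understand as a concrete check. The following Python is an added illustration, not code from this article or from any payment provider: it parses a payment page, compares every script it loads against an authorised inventory of URLs and content hashes, and reports anything unexpected. The page HTML, script bodies, URLs (all under the reserved `.test` domain) and inventory are constructed sample data; `script_bodies` stands in for whatever your monitor actually fetched from each script URL.

```python
"""
Payment-page script inventory check (added example, constructed data).

PCI DSS v4.0 asks merchants to keep an authorised inventory of the scripts
loaded on payment pages and to detect unauthorised changes to them. This
audits one page's HTML against such an inventory.
"""
import hashlib
from html.parser import HTMLParser


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collect every <script> element on the page: external src or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "inline": ""}

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data, so capture them here.
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html, script_bodies, external_inventory, inline_inventory):
    """
    html               : payment page as served to customers
    script_bodies      : {src: body} for external scripts, as fetched by a monitor
    external_inventory : {src: expected sha256 of the body} (authorised scripts)
    inline_inventory   : set of sha256 hashes of authorised inline scripts
    Returns a list of (finding_kind, identifier) tuples; empty means clean.
    """
    findings = []
    collector = _ScriptCollector()
    collector.feed(html)
    for script in collector.scripts:
        src = script["src"]
        if src:
            expected = external_inventory.get(src)
            if expected is None:
                findings.append(("unauthorised-external", src))
                continue
            body = script_bodies.get(src)
            if body is None:
                findings.append(("unfetched", src))
            elif sha256_hex(body) != expected:
                findings.append(("modified-external", src))
        else:
            digest = sha256_hex(script["inline"].strip())
            if digest not in inline_inventory:
                findings.append(("unauthorised-inline", digest[:12]))
    # A script that vanished from the page is also a change worth reviewing.
    seen = {s["src"] for s in collector.scripts if s["src"]}
    for src in external_inventory:
        if src not in seen:
            findings.append(("missing-expected", src))
    return findings


# --- constructed sample data (not real provider code) ---
PROVIDER_JS = "window.ProviderCheckout = { mount: function (el) { /* constructed stub */ } };"
ANALYTICS_JS = "window.track = function (e) { /* constructed stub */ };"
CONSENT_INLINE = "document.cookie = 'consent=1; path=/';"

SCRIPT_BODIES_BASELINE = {
    "https://js.example-provider.test/checkout.js": PROVIDER_JS,
    "https://shop.example.test/static/analytics.js": ANALYTICS_JS,
}
# The inventory is taken from a known-good baseline of the page.
EXTERNAL_INVENTORY = {src: sha256_hex(body) for src, body in SCRIPT_BODIES_BASELINE.items()}
INLINE_INVENTORY = {sha256_hex(CONSENT_INLINE)}

GOOD_PAGE = """<html><head>
<script src="https://js.example-provider.test/checkout.js"></script>
<script src="https://shop.example.test/static/analytics.js"></script>
<script>document.cookie = 'consent=1; path=/';</script>
</head><body><iframe src="https://js.example-provider.test/frame"></iframe></body></html>"""

# Same page after a hypothetical plugin compromise: one unknown external
# script, one unknown inline script, and the analytics file altered on disk.
TAMPERED_PAGE = GOOD_PAGE.replace(
    "</head>",
    '<script src="https://cdn.example-unknown.test/lib.js"></script>\n'
    "<script>/* constructed: inline code not in the inventory */</script>\n</head>",
)
TAMPERED_BODIES = dict(SCRIPT_BODIES_BASELINE)
TAMPERED_BODIES["https://shop.example.test/static/analytics.js"] = (
    ANALYTICS_JS + "\n/* constructed: appended content */"
)

if __name__ == "__main__":
    print("baseline:", audit_payment_page(GOOD_PAGE, SCRIPT_BODIES_BASELINE,
                                          EXTERNAL_INVENTORY, INLINE_INVENTORY))
    print("tampered:", audit_payment_page(TAMPERED_PAGE, TAMPERED_BODIES,
                                          EXTERNAL_INVENTORY, INLINE_INVENTORY))
```

In practice this runs on a schedule against the live checkout page, with every finding raised to whoever owns the site, and the inventory is updated only through your change process. It complements, rather than replaces, browser-side controls such as a Content Security Policy and Subresource Integrity attributes on the scripts you do authorise.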
Practical steps for an online store
- Use a reputable payment provider with a hosted checkout where possible.
- Never store card numbers in your database, order emails or logs.
- Keep your e-commerce platform, plugins and themes patched.
- Complete the correct SAQ (usually A or A-EP) and any required scan.
- Validate with your acquirer each year.
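The rule never to keep card numbers in your database, order emails or logs is simple to state but easy to break by accident, usually through a debug log of a gateway request. The Python below is an added example (not from this article) of a safety net for a log or email pipeline: it finds digit runs that look like a card number, confirms them with the Luhn check that real PANs satisfy, and masks all but the last four digits. The log lines are constructed; the test card number 4111111111111111 is a widely published Luhn-valid test value, not a real card.

```python
"""
PAN detection and redaction for log lines and outbound emails
(added example, constructed data).

This is a backstop: the primary control is not writing card data at all.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. Timestamps and short IDs never qualify.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check that every valid PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str):
    """
    Replace every Luhn-valid candidate in `text` with a mask showing only the
    last four digits. Returns (redacted_text, number_of_redactions).
    Roughly one in ten random digit runs passes Luhn, so a long order or
    tracking number can occasionally be masked too; that is the safe direction.
    """
    count = 0

    def _mask(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            count += 1
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)

    return PAN_CANDIDATE.sub(_mask, text), count


def scrub_lines(lines):
    """Apply redact_pans to each line; returns (clean_lines, total_redactions)."""
    clean, total = [], 0
    for line in lines:
        redacted, n = redact_pans(line)
        clean.append(redacted)
        total += n
    return clean, total


# Constructed sample log lines from an imaginary shop.
SAMPLE_LOG = [
    "2025-04-01T10:00:00Z order=1234567890123456 status=paid",
    "2025-04-01T10:00:01Z DEBUG gateway request card=4111111111111111 exp=12/27",
    "2025-04-01T10:00:02Z DEBUG retry card='4111 1111 1111 1111'",
    "2025-04-01T10:00:03Z INFO customer phone=+44 20 7946 0958",
]

if __name__ == "__main__":
    cleaned, total = scrub_lines(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print("redactions:", total)
```

Run against a real log stream, a non-zero redaction count is itself a finding: it tells you which component is writing card data and needs fixing, because a PAN that was redacted after being written may already sit in backups and shipped log copies.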
If you'd rather not work out the details, our free assessment identifies your SAQ from your setup, and our managed service takes care of the rest.