Businesses accepting card payments must be Payment Card Industry (PCI) compliant to maintain customer trust and security. This guide sets out the facts.
Any business that accepts credit or debit card payments from customers is handling sensitive personal and financial information, so it’s vital that this data is protected and unauthorised access is prevented.
To do that, businesses must comply with the Payment Card Industry Data Security Standard (PCI DSS), and ensure they also comply with the new version of PCI DSS that will be introduced on 31 March 2024.
PCI DSS ensures that cardholder data is dealt with securely and isn’t compromised by cyber security breaches such as malware attacks that could impact the business and the customer.
The business becomes a member of the payment network operator’s scheme through an agreement with that operator, and that agreement typically requires the business to be PCI DSS compliant. This is how a business becomes subject to PCI DSS.
What does PCI DSS require?
The standard consists of the following six goals and 12 requirements:
Build and maintain a secure network and systems:
- install and maintain a firewall configuration to protect cardholder data
- do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data:
- protect stored cardholder data
- encrypt the transmission of cardholder data across open, public networks.
Maintain a vulnerability management program:
- protect all systems against malware and regularly update antivirus software or programs
- develop and maintain secure systems and applications.
Implement strong access-control measures:
- restrict access to cardholder data only to approved and necessary data processors
- identify and authenticate access to system components
- restrict physical access to cardholder data.
Regularly monitor and test networks:
- track and monitor all access to network resources and cardholder data
- regularly test security systems and processes.
Maintain an information security policy:
- maintain a policy that addresses information security for all personnel.
Who needs to be PCI compliant?
Compliance with PCI DSS is mandatory for any organisation that accepts or processes payment cards.
This is likely to be due to a contractual obligation between the business and their network operator requiring PCI DSS compliance. PCI DSS is not law.
It applies to all businesses, from the smallest e-commerce start-ups processing a few hundred card transactions each year to large international brands attracting millions of card payments annually.
The level of assessment that needs to be carried out to ensure the rules are followed varies according to the organisation’s size.
More details are outlined in the ‘getting started with PCI compliance’ section below.
PCI compliance and the law
Compliance with PCI DSS is not an official legal requirement in the UK, but by accepting card payments from customers, it is mandatory under the contract a business enters into with the card issuer.
Businesses must also follow UK data protection regulations.
Failure to comply with PCI DSS could result in fines which are imposed until the business can prove it is compliant.
They range from $5,000 to $100,000 (around £4,000 to £80,000) a month, depending on the company’s size and the scale of the non-compliance.
Fines are usually imposed on the bank, which then passes them on to the business.
In addition, a bank may penalise a non-compliant business by raising card transaction fees or terminating its account, while the company could also be in breach of UK data protection law.
Breaches of UK data protection law could result in fines and penalties from the Information Commissioner’s Office (ICO).
For the most severe data breaches, the ICO can issue fines of up to £17.5 million or 4% of global annual turnover.
Getting started with PCI compliance
To prove your PCI compliance, there are various steps you need to take.
These vary according to the size of your business and the number of card transactions you process each year.
The thresholds may vary depending on the card brand, but the four levels are generally as follows:
- level 1: Merchants processing more than six million card transactions
- level 2: Merchants processing between one and six million transactions
- level 3: Merchants processing 20,000 to one million transactions
- level 4: Merchants processing fewer than 20,000 transactions.
Levels 2, 3 and 4 involve completing an annual self-assessment questionnaire (SAQ).
Answering the questions will highlight whether you need to act to ensure you comply with PCI DSS.
There are several types of SAQs. The one you need to use depends on how you process payment card information. The official PCI DSS guidance outlines the SAQs as follows:
- SAQ validation 1 (SAQ type A) – Card-not-present (e-commerce, mail order or telephone order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants
- SAQ validation 2 (SAQ type B) – Imprint-only merchants with no cardholder data storage
- SAQ validation 3 (SAQ type B) – Standalone dial-up terminal merchants, no cardholder data storage
- SAQ validation 4 (SAQ type C) – Merchants with payment application systems connected to the internet, no cardholder data storage
- SAQ validation 5 (SAQ type D) – All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a Card brand as eligible to complete an SAQ.
You should contact your bank or card issuer to check if you are eligible or required to submit an SAQ, and if so, which SAQ you should complete.
If your business deals with many card transactions, you may need to employ the services of a qualified security assessor (QSA) to check you are PCI-compliant.
These security experts are accredited by the PCI Security Standards Council and perform on-site assessments to check compliance.
You can find a list of QSAs here.
When selecting a qualified security assessor, you should choose one with a strong understanding of your business and the sector in which you operate, and with experience of assessing the security of similar organisations.
You may also need to use an approved scanning vendor (ASV), who checks whether an organisation meets the PCI DSS external scanning requirements and whether it is vulnerable to cyber security attacks.
You can find a list of ASVs here.
PCI compliance for business
Offering card payments is a necessity for most modern businesses.
Customers want convenience and speed when making purchases, and access to paying by card could be the difference between making a sale and losing a potential customer.
Security is a concern though, and with cybercriminals consistently looking for vulnerabilities, businesses must take the necessary steps to ensure PCI compliance and protect customers’ personal details and their own operations.
Thinking of starting a business? Check out our free online courses in partnership with the Open University on being an entrepreneur.
- Entrepreneurship – from ideas to reality
- First steps in innovation and entrepreneurship
- Entrepreneurial behaviour
Plus free courses on finance and accounting, project management, and leadership.
Reference to any organisation, business and event on this page does not constitute an endorsement or recommendation from the British Business Bank or the UK Government. Whilst we make reasonable efforts to keep the information on this page up to date, we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. The information is intended for general information purposes only and does not take into account your personal situation, nor does it constitute legal, financial, tax or other professional advice. You should always consider whether the information is applicable to your particular circumstances and, where appropriate, seek professional or specialist advice or support.