What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for any business that accepts, processes, or stores card payments.
Created by: Visa, Mastercard, American Express, Discover, and JCB
Applies to: Every business that takes card payments - no exceptions
Purpose: Protect customer card data from theft and fraud
⚠️ Non-compliance can result in:
- Monthly fines: £50-200/month from your payment provider
- Account suspension: Loss of ability to accept cards
- Data breach liability: £10,000s in fines and legal costs
- Reputation damage: Customer trust destroyed
PCI Compliance Levels
| Level | Transaction Volume | Requirements |
|---|---|---|
| Level 1 | 6M+ transactions/year | Annual onsite audit by QSA (Qualified Security Assessor) |
| Level 2 | 1M-6M transactions/year | Annual SAQ + quarterly network scans |
| Level 3 | 20K-1M e-commerce transactions/year | Annual SAQ + quarterly network scans |
| Level 4 | Under 20K e-commerce OR under 1M total | Annual SAQ (most UK small businesses are here) |
💡 Good News: 95%+ of UK small businesses are Level 4, which has the simplest compliance requirements - usually just an annual questionnaire.
Self-Assessment Questionnaire (SAQ)
Most small businesses complete SAQ-A or SAQ-A-EP:
SAQ-A (Simplest - 22 questions)
For businesses that:
- Use payment terminals provided by their processor
- Don't store, process, or transmit card data on their systems
- Don't have online payments OR use fully outsourced solution
SAQ-A-EP (117 questions)
For businesses with:
- Online payments with partial e-commerce hosting
- Website payments that touch your server
How to Complete Your SAQ
- Your payment provider will send an annual reminder (usually by email)
- Log into their compliance portal
- Answer questions honestly (typically Yes/No/N/A)
- Submit attestation of compliance
- Keep copy for your records
Time required: 15-30 minutes for SAQ-A
💡 Pro Tip: Set a calendar reminder for 11 months from now. Complete it early to avoid last-minute fees.
The 12 PCI DSS Requirements (Simplified)
1. Install and Maintain Firewalls
What it means: Use a router/firewall to protect your business network
Action: Most modern routers include firewalls - ensure it's turned on. Change default password.
2. Don't Use Default Passwords
What it means: Change default passwords on all equipment
Action: Change passwords on: WiFi router, card terminal, EPOS system, computers
3. Protect Stored Cardholder Data
What it means: Don't store full card numbers
Action: NEVER write down card numbers. NEVER store CVVs. Use tokenization if needed.
4. Encrypt Transmission of Card Data
What it means: Card data must be encrypted when sent over networks
Action: Use modern terminals (they encrypt automatically). Use HTTPS for website (SSL certificate).
5. Use and Regularly Update Anti-Virus
What it means: Protect computers from malware
Action: Install antivirus on all computers. Enable automatic updates. Windows Defender is acceptable.
6. Develop and Maintain Secure Systems
What it means: Keep software updated
Action: Enable automatic updates for Windows, Mac, terminals, EPOS. Don't ignore update prompts.
7. Restrict Access to Card Data
What it means: Only authorized people handle card data
Action: Train staff. Don't share terminal PINs. Deactivate accounts when staff leave.
8. Assign Unique IDs to Users
What it means: Each staff member has own login
Action: No shared passwords. Each person has unique EPOS/system login.
9. Restrict Physical Access
What it means: Secure equipment from unauthorized access
Action: Lock terminals when closed. Don't leave terminals unattended. Secure back office.
10. Track and Monitor Access
What it means: Keep logs of who accessed what
Action: Most terminals log automatically. Review transaction reports monthly for anomalies.
11. Test Security Systems
What it means: Regularly check security is working
Action: Level 4: No action needed (provider handles). Higher levels: Quarterly scans required.
12. Maintain Security Policy
What it means: Document your security procedures
Action: Write simple policy: "We don't write down card numbers. We keep systems updated. We change passwords quarterly."
Simple Compliance Checklist for Small Businesses
- Use certified payment terminals - Buy/rent from reputable providers
- Never store full card numbers - Anywhere, ever
- Never write down CVV codes - It's illegal
- Use strong passwords - Min 12 characters, change every 90 days
- Keep WiFi secure - WPA3, strong password, separate guest network
- Update software regularly - Enable auto-updates
- Train staff - 15-minute security briefing annually
- Complete annual SAQ - Takes 20 minutes
- Secure physical equipment - Lock up terminals when closed
- Use HTTPS for website - SSL certificate (often free)
Common Compliance Mistakes
| Mistake | How to Fix |
|---|---|
| Writing card numbers on order forms | Use "Last 4 digits" only (e.g., **** **** **** 1234) |
| Emailing card details | NEVER email full card numbers or CVV. Use secure payment links instead |
| Using same WiFi for customers and payments | Create separate network for business systems |
| Ignoring software updates | Enable automatic updates, or update monthly |
| Not completing SAQ | Set annual reminder, complete within 1 week of reminder |
| Sharing terminal PINs | Each staff member gets unique login credentials |
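Requirement 3 ("don't store full card numbers") and the first row of the table above come down to one habit: anything that could reach a notes field, a spreadsheet or a log must only ever carry the last four digits. The following Python scrubber is an added example (not code from the page or from any PCI document); it finds Luhn-valid card numbers in free text and rewrites them in the page's `**** **** **** 1234` form. The order note and the 4111... test number are constructed sample data.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812), used to avoid masking order refs or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the 'last 4 digits only' form recommended on the page."""
    digits = re.sub(r"\D", "", pan)
    return "**** **** **** " + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """List every Luhn-valid card number still present in the text (a quick leak check)."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scrub_text(text: str) -> str:
    """Replace each Luhn-valid card number in notes or log lines with its masked form."""
    def _replace(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw                  # digits that fail Luhn are not a PAN; leave them
    return PAN_PATTERN.sub(_replace, text)


if __name__ == "__main__":
    # Constructed order note; 4111 1111 1111 1111 is a well-known test number, not a real card.
    note = "Customer 07700 900123 paid with 4111 1111 1111 1111 exp 12/29 ref ORDER-2024-000187"
    print(find_unmasked_pans(note))   # ['4111111111111111']
    print(scrub_text(note))
```

Run it over exported order notes or EPOS logs before they are archived or emailed; a non-empty result from `find_unmasked_pans` is the signal that full card numbers are being written down somewhere.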
PCI Compliance Fees
Many providers charge PCI compliance fees:
| Fee Type | Typical Cost | Can You Avoid It? |
|---|---|---|
| Annual compliance fee | £100-200/year | Sometimes included in package |
| Monthly compliance fee | £10-30/month | Waived if you complete SAQ on time |
| Non-compliance fee | £50-200/month | YES - complete your SAQ! |
💡 Save Money: Completing your SAQ on time typically waives monthly compliance fees - saving £120-360/year!
What to Do If There's a Data Breach
⚠️ Immediate Actions:
- Contain the breach - Disconnect affected systems
- Call your payment provider - Immediately (24/7 breach hotline)
- Preserve evidence - Don't delete logs or wipe systems
- Report to ICO (Information Commissioner's Office) - Within 72 hours if personal data exposed
- Notify affected customers - If card data was compromised
- Engage forensics - PCI Forensic Investigator (PFI) required for Level 1-2
- Implement fixes - Close security gaps
- Submit compliance report - Prove you've fixed issues
Potential costs of a breach:
- Forensic investigation: £5,000-£50,000
- Card reissuance costs: £3-5 per card
- Fines from card schemes: £5,000-£500,000
- Legal costs: £10,000-£100,000+
- Reputation damage: Priceless
💡 Prevention is Cheaper: Investing £500/year in proper security is far cheaper than a £50,000 breach.
Quick Reference: Am I Compliant?
You're likely compliant if you can answer YES to all:
- ✓ I use a certified payment terminal from my provider
- ✓ I don't store full card numbers anywhere
- ✓ I never write down or email card details
- ✓ My WiFi has a strong password
- ✓ My computers have antivirus software
- ✓ I keep all software up to date
- ✓ I completed my annual SAQ this year
- ✓ My staff know not to share card details
If you answered NO to any: Fix it immediately to avoid fees and security risks.
Helpful Resources
- PCI Security Standards Council: pcisecuritystandards.org
- UK Information Commissioner (ICO): ico.org.uk
- Action Fraud: actionfraud.police.uk (to report breaches)
- Your payment provider: Compliance support team
💡 Bottom Line: PCI compliance sounds complicated, but for most small UK businesses, it's actually simple: Use proper equipment, don't store card data, keep systems updated, and complete your annual questionnaire. That's 90% of it.