Understanding PCI-DSS Compliance in 2026
We cover everything you need to know to ensure your business is PCI-DSS compliant, and how to stay compliant.
Updated: April 2026
PCI Compliance in the UK in 2026
PCI Compliance in the UK: What Every Business Must Know in 2026
Card payments are the lifeblood of modern UK business. Whether you’re running a high-street shop, an online store, or taking payments at farmers’ markets with a mobile reader, cards drive revenue and keep customers happy. But here’s the catch: every time you accept a card payment, you’re handling sensitive data that criminals would love to get their hands on. That’s where PCI DSS comes in, and ignoring it could cost you everything.
What Exactly is PCI-DSS Compliance?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a global security framework created by the major card schemes including Visa, Mastercard, American Express, Discover and JCB.
The purpose of PCI DSS is simple. It sets rules that businesses must follow to protect cardholder data and reduce the risk of fraud and data breaches. If your business accepts card payments in any form, PCI DSS applies to you. This includes in store terminals, ecommerce checkouts, mobile card readers, phone payments and subscription billing. Even if you use a third party provider to process payments, responsibility for compliance still sits with your business.
Why PCI Compliance Matters to Your Business
Many business owners see compliance as an administrative task, but PCI DSS plays a much bigger role in protecting your operation.
Protecting Your Business from Serious Risk
Data breaches are not limited to large corporations. Small and medium sized businesses are frequently targeted because they often have weaker security controls.
A breach involving card data can trigger regulatory investigations, legal costs, forensic audits and in severe cases the loss of your merchant account. Without the ability to accept card payments, many businesses struggle to survive.
Avoiding Costly Penalties
Non compliance often leads to higher processing fees, monthly penalty charges or fines imposed by card schemes. If a breach occurs while your business is non compliant, financial penalties can escalate quickly.
British Airways was fined £20 million following its 2018 data breach. Ticketmaster UK received a £1.25 million fine after failing to secure customer payment data. These cases demonstrate how costly weak data protection can be.
Maintaining Customer Trust
Customers assume their card details are safe when they pay. A breach damages trust instantly and recovery can take years. In competitive markets, reputational damage can be more harmful than financial loss.
Who Needs To Be Compliant?
Every business that accepts card payments must comply with PCI DSS.
This applies to sole traders using mobile card machines, ecommerce stores processing online payments, cafes with countertop terminals and service businesses taking payments over the phone. The difference lies in how complex compliance requirements are, not whether they apply.
The Four Levels of PCI Compliance
PCI DSS classifies all merchants into four compliance levels, depending on the number and type of card transactions they process annually. These levels determine how rigorous your validation requirements will be and whether you can self-assess or need formal audits.
Understanding which level you fall into is crucial, as it directly impacts your reporting obligations and the tools or services you’ll need to stay compliant.
Level 1: Over 6 Million Transactions Annually
This is the highest level and applies to large scale merchants processing over six million Visa or Mastercard transactions per year, either in store or online. It also applies to any merchant that has suffered a data breach or is deemed high risk by a card network, regardless of volume.
What’s required?
Annual on-site audit conducted by a Qualified Security Assessor (QSA)
Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
A formal Attestation of Compliance (AOC)
Detailed penetration testing and risk assessments
Who does this apply to?
Major retailers, airlines, hotel chains, large online marketplaces, and enterprises with extensive physical and ecommerce operations.
Level 2: Between 1-6 Million Transactions Annually
This level includes businesses processing between 1 million and 6 million card transactions per year. These merchants don’t require an on-site audit unless requested by their acquirer, but they must still provide strong evidence of compliance.
What’s required?
Annual Self-Assessment Questionnaire (SAQ)
Quarterly vulnerability scans by an ASV
Annual Attestation of Compliance (AOC)
Common examples:
Mid-sized ecommerce platforms, regional retail chains, and growing service businesses with high card turnover.
Level 3: Between 20,000 and 1 Million E-commerce Transactions
Level 3 is specific to businesses processing between 20,000 and 1 million online (e-commerce) card transactions annually. It does not include face to face or manually keyed transactions, making this level common for digital first businesses.
What’s required?
Annual SAQ (typically SAQ A or A-EP, depending on integration type)
Quarterly vulnerability scans (if applicable)
AOC signed by a company officer
Typical merchants:
Online subscription services, independent e-commerce retailers, SaaS platforms, digital booking tools.
Level 4: Fewer than 20,000 Ecommerce or Up to 1 Million Total Transactions
Level 4 is the broadest category and includes the majority of UK small businesses. It applies to merchants processing:
Fewer than 20,000 ecommerce transactions annually, or
Up to 1 million total card transactions across all channels (in-person, online, mail order, etc.)
What’s required?
Annual SAQ (usually a shorter version such as SAQ B or C-VT)
Vulnerability scans only if required by your acquirer or integration setup
No formal audits unless requested
Examples:
Independent cafés, hair salons, sole traders with mobile readers, market vendors, small retailers, and freelancers.
The 12 Core PCI DSS Requirements Explained
PCI DSS is built around twelve core security requirements, which are grouped into six broader control objectives. Together, these requirements form a framework designed to protect cardholder data at every stage of a transaction.
You do not need to be a security expert to comply, but you do need to understand how these requirements apply to your business and which parts your payment provider handles versus what you are responsible for.
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration
Firewalls act as the first line of defence between your internal systems and external threats. Any system that touches card payments must be protected by properly configured firewalls to prevent unauthorised access.
Requirement 2: Do not use vendor supplied default passwords or settings
Default usernames, passwords, and security settings are well known to attackers. Businesses must change these immediately on routers, terminals, servers, and software to reduce exposure.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Businesses should avoid storing cardholder data wherever possible. If data is stored, it must be encrypted, masked, or tokenised. Sensitive authentication data such as CVV numbers must never be stored.
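What Requirement 3 looks like in code, as an added example that is not part of this page or of Payments World's own systems: the full PAN is validated, replaced by a random token held in a separate store, kept only in masked form for display, and the CVV is discarded rather than written anywhere. The card number (a well-known test number), the in-memory vault and the field names are all constructed for the demonstration.

```python
"""Added example (not from the page or Payments World): handling a card
number the way Requirement 3 expects - validate it, keep only a masked
form for display, swap the full PAN for a random token held in a
separate store, and refuse to persist sensitive authentication data.
The card number, the in-memory 'vault' and the field names are
constructed for this demonstration."""
import re
import secrets

# Fields PCI DSS calls sensitive authentication data; they must never be
# kept after authorisation, so the storage record simply drops them.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cid", "pin", "track_data"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the most PCI DSS
    allows staff without a need to see the full PAN); the rest become '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for a tokenisation service: the only place the full PAN
    lives. Application records hold the token, never the PAN itself."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)   # random, unrelated to the PAN
        self._by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._by_token[token]


def prepare_for_storage(payment: dict, vault: TokenVault) -> dict:
    """Turn a raw checkout submission into the record that is safe to keep.
    Raises on an invalid PAN; silently discards CVV, PIN and track data."""
    pan = re.sub(r"\D", "", payment["pan"])
    if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
        raise ValueError("PAN failed format or Luhn check")
    record = {k: v for k, v in payment.items()
              if k != "pan" and k.lower() not in SENSITIVE_AUTH_FIELDS}
    record["pan_token"] = vault.tokenise(pan)
    record["pan_masked"] = mask_pan(pan)
    return record


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed checkout form using a well-known Visa test number, not a real card.
    form = {"pan": "4111 1111 1111 1111", "expiry": "12/27",
            "cvv": "123", "name": "A Customer"}
    print(prepare_for_storage(form, vault))
```

The stored record contains only the token, the masked number and the non-sensitive fields; anything that needs the real PAN (a refund, for instance) goes back through the vault, which is the one component that stays fully in PCI scope.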
Requirement 4: Encrypt transmission of cardholder data across open networks
Any card data transmitted over public or open networks must be encrypted using strong cryptography. This applies to online payments, virtual terminals, and any remote connections.
Maintain a Vulnerability Management Programme
Requirement 5: Protect all systems against malware
Antivirus and anti-malware software must be installed, maintained, and regularly updated on systems that handle or connect to card payments.
Requirement 6: Develop and maintain secure systems and applications
Software must be kept up to date with security patches. Vulnerabilities in outdated plugins, operating systems, or applications are one of the most common causes of breaches.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Only staff who absolutely require access to payment systems should have it. Permissions must be limited based on job role.
Requirement 8: Identify and authenticate access to system components
Every individual with system access must have a unique ID. Shared logins are not permitted. Strong passwords and authentication controls are required.
Requirement 9: Restrict physical access to cardholder data
Physical security matters as much as digital security. Servers, terminals, and paperwork containing payment information must be protected from unauthorised access.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Systems must log activity so suspicious behaviour can be detected. This helps identify breaches quickly rather than months later.
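A small illustration of what "log activity so suspicious behaviour can be detected" means in practice, added here and not taken from the page or from Payments World. It reviews access log lines from a system holding cardholder data for three things the requirements above describe: a user whose role has no need to know reading card data (Requirement 7), a shared or multi-location login (Requirement 8), and repeated failed logins (Requirement 10). The log format, the user directory, the role names and the log lines themselves are constructed for the example.

```python
"""Added example (not from the page or Payments World): reviewing access
logs from a system that holds cardholder data, in the spirit of
Requirements 7, 8 and 10. Log format, users, roles and log lines are
all constructed for this demonstration."""
from collections import defaultdict
from datetime import datetime

# Roles allowed to read card data (Requirement 7: need to know). Assumed.
CARD_DATA_ROLES = {"payments_ops", "fraud_analyst"}

# Constructed user directory: account -> role. "till" is a generic shared login.
USERS = {"alice": "payments_ops", "bob": "marketing", "till": "shared"}

# Constructed log lines: timestamp user source_ip action resource result
SAMPLE_LOG = """\
2026-04-02T09:00:07Z bob 10.0.2.9 READ card_vault OK
2026-04-02T09:00:01Z alice 10.0.1.5 READ card_vault OK
2026-04-02T09:01:10Z till 10.0.3.1 LOGIN - OK
2026-04-02T09:01:12Z till 10.0.3.2 LOGIN - OK
2026-04-02T09:02:00Z mallory 10.0.4.4 LOGIN - FAIL
2026-04-02T09:02:03Z mallory 10.0.4.4 LOGIN - FAIL
2026-04-02T09:02:05Z mallory 10.0.4.4 LOGIN - FAIL
"""


def parse_line(line: str) -> dict:
    """Split one space-separated log line into a dict with a real timestamp."""
    ts, user, ip, action, resource, result = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "action": action,
            "resource": resource, "result": result}


def review_access_log(text: str, failed_login_threshold: int = 3) -> list[tuple[str, str, str]]:
    """Return (finding_type, user, detail) tuples for the events that need
    a human to look at them. Events are processed in time order."""
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    login_sources = defaultdict(set)   # user -> set of source IPs that logged in
    failed_logins = defaultdict(int)   # user -> count of failed logins

    for e in events:
        role = USERS.get(e["user"], "unknown")
        # Requirement 7: card data read by a role with no need to know
        if e["resource"] == "card_vault" and e["result"] == "OK" and role not in CARD_DATA_ROLES:
            findings.append(("need_to_know", e["user"], f"role '{role}' read cardholder data"))
        if e["action"] == "LOGIN":
            if e["result"] == "OK":
                login_sources[e["user"]].add(e["ip"])
            else:
                failed_logins[e["user"]] += 1

    # Requirement 8: shared accounts, or one account used from several places
    for user, ips in login_sources.items():
        if USERS.get(user) == "shared" or len(ips) > 1:
            findings.append(("shared_account", user, f"successful logins from {len(ips)} addresses"))

    # Requirement 10: repeated authentication failures worth an alert
    for user, n in failed_logins.items():
        if n >= failed_login_threshold:
            findings.append(("repeated_failed_logins", user, f"{n} failed logins"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_access_log(SAMPLE_LOG):
        print(f"{kind:24} {user:8} {detail}")
```

Real deployments feed the same logic from a central log store and keep the raw lines immutable; the point of the example is that the rules are only as good as the role directory and the logging coverage behind them.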
Requirement 11: Regularly test security systems and processes
Businesses may need to conduct vulnerability scans or penetration testing depending on their compliance level. This ensures defences remain effective over time.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Businesses must have documented security policies covering data protection, staff responsibilities, incident response, and acceptable use of systems. Staff should receive basic security awareness training.
Understanding PCI Compliance Fees
For many businesses, PCI compliance fees appear on monthly statements without much explanation. These charges often raise questions: What exactly are you paying for? Is the fee justified? Can it be avoided?
The truth is, PCI fees are not one size fits all, and understanding how they work can help you avoid unnecessary costs while ensuring your business remains secure and compliant.
What Do PCI Compliance Fees Actually Cover?
These fees typically fund the infrastructure and services that help you meet the Payment Card Industry Data Security Standard (PCI DSS). Common inclusions are:
Compliance Portals
Access to online platforms that guide you through your required Self-Assessment Questionnaire (SAQ), track your compliance progress, and provide status updates for acquirers.
Vulnerability Scanning Tools
Some fees include quarterly external vulnerability scans, which are mandatory for many businesses and must be conducted by an Approved Scanning Vendor (ASV).
Security Infrastructure Maintenance
This includes firewalls, tokenisation, encryption services, and fraud prevention tools your payment processor may maintain on your behalf to meet PCI standards.
Customer Support & Guidance
Dedicated phone or chat support to help you complete your SAQ, respond to acquirer queries, or interpret scan results.
Ongoing Monitoring & Alerts
Some providers include breach detection systems, alerts, or dashboard notifications to flag potential compliance risks in real time.
How Providers Handle PCI Fees Differently
There are three common approaches payment processors use:
Bundled Compliance
Some providers include PCI support services in their overall pricing. There is no separate line item charge, but you’re still paying for compliance through your general processing fees.
Itemised PCI Fees
Others break out a specific monthly or annual PCI compliance charge. This may range from £5 to £30 per month, depending on the level of service provided. It’s important to check what’s included.
Merchant Self Managed Compliance
A few providers offer minimal or no support and place the entire responsibility on the merchant. If you’re non-compliant, they may charge penalty fees (often called “non compliance fees”) until the issue is resolved.
Non Compliance Fees: The Silent Penalty
If your business fails to complete its PCI requirements, you may be hit with monthly non compliance fees, which can range from £15 – £100+, depending on your provider and acquirer. These are in addition to your normal processing charges.
Worse still, these fees may accumulate silently for months if you’re unaware your compliance status has lapsed. Some merchants only discover them when reconciling accounts or switching providers. Some banks and ISOs also treat these fees as a source of income: both profit from non compliance, so while they officially want you to be compliant, you are unlikely to be chased or advised on how to become compliant.
Are PCI Fees Worth Paying?
Not necessarily. The key question isn’t “Am I paying a fee?” but rather “What level of support and protection am I getting for what I pay?”
A cheap provider that leaves you to handle everything yourself might cost you more in the long run through:
Fines for non-compliance
Increased risk of data breaches
Time lost navigating compliance portals with no help
On the other hand, a processor that includes full SAQ support, scanning, and breach assistance in the fee can save you thousands in risk reduction and operational efficiency.
How To Avoid PCI Compliance Overcharges
Review your statements carefully to identify PCI related charges or penalties.
Ask your provider what the fee includes. If it only buys access to a portal, you may not be getting good value.
Choose a provider that simplifies compliance. Many acquirers Payments World partners with offer low cost or bundled solutions with built in support and minimal admin.
What Happens If You Ignore PCI Compliance?
Ignoring PCI compliance is far more than a technical mistake. It represents a serious commercial and financial risk for any UK business that accepts card payments. Whether you operate a physical shop, an online store, or use mobile card machines, failure to meet PCI DSS requirements can expose your business to significant penalties and long‑term damage.
One of the most immediate consequences of PCI non‑compliance is higher payment processing costs. Acquiring banks and payment processors view non‑compliant merchants as higher risk. As a result, they may increase transaction fees, apply risk surcharges, or move your account onto less favourable pricing structures. Over time, this can significantly erode profit margins, particularly for small and medium sized businesses.
Many providers also apply ongoing non‑compliance penalties. These are often charged monthly until compliance is restored and can quickly add up. In some cases, businesses are charged simply for failing to complete a Self Assessment Questionnaire, even if no security incident has occurred.
A more severe outcome is merchant account suspension or termination. Acquirers have the right to withdraw payment services if a business repeatedly fails to meet PCI requirements. Losing the ability to accept card payments can be catastrophic, especially in a market where customers increasingly expect contactless and digital payment options. For many businesses, card payments represent the majority of revenue.
The risks become even greater if a data breach occurs while your business is non‑compliant. In this scenario, card schemes such as Visa and Mastercard can impose substantial fines. These penalties are often higher for businesses that cannot demonstrate compliance at the time of the incident, as this is seen as negligence rather than bad luck.
Beyond card scheme fines, businesses may face legal action from customers, claims from partners, and investigations by regulatory bodies. Under UK data protection laws, including GDPR, inadequate protection of payment data can lead to enforcement action and additional financial penalties.
Perhaps the most damaging consequence is reputational harm. Customers trust businesses to protect their payment details. A breach linked to poor card payment security can destroy that trust overnight. Rebuilding confidence after a security incident is difficult, costly, and in some cases impossible. Lost customers, negative press coverage, and reduced future sales often follow.
For small and medium sized enterprises, these combined risks can be devastating. Many businesses never fully recover after losing payment facilities or suffering a major data breach. PCI compliance should therefore be seen not as an optional requirement, but as a fundamental part of running a secure, professional and sustainable card‑accepting business in the UK.
Real Examples of PCI Failures
Real world incidents show exactly what can happen when businesses fail to protect cardholder data or take PCI compliance seriously. These cases are not theoretical risks. They are well documented events that resulted in significant financial penalties, legal action, and lasting reputational damage.
British Airways (2018)
In one of the most high profile payment data breaches in the UK, British Airways suffered a cyberattack that compromised the personal and payment information of hundreds of thousands of customers. Attackers were able to intercept card details during the online checkout process due to weaknesses in security controls. The Information Commissioner’s Office fined British Airways £20 million under GDPR regulations. Investigations highlighted failures in data protection practices, and PCI compliance shortcomings were a contributing factor. Beyond the fine, the airline faced civil claims, customer distrust, and long term brand damage.
Ticketmaster UK
Ticketmaster UK was penalised after attackers exploited vulnerabilities in a third party chatbot used on its website. The integration allowed customer payment data to be harvested without adequate safeguards in place. As a result, Ticketmaster received a £1.25 million fine from the ICO. This case reinforced a key PCI principle: outsourcing payment functionality does not remove responsibility. Merchants remain accountable for ensuring that third party providers meet security and PCI DSS requirements.
Equifax
Although Equifax is a US based company, the scale of the breach makes it one of the most cited examples of poor data security and resulted in an £11m fine. The company failed to patch a known software vulnerability, which led to the exposure of personal and financial information for approximately 147 million people. The fallout included hundreds of millions of pounds in fines, settlements, and remediation costs. The breach demonstrated how ignoring basic security practices can escalate into a global crisis, regardless of company size or reputation.
These examples underline a critical point for UK businesses. PCI non-compliance is not limited to small traders or large corporations. Any organisation that processes, stores, or transmits cardholder data is vulnerable if security controls are weak or outdated. Card payment security failures often have consequences far beyond fines, including lost customers, disrupted operations, and long term loss of trust.
Taking PCI compliance seriously is not just about meeting card scheme rules. It is about protecting your business, your customers, and your future ability to accept card payments safely and reliably.
PCI Compliance for Online Businesses
If your business operates online, whether you run a small e-commerce shop or a large digital marketplace, PCI DSS compliance is not optional. In fact, the requirements for online merchants are often more rigorous because of the increased exposure to cyber threats and the complex flow of cardholder data across digital platforms.
Online businesses are directly responsible for securing every part of their payment environment. This includes:
SSL Encryption:
All pages that handle payment data must be protected by a valid SSL/TLS certificate, ensuring that data is encrypted during transmission. A secure checkout page is essential not just for compliance, but also for customer trust.
Regular Updates and Patching:
Your e-commerce platform, themes, plugins and extensions must be updated frequently to prevent exploitation of known vulnerabilities. Outdated software is a common entry point for attackers.
Data Storage Practices:
Cardholder data should never be stored unless absolutely necessary. The safest option is to avoid storing it altogether. If your system stores even a fragment of this data, your PCI scope and risk increase significantly.
Third Party Integrations:
From shopping carts to analytics tools, any third-party plugins or services you use must be securely integrated. They should also be updated regularly and verified to meet PCI standards.
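The "SSL Encryption" point above and Requirement 4 (encrypt transmission of cardholder data) come down to one thing in code: the connection from your checkout or back end to the payment provider must only negotiate strong TLS with a verified certificate. The following is an added example, not code from this page or from Payments World, showing a client-side TLS configuration that enforces that, plus a helper that grades a negotiated connection. The connection summaries it checks are constructed; treating TLS 1.1 as unacceptable alongside SSL and TLS 1.0 is this example's assumption.

```python
"""Added example (not from the page or Payments World): the client-side
TLS configuration behind 'encrypt transmission of cardholder data'
(Requirement 4) and the 'SSL encryption' checkout point, with a helper
that grades a negotiated connection. Connection summaries are
constructed for this demonstration."""
import ssl

# Protocol versions not accepted as strong cryptography. SSL and TLS 1.0
# were retired by the standard; treating TLS 1.1 the same way is this
# example's assumption (ASV scans flag it as well).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Substrings that mark a cipher suite as weak for this check.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def make_client_context() -> ssl.SSLContext:
    """Context for talking to a payment gateway: TLS 1.2 or newer, the
    host name checked, and the certificate chain verified against the
    system trust store. create_default_context() already sets the last
    two; they are set again explicitly so the intent is visible."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def grade_connection(protocol: str, cipher: str, cert_verified: bool) -> list[str]:
    """Return the reasons a negotiated connection would fail Requirement 4
    (an empty list means it is acceptable). protocol and cipher are the
    strings SSLSocket.version() and SSLSocket.cipher()[0] report."""
    problems = []
    if protocol in WEAK_PROTOCOLS:
        problems.append(f"protocol {protocol} is not strong cryptography")
    if not cert_verified:
        problems.append("server certificate was not verified")
    upper = cipher.upper()
    if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
        problems.append(f"cipher suite {cipher} is weak")
    return problems


if __name__ == "__main__":
    ctx = make_client_context()
    print("minimum TLS version:", ctx.minimum_version.name, "| verify:", ctx.verify_mode.name)
    # Constructed connection summaries, one good and one that fails on all counts
    print(grade_connection("TLSv1.3", "TLS_AES_256_GCM_SHA384", True))
    print(grade_connection("TLSv1", "RC4-SHA", False))
```

Use the context from make_client_context() for every outbound connection that carries card data (for example as the ssl_context argument of an HTTPS client); the grading helper is the kind of check to run against the connection details your integration actually negotiates, rather than assuming the defaults are safe.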
One of the best ways to reduce your PCI compliance burden as an e-commerce business is to use hosted payment pages or redirect payment gateways, such as Stripe Checkout, PayPal Smart Payment Buttons, or Shopify Payments. These providers process and store sensitive data on your behalf, drastically minimising your PCI scope.
However, using a third party processor does not remove your responsibility entirely. You still need to:
Determine which Self-Assessment Questionnaire (SAQ) applies to your payment method
Complete and submit the SAQ annually to validate your compliance
Ensure that any integration between your website and the payment provider is implemented securely and maintained properly
Failing to do so not only puts your business at risk but could also lead to penalties or payment service interruptions. By following PCI-DSS best practices and choosing the right technology partners, online merchants can ensure secure, seamless payment experiences for their customers, while staying fully compliant.
Mobile Payments and PCI Compliance
Mobile payments have become essential for many UK businesses, particularly sole traders, mobile service providers, tradespeople, and market vendors. With compact card readers and smartphone apps, accepting payments on the go has never been easier, but convenience doesn’t remove the need for compliance.
PCI DSS still applies to businesses using mobile card readers, and it’s crucial to ensure your setup meets the necessary security standards.
Key Compliance Considerations for Mobile Payments:
Certified Devices:
Always use hardware that is PCI PTS (PIN Transaction Security) certified. Devices from reputable providers like Zettle, SumUp, Square, Dojo, and Teya meet these standards and are pre-configured for secure payments.
End to End Encryption:
The mobile reader and app should encrypt cardholder data immediately upon entry. This ensures that no unencrypted data is stored or transmitted, which is a critical PCI requirement.
No Local Data Storage:
Your phone or tablet should never store sensitive cardholder data. Apps should be configured to avoid saving customer information locally, reducing the risk if the device is lost or stolen.
App Security:
Always use the official apps provided by your payment provider. These apps are regularly updated to patch vulnerabilities and ensure PCI compliance. Avoid using jailbroken or rooted devices, which can compromise app security.
Secure Network Use:
Accept payments on secure, private Wi-Fi or mobile networks. Public or open Wi-Fi connections increase the risk of data interception.
Device Updates:
Keep your mobile OS, payment app, and security software up to date. Updates often include essential security fixes that help maintain compliance.
Using PCI-Compliant Mobile Providers
Most mobile payment providers build compliance into their offering. Providers like those supported by Payments World offer fully certified hardware, compliant software, and encrypted payment processing out of the box, which significantly reduces your burden. However, it’s still your responsibility to ensure your business processes, device usage, and staff behaviours align with PCI DSS standards. Mobile doesn’t mean exempt, but done right it can mean easier.
PCI DSS Version 4.0: What’s New for 2026?
As of March 2025, PCI DSS version 4.0 is the new standard that all UK businesses accepting card payments must follow. It replaces the previous version 3.2.1, and brings some significant changes designed to modernise card data security and give businesses more flexibility in how they achieve compliance.
If your business hasn’t yet transitioned, 2026 is the year to act: enforcement is already underway.
Key Changes in PCI DSS v4.0:
1. Stronger Authentication Requirements:
Multi-factor authentication (MFA) is now required in more places, not just for admin access, but for anyone accessing systems with cardholder data. This change protects against compromised credentials, a leading cause of breaches.
2. Focus on Continuous Security Monitoring:
Gone are the days of “once a year compliance.” The new version promotes ongoing monitoring, threat detection, and real time logging. This means your business must implement tools and policies that regularly assess security, not just during an annual review.
3. Risk-Based Customisation Options:
PCI DSS 4.0 introduces a customised approach for meeting requirements. Instead of following only predefined controls, businesses can design their own controls, provided they meet the intent of the requirement and prove their effectiveness. This is especially useful for larger or more complex businesses.
4. Improved Password and Access Controls:
The new standard enforces stricter password practices. Legacy requirements like changing passwords every 90 days have been replaced with longer, more secure passwords and policies that encourage stronger, less guessable credentials.
5. Better Clarity for E-Commerce and Cloud Setups:
The updated framework includes clearer guidance on securing third-party services, cloud hosting, and modern e-commerce stacks. This is especially relevant for online merchants using platforms like Shopify, WooCommerce, or custom-built checkout systems.
Why Version 4.0 Matters
The shift to PCI DSS 4.0 reflects the evolving threat landscape. Cybercrime is more sophisticated, and static, checkbox-based compliance isn’t enough. The new standard aims to create a culture of active security management, where businesses continuously assess, improve and document their defences.
For most UK SMEs, the core requirements haven’t changed drastically, but the expectation for evidence, documentation and diligence has increased.
If you’re unsure whether your business meets the new standard, Payments World can help assess your current setup and guide you through the transition.
How Payments World Supports PCI Compliance
At Payments World, we understand that PCI compliance can feel like a complex and time consuming burden, especially for small businesses without in house technical teams. That’s why we don’t just sell payment solutions, we help you stay compliant, secure, and confident. Here’s how we make PCI compliance easier for UK businesses in 2026:
Smart Provider Matching:
Not all payment providers offer the same level of PCI support. We match you with acquiring banks and processors that offer bundled compliance tools, reduced PCI fees, or built in secure infrastructure that simplifies your obligations. This means you’re not just choosing based on cost, you’re choosing based on long term stability and protection.
SAQ Identification & Support:
The Self Assessment Questionnaire (SAQ) is a key part of annual compliance for most SMEs. We help you understand which version applies to your payment setup, for example whether you’re using:
A fully hosted payment gateway
An e-commerce integration with third-party tools
A virtual terminal
Just a mobile card reader
We then guide you through completion, so you’re not left second guessing your answers.
Access to Scanning & Monitoring Tools:
If your business requires quarterly vulnerability scans (common for those handling cardholder data on their own systems), we can point you toward Approved Scanning Vendors (ASVs) and ensure you understand the results. We also help you respond to findings and stay on track.
For larger businesses, we assist with broader monitoring frameworks and logging strategies in line with PCI DSS 4.0.
Ongoing Compliance Guidance:
The compliance landscape changes and PCI DSS v4.0 is proof of that. Payments World keeps our clients up to date with any changes, emerging threats, or new requirements, so you’re never caught off guard. As part of our broader service offering, we also support compliance in other areas like SCA (Strong Customer Authentication), 3D Secure, PSD2 regulations, Tokenisation and encryption standards.
Whether you’re a sole trader, retail chain, or e-commerce startup, our team is here to reduce your risk, protect your business, and keep you compliant without adding unnecessary costs.
Frequently Asked Questions
Yes. Even if you’re using a third-party gateway or hosted checkout, you’re still responsible for ensuring that setup is PCI compliant. These providers reduce your compliance burden, but you must still complete the relevant Self-Assessment Questionnaire (SAQ) and maintain secure integrations.
An SAQ is a tool used by merchants to validate their PCI DSS compliance. There are several types, depending on how your business accepts payments (e.g., online, via virtual terminal, mobile card reader, etc.). Payments World can help you determine which SAQ applies to your setup.
Some providers offer bundled pricing that includes PCI support, eliminating separate compliance fees. Others charge monthly PCI fees, especially if you’re not compliant. Payments World can help match you with providers who offer low or no PCI fees, depending on your setup.
Yes. PCI DSS applies to any business that processes, transmits, or stores cardholder data, even briefly. Even if you don’t store the data, if it’s handled by your systems (e.g. through a checkout page), you’re still in scope for compliance.
