Written by Richard Sutherland. Reviewed by Vatsal Bhandari. Updated on 13 January 2026.

Getting a card reader is just one of several requirements for processing card payments. Before you can swipe, dip, or tap a customer’s card, you need to ensure your business has security measures in place to prevent card information from being stolen or misused.

The process of adopting these security measures is known as Payment Card Industry (PCI) compliance, and it is essential for every business that accepts card payments. Failure to achieve PCI compliance can result in severe penalties from your merchant account provider and leave your business exposed to data theft.

In this guide, we explain what PCI compliance involves, including the costs, consequences, and tips to ensure your business is fully compliant.

Key Takeaways

- PCI compliance involves meeting a set of 12 security standards to protect customers’ card data from theft. If your business accepts card payments in person, online, or over the phone, PCI compliance is mandatory.
- Businesses fall into one of four PCI compliance levels, Level 1 to Level 4, depending on their card transaction volume. Each level has its own requirements for validating PCI compliance.
- PCI compliance costs vary from a few hundred pounds to £40,000 per year, depending on the size of your business and your validation requirements.
- Failure to comply with PCI requirements can result in steep penalties and leave your business vulnerable to costly data breaches.
What Is PCI Compliance?

PCI compliance refers to a set of 12 security standards (detailed below) that businesses must adopt in order to accept card payments. They are designed to protect customers’ card information against hacks and data breaches.

The standards, formally known as the Payment Card Industry Data Security Standard (PCI DSS), are written by the PCI Security Standards Council, an organisation created in 2006 by Visa, Mastercard, American Express, Discover, and JCB. They are enforced by merchant account providers.

What Is PCI DSS 4.0.1?

PCI DSS version 4.0.1 is the current standard for securing payment card data, and any organisation that stores, processes, or transmits cardholder data should now align its controls with this version.

Published in June 2024, PCI DSS v4.0.1 superseded version 4.0, which was officially retired on 31 December 2024. On 31 March 2025, 51 requirements that had previously been treated as best practice became mandatory for applicable companies, including:

- Expanded multi-factor authentication (MFA): MFA is now generally required for access to the Cardholder Data Environment (CDE), not just for remote access or privileged administrators.
- Stronger password rules: Where systems support it, the minimum password length is now 12 characters, with an 8-character minimum permitted only where longer passwords are not technically feasible.
- Automated web protection: Public-facing web applications, such as ecommerce checkout pages, generally must have automated firewall protections rather than relying solely on periodic manual reviews.
- Script monitoring and control: To reduce the risk of “digital skimming” attacks, ecommerce merchants must authorise and monitor scripts executing on payment pages, ensuring only trusted scripts can run.

In short, the latest version of the standard tightened security requirements for businesses that handle card data.
Who Does PCI Compliance Apply To?

PCI compliance is required for all businesses that accept card payments in any form. Compliance applies if you:

- Take card payments in person using a card reader or point-of-sale system
- Take card payments online using a payment gateway
- Take card payments over the phone using a virtual terminal

Even if your business only processes a few card transactions per month, you must still be PCI compliant. PCI compliance is also required regardless of whether you store customers’ card information.

The 12 Standards of PCI Compliance

To be PCI compliant, your card payment system must meet the following 12 requirements:

1. Use firewalls: You must use a firewall on your corporate computer network. A firewall prevents unauthorised access to your network and serves as the first line of defence against the theft of customers’ card data.
2. Use strong passwords: You must not use the default password for software or equipment used to process card payments, such as routers, modems, and point-of-sale systems. In addition to changing the default passwords, you must maintain a list of all devices and software that rely on passwords for security.
3. Protect stored card data: Your business should only store the cardholder data that is essential for processing recurring transactions. Any card data you do store must be protected, for example with encryption, and you must have a plan for the safe disposal of data that is no longer needed.
4. Encrypt card data during transmission: When sending card data over public networks, such as sharing card information between devices, that data must be encrypted. Never send unencrypted card data by email, text, or a messaging app.
5. Use malware controls: You must use antivirus software on any devices that store customers’ card information and run periodic malware scans.
6. Maintain secure systems: You must have processes in place to identify and address software vulnerabilities. This could include installing updates, running antivirus scans, and requiring new passwords every few months.
7. Restrict access to cardholder data: Cardholder data should only be accessible to employees who need to view it for a specific purpose. You can assign varying levels of permissions to different users, and you must document who in your business has access to cardholder information.
8. Create a unique ID for each employee: Employees with access to a computer that stores card information (including your point-of-sale system) must have a unique login ID. You cannot use a single user ID and password that multiple employees share.
9. Restrict physical access to devices: Devices that store cardholder data should be kept in secure locations, such as a locked room or drawer. Consider using security systems like CCTV. You should also keep a log of access to physical storage devices such as hard drives.
10. Monitor access to cardholder data: You are required to use audit logs to track when cardholder information is accessed and by whom within your organisation.
11. Perform regular vulnerability tests: Update your device and password inventory, perform vulnerability scans, and test wireless access points at least once per quarter.
12. Document your security policies: You must have written documentation of your company’s security practices and policies for PCI compliance.

PCI Compliance Levels

While all businesses that process credit card payments must be PCI compliant, the requirements for proving compliance vary. For example, large businesses with high annual card transaction volumes are subject to more rigorous compliance checks than small businesses that only process a low number of card payments.

There are four PCI compliance levels, each with different validation requirements.

“Think of PCI levels as security milestones that become more important as the number of card transactions increases,” said Vatsal Bhandari, a Certified Anti-Money Laundering Specialist (CAMS).
“Level 4 is ideal for small businesses with fewer transactions, often involving a straightforward questionnaire and quarterly scans. Levels 3 and 2 are well-suited to growing companies and involve a few more formal steps. Level 1 is for the largest merchants processing millions of payments, which require annual audits by specialised firms.”

Level 1

For Visa and Mastercard, Level 1 applies to businesses that process more than six million card transactions per year. This level also includes companies that have suffered a data breach exposing cardholder information. American Express uses a lower threshold: 2.5 million or more Amex transactions annually.

To validate compliance, businesses in Level 1 must complete an independent, external PCI compliance audit, known as a Report on Compliance (ROC), at least once per year, as well as an Attestation of Compliance (AOC). They must also undergo quarterly network vulnerability scans by an external security vendor.

Level 2

Level 2 includes businesses that process between one and six million Visa and Mastercard card transactions per year. American Express sets this level at 50,000 to 2.5 million Amex transactions annually.

These businesses must undergo a quarterly network scan by an external security vendor and an annual internal evaluation via the Self-Assessment Questionnaire (SAQ). They must also complete the AOC.

Level 3

For Visa and Mastercard, Level 3 includes businesses that process between 20,000 and one million online card payments per year. American Express classifies Level 3 as 10,000 to 50,000 Amex transactions annually.

Businesses in Level 3 must undergo a quarterly network scan by an external security vendor and complete an annual self-assessment questionnaire.

Level 4

Level 4 includes businesses that process fewer than 20,000 online card payments per year, or up to one million card payments across all channels (for Visa and Mastercard). American Express sets Level 4 at fewer than 10,000 Amex transactions annually. Because the Amex thresholds are lower, high-volume Amex merchants may face stricter validation requirements than expected.

The Level 4 validation requirements are set by the acquiring bank or card network programme. Many banks require an annual SAQ and AOC, plus external quarterly scans of internet-facing systems. However, for lower-volume merchants (Levels 3 and 4), Mastercard does not require merchants to submit their compliance documents directly to Mastercard.

Cost of PCI Compliance

PCI compliance costs can vary widely depending on the size of your business, the PCI level you fall into, and the merchant account provider you choose.

In general, larger businesses will pay more for PCI compliance because they have larger networks that require more security measures. For instance, antivirus software for hundreds of computers costs more than for just a few. Similarly, quarterly network scans, required for all PCI levels, become more expensive the bigger your company’s network is.

Here is a rough guideline of PCI compliance costs based on PCI level, which correlates with business size:

- Level 1: £40,000 or more per year
- Level 2: £4,000 to £30,000 per year
- Level 3: £750 to £3,500 per year
- Level 4: £150 to £375 per year

Small businesses in Level 4 may be able to lean on their merchant account provider to achieve PCI compliance at no additional cost. For example, Square and Zettle both offer free PCI compliance assistance with your merchant account. Other merchant account providers offer access to PCI consultants, network scanning, and digital access controls for a small monthly fee.
Comparing PCI Compliance Levels

| Level | Transaction threshold (Visa/Mastercard*) | Key requirements | Cost estimates |
|---|---|---|---|
| Level 1 | More than 6 million annually | Annual ROC by QSA, quarterly ASV scans, AOC | £40,000+ |
| Level 2 | 1–6 million annually | Annual SAQ, quarterly ASV scans, AOC | £4,000–£30,000 |
| Level 3 | 20,000–1 million ecommerce annually | Annual SAQ, quarterly ASV scans, AOC | £750–£3,500 |
| Level 4 | Fewer than 20,000 ecommerce, or up to 1 million total | SAQ, quarterly scans if applicable, AOC | £150–£375 |

*American Express thresholds differ.

Consequences of Non-Compliance

Failure to meet PCI compliance requirements can result in fines from your merchant account provider. These are expensive, and they increase for every month your business remains out of compliance.

However, there is no fixed PCI fine structure. Card networks may impose escalating monthly penalties for non-compliance, which are typically passed on to the merchant under the contract. In practice, these penalties range from several thousand to tens of thousands of pounds per month, escalating with longer durations, higher risk, and the occurrence of a data breach.

Worse, repeated issues with PCI non-compliance can cause your merchant account to be suspended. If that happens, your business will no longer be able to accept card payments.

In addition to penalties for non-compliance, there are other potentially huge costs. For instance, if your business is hacked and suffers a data breach because of weak or non-compliant security measures, your customers may well lose trust in your business. It also puts your business at risk of costly lawsuits.

PCI non-compliance: a real-world example

“Non-compliance often develops gradually rather than suddenly,” Bhandari said. “It can be seen in small habits such as using outdated terminals, sharing login credentials, skipping critical security updates, or temporarily storing card numbers in spreadsheets.
Many merchants believe their account provider handles everything, but that isn’t always the case.”

Consider this fictional scenario based on common compliance failures. Sarah runs a boutique hotel in Manchester with 15 staff members. To save time, she allows employees to share a single login for the point-of-sale system. The hotel’s payment terminal software hasn’t been updated in over a year because “it still works fine.” One staff member keeps a spreadsheet of regular guests’ card details for convenience when booking repeat stays.

After a routine check by her acquiring bank, Sarah discovers that her business has been non-compliant for eight months. The monthly non-compliance fees have already accumulated to over £600. But the real blow comes when a malware infection is discovered on the hotel’s network. A forensic investigation (which Sarah must pay for) reveals that 340 customer card numbers were exposed.

The forensic investigation runs to £15,000. Her acquiring bank issues additional fines of £25,000. She is reclassified as a Level 1 merchant, meaning she will need expensive annual audits going forward. Several regular guests leave negative reviews after receiving fraud alerts on their cards. The hotel’s reputation takes months to recover, and Sarah estimates lost bookings cost her another £10,000 or more.

All of this stemmed from habits that seemed harmless: shared logins, skipped updates, and a helpful spreadsheet.

Choosing Between Self-Assessment and a Qualified Security Assessor

For many small businesses, deciding whether to complete a Self-Assessment Questionnaire (SAQ) or hire a Qualified Security Assessor (QSA) is confusing.

“Your choice largely depends on your specific circumstances, including the complexity, risk level, and how you handle card data,” Bhandari said. “If you use hosted checkout pages, terminals, or gateways where card data doesn’t touch your systems, an SAQ is usually sufficient. It’s a cost-effective solution for simpler configurations.”

However, he noted that “if you store, process, or transmit card data yourself, run custom integrations, or operate on a larger scale, consulting a QSA may be advisable. Although this incurs additional costs, it provides greater confidence and credibility with banks and other partners.”

Tips for Maintaining PCI Compliance

There are a few actions you can take to make PCI compliance easier.

- Get PCI compliance through your merchant account. Choose a merchant account provider that offers help with PCI compliance. Even if there is a monthly fee, it is well worth ensuring your business is compliant and safe from costly penalties.
- Implement strong digital hygiene. It is important to be diligent about your business’s cybersecurity. For example, always use strong passwords and require employees to change them frequently. Ensure software is up to date with the latest security patches. Educate employees about phishing and install monitoring software to detect unusual activity on your network.
- Use an end-to-end point-of-sale system. Using a point-of-sale system and card readers from a single hardware provider can make it easier to integrate equipment in a way that is PCI compliant. For example, hardware from a single provider is usually designed to keep data encrypted during transfer. If you mix and match different pieces of hardware and software to process payments, it is a good idea to hire a PCI consultant to ensure your configuration is secure.
- Limit what data you store. Only store card data that is essential for your business to operate smoothly. This can reduce the number of devices you need to manage for PCI compliance and your potential liability in the event of a data breach.

Verdict

PCI compliance is mandatory for all businesses that process debit and credit cards.
To maintain compliance, your business must meet 12 security standards designed to protect customers’ card data against data breaches.

Businesses must verify compliance through quarterly network scans and annual evaluations, with requirements varying based on annual transaction volume. While PCI compliance carries some costs, it is much cheaper than the penalties for non-compliance or dealing with a data breach.

For more information on accepting credit and debit cards at your business, check out our complete guide to taking card payments.

Written by: Richard Sutherland

Richard has more than 20 years of experience in business operations, computer science and full-stack development roles. A graduate in Computer Science and former IT support manager at Samsung, Richard has taught coding courses and developed software for both private businesses and state organisations. A prolific author in B2B and B2C tech, Richard’s work has been published on sites such as TechRadar Pro, ITProPortal and Tom’s Guide.

Reviewed by: Vatsal Bhandari, Finance Expert

Vatsal Bhandari is a Certified Anti-Money Laundering Specialist (CAMS) and a finance, legal, and research consultant with over five years of cross-border experience. He has a Master of Business Administration from Imperial College Business School in London and an LLM (Master of Laws) in Banking & Finance Law from the University of Edinburgh.

https://www.linkedin.com/in/vatsalbhandari/