PCI Compliance Guide: Everything You Need to Know


PCI compliance is important for businesses that operate with card readers as it ensures transactions are kept safe and secure. Being PCI compliant protects your customers from fraud and ensures your reputation as a business is upheld.

This is no mean feat considering fraud now accounts for 41% of all crimes committed in England and Wales, according to a parliamentary report published in March 2023, with costs to individuals estimated at £4.7 billion a year by the Home Office.

In this guide, we take you through everything you need to know about PCI compliance, including the levels of compliance, the costs associated, and the steps you need to take in order to comply. You’ll also discover whether your business must be PCI compliant and, if so, what you could incur should you fail to do so. To find all that out, just head below.


What is PCI compliance?

PCI stands for payment card industry. PCI compliance is required by credit card companies to help protect credit card transactions.

Businesses have certain standards and procedures they must follow to be PCI compliant, and most payment providers, such as SumUp and Square, come with built-in PCI compliance.

A few, such as Retail Merchant Services, will require you to complete the process yourself to become PCI compliant. Some providers will also offer compliance at an extra cost, such as Worldpay, which charges £29.99 per year for PCI compliance.

What is needed for PCI compliance?

There are 12 PCI compliance requirements. These are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel
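Requirement 3 (protect stored cardholder data) and requirement 10 (track and monitor access) are where most small businesses slip up in practice, usually by letting a full card number end up in a log file or a spreadsheet. The following is an added example, not code from this guide or from any provider named in it: a short Python log scrubber that recognises a card-number-like run of digits with the Luhn checksum and replaces it with the first-six/last-four masked form that PCI DSS permits for display. The sample log line is constructed for the example, and the field names in it are invented.

```python
"""Added example: redact card numbers (PANs) from log lines before they are stored.

Illustrates PCI DSS requirement 3 (protect stored cardholder data). The masked
format (first six and last four digits visible) is the display format PCI DSS
permits; the regex and sample data are assumptions made for this example.
"""
import re


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so only the first six and last four digits remain."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13 to 19 digits, optionally separated by single spaces or hyphens, ending on a digit
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN-like number in a log line with its masked form.

    Digit runs that fail the Luhn check (order numbers, phone numbers) are left alone.
    """
    def repl(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw

    return PAN_CANDIDATE.sub(repl, line)


# Constructed sample line: the PAN is a well-known Visa test number, not a real card.
SAMPLE_LINE = "2024-01-05 10:22:13 checkout user=u42 pan=4111 1111 1111 1111 amount=19.99"

if __name__ == "__main__":
    print(scrub_line(SAMPLE_LINE))
```

Run this on the log stream before it reaches disk; anything written afterwards is then in scope only for the masked value, not the full number. The Luhn check keeps false positives down, but it is a filter, not proof: a scrubber like this is a safety net behind the real fix, which is not handling the full card number in your own systems at all.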

Does it apply to you?

If your business accepts any kind of card payment, you need to be PCI compliant. Do you use a small business credit card machine to take face-to-face payments? A virtual terminal to do business over the phone? Or maybe a payment gateway for online transactions?

If you answered ‘yes’ to any of these, then we repeat – yes, your business needs to be PCI compliant. PCI standards also apply to:

  • Electronic Point of Sale (EPOS) systems
  • Paper-based records of payment card data
  • Online shopping carts and payment applications
  • Wireless access routers and store networks

PCI compliance levels

There are four levels of PCI compliance, and your business will have to comply with one of them. Which level you fall under is worked out based on a few factors, including:

  • The size of your business
  • The amount of card payments you take every year (volume)
  • How you take these card payments (method)

If you take credit or debit cards from any of the PCI DSS card brands (Visa, Mastercard, American Express, JCB, and Discover), then you need to stay PCI compliant. What your requirements are – and the expected costs – can be found in the table below.

Level 1
Who does it apply to?
  • Sellers that process more than 6 million transactions per year
  • Sellers that suffered a data breach which led to the compromise of account info
Cost of staying compliant: £50,000+ per year

Level 2
Who does it apply to?
  • Sellers that process between 1 million and 6 million transactions per year
Cost of staying compliant: £8,000 to £40,000 per year

Level 3
Who does it apply to?
  • Sellers that process between 20,000 and 1 million ecommerce transactions per year
Cost of staying compliant: £1,000+ per year

Level 4
Who does it apply to?
  • Sellers that process less than 20,000 ecommerce transactions per year
  • All other sellers that process up to 1 million transactions per year
Cost of staying compliant: £60+ per month

Which PCI compliance level are you?

PCI Level 1

Level 1 is for businesses that process more than 6 million payments a year, so it’s basically just for large companies. As you can imagine, this level of PCI compliance is the most expensive; it comes with extra hardware and software costs to meet the standard, plus the fees involved with training an internal auditor.

To comply, businesses must complete an annual self-assessment questionnaire (SAQ) and undergo quarterly scans by an Approved Scanning Vendor (ASV).

Validation requirements

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA) or internal auditor
  • Quarterly network scan by an ASV
  • Attestation of Compliance Form

PCI Level 2

Level 2 is for businesses processing between 1 million and 6 million payments a year. To comply, businesses must complete an annual self-assessment. They will also get a quarterly ASV scan, plus an on-site assessment.

Validation requirements

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Level 3

Level 3 refers to businesses that take between 20,000 and 1 million ecommerce payments annually. Level 3 compliance involves an annual self-assessment, as well as a quarterly ASV security scan.

Validation requirements

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Level 4

Level 4 refers to businesses that process up to 20,000 payments a year via ecommerce, or up to 1 million payments via other channels.

Validation requirements

  • Annual SAQ recommended
  • Quarterly network scan by ASV, if applicable
  • Compliance validation requirements set by merchant bank

Did You Know?

72% of global businesses don’t meet minimum PCI compliance requirements. Are you one of them?

How do I stay compliant?

Earning (and maintaining) PCI compliance can be an elaborate and time-consuming process. How easy it is to do also depends on your business’ size, sales volume, and the current technology you have in place for payment security.

Among other things, PCI compliance may involve:

  • Completing annual self-assessment questionnaires
  • Implementing security controls
  • Hiring consultants to install hardware and anti-virus software
  • Building a firewall to protect cardholder data
  • Encrypting any cardholder data moving along public networks
  • Restricting access to data
  • Regularly monitoring and testing networks
  • Maintaining an information security policy

All this can add up to a long list of costs. And that’s on top of what you’re already paying in merchant account fees. That’s the bad news.

The good news, though, is that many merchant account providers can handle your PCI compliance requirements for you. This usually comes with a fee, but some providers offer PCI compliance for free when you choose to take payments through them.

The cost of PCI compliance

The more card transactions you take, the more expensive it is to stay compliant. PCI compliance is much easier to manage for smaller businesses, and sometimes comes with no cost at all.

That’s right – some providers, including Zettle (formerly iZettle), Square POS, and Handepay card payment solutions, will handle your PCI compliance for free. Another provider, Stripe, is PCI certified – which is a more stringent standard than compliance – and also provides this security for no extra fee. Its systems already include anti-fraud and encryption features, so you don’t have to worry about them.

Many other merchant account suppliers will charge a fee for PCI compliance. Thankfully, it’s not massive, usually clocking in between £30 and £60 per year for small businesses. We recommend paying the fee that comes with PCI compliance. It’s just a few pounds a month, and it’ll help you avoid any PCI non-compliance fees.

This table gives a quick example of what you might pay your merchant account provider to keep you PCI compliant:

Provider        Monthly fee
Clover          £4.99
Lloyds          £5.50
Barclaycard     £4.80 to £15
Worldpay        £2.50

These fees are intended as guidelines only. 

The cost of non-compliance

Non-compliance with PCI standards is bad news, and merchants that don’t comply face big fines. If your business doesn’t comply, your merchant bank could face a fine upwards of £3,000. Your bank will then pass this fine down until it reaches your business.

Non-compliance stands to hit you in more than just the wallet. Your bank could also choose to terminate your account, and your customers could lose faith in your ability to keep their card data safe. You could also face a potential forensic audit, and an investigation into your business.

The moral of the story? Stay compliant!

Did You Know?

Only 28% of organisations have achieved full PCI compliance.

Next steps

PCI DSS may not be the easiest thing to understand (or the easiest acronym to remember), but it can be easy to comply with.

If you currently take card payments, talk to your merchant account provider to make sure you’re PCI compliant. Make sure you know exactly what fees you’re paying (if any) to stay compliant, too.

If you’re not accepting card payments right now, you should be – and we can help. Just fill out our quote comparison form to get merchant account quotes from the top suppliers. It’s free, takes less than a minute, and makes it easy for you to compare tailored quotes from providers that reflect the unique needs of your business.

FAQs

What do you mean by ‘cardholder data’?
Cardholder data is the information relating to the credit or debit card your customer pays with. It refers specifically to the cardholder’s name, the card’s expiry date, and the three-digit security code on the back.
What is a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?
The SAQ is a checklist provided by the PCI Security Standards Council. You fill it in yourself, to see if you’re ticking all the boxes – kind of like a tax return, but for PCI compliance. It measures between 19 and 87 pages, and the length of time it takes to complete will depend on the size of your business and your sales volume.
Do I need to fill one out?
This depends on which merchant account supplier you work with. If your PCI compliance is managed by your provider (either for free, or at a cost) then no, you’re fine. But if you’ve chosen to manage your own PCI compliance, you’ll need to fill out an SAQ every year.
What is an Approved Scanning Vendor (ASV)?
The PCI DSS requires bigger businesses to run internal and external vulnerability scans of their systems. These scans provide important information that helps identify and improve any weak areas in a company’s network.

The ASV, then, is the agent appointed to conduct this scan on behalf of the business that's seeking PCI compliance.

Is PCI compliance required by law in the UK?
PCI compliance is not required by law. However, it is enforced through a contractual agreement between merchants, banks or card issuers, and the payment processor.


Written by:
Rob Binns
Reviewed by:
Ruairi