PCI Compliance Guide 2022: Everything You Need to Know

Don’t stand by, you must comply: the how and why of PCI. Read on for our ultimate guide to understanding and embracing the nuances of PCI DSS in the UK.

PCI compliance. As a merchant accepting card payments (or thinking about it!), you’ve probably already heard the term a lot. And rightly so – it’s hugely important for protecting your customers’ data, and helping cut out fraud. But what does PCI mean, and how do you comply?

In this guide, we’re breaking down all you need to know about PCI compliance. What it is, how it relates to your business, and what the costs are for complying (or, if you’re feeling brave, not complying!).

So read on, as we bust the jargon and answer your biggest PCI compliance questions. We’re also breaking down those pesky industry acronyms, starting with…

PCI – what does it stand for?

PCI is the quick way of saying PCI DSS, which stands for Payment Card Industry Data Security Standard. It’s an information security standard that all businesses that accept card payments must adhere to.

PCI is there not only to protect your customers’ information, but to help keep you safe, too. By staying PCI compliant, you help safeguard your business from data breaches and costly fraudulent transactions.

Does it apply to you?

If your business accepts any kind of card payment, you need to be PCI compliant. Do you use a small business credit card machine to take face-to-face payments? A virtual terminal to do business over the phone? Or maybe a payment gateway for online transactions?

If you answered ‘yes’ to any of these, then we repeat – yes, your business needs to be PCI compliant. PCI standards also apply to:

  • Electronic Point of Sale (EPOS) systems
  • Paper-based records of payment card data
  • Online shopping carts and payment applications
  • Wireless access routers and store networks

PCI compliance levels

There are four levels of PCI compliance, and your business will have to comply with one of them. Which level you fall under is worked out based on a few factors, including:

  • The size of your business
  • The amount of card payments you take every year (volume)
  • How you take these card payments (method)

If you take credit or debit cards with any of the PCI DSS credit card brands (Visa, Mastercard, American Express, JCB, and Discover), then you need to stay PCI compliant. What your requirements are – and the expected costs – can be found in the table below.


Level 1

Who does it apply to?

  • Sellers that process more than 6 million transactions per year
  • Sellers that suffered a data breach or attack which led to the compromise of account info

Cost of staying compliant: £50,000+ per year

Level 2

Who does it apply to?

  • Sellers that process between 1 million and 6 million transactions per year

Cost of staying compliant: £8,000 to £40,000 per year

Level 3

Who does it apply to?

  • Sellers that process between 20,000 and 1 million ecommerce transactions per year

Cost of staying compliant: £1,000+ per year

Level 4

Who does it apply to?

  • Sellers that process less than 20,000 ecommerce transactions per year
  • All other sellers that process up to 1 million transactions per year

Cost of staying compliant: £60+ per month

Which PCI compliance level are you?

PCI Level 1

Level 1 is for businesses that process more than 6 million payments a year, so it’s basically just for large companies. As you can imagine, this level of PCI compliance is the most expensive; it comes with extra hardware and software costs to meet the standard, plus the fees involved with training an internal auditor.

To comply, businesses must complete an annual self-assessment questionnaire (SAQ), and undergo quarterly scans by a PCI Approved Scanning Vendor (ASV).

Validation requirements

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA) or internal auditor
  • Quarterly network scan by an ASV
  • Attestation of Compliance Form

PCI Level 2

Level 2 is for businesses processing between 1 million and 6 million payments a year. To comply, businesses must complete an annual self-assessment. They also get a quarterly ASV scan, plus an on-site assessment.

Validation requirements

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Level 3

Level 3 refers to businesses that take between 20,000 and 1 million ecommerce payments annually. Level 3 compliance involves an annual self-assessment, as well as a quarterly ASV security scan.

Validation requirements

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

PCI Level 4

Level 4 refers to businesses that process up to 20,000 payments a year via ecommerce, or up to 1 million payments via other channels.

Validation requirements

  • Annual SAQ recommended
  • Quarterly network scan by ASV, if applicable
  • Compliance validation requirements set by merchant bank

Did You Know?

65% of small businesses don’t meet minimum PCI compliance requirements. Are you one of them?

How do I stay compliant?

Earning (and maintaining) PCI compliance can be an elaborate and time-consuming process. How easy it is to do also depends on your business’ size, sales volume, and the current technology you have in place for payment security.

Among other things, PCI compliance may involve:

  • Completing annual self-assessment questionnaires
  • Implementing security controls
  • Hiring consultants to install hardware and anti-virus software
  • Building a firewall to protect cardholder data
  • Encrypting any cardholder data moving along public networks
  • Restricting access to data
  • Regularly monitoring and testing networks
  • Maintaining an information security policy

All this can add up to a long list of costs. And that’s on top of what you’re already paying in merchant account fees. That’s the bad news.

The good news, though, is that many merchant account providers can handle your PCI compliance requirements for you. This usually comes with a fee, but some providers offer PCI compliance for free when you choose to take payments through them.

Let’s take a look at what you might expect to pay to stay compliant.

The cost of PCI compliance

The more card transactions you take, the more expensive it is to stay compliant. PCI compliance is much easier to manage for smaller businesses, and sometimes comes with no cost at all.

That’s right – some providers, including Zettle (formerly iZettle), Square, and Handepay, will handle your PCI compliance for free. Their systems already feature anti-fraud and encryption features, so you don’t have to worry about them.

Many other merchant account suppliers, though, will charge a fee for PCI compliance. Thankfully, it’s not massive, usually clocking in between £30 and £60 per year for small businesses. We recommend paying the fee that comes with PCI compliance. It’s just a few pounds a month, and it’ll help you avoid PCI non-compliance fees.

This table gives a quick example of what you might pay your merchant account provider to keep you PCI compliant.

Provider                    Monthly fee
Clover (formerly Fiserv)    £4.99

These fees are intended as guidelines only. Updated 8th April 2021.

The cost of non-compliance

Non-compliance with PCI standards is bad news, and merchants that don’t comply face big fines. If your business doesn’t comply, your merchant bank could face a fine upwards of £3,000.

And, in true bank fashion, your bank would then pass this fine down until it reached (you guessed it!) your business. Which is… not fun.

Plus, non-compliance stands to hit you in more than just the wallet. Your bank could also choose to terminate your account, and your customers could lose faith in your ability to keep their card data safe. You could also face a potential forensic audit, and an investigation into your business.

The moral of the story? Stay compliant!

Did You Know?

30% of small businesses don’t know what the penalties for failing to comply with PCI DSS are.

Next steps

PCI DSS may not be the easiest thing to understand (or the easiest acronym to remember), but it can be easy to comply with.

If you currently take card payments, talk to your merchant account provider to make sure you’re PCI compliant. Make sure you know exactly what fees you’re paying (if any) to stay compliant, too.

If you’re not accepting card payments right now, you should be – and we can help. Just fill out our quote-finding form to get merchant account quotes from top suppliers. It’s free, takes less than a minute, and makes it easy for you to compare tailored quotes from providers that reflect the unique needs of your business.


What do you mean by ‘cardholder data’?

Cardholder data is the information relating to the credit or debit card your customer pays with. It refers specifically to the cardholder’s name, the card’s expiry date, and the three-digit security code on the back.

What is a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?

The SAQ is a checklist provided by the PCI Security Standards Council. You fill it in yourself, to see if you’re ticking all the boxes – kind of like a tax return, but for PCI compliance. It measures between 19 and 87 pages, and the length of time it takes to complete will depend on the size of your business and your sales volume (and the amount of coffee you’ve consumed, too!).

Do I need to fill one out?

This depends on which merchant account supplier you work with. If your PCI compliance is managed by your provider (either for free, or at a cost) then no, you’re fine. But if you’ve chosen to manage your own PCI compliance, you’ll need to fill out an SAQ every year.

What is an Approved Scanning Vendor (ASV)?

The PCI DSS requires bigger businesses to run internal and external vulnerability scans of their systems. These scans provide important info that helps identify and improve any weak areas in a company’s network.

The ASV, then, is the agent appointed to conduct this scan on behalf of the business that's seeking PCI compliance.

Rob Binns Senior Writer

Rob writes mainly about the payments industry, but also brings to the table industry-specific knowledge of CRM software, business loans, fulfilment, and invoice finance. When not exasperating his editor with bad puns, he can be found relaxing in a sunny (socially-distanced) corner, with a beer and a battered copy of Dostoevsky.