Written by Rob Binns. Updated on 8 April 2021.

Don’t stand by, you must comply: the how and why of PCI. Read on for our ultimate guide to understanding and embracing the nuances of PCI DSS in the UK.

PCI compliance. As a merchant accepting card payments (or thinking about it!), you’ve probably already heard the term a lot. And rightly so – it’s hugely important for protecting your customers’ data, and helping cut out fraud. But what does PCI mean, and how do you comply?

In this guide, we’re breaking down all you need to know about PCI compliance: what it is, how it relates to your business, and what the costs are for complying (or, if you’re feeling brave, not complying!).

So read on, as we bust the jargon and answer your biggest PCI compliance questions. We’re also breaking down those pesky industry acronyms, starting with…

## PCI – what does it stand for?

PCI is the quick way of saying PCI DSS, which stands for Payment Card Industry Data Security Standard. It’s an information security standard that all businesses that accept card payments must adhere to.

PCI is there not only to protect your customers’ information, but to help keep you safe, too. By staying PCI compliant, you help safeguard your business from data breaches and costly fraudulent transactions.

### Does it apply to you?

If your business accepts any kind of card payment, you need to be PCI compliant. Do you use a small business credit card machine to take face-to-face payments? A virtual terminal to do business over the phone? Or maybe a payment gateway for online transactions?

If you answered ‘yes’ to any of these, then we repeat – yes, your business needs to be PCI compliant.
PCI standards also apply to:

- Electronic Point of Sale (EPOS) systems
- Paper-based records of payment card data
- Online shopping carts and payment applications
- Wireless access routers and store networks

## PCI compliance levels

There are four levels of PCI compliance, and your business will have to comply with one of them. Which level you fall under is worked out based on a few factors, including:

- The size of your business
- The number of card payments you take every year (volume)
- How you take these card payments (method)

If you take credit or debit cards from any of the PCI DSS card brands (Visa, Mastercard, American Express, JCB, and Discover), then you need to stay PCI compliant. What your requirements are – and the expected costs – can be found in the table below.

| Level | Who does it apply to? | Cost of staying compliant |
|---|---|---|
| 1 | Sellers that process more than 6 million transactions per year; sellers that suffered a data breach or attack which led to the compromise of account info | £50,000+ per year |
| 2 | Sellers that process between 1 million and 6 million transactions per year | £8,000 to £40,000 per year |
| 3 | Sellers that process between 20,000 and 1 million ecommerce transactions per year | £1,000+ per year |
| 4 | Sellers that process less than 20,000 ecommerce transactions per year; all other sellers that process up to 1 million transactions per year | £60+ per month |

### Which PCI compliance level are you?

### PCI Level 1

Level 1 is for businesses that process more than 6 million payments a year, so it’s basically just for large companies. As you can imagine, this level of PCI compliance is the most expensive; it comes with extra hardware and software costs to meet the standard, plus the fees involved with training an internal auditor.

To comply, businesses must complete an annual self-assessment questionnaire (SAQ), and face quarterly scans by an Approved Scanning Vendor (ASV).
**Validation requirements**

- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or internal auditor
- Quarterly network scan by an ASV
- Attestation of Compliance form

### PCI Level 2

Level 2 is for businesses processing between 1 million and 6 million payments a year. To comply, businesses must complete an annual self-assessment. They also get a quarterly ASV scan, plus an on-site assessment.

**Validation requirements**

- Annual SAQ
- Quarterly network scan by an ASV
- Attestation of Compliance form

### PCI Level 3

Level 3 refers to businesses that take between 20,000 and 1 million ecommerce payments annually. Level 3 compliance involves an annual self-assessment, as well as a quarterly ASV security scan.

**Validation requirements**

- Annual SAQ
- Quarterly network scan by an ASV
- Attestation of Compliance form

### PCI Level 4

Level 4 refers to businesses that process up to 20,000 payments a year via ecommerce, or up to 1 million payments via other channels.

**Validation requirements**

- Annual SAQ recommended
- Quarterly network scan by an ASV, if applicable
- Compliance validation requirements set by merchant bank

**Did you know?** 65% of small businesses don’t meet minimum PCI compliance requirements. Are you one of them?

## How do I stay compliant?

Earning (and maintaining) PCI compliance can be an elaborate and time-consuming process. How easy it is to do also depends on your business’ size, sales volume, and the current technology you have in place for payment security.

Among other things, PCI compliance may involve:

- Completing annual self-assessment questionnaires
- Implementing security controls
- Hiring consultants to install hardware and anti-virus software
- Building a firewall to protect cardholder data
- Encrypting any cardholder data moving along public networks
- Restricting access to data
- Regularly monitoring and testing networks
- Maintaining an information security policy

All this can add up to a long list of costs. And that’s on top of what you’re already paying in merchant account fees.
That’s the bad news. The good news, though, is that many merchant account providers can handle your PCI compliance requirements for you. This usually comes with a fee, but some providers offer PCI compliance for free when you choose to take payments through them. Let’s take a look at what you might expect to pay to stay compliant.

## The cost of PCI compliance

The more card transactions you take, the more expensive it is to stay compliant. PCI compliance is much easier to manage for smaller businesses, and sometimes comes with no cost at all.

That’s right – some providers, including Zettle (formerly iZettle), Square, and Handepay, will handle your PCI compliance for free. Their systems already feature anti-fraud and encryption features, so you don’t have to worry about them.

Many other merchant account suppliers, though, will charge a fee for PCI compliance. Thankfully, it’s not massive, usually clocking in between £30 and £60 per year for small businesses. We recommend paying the fee that comes with PCI compliance. It’s just a few pounds a month, and it’ll help you avoid PCI non-compliance fees.

This table gives a quick example of what you might pay your merchant account provider to keep you PCI compliant.

| Provider | Monthly fee |
|---|---|
| Clover (formerly Fiserv) | £4.99 |
| Lloyds | £5.50 |
| Paymentsense | £4.95 |
| Worldpay | £2.50 |

These fees are intended as guidelines only. Updated 8th April 2021.

## The cost of non-compliance

Non-compliance with PCI standards is bad news, and merchants that don’t comply face big fines. If your business doesn’t comply, your merchant bank could face a fine upwards of £3,000. And, in true bank fashion, your bank would then pass this fine down until it reached (you guessed it!) your business. Which is… not fun.

Plus, non-compliance stands to hit you in more than just the wallet. Your bank could also choose to terminate your account, and your customers could lose faith in your ability to keep their card data safe.
You could also face a potential forensic audit, and an investigation into your business. The moral of the story? Stay compliant!

**Did you know?** 30% of small businesses don’t know what the penalties for failing to comply with PCI DSS are.

## Next steps

PCI DSS may not be the easiest thing to understand (or the easiest acronym to remember), but it can be easy to comply with. If you currently take card payments, talk to your merchant account provider to make sure you’re PCI compliant. Make sure you know exactly what fees you’re paying (if any) to stay compliant, too.

If you’re not accepting card payments right now, you should be – and we can help. Just fill out our quote-finding form to get merchant account quotes from top suppliers. It’s free, takes less than a minute, and makes it easy for you to compare tailored quotes from providers that reflect the unique needs of your business.

## FAQs

### What do you mean by ‘cardholder data’?

Cardholder data is the information relating to the credit or debit card your customer pays with. It refers specifically to the cardholder’s name, the card’s expiry date, and the three-digit security code on the back.

### What is a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?

The SAQ is a checklist provided by the PCI Security Standards Council. You fill it in yourself, to see if you’re ticking all the boxes – kind of like a tax return, but for PCI compliance. It measures between 19 and 87 pages, and the length of time it takes to complete will depend on the size of your business and your sales volume (and the amount of coffee you’ve consumed, too!).

### Do I need to fill one out?

This depends on which merchant account supplier you work with. If your PCI compliance is managed by your provider (either for free, or at a cost) then no, you’re fine.
But if you’ve chosen to manage your own PCI compliance, you’ll need to fill out an SAQ every year.

### What is an Approved Scanning Vendor (ASV)?

The PCI DSS requires bigger businesses to run internal and external vulnerability scans of their systems. These scans provide important information that helps identify and improve any weak areas in a company’s network. The ASV, then, is the agent appointed to conduct this scan on behalf of the business that’s seeking PCI compliance.

**Rob Binns, Senior Writer.** Rob writes mainly about the payments industry, but also brings to the table industry-specific knowledge of CRM software, business loans, fulfilment, and invoice finance. When not exasperating his editor with bad puns, he can be found relaxing in a sunny (socially-distanced) corner, with a beer and a battered copy of Dostoevsky.