PCI Compliance Guide: Everything You Need to Know

PCI compliance is important for businesses that operate with card readers as it ensures transactions are kept safe and secure. Being PCI compliant protects your customers from fraud and ensures your reputation as a business is upheld.

This is no mean feat considering frauds now account for 41% of all crimes committed in England and Wales according to a parliamentary report published in March 2023, with costs to individuals estimated at £4.7 billion a year by the Home Office.

In this guide, we take you through everything you need to know about PCI compliance, including the levels of compliance, the costs associated, and the steps you need to take in order to comply. You’ll also discover whether your business must be PCI compliant and, if so, what you could incur should you fail to do so. To find all that out, just head below.

What is PCI compliance?

PCI stands for payment card industry. PCI compliance is required by credit card companies to help protect credit card transactions.

Businesses have certain standards and procedures they must follow to be PCI compliant and most payment providers will come with built in PCI compliance, such as SumUp and Square.

A few, such as Retail Merchant Services, will require you to complete the process yourself to become PCI compliant. Some providers will also offer compliance at an extra cost, such as Worldpay, which charges £29.99 per year for PCI compliance.

What is needed for PCI compliance?

There are 12 PCI compliance requirements. These are:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Does it apply to you?

If your business accepts any kind of card payment, you need to be PCI compliant. Do you use a small business credit card machine to take face-to-face payments? A virtual terminal to do business over the phone? Or maybe a payment gateway for online transactions?

If you answered ‘yes’ to any of these, then we repeat – yes, your business needs to be PCI compliant. PCI standards also apply to:

• Electronic Point of Sale (EPOS) systems
• Paper-based records of payment card data
• Online shopping carts and payment applications
• Wireless access routers and store networks

PCI compliance levels

There are four levels of PCI compliance, and your business will have to comply to one of them. Which level you fall under is worked out based on a few factors, including:

• The size of your business
• The amount of card payments you take every year (volume)
• How you take these card payments (method)

If you take credit or debit cards with any of the PCI DSS credit card brands (Visa, Mastercard, American Express, JCB, and Discover), then you need to stay PCI compliant. What your requirements are – and the expected costs – can be found in the table below. Click the numbers in the table to navigate down the page to that specific level.

Which PCI compliance level are you?

PCI Level 1

Level 1 is for businesses that process more than 6 million payments a year, so it’s basically just for large companies. As you can imagine, this level of PCI compliance is the most expensive; it comes with extra hardware and software costs to meet the standard, plus the fees involved with training an internal auditor.

To comply, businesses must complete an annual self-assessment questionnaire (SAQ), and face quarterly scans via a PCI-approved Approved Scanning Vendor (ASV).

PCI Level 2

Level 2 is for businesses processing between 1 million and 6 million payments a year. To comply, businesses must complete an annual self-assessment. They will also get a quarterly ASV scan, plus an on-site assessment.

PCI Level 3

Level 3 refers to businesses that take between 20,000 and 1 million ecommerce payments annually. Level 3 compliance involves an annual self-assessment, as well as a quarterly ASV security scan.

PCI Level 4

Level 4 refers to businesses that process up to 20,000 payments a year via ecommerce, or up to 1 million payments via other channels.

How do I stay compliant?

Earning (and maintaining) PCI compliance can be an elaborate and time-consuming process. How easy it is to do also depends on your business’ size, sales volume, and the current technology you have in place for payment security.

Among other things, PCI compliance may involve:

• Completing annual self-assessment questionnaires
• Implementing security controls
• Hiring consultants to install hardware and anti-virus software
• Building a firewall to protect cardholder data
• Encrypting any cardholder data moving along public networks
• Restricting access to data
• Regularly monitoring and testing networks
• Maintaining an information security policy

All this can add up to a long list of costs. And that’s on top of what you’re already paying in merchant account fees. That’s the bad news.

The good news, though, is that many merchant account providers can handle your PCI compliance requirements for you. This usually comes with a fee, but some providers offer PCI compliance for free when you choose to take payments through them.

The cost of PCI compliance

The more card transactions you take, the more expensive it is to stay compliant. PCI compliance is much easier to manage for smaller businesses, and sometimes comes with no cost at all.

That’s right – some providers, including Zettle (read our Zettle review), Square POS, and Handepay card payment solutions, will handle your PCI compliance for free. Another provider, Stripe, is PCI certified – which is a more stringent standard than compliance – and also provides this security for no extra fee (read our Stripe review). Its systems already feature anti-fraud and encryption features, so you don’t have to worry about them.

Many other merchant account suppliers will charge a fee for PCI compliance. Thankfully, it’s not massive, usually clocking in between £30 and £60 per year for small businesses. We recommend paying the fee that comes with PCI compliance. It’s just a few pounds a month, and it’ll help you avoid any PCI non-compliance fees.

This table gives a quick example of what you might pay your merchant account provider to keep you PCI compliant:

These fees are intended as guidelines only. 

The cost of non-compliance

Non-compliance with PCI standards is bad news, and merchants that don’t comply face big fines. If your business doesn’t comply, your merchant bank could face a fine upwards of £3,000. Your bank will then pass this fine down until it reached your business. 

Non-compliance stands to hit you in more than just the wallet. Your bank could also choose to terminate your account, and your customers could lose faith in your ability to keep their card data safe. You could also face a potential forensic audit, and an investigation into your business.

The moral of the story? Stay compliant!

Next steps

PCI DSS may not be the easiest thing to understand (or the easiest acronym to remember), but it can be easy to comply with.

If you currently take card payments, talk to your merchant account provider to make sure you’re PCI compliant. Make sure you know exactly what fees you’re paying (if any) to stay compliant, too.

If you’re not accepting card payments right now, you should be – and we can help. Just fill out our quote comparison form to get merchant account quotes from the top suppliers. It’s free, takes less than a minute, and makes it easy for you to compare tailored quotes from providers that reflect the unique needs of your business.