When your business accepts credit or debit cards and other electronic payments, it becomes part of a complex transaction ecosystem involving multiple parties. As digital payments have grown rapidly, fraud and cybercrime have evolved too, posing increasing risks to merchants and customers alike. To address these threats, the Payment Card Industry Data Security Standard (PCI DSS) was established: a set of security requirements designed to protect cardholder data, prevent fraud and ensure that businesses maintain secure payment environments.
In the UK alone, criminals stole around GBP 1.17 billion through payment fraud in 2024, with around 40% of it being authorised push payment fraud. Remote purchase fraud, where stolen card details are used to make online purchases, continued to rise sharply, highlighting how adept fraudsters have become at exploiting weak security points in the payment chain. Banks and financial institutions prevented around GBP 1.45 billion of attempted fraud last year, showing the scale of the threat facing businesses and consumers alike.
So how have payment security standards responded to rising threats from data breaches and card fraud? Every merchant that collects, stores or transmits cardholder data must comply with the PCI DSS. PCI compliance is essential to protect your customers’ information, reduce fraud risk and avoid costly penalties and reputational damage.
In this guide, we explain what PCI compliance is, how to identify your PCI level, and practical steps to maintain compliance so you safeguard your revenue and strengthen trust in your brand.
What is the PCI DSS?
PCI DSS, meaning Payment Card Industry Data Security Standard, is a standard set up by the card schemes (Visa, Mastercard, American Express, Discover and JCB) in 2006 to govern data security for businesses that store, transmit and process cardholder data. The standard aims to protect consumers and banks within the online payments ecosystem, where sensitive data is susceptible to fraudulent misuse.
The PCI DSS includes 12 high-level requirements with 300+ sub-requirements that fall under the following categories:
1. Build and maintain a secure network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data
- Protect stored data with encryption
- Encrypt transmission of cardholder data and sensitive information across public networks
3. Maintain a vulnerability management programme
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
4. Implement strong access control measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
5. Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
6. Maintain an information security policy
- Maintain a policy that addresses information security
What is PCI compliance?
PCI DSS compliance (PCI compliance for short) means that a business adheres to the PCI DSS requirements and has the infrastructure and processes in place to protect consumers' card information against data breaches and fraud. It's worth pointing out that PCI DSS is an industry standard made by the major card schemes, not a law. PCI compliance is relevant to any merchant that accepts card payments, regardless of vertical and transaction volume. The full PCI DSS document can be accessed here.
These are the three main areas that PCI involves:
Handling card data
If your customers input their sensitive credit card details on a payment page hosted on your own server, you will be required to be PCI compliant and meet each of the 300+ security controls outlined in PCI DSS. In practice, your company will most probably need to purchase, deploy and maintain security software and hardware, and operate a robust security programme around them.
If your customers enter their card details on a page hosted by your payment service provider (PSP) or acquirer, the PCI compliance liability shifts to the payment service provider who handles your payments and your PCI costs are reduced to a great extent.
Securely storing data
If your organisation handles and stores payment card data, you will need to define the scope of your Cardholder Data Environment (CDE). According to PCI DSS, the CDE includes all people, processes and technology involved in processing, storing and transmitting payment card data. This means that your organisation should segment the payment environment from the rest of the business to contain the CDE scope. Otherwise, you risk having to apply all 300+ security controls to every computer and device within your company, which only increases your expenses and infrastructure burden.
Annual PCI compliance validation
Every organisation that deals with sensitive card data is required to complete a PCI validation form every year. There might be merchants who don't feel they're fully in line with PCI standards or they may have concerns that their infrastructure could expose data not only to external fraudsters but also internally across their organisation.
In such cases, you may consider hiring a qualified independent consultant who can give objective advice on how to achieve PCI compliance, along with a Qualified Security Assessor (QSA) who can audit and test your internal security (more on this below).
The latest version 4.0 of the PCI DSS further revises data security standards for every organisation that deals with sensitive payment card information. Although the current version (3.2.1) remains valid until March 2024, organisations that are subject to the PCI DSS should prepare for the update as soon as possible (Find everything you need to know about the updated regulation here).
Is there a penalty if a merchant is not PCI compliant?
PCI DSS is an industry standard rather than a law. However, the card schemes are responsible for administering fines to acquirers who process payments for merchants involved in a data breach and who do not comply with PCI DSS. As a contractual rule, the acquirer passes the fine on to the merchant, potentially alongside other costs, including payment card replacement costs, increased fees per transaction and so forth.
Why does PCI compliance matter?
PCI compliance matters because it helps protect cardholder data, prevent payment fraud and reduce the risk of costly data breaches. Businesses that accept card payments must follow PCI DSS requirements to safeguard sensitive information and maintain secure payment environments.
Failing to meet PCI compliance standards can result in financial penalties, higher processing fees and reputational damage. In serious cases, merchants may face restrictions from their acquirer or lose the ability to accept card payments altogether, directly impacting revenue and customer trust.
Beyond risk reduction, PCI compliance supports long term business continuity. It demonstrates a commitment to payment security, builds customer confidence and ensures merchants can continue to process card transactions safely and reliably in an increasingly digital payments landscape.
PCI levels and how to achieve compliance
All merchants fall into one of the following levels of PCI compliance, typically based on the volume of credit and debit card transactions they process during a year, either online or face-to-face.
PCI compliance Level 1
PCI compliance Level 1 is the strictest in terms of requirements. It applies to any organisation that processes more than six million transactions annually, has undergone several data breaches or is classed as Level 1 by the card schemes.
The requirements related to Level 1 involve:
- Filing a Level 1 on-site assessment – an annual Report on Compliance (ROC) by a QSA, or by an Internal Security Assessor (ISA) if signed by an officer of the company. These assessors review your documentation and technical evidence to determine whether the PCI DSS requirements are being met.
- Undergoing a quarterly network scan by an Approved Scanning Vendor (ASV). (Here's the list of approved scanning vendors maintained by the PCI SSC.)
- Completing the Attestation of Compliance (AoC) for on-site assessments.
PCI compliance Level 2
PCI compliance Level 2 applies to every organisation that processes between one and six million card transactions annually.
The requirements related to Level 2 involve:
- Completing the annual PCI DSS Self-Assessment Questionnaire (SAQ). (There are nine SAQ types, described briefly further below.)
- Completing and obtaining evidence of a passing vulnerability quarterly scan with an ASV.
- Completing the Attestation of Compliance (AoC) according to their SAQ classification.
- Submitting SAQ, AoC, along with any other requested documentation, to their acquirer.
PCI compliance Level 3
PCI compliance Level 3 applies to organisations that process between 20,000 and one million online transactions annually.
The requirements related to Level 3 involve:
- Completing the annual PCI DSS SAQ. (There are nine SAQ types, described briefly further below.)
- Completing and obtaining evidence of a passing vulnerability quarterly scan with an ASV.
- Completing the AoC according to their SAQ classification.
- Submitting the SAQ and AoC, along with any other requested documentation, to their acquirer.
PCI compliance Level 4
PCI compliance Level 4 applies to organisations that process fewer than 20,000 online transactions annually or organisations that process up to one million transactions in total, annually.
The requirements related to Level 4 involve:
- Completing the annual PCI DSS SAQ. (There are nine SAQ types, described briefly further below.)
- Completing and obtaining evidence of a quarterly vulnerability scan with an ASV.
- Completing the AoC according to their SAQ classification.
- Submitting SAQ, AoC, along with any other requested documentation to their acquirer.
What is PCI SSF?
The PCI Software Security Framework (PCI SSF) is the current standard from the PCI Security Standards Council that replaces PA DSS. It is designed for modern payment software environments, including cloud based and frequently updated applications.
PCI SSF focuses on embedding security throughout the software lifecycle, from development to ongoing maintenance. Instead of one off validations, it promotes continuous security, secure coding practices and shared responsibility between software providers and merchants.
Using payment software aligned with PCI SSF helps reduce security risk, supports PCI DSS compliance and ensures cardholder data remains protected as technologies and threats evolve.
Self-Assessment Questionnaire (SAQ)
For PCI compliance Levels 2, 3 and 4, PCI has created nine different forms of Self-Assessment Questionnaires (SAQs). There are different SAQs for each compliance level and different AoC forms for each level. It can prove challenging to identify which SAQ form to use. Your payment service provider or acquirer will help you determine which are the right documents based on your payment integration method (Watch our video about payment integration or read our relevant article to find out which integration best suits your business).
Here's a brief description of the SAQ types:
SAQ A covers card not present merchants (eCommerce and mail/telephone orders – MOTO – payments) who have outsourced all cardholder data functions to a PCI-compliant payment service provider and do not process, store or transmit any cardholder data on their system premises. ASV scanning is not required for SAQ A.
SAQ A-EP covers only eCommerce merchants who use a client-encryption integration method – that is, payment processing is outsourced to a PCI-compliant payment service provider, but the merchant's own website controls the page on which card data is collected. SAQ A-EP requires ASV scanning.
SAQ B covers merchants (excluding eCommerce) using only imprint machines with no digital cardholder data storage and/or basic dial-out terminals which connect directly to the phone line rather than electronically. SAQ B doesn't require ASV scanning.
SAQ B-IP covers merchants (excluding eCommerce) using only standalone approved PIN Transaction Security (PTS) POS terminals with an IP connection to the payment service provider with no electronic cardholder data storage. SAQ B-IP requires ASV scanning.
SAQ C covers merchants (excluding eCommerce) with payment applications connected to the internet with no electronic cardholder data storage. SAQ C requires ASV scanning.
SAQ C-VT covers merchants (excluding eCommerce) who manually input a single transaction at a time via a keyboard into a web-based virtual payment terminal provided by a PCI-compliant third-party payment service provider.
SAQ P2PE covers merchants (excluding eCommerce) using only hardware-based payment terminals managed by a validated, PCI SSC-listed point-to-point encryption (P2PE) payment solution without electronic cardholder data storage.
SAQ D covers PCI-compliant merchants who use a server to server integration; namely, they have a direct connection to the payment gateway of their payment service provider and store card details on their server. It also covers all payment service providers defined by a payment card brand as eligible to complete an SAQ.
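To make the level and SAQ rules above concrete, here is an added scoping helper (example code written for this guide, not emerchantpay's own tooling). It encodes the transaction-volume thresholds and the three eCommerce integration methods exactly as the sections above describe them; the `Merchant` fields, the integration keys and the ASV rule (scans not required for SAQ A) are assumptions made for the example, and your acquirer always makes the final determination.

```python
# Constructed PCI scoping helper: merchant level and eCommerce SAQ selection.
# Thresholds and mappings follow the guide above; the field names and the
# integration keys are assumptions of this example, not PCI SSC terminology.
from dataclasses import dataclass

ASV_REQUIRED = {"A": False, "A-EP": True, "D": True}
SAQ_BY_INTEGRATION = {
    "hosted": "A",                 # PSP-hosted payment page
    "client_encryption": "A-EP",   # card data encrypted in the customer's browser
    "server_to_server": "D",       # merchant server handles card data directly
}

@dataclass
class Merchant:
    online_tx: int               # annual eCommerce transactions
    total_tx: int                # annual transactions across all channels
    integration: str             # a key of SAQ_BY_INTEGRATION
    breached: bool = False       # has suffered cardholder data breaches
    designated_l1: bool = False  # classed as Level 1 by a card scheme

def pci_level(m: Merchant) -> int:
    """Return the merchant level (1 is strictest) using the guide's criteria."""
    if m.total_tx > 6_000_000 or m.breached or m.designated_l1:
        return 1
    if m.total_tx > 1_000_000:
        return 2
    # Level 3 is defined on online volume (20,000 to one million); anything with
    # fewer online transactions, up to one million in total, falls into Level 4.
    return 3 if m.online_tx >= 20_000 else 4

def validation_plan(m: Merchant) -> dict:
    """Artefacts the merchant must produce each year, and how many ASV scans."""
    level = pci_level(m)
    saq = SAQ_BY_INTEGRATION[m.integration]  # KeyError flags an unknown method
    if level == 1:
        # Level 1 validates with an on-site assessment instead of an SAQ.
        return {"level": 1, "saq": None, "report": "ROC by QSA or ISA",
                "aoc": True, "asv_scans_per_year": 4}
    return {"level": level, "saq": saq, "report": f"SAQ {saq}",
            "aoc": True, "asv_scans_per_year": 4 if ASV_REQUIRED[saq] else 0}

if __name__ == "__main__":
    shop = Merchant(online_tx=150_000, total_tx=150_000, integration="hosted")
    print(validation_plan(shop))  # Level 3, SAQ A, AoC, no ASV scans
```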
PCI compliance checklist
Below we outline actions that are integral to the annual PCI compliance checklist for merchants who do not use a hosted payment solution. Bear in mind that you also need to undertake security scans by an ASV every quarter.
1. Complete the annual risk assessment covering the web pages where card data is handled and every system that relates to the CDE.
2. Ensure third parties that store, process and/or transmit card data or are connected to the CDE, provide evidence that they are PCI compliant and are registered with the card schemes.
3. If using a hosted payment page for your website, ensure the product and the version you are using are PA DSS compliant (Payment Application Data Security Standard, which applies to developers of payment applications, and whose successor is the PCI SSF described above). Also, make sure you fully adhere to the guidelines provided by the supplier.
4. Train your staff to follow PCI DSS procedures.
5. Make sure that you are only keeping payment data that is essential and ensure that it's encrypted when transmitted across public networks.
6. Set up security controls to monitor and control access to your eCommerce CDE.
7. Safeguard sensitive cardholder information by deploying and maintaining firewalls and up-to-date antivirus software.
8. Ensure that the shopping cart integration is the most up-to-date version available.
9. Protect your website security and discuss with your web hosting provider to ensure that they have secured their infrastructure. Merchants should encourage their web host provider to adopt system hardening standards and disable default settings.
10. Run PIN Entry Device (PED) checks annually and after any significant change to the CDE.
11. Make sure that the vendor of the software or hardware you use to process transactions has product approval from the Payment Card Industry Security Standards Council (PCI SSC).
How can emerchantpay help with PCI compliance?
PCI compliance is a fundamental requirement for any business that accepts card payments. By prioritising secure transactions, merchants not only protect sensitive cardholder data but also strengthen customer trust and reduce the risk of non-compliance fees, penalties and reputational damage.
emerchantpay is a PCI Level 1 compliant payment service provider and acquirer, helping merchants reduce the complexity and operational burden of PCI compliance through flexible integration options.
Our hosted payment page offers the lowest PCI requirement for merchants, classified under SAQ A. With this solution, all cardholder data is handled entirely on emerchantpay systems, meaning no card data is stored, processed or transmitted within the merchant's environment. This approach delivers a high level of security while allowing businesses to minimise infrastructure costs and focus resources on growth.
For eCommerce merchants seeking greater control over the checkout experience, our client encryption solution can reduce PCI scope to SAQ A-EP. While more demanding than SAQ A, it remains significantly less demanding than SAQ D. This integration allows merchants to securely accept payments, maintain control over the payment page and lower ongoing security and compliance costs.
Our server to server integration is designed for merchants that require full control over their payment flows. As this approach involves direct handling of card data, it requires full PCI DSS compliance under SAQ D, the most comprehensive level of PCI validation, ensuring maximum security for online transactions.
It’s important to note that the PCI requirements can differ based on factors such as transaction volumes and values, so the above should be viewed as indicative guidance rather than definitive criteria.
To find out how emerchantpay can support your PCI compliance strategy through our PCI Level 1 payment gateway and acquiring services, speak to our payments experts today.