What Is PCI DSS Compliance? A Plain-English Guide for UK Businesses
PCI DSS is the security standard every business that takes card payments must follow. Here is what it means, who it applies to, and how to become compliant without the jargon.
If your business takes card payments — in a shop, online, or over the phone — you have almost certainly come across the term 'PCI DSS'. It can sound technical and intimidating, but the core idea is simple: it is a set of security rules designed to keep your customers' card details safe. This guide explains what PCI DSS is, who it applies to, and what you actually need to do, without the jargon.
What does PCI DSS stand for?
PCI DSS stands for the Payment Card Industry Data Security Standard. It is a global standard created and maintained by the major card brands — Visa, Mastercard, American Express, Discover and JCB — through the PCI Security Standards Council. Any business that stores, processes or transmits cardholder data is expected to comply with it.
Importantly, PCI DSS is not a UK law in itself. It is a contractual requirement: when you signed up with your bank or payment provider (your 'acquirer'), you agreed to handle card data securely. Compliance is how you prove you are keeping that promise. Fail to comply and you can face monthly non-compliance fees, higher liability if a breach occurs, and in serious cases the loss of your ability to take card payments at all.
Who needs to be PCI compliant?
The short answer: almost every business that accepts card payments. It does not matter whether you are a one-person café with a single card machine, an online shop, or a national retailer. If card data passes through your business in any way, PCI DSS applies to you. The amount of work involved varies enormously depending on how you take payments — but the obligation itself does not disappear just because you are small.
The 12 PCI DSS requirements, simplified
PCI DSS is built around six goals and twelve high-level requirements. In business terms, they boil down to the following (a couple of the points below combine two closely related requirements, which is why there are ten rather than twelve):
- Build and maintain a secure network (firewalls, no default passwords).
- Protect stored cardholder data — and ideally do not store it at all.
- Encrypt card data when it travels across networks.
- Use and update anti-virus and secure software.
- Restrict access to card data to only those who genuinely need it.
- Identify and authenticate everyone who accesses your systems.
- Restrict physical access to card data and devices.
- Log and monitor all access to systems and data.
- Regularly test security systems and processes.
- Maintain a written information security policy.
For a large enterprise, meeting these requirements is a significant project. For a typical small UK merchant who uses a card terminal or a hosted online checkout, most of them are either handled by your provider or satisfied with a few straightforward steps.
What is an SAQ?
Most smaller businesses validate their compliance using a Self-Assessment Questionnaire (SAQ) rather than a full external audit. There are several SAQ types, and the right one depends on exactly how you take payments. For example, a business using a fully hosted payment page where card data never touches its own systems usually qualifies for the simplest questionnaire, SAQ A. A business that handles card data directly may need the much longer SAQ D. Choosing the correct SAQ is one of the most common places businesses go wrong — completing a harder questionnaire than necessary wastes time and money.
How do you become PCI compliant?
At a high level, becoming compliant means identifying how card data flows through your business, completing the correct SAQ, fixing any gaps it reveals, running a vulnerability scan if your setup requires one, and filing your validated compliance with your acquirer. You then repeat this validation every year.
This is exactly where a managed compliance partner saves time. Rather than working out which SAQ applies, wrestling with security terminology and chasing your acquirer's portal yourself, a specialist completes the assessment with you, produces the documentation, manages any scans, and files everything on your behalf — often within 24 hours. Fraud Defence First provides this fully managed service for a flat annual fee, so compliance becomes one less thing to worry about.
Key takeaways
- PCI DSS is the security standard for any business that takes card payments.
- It is a contractual requirement from your bank, not optional.
- Most small businesses validate compliance with a Self-Assessment Questionnaire.
- Choosing the right SAQ type is critical to keeping it simple and cheap.
- A managed service can make you compliant quickly and keep you compliant year-round.