What Is PCI DSS: Meaning and Implications for Businesses

Every time a customer taps, inserts, or enters their card details, that data needs to be handled securely, and there are formal standards that govern exactly how. If you accept card payments in any form, PCI DSS is one of the most important compliance frameworks you need to understand.

In the following sections, we explain the basics of PCI DSS as well as PTS and how they affect your business.

What Is PCI DSS?  

PCI DSS stands for Payment Card Industry Data Security Standard. In short, it’s a set of technical and operational requirements, policies, procedures and tools to protect cardholder data.

PCI DSS standards are created and maintained by the PCI Security Standards Council (PCI SSC) and consist of 12 basic requirements grouped into six categories.

Their goal is to create a highly secure global payment environment and protect merchants and consumers from security breaches and theft of cardholder data.

Anyone storing, processing or transmitting cardholder information (or accepting card payments) has to comply with PCI DSS. This includes financial institutions, point-of-sale payment providers and merchants of all sizes. 

What Does PCI DSS Protect?  

PCI DSS protects cardholder data, sensitive authentication data and, more broadly, the cardholder data environment as a whole.

Cardholder data includes the primary account number (PAN) printed or encoded on a payment card, alongside the cardholder’s name, expiry date, and service code. This is the core category of data PCI DSS is built to protect.

Sensitive authentication data, on the other hand, covers security-critical information used to verify card transactions, including full magnetic stripe data, chip data, PINs, and CVV/CVC codes. 

This data should not be stored after a transaction is authorised, under any circumstances.

The cardholder data environment refers to the people, processes, and systems that take part in storing, processing, or transmitting cardholder information. PCI DSS applies to everything within this environment, including connected systems that could affect its security.

Who Needs To Comply With PCI DSS?  

As noted earlier, PCI DSS applies to every organisation that stores, processes, or transmits cardholder data. 

This includes:

  • Merchants – any business that accepts card payments, no matter the size or sector;
  • Payment service providers – companies that process transactions on behalf of merchants;
  • Financial institutions – banks and card issuers involved in the payment chain;
  • Third-party service providers – any organisation that handles or has access to cardholder data environments on behalf of another business;
  • Software developers – companies building payment applications or devices used in card transactions.

Overall, if card data passes through your business in any form, PCI DSS standards apply to you.

Does PCI DSS Apply to Small Businesses?  

PCI DSS is mandatory for all businesses that accept card payments. There is no size threshold below which it stops applying.

However, the PCI SSC uses a tiered system known as PCI compliance levels, based on annual transaction volume:

  • Level 1 – over 6 million transactions per year; requires an annual on-site audit by a Qualified Security Assessor (QSA);
  • Level 2 – 1 to 6 million transactions per year; requires an annual Self-Assessment Questionnaire (SAQ);
  • Level 3 – 20,000 to 1 million e-commerce transactions per year; requires an annual SAQ;
  • Level 4 – fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channels; requires an annual SAQ and may require quarterly network scans.

Most small businesses fall into Level 4, which means the compliance process is proportionate, but the requirement to comply is not optional. 

Smaller businesses are frequently targeted by attackers precisely because their defences tend to be less developed than those of larger organisations. From April 2025 to April 2026, 46% of UK businesses experienced a cyber breach. 

Why PCI DSS Matters for Businesses  

Understanding PCI DSS guidelines matters not just as a compliance exercise, but because the consequences of weak card payment security are real and serious.

Data breach risk

If your payment environment is compromised, cardholder data can be stolen at scale. A single breach can expose hundreds or thousands of customer records. 

Beyond the immediate harm to customers, the reputational damage can be long-lasting – customers who lose confidence in how their data is handled rarely return.

Fraud exposure

Stolen card data is used to commit payment fraud, often across multiple merchants. 

According to the Crime Survey for England and Wales, there were an estimated 4.4 million incidents of fraud in the year ending December 2025. 

Once data leaves your environment, you have no control over how it is used, and your business may bear partial liability depending on the circumstances.

Financial and contractual consequences

Non-compliance with PCI DSS can result in fines issued by card networks, higher transaction fees, and, in serious cases, the loss of your ability to accept card payments altogether. 

If a breach occurs and you were not compliant at the time, the financial liability for fraud losses may fall on you rather than the card issuer.

Loss of customer trust

Customer data security is increasingly a factor in purchasing decisions.

Businesses that suffer publicised breaches face not only lost customers but potential regulatory scrutiny under wider data protection frameworks, including the Data Protection Act.

Operational disruption

Responding to a breach – forensic investigation, customer notification, system remediation – is expensive and time-consuming. 

Data breach prevention is almost always cheaper than breach response.

What Are the Main PCI DSS Requirements?  

PCI DSS is built around 12 requirements. Together they define what a secure payment environment looks like in practice.

Build and maintain a secure network infrastructure

  • Requirement 1: Install and maintain network security controls, including firewalls configured to protect the cardholder data environment.
  • Requirement 2: Apply secure configurations to all system components – default passwords and vendor-supplied settings must be changed before deployment.

Protect account data

  • Requirement 3: Protect stored cardholder data; implement encryption of cardholder data where storage is necessary and ensure sensitive authentication data is never retained post-authorisation.
  • Requirement 4: Protect cardholder data transmitted across open or public networks using strong cryptography.

Maintain a vulnerability management program

  • Requirement 5: Protect all systems against malware; maintain anti-virus software updates and deploy anti-malware tools across relevant environments.
  • Requirement 6: Develop and maintain secure systems and applications; apply security patches promptly and follow secure development practices.

Implement strong access control

  • Requirement 7: Restrict access to cardholder data to only those with a legitimate business need.
  • Requirement 8: Identify and authenticate all users accessing system components; enforce unique IDs and appropriate authentication controls.
  • Requirement 9: Restrict physical access to systems and media that store or process cardholder data.

Regularly monitor and test networks

  • Requirement 10: Log and monitor all access to network resources and cardholder data; maintaining security monitoring systems is essential for detecting and responding to anomalies.
  • Requirement 11: Test the security of systems and networks regularly, including vulnerability scans and penetration testing.
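Requirement 3 (never retain sensitive authentication data; keep the PAN only truncated, encrypted or tokenised) and Requirement 10 (logs must not become an unprotected copy of cardholder data) both come down to deciding what a system is allowed to keep. The Python below is an added illustration of those two decisions, not code from this article or from myPOS. The field names, the sample record, the demo key and the HMAC-based token stand-in are all constructed for the example; a real deployment would delegate tokenisation to its payment provider or a key-managed vault, in line with the scope-reduction advice later in the article.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (SAD) field names that must never be persisted
# after authorisation (PCI DSS Requirement 3). These names are constructed for
# this example; a real payment record will use its own schema.
SAD_FIELDS = {"cvv", "cvc", "pin", "pin_block", "track1", "track2", "chip_data"}

# Constructed demo key. A real deployment keeps the tokenisation key in an HSM
# or key-management service, or lets the payment provider tokenise instead.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to its first six and last four digits, the most that
    PCI DSS permits to be shown or kept without protection."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenise_pan(pan: str, key: bytes) -> str:
    """Replace the PAN with a keyed one-way hash so the stored value cannot be
    turned back into a card number. Stand-in for a tokenisation service."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def sanitise_for_storage(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Build the record that may be written to disk: SAD fields are dropped,
    the full PAN is replaced by a masked form plus a token, other fields stay."""
    stored = {name: value for name, value in record.items()
              if name not in SAD_FIELDS and name != "pan"}
    stored["pan_masked"] = mask_pan(record["pan"])
    stored["pan_token"] = tokenise_pan(record["pan"], key)
    return stored


# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run. The Luhn check in redact_pans() then filters out
# order numbers and timestamps that merely look like card numbers.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def redact_pans(line: str) -> str:
    """Mask every Luhn-valid card number in a log line (Requirement 10)."""
    def replace(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(replace, line)


if __name__ == "__main__":
    # Constructed sample record using the well-known 4111... test PAN.
    record = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/29",
              "name": "A N OTHER",
              "track2": "4111111111111111=29121011000012345678",
              "amount_pence": 1999}
    print(sanitise_for_storage(record))
    print(redact_pans("2025-06-01 auth ok pan=4111111111111111 order=1234567890123456"))
```

The Luhn filter is what keeps the log scrubber usable: a 16-digit order number or timestamp is left alone, while a genuine PAN is truncated to the first six and last four digits. The token lets downstream systems such as refunds or reporting correlate transactions on the same card without ever holding the full number, which is the same scope-reduction idea the article recommends at the business level.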

Maintain an information security policy

  • Requirement 12: Support information security through organisational policies, risk assessments, and staff awareness – this includes maintaining up-to-date PCI DSS documentation and training staff on their responsibilities.

How PCI DSS Compliance Works in Practice  

Meeting PCI DSS is not a one-time task – it is a continuous process made up of the following steps.

Map your cardholder data environment

Before you can secure card data, you need to know where it lives. 

Identify every point at which card data enters your business – at the terminal, through your website, via telephone orders – and trace where it goes from there. 

Many businesses store or transmit more data than they realise.

Reduce your scope wherever possible

The less cardholder data your environment handles directly, the simpler and less costly compliance becomes. 

Using a PCI DSS-compliant payment provider that processes card data on your behalf, rather than routing it through your own systems, can significantly reduce your compliance burden. 

This approach is one of the most effective payment security best practices available to small and mid-sized businesses.

Complete the appropriate PCI DSS assessment

Depending on your compliance level, this will involve completing a Self-Assessment Questionnaire (SAQ), a structured set of yes/no questions that map to the 12 requirements.

You are also likely to need quarterly vulnerability scans from an Approved Scanning Vendor (ASV).

Level 1 merchants require a full on-site audit by a QSA. PCI DSS validation must be renewed annually.

Understand PCI DSS costs

For most small businesses, the direct costs of compliance are modest – primarily the time taken to complete an SAQ and, if required, the fee for an ASV scan. In the UK, ASV scans can cost from £150 to £500 per year for small businesses. 

Costs increase with transaction volume and the complexity of your payment environment. 

The cost of non-compliance – fines, breach remediation, and potential loss of card acceptance – is considerably higher.

Treat compliance as ongoing

Payment environments change – new software, new staff, new hardware, new services. Each change has the potential to introduce new vulnerabilities. 

Meeting PCI DSS over the long term means building compliance into normal business operations rather than treating it as an annual checkbox exercise.

What Is PTS?  

PIN Transaction Security, or PTS, is a separate but related security standard maintained by the PCI SSC.

Where PCI DSS governs the broader data environment, PTS focuses specifically on the security of payment terminals and point-of-interaction (POI) devices.

PTS requirements cover the physical and logical security of these devices, including tamper resistance, encryption of PIN data at the point of entry, and the integrity of the device firmware. 

Any device used to accept PIN-based transactions must be PTS-approved.

PCI DSS vs PTS: What Is the Difference?  

Both standards exist to protect card payment security, but they operate at different layers.

PCI DSS is a broad framework governing how cardholder data is handled across an organisation’s entire payment environment – systems, networks, processes, and people. 

It applies to any entity involved in card data handling.

PTS, on the other hand, is a hardware-focused standard that governs the security of the physical devices through which card transactions are initiated. It ensures that terminals, PIN pads, and contactless readers meet specific tamper-resistance and encryption requirements before they are approved for use.

For a merchant, both matter. 

PCI DSS governs how your business handles card data end-to-end, while PTS ensures that the device your customer taps or inserts their card into is itself secure. 

Using a PTS-approved terminal is a prerequisite for secure in-person payment acceptance. It’s also a core component of identity theft prevention at the point of sale.

How PCI DSS and PTS Support Safer Card Payments  

Together, PCI DSS and PTS address the two most vulnerable points in the card payment chain – the data environment and the device.

When both standards are met, businesses benefit from:

  • Safer handling of card data across all payment channels, reducing the risk of exposure at every stage of the transaction;
  • More secure in-person payment acceptance, with hardware that resists tampering and protects PIN entry;
  • Stronger trust in payment infrastructure, both from customers and from card networks and acquiring banks;
  • Reduced exposure to avoidable security weaknesses that are routinely exploited in fraud attacks.

The PCI compliance benefits extend beyond avoiding penalties and translate directly into a more resilient, trustworthy payment operation.

What Businesses Should Do To Strengthen Payment Security  

Use PCI DSS-aligned payment solutions. Choose payment providers that are themselves PCI DSS compliant and that handle card data on your behalf where possible. 

This reduces the scope of your own compliance obligations and puts security responsibility in the hands of specialists.

Choose PTS-compliant payment terminals and make sure you only use devices that appear on the PCI SSC’s list of approved PTS devices to avoid security gaps.

Implement strong access control measures so that only staff with a clear business need can access systems involved in payment processing. Use unique user IDs, enforce strong authentication, and revoke access promptly when staff leave or change roles.

Outdated software is one of the most common vectors for payment system attacks. Keep software and devices updated. Apply security patches promptly, maintain anti-virus software updates, and replace end-of-life hardware and software before it becomes a liability.

Keep in mind that human error remains a leading cause of security incidents. Train staff on payment data security. Staff who handle payments should understand the basics – not storing card data, recognising social engineering attempts, knowing how to report suspected incidents – as a matter of routine.

Review your payment processes at least annually, whenever you change systems or providers, and whenever the PCI SSC publishes updates to the standard. Maintain current PCI DSS documentation as a living record of your compliance posture.

Beyond PCI DSS itself, layer in additional fraud prevention measures – transaction monitoring, velocity checks, address verification – to catch suspicious activity before it becomes a confirmed breach.

How myPOS Supports Secure Payment Acceptance  

Security infrastructure is one of the most significant operational decisions a business accepting card payments will make. 

myPOS is built with security standards compliance as a foundation, not an afterthought:

  • PCI DSS-certified payment environment – myPOS operates a fully PCI DSS-compliant payment processing environment, meaning that card data handled through myPOS solutions meets the industry’s highest security requirements.
  • PTS-compliant payment devices – all myPOS payment terminals are PTS-approved, ensuring that every point-of-interaction device meets the hardware security requirements for safe card and PIN acceptance.
  • Encryption of cardholder data – card data is encrypted at the point of entry and throughout transmission, ensuring that sensitive information is protected at every stage of the transaction lifecycle.
  • Fraud monitoring and transaction security – myPOS deploys advanced fraud prevention measures and real-time monitoring security systems to identify and respond to suspicious activity.
  • Operational support for secure payment acceptance – beyond technology, myPOS provides merchants with the tools and account management support needed to maintain reliable, secure payment operations – whether in-store, online, or across multiple channels.

Thanks to innovative technologies, we’ve developed and implemented advanced fraud-detecting mechanisms and security-monitoring systems to protect merchants and customers.

Conclusion  

Meeting PCI DSS and PTS standards does not require deep technical expertise, but it does require a clear understanding of where card data lives in your business, a commitment, and a habit of reviewing and maintaining your payment security practices over time. 

No matter how small or large your business is, staying compliant with PCI DSS is essential to maintain the safety of your customers and your operations. 

Frequently Asked Questions 

It depends on how you accept payments. SAQ A covers fully outsourced card processing, while SAQ A-EP applies to e-commerce sites that could affect payment security. SAQ C, on the other hand, covers internet-connected terminals. Your acquiring bank can confirm which applies to your business.

Yes. Online merchants carry broader obligations, particularly around payment page security, third-party scripts, and checkout integrity. In-person merchants using certified terminals and a compliant payment provider typically qualify for simpler compliance validation.

From this point forward, all best-practice requirements introduced in PCI DSS 4.0 became fully mandatory and subject to compliance assessment. Prior to this deadline, organisations were expected to work toward these controls, but adherence was not formally required for validation purposes.

Yes. PCI DSS applies to any business that stores, processes, or transmits card data – storage is only one trigger. However, fully outsourcing card processing to a certified provider minimises your scope and may qualify you for SAQ A, the simplest validation route.

Yes. Card details read aloud bring your telephony systems into scope. Call recordings must not capture card data – most compliant setups use pause-and-resume recording or DTMF masking. Phone-based merchants should complete SAQ C-VT or SAQ B depending on how processing is handled.

Never store the CVV/CVC, full magnetic stripe or chip data, or PIN under any circumstances. The full card number may only be stored if properly encrypted or tokenised, and only where there is a clear business reason – for most SMEs, storing any card data at all is unnecessary.
