What PCI DSS compliance actually is
PCI DSS (Payment Card Industry Data Security Standard) is the security framework every business that stores, processes or transmits card data has to meet. It is maintained by the PCI Security Standards Council on behalf of Visa, Mastercard, Amex, Discover and JCB, and is enforced through your acquirer — not directly by the card schemes.
The current version, PCI DSS 4.0, replaced 3.2.1 in March 2024 and became fully mandatory in March 2025. Most UK small businesses meet compliance through a Self-Assessment Questionnaire (SAQ) rather than a full external audit.
Unsure what these charges mean on your own statement? Submit it for a free independent review.
Check If I'm OverpayingWhich SAQ applies to your business
There are nine SAQ types under PCI DSS 4.0. Which one you complete depends on how you take payments and how you handle card data. Most UK SMEs sit in one of the four below.
| SAQ | Who it's for | Typical UK example |
|---|---|---|
| SAQ A | Ecommerce merchants that fully outsource card handling to a PCI-compliant provider. | Shopify store using Shopify Payments, Stripe Checkout or PayPal-hosted checkout. |
| SAQ A-EP | Ecommerce merchants using a payment iframe or JavaScript that runs on their own site. | Custom checkout using Stripe Elements or Adyen Drop-in. |
| SAQ B | Merchants using only standalone dial-up or IP terminals; no electronic storage of card data. | Traditional PDQ machine in a shop or restaurant, not integrated with EPOS. |
| SAQ B-IP | Merchants using only standalone IP-connected terminals. | Modern Wi-Fi countertop terminal from Worldpay, Barclaycard or Global Payments. |
| SAQ C-VT | Merchants using only a virtual terminal in a browser on a dedicated computer. | Phone-order MOTO business keying transactions into a browser-based virtual terminal. |
| SAQ D | Merchants that don't fit any other SAQ, including anyone that stores card data electronically. | Larger merchants and any business handling card numbers in spreadsheets or CRM systems. |
What UK acquirers actually charge for
The 'PCI fee' on your statement usually covers two things: the cost of administering the annual SAQ process (reminders, portal access, vulnerability scans where required), and the acquirer's own compliance overhead. It typically ranges from £3–£6 per month for a small business.
The non-compliance fee is separate, and is the one that hurts. If the annual SAQ isn't completed by its deadline, most UK acquirers apply a recurring monthly charge of £15–£35 until the questionnaire is submitted. On a small business processing £5,000 a month, this alone can add 40–70 basis points to the effective rate.
The four merchant levels and what they mean
Card schemes classify every merchant into one of four levels based on annual card transaction volume. The level determines what evidence you need to file, not the standard itself.
- ●Level 1 — 6m+ transactions per year (per scheme). Annual on-site audit by a Qualified Security Assessor (QSA), plus quarterly network scans.
- ●Level 2 — 1m–6m transactions per year. Annual SAQ signed by an officer of the business, plus quarterly scans.
- ●Level 3 — 20,000–1m ecommerce transactions per year. Annual SAQ plus quarterly scans.
- ●Level 4 — under 20,000 ecommerce or under 1m total per year. Annual SAQ; scanning may be required depending on SAQ type.
How to stop paying non-compliance fees
Complete the SAQ on time
Set a calendar reminder for 30 days before the annual deadline. Most acquirers give a 90-day grace period; use it.
Keep contact details current
SAQ reminders go to the email on file. If your admin email has changed since sign-up, update it before the next renewal cycle.
Use the right SAQ type
A merchant on Shopify Payments shouldn't be completing SAQ D. Ask your acquirer to switch you to the correct (usually shorter) SAQ.
Consider a P2PE solution
Point-to-point encrypted terminals dramatically reduce SAQ scope — typically down to SAQ P2PE, which is much shorter.
Escalate stale non-compliance charges
If you completed the SAQ and are still being billed, log a formal complaint quoting the submission date.
Frequently asked questions
Is PCI DSS a legal requirement in the UK?
+
Do I need PCI compliance if I only take payments through Stripe or PayPal?
+
What is a PCI ASV scan?
+
How much can non-compliance actually cost?
+
Can I use a PCI service provider?
+
Key takeaways
- ●Most UK small businesses complete a single annual SAQ — usually SAQ A or B-IP.
- ●PCI admin fees are small; the recurring non-compliance fee is what genuinely inflates costs.
- ●PCI DSS 4.0 fully replaced 3.2.1 in March 2025 — SAQ content has changed.
- ●The correct SAQ depends on how you take payments, not just your business size.
- ●P2PE terminals significantly reduce PCI scope and are worth considering at renewal.