What is PCI DSS Compliance?
PCI DSS compliance means that an organisation meets all applicable requirements of the Payment Card Industry Data Security Standard for protecting cardholder data. Achieving compliance involves assessing your environment, implementing required security controls, and validating compliance through the appropriate method for your merchant level.
Why Compliance Matters
Any business that accepts, processes, stores, or transmits card payment data is required to comply with PCI DSS. This is not optional -- it is a condition of your merchant agreement with your acquiring bank and the card brands. Non-compliance can result in fines, higher processing fees, and ultimately the loss of your ability to accept card payments.
Beyond avoiding penalties, compliance protects your customers. A data breach exposing card details can cause significant financial harm to cardholders and irreparable damage to your organisation's reputation. The cost of dealing with a breach -- forensic investigations, notification requirements, legal exposure, and lost business -- almost always exceeds the cost of achieving and maintaining compliance.
The Compliance Process
Achieving PCI DSS compliance typically follows three stages:
1. Scope Assessment
First, identify every system, process, and person that touches cardholder data. This includes payment terminals, servers, databases, network segments, call recordings, agent workstations, and any third-party services involved in the payment flow. Everything in scope must meet PCI DSS requirements.
Scope assessment is often the most underestimated phase. Many organisations discover that card data touches far more systems than they initially assumed -- particularly in telephone payment environments where call recordings, screen captures, and agent notes may all contain card details.
2. Implement Controls
Once you know your scope, implement the security controls required by PCI DSS. The standard contains 12 high-level requirements organised into six categories:
- Build and maintain a secure network: firewalls, secure configurations
- Protect cardholder data: encryption, secure storage policies
- Maintain a vulnerability management programme: anti-virus software, secure development practices
- Implement strong access controls: role-based access, unique user IDs, physical security
- Monitor and test networks: logging, penetration testing, regular reviews
- Maintain an information security policy: documented policies, staff training, incident response plans
3. Validate Compliance
How you validate depends on your merchant level:
- Level 1 merchants and service providers: annual on-site assessment by a QSA, plus quarterly vulnerability scans
- Levels 2-4: annual Self-Assessment Questionnaire (SAQ), plus quarterly vulnerability scans where required
Compliance is not a one-time achievement. It requires continuous monitoring, regular testing, and annual revalidation.
The Cost of Non-Compliance
The consequences of failing to comply with PCI DSS are significant and can come from multiple directions:
- Financial penalties: card brands can impose fines of 5,000 to 100,000 GBP per month on acquiring banks, which pass these costs to the non-compliant merchant
- Increased processing fees: acquirers may increase your transaction fees or add non-compliance surcharges
- Breach liability: if a breach occurs while you are non-compliant, you may be liable for all fraud losses, card replacement costs, and forensic investigation fees
- Loss of card acceptance: in severe cases, the card brands can revoke your ability to accept their cards entirely
- Reputational damage: news of a data breach can permanently erode customer trust
Simplifying Compliance Through Descoping
The most effective way to reduce the cost and complexity of PCI DSS compliance is to reduce your scope. The fewer systems that touch card data, the fewer systems need to meet PCI DSS requirements.
Common descoping strategies include:
- Tokenisation: Replacing card numbers with tokens that have no exploitable value
- Point-to-point encryption (P2PE): Encrypting card data at the point of capture so it is never available in the clear within your environment
- DTMF masking: Preventing card data from entering the telephone environment by masking keypad tones and routing data directly to the payment processor
- Hosted payment pages: Using a third-party hosted checkout so card data never passes through your web servers
Each of these approaches removes systems from PCI DSS scope, potentially allowing you to complete a simpler SAQ type and avoiding the need for expensive security controls on systems that no longer handle card data.
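Two of the points above lend themselves to a small worked example: the scope-assessment warning that agent notes and CRM records often contain card numbers nobody planned for, and tokenisation as a descoping control. The Python below is an added illustration, not code from Paytia or any PCI DSS tool. It scans constructed sample notes for Luhn-valid card numbers (publicly known test PANs, not real cards), reports them masked to the last four digits, and then swaps each one for a random token from a toy vault so that the notes themselves no longer carry cardholder data. The vault class, its letter-only token format and the sample notes are all assumptions made for the example; in a real deployment the vault would sit with the payment provider, outside the merchant's environment.

```python
import re
import secrets
import string

# Constructed sample agent notes, as might be exported from a CRM. The card
# numbers are publicly known test PANs; the 16-digit order number fails Luhn.
SAMPLE_NOTES = [
    "Customer called re invoice 4471, paid by card 4111 1111 1111 1111 exp 09/27",
    "Refund processed, ref 5500000000000004",
    "Left voicemail, callback tomorrow. Order number 1234567812345678",
    "No card details taken - customer transferred to IVR",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, ending on a digit
# and not embedded inside a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by card brands; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs (digits only) found in free text."""
    return [
        _digits_only(m.group(0))
        for m in CANDIDATE_RE.finditer(text)
        if luhn_valid(_digits_only(m.group(0)))
    ]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_notes(notes: list[str]) -> dict[int, list[str]]:
    """Scope-assessment report: note index -> masked PANs found in that note."""
    report = {}
    for idx, note in enumerate(notes):
        pans = find_pans(note)
        if pans:
            report[idx] = [mask_pan(p) for p in pans]
    return report


class TokenVault:
    """Toy tokenisation vault (assumption for this example). The token carries no
    card data; the only way back to the PAN is this mapping, which in practice is
    held by the payment provider, outside the merchant's PCI DSS scope."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        # Letters only, so a token can never look like a PAN to a scanner.
        suffix = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        token = "tok_" + suffix
        self._store[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._store[token]


def redact_text(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in text with a vault token; other digit runs stay."""
    def _swap(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        return vault.tokenise(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_RE.sub(_swap, text)


if __name__ == "__main__":
    print(scan_notes(SAMPLE_NOTES))
    vault = TokenVault()
    for note in SAMPLE_NOTES:
        print(redact_text(note, vault))
```

Running the script lists which notes hold card numbers (masked, so the report itself does not become another copy of the data) and prints the tokenised notes. The Luhn filter is what keeps the scan useful: the 16-digit order number is reported nowhere and left untouched, while both test PANs are found and replaced. After redaction a second scan finds nothing, which is the property a descoping control needs to deliver.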
PCI DSS Compliance for Telephone Payments
Contact centres and businesses that take payments over the phone face some of the most complex PCI DSS challenges. In a typical telephone payment scenario, card data can exist in:
- The voice conversation between customer and agent
- Call recordings that capture spoken card details or DTMF tones
- Agent screens and virtual terminal interfaces
- CRM systems where agents may note card details
- Network segments carrying the voice traffic
Every one of these touchpoints brings the associated infrastructure into PCI DSS scope. The most practical approach is to prevent card data from entering the agent environment altogether, using DTMF masking or IVR payment systems that keep sensitive data entirely outside the contact centre.
PCI DSS v4.0 -- What Has Changed
The latest version of the standard -- PCI DSS v4.0 -- was released in 2022 and became mandatory in 2025. Key changes include a greater emphasis on continuous security processes rather than point-in-time assessments, more flexibility in how organisations can meet requirements through customised approaches, and stronger requirements for multi-factor authentication, password policies, and encryption. Organisations should review their compliance programmes against the updated standard and ensure all controls meet the new requirements.
PCI DSS compliance is at the heart of everything Paytia does. As a PCI DSS Level 1 certified service provider, Paytia has met the highest standard of compliance validation in the payment card industry through annual on-site assessments by a Qualified Security Assessor. You can verify Paytia's compliance status on our PCI DSS compliance page.
More importantly, Paytia helps its clients simplify their own PCI DSS compliance. By routing telephone payments through Paytia's secure platform and using DTMF suppression to prevent card data from entering the contact centre, businesses can descope their entire telephony environment from PCI DSS. This typically means completing a simpler SAQ type, reducing the number of security controls they need to implement, and significantly lowering the cost and effort of annual compliance validation.
Frequently Asked Questions
Who needs to be PCI DSS compliant?
Any organisation that accepts, processes, stores, or transmits payment card data must be PCI DSS compliant. This includes retailers, e-commerce businesses, call centres, subscription services, charities that take donations by card, and any other business that handles card payments in any form.
How much does PCI DSS compliance cost?
Costs vary enormously depending on your merchant level, scope, and current security posture. A small business completing a simple SAQ might spend a few hundred pounds. A Level 1 merchant requiring a full QSA assessment could spend tens of thousands. The most effective way to reduce costs is to reduce your PCI scope by using technologies that prevent card data from entering your environment.
How often do I need to validate PCI DSS compliance?
PCI DSS compliance must be validated annually through the appropriate method for your merchant level -- either a QSA assessment or a Self-Assessment Questionnaire. Additionally, quarterly vulnerability scans are required for most SAQ types. Compliance is an ongoing obligation, not a one-time certification.
See how Paytia handles PCI DSS compliance
Book a personalised demo and we'll show you how our platform works with your setup.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia