Guide 1 of 10

What is PCI DSS?

PCI DSS is the security standard that protects card payment data worldwide. This guide explains the basics, who it applies to, and why every business that handles card payments needs to comply.

Understanding PCI DSS

If your business accepts card payments — whether online, in person, or over the phone — there's a security standard you need to know about. It's called PCI DSS, which stands for the Payment Card Industry Data Security Standard. In simple terms, it's a set of rules designed to make sure that every organisation handling card payment data keeps that data safe.

PCI DSS isn't new. It's been around since 2004, when the five major card brands — Visa, Mastercard, American Express, Discover, and JCB — came together to create a single, unified security standard. Before that, each card brand had its own rules, which made compliance a nightmare for businesses. The PCI Security Standards Council (PCI SSC) was formed to manage and update the standard, and the current version is PCI DSS v4.0.1, released in 2024.

But here's the thing many business owners don't realise: PCI DSS applies to you regardless of your size. Whether you're a multinational retailer processing millions of transactions or a small charity taking donations over the phone, if card data touches your business, you're in scope.

Who Does PCI DSS Apply To?

The short answer is: every organisation that stores, processes, or transmits cardholder data. That's a broader group than most people think.

It includes obvious examples like online shops and high-street retailers. But it also covers:

  • Contact centres that take payments over the phone
  • Charities and non-profits accepting card donations
  • Subscription businesses that store card details for recurring billing
  • Hotels, venues, and booking services that take advance payments
  • Professional services firms — solicitors, accountants, consultants — that invoice by card
  • Government agencies and councils collecting payments from residents

If a customer's card number passes through your systems at any point — even briefly — PCI DSS applies to you. The standard doesn't care whether you store the data or just pass it along. The act of handling it, even momentarily, brings you into scope.

It's also worth noting that PCI DSS applies to your service providers too. If you use a third-party payment processor, a hosted payment page, or a telephone payment solution like Paytia, those providers must also be PCI DSS compliant. However, using a compliant provider doesn't remove your own obligations — you still need to demonstrate that your part of the process meets the standard.

Why PCI DSS Matters

You might be wondering: if PCI DSS isn't a law, why should I care? The answer comes down to three things: financial risk, business risk, and trust.

Financial risk is the most immediate concern. If your business suffers a data breach and you're found to be non-compliant, the card brands can impose fines through your acquiring bank. These fines can reach up to £100,000 per month. On top of that, you could be liable for the costs of the breach itself — forensic investigations, customer notifications, credit monitoring services, and the fraudulent transactions that result from stolen card data. For a small or mid-sized business, a single breach can be devastating.

Business risk goes beyond fines. Non-compliant businesses may face increased processing fees, more stringent monitoring requirements, or — in the worst case — termination of their merchant account. Losing the ability to accept card payments would cripple most modern businesses.

Trust is perhaps the most valuable thing at stake. Customers expect their card data to be handled securely. A breach erodes that trust in ways that are hard to measure but very real. In a world where data breaches regularly make headlines, demonstrating PCI compliance is a genuine competitive advantage.

The Six Goals and Twelve Requirements

PCI DSS is structured around six broad goals, each supported by specific requirements. There are 12 requirements in total, and we cover each one in detail in Guide 2: The 12 PCI DSS Requirements Explained. Here's a high-level overview:

  • Goal 1: Build and maintain a secure network — Install firewalls and don't use vendor-supplied default passwords
  • Goal 2: Protect cardholder data — Encrypt stored data and protect it during transmission
  • Goal 3: Maintain a vulnerability management programme — Use antivirus software and develop secure systems
  • Goal 4: Implement strong access control — Restrict access on a need-to-know basis, assign unique IDs, and control physical access
  • Goal 5: Regularly monitor and test networks — Track access to data and regularly test security systems
  • Goal 6: Maintain an information security policy — Have a formal policy that addresses security for all personnel

These goals are practical and logical. They represent good security practice that any business should follow, regardless of regulatory requirements. The 12 requirements simply provide the specific controls needed to achieve each goal.

How Compliance Is Validated

How you prove compliance depends on two factors: how many card transactions you process (your compliance level) and how you accept payments (which determines your Self-Assessment Questionnaire type).

Most small and mid-sized businesses fall into Level 3 or Level 4, which means they validate compliance by completing a Self-Assessment Questionnaire (SAQ) rather than undergoing a formal audit. We explain the four compliance levels in Guide 3 and the different SAQ types in Guide 4.

The key insight here is that the way you accept payments directly affects how much work compliance requires. A business that fully outsources its card processing — using hosted payment pages for online transactions and a DTMF masking solution like Paytia for telephone payments — can qualify for SAQ A, which has just 22 questions. A business that stores or processes card data on its own systems may need SAQ D, which has 326 questions and covers every one of the 12 requirements in detail.

This is why descoping — the practice of removing card data from your systems wherever possible — is such a powerful strategy. We cover this in depth in Guide 5: Descoping Your PCI Environment.

Common Misconceptions

There are several myths about PCI DSS that persist, and they can lead businesses into trouble:

"We're too small to worry about PCI DSS." Size doesn't matter. The standard applies to every business that handles card data, from sole traders to multinationals. Smaller businesses are actually more frequently targeted by attackers because they tend to have weaker security.

"Our payment processor handles compliance for us." Using a PCI-compliant payment processor helps enormously — it can reduce your scope significantly — but it doesn't eliminate your obligations. You still need to complete the appropriate SAQ and maintain your own security controls.

"We don't store card data, so we're not in scope." PCI DSS covers storing, processing, and transmitting card data. If a customer reads their card number to your agent over the phone, that's transmission. If the number appears on your screen, even momentarily, that's processing. You're in scope.

"PCI DSS is just an annual checkbox." Compliance is meant to be a continuous state, not a once-a-year exercise. PCI DSS v4.0.1 places even greater emphasis on this, requiring organisations to demonstrate that their security controls operate effectively throughout the year.

Key Takeaways

  • PCI DSS is the global security standard for organisations that handle card payment data, managed by the PCI Security Standards Council
  • It applies to every business that stores, processes, or transmits cardholder data — regardless of size or industry
  • Non-compliance carries serious consequences including fines of up to £100,000/month, liability for breach costs, and potential loss of your merchant account
  • The standard has 6 goals and 12 requirements covering everything from network security to information security policies
  • How you validate compliance depends on your transaction volume (compliance level) and how you accept payments (SAQ type)
  • Descoping your environment — removing card data from your systems — is the most effective way to simplify compliance
  • The current version is PCI DSS v4.0.1, which emphasises continuous security over point-in-time compliance

Frequently Asked Questions

Who does PCI DSS apply to?

PCI DSS applies to every organisation that stores, processes, or transmits cardholder data — regardless of size. This includes retailers, charities, contact centres, and online businesses.

Is PCI DSS a legal requirement?

PCI DSS is not a law, but it is a contractual requirement from the card brands (Visa, Mastercard, etc.). Non-compliance can result in fines, increased transaction fees, or losing the ability to accept card payments.

What happens if my business is not PCI compliant?

Non-compliant businesses face fines of up to £100,000 per month, increased processing fees, potential liability for data breach costs, and in severe cases, termination of their merchant account.
