
What is PCI DSS Compliance and is it a Requirement for your Website?

Date: 19th June 2025
Reading Time: 7 minutes
Author: GWS Team

What is PCI DSS?

PCI DSS stands for the Payment Card Industry Data Security Standard. It is a set of standards and guidelines put together by the Payment Card Industry Security Standards Council (PCI SSC) in order to protect sensitive customer data.

It sets out practices for businesses that process or require payment card information (or other sensitive personal information) to follow.

This industry standard was created to enable all businesses to follow a consistent set of rules to ensure the safety and security of user information, to help protect against ‘hacks’ and data breaches, and to minimise credit card fraud.

The 12 Requirements of PCI DSS Compliance

Below are the 12 requirements, grouped under the 6 core goals set out by the Payment Card Industry Security Standards Council. These requirements apply to all businesses that collect, process or store payment card information, and may also be mandatory for companies that keep personal information on their websites or in their IT systems, depending on factors such as the terms of your insurance cover, the membership bodies or associations you belong to and their requirements, and the accreditations (such as ISO certifications) you hold.

Goals and Requirements

Build and maintain a secure network and systems
1. Install and maintain network security controls.
2. Apply secure configurations to all system components.

Protect account data
3. Protect stored account data.
4. Protect cardholder data with strong cryptography during transmission over open, public networks.

Maintain a vulnerability management program
5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software.

Implement strong access control measures
7. Restrict access to system components and cardholder data by business need to know.
8. Identify users and authenticate access to system components.
9. Restrict physical access to cardholder data.

Regularly monitor and test networks
10. Log and monitor all access to system components and cardholder data.
11. Test security of systems and networks regularly.

Maintain an information security policy
12. Support information security with organisational policies and programs.

Information taken from the PCI DSS: v4.0.1 document available from the PCI SSC.

How do these requirements affect your website?

Before April 2024, businesses had to adhere to the standards set out in PCI DSS v3.2.1 to ensure they were compliant. On 31st March 2024 that version was retired and PCI DSS v4.0 (already released more than a year earlier) became the only valid standard.

Merchants taking payments online (typically via their website) since April 2024 have to submit a Self-Assessment Questionnaire A (SAQ A) to confirm they are PCI DSS v4.0 compliant, even when they are taking money externally through a payment gateway like PayPal, WorldPay, Stripe etc.

More detailed questionnaires are necessary if payments are being taken directly by code that lives on the website, or card data is being stored in the website, as that is considered to place the data at higher risk.

Part of the standard involves having external vulnerability scans run against the website every quarter – those can pick up a variety of issues that need resolving in order to be compliant. It can take some time and work with your hosting and website provider to pass those checks, but it is worth doing to remain compliant – the costs of non-compliance can include loss of protection from chargebacks or fraud, as well as potentially paying higher rates to take online card payments.

The change in the standard now means that PCI DSS applies to many more businesses, in some cases including simple brochure websites. In the past, aspects of compliance such as penetration testing were only necessary if your site had to meet a higher security bar, e.g. if you were storing credit card numbers or sensitive cardholder information on your website.

The requirements may now effectively apply to simple websites that store personal and sensitive data, or that only take occasional small payments in an external window on a payment service provider’s website. It is worth checking whether the v4 standard applies to your own site, and what steps you would need to take to ensure you are compliant, so you won’t be caught out.

Although the work involved could seem like an unnecessary task if your business only deals with occasional small payments, the risks of not being compliant may outweigh it.

PCI DSS v4.0.1 was released in June 2024; rather than making major changes from v4.0, it clarified some points and made minor changes. v4.0 was retired on 31st December 2024. At the time of writing, v4.0.1 is the version to follow to ensure compliance.

The deadline for compliance with the new requirements was 31st March 2025. If you are a business taking card payments and processing or storing card data, please speak to your website developers or web agency to ensure that the guidelines have been followed and that you are compliant with the current standard. Your admin team or finance director should also ensure the self-assessment has been submitted.

The risks of non-compliance

Whilst at this time compliance is not being actively policed, the risks of non-compliance include a variety of penalties if something bad does happen. This might be a hack or a data breach of your website, which may lead to card or personal data used or stored on your website being leaked onto the dark web and used for fraudulent purposes.

Here are some of the potential penalties or negative consequences.

Brand reputation

First and foremost, the reputation of your brand can be affected. The aims set out in the guidelines include a number of items that will help to keep your systems secure; by not adhering to these, the risk of hackers getting into your website and of data breaches occurring will increase.

Customers will not respond favourably to finding out their credit card details have been used fraudulently in unauthorised transactions due to failings by a business whose website they have put their trust in or made a purchase from.

This will lead to customers no longer feeling confident submitting their details and making purchases on your website, resulting in a loss of business. It is also likely that this could have a knock-on effect to other customers and potential customers through word-of-mouth and poor online reviews.

Financial penalties

Financial penalties are also likely. Once a fraudulent transaction is made on a customer’s credit card, they will likely spot the transaction and request a chargeback from the bank as it wasn’t their purchase.

If this happens a number of times, the charges faced by the bank for refunding a large number of customers will grow. If the bank finds that your website was compromised because it did not comply with the PCI DSS guidelines, and that this resulted in the fraudulent purchases, your business may be liable for the chargebacks incurred.

Higher percentage prices and fees on transactions

A data breach due to non-compliance could also lead to increased transaction charges from your payment gateway.

You will likely be using a payment gateway such as Stripe, PayPal, Braintree, WorldPay or SagePay / Opayo, and depending on their terms you will be paying a fixed transaction fee along with a percentage of the sale value. For example, Stripe typically charges 1.5% of the sale cost, plus 20p per purchase for UK standard cards.

If you are non-compliant with PCI DSS and experience a data leak, your payment gateway may charge you more to continue using their services, or even discontinue their online payment service for your website. A rise in business costs can have a huge impact on your margins and profitability, and hence on the health of the business itself.

Conclusion

Regardless of the size of your business, if you handle any kind of customer payment card information (or sensitive customer information) as an online merchant, then PCI DSS is likely to apply to you.

It can seem like there is a lot of red tape you have to get through to achieve compliance for your business, but this set of standards is there to protect both customers and businesses in the long term and make it harder for fraudsters and criminals to use your website for criminal ends.

We hope this has given you a clearer idea of what is necessary for PCI DSS compliance.

If you would like assistance in improving the security of your site and working towards compliance, we would be happy to help.
