The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that any business accepting, processing, storing, or transmitting credit or debit card information must comply with. It applies whether you handle cards online, over the phone, or in person.
PCI DSS was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect cardholder data from theft and fraud. Compliance is not optional – if you accept card payments, you must meet these standards, and your merchant services provider will require proof of compliance.
The standard covers 12 key requirements organised into six goals: maintaining secure networks, protecting cardholder data, managing vulnerabilities, implementing strong access controls, monitoring networks, and maintaining security policies. This includes practical measures like using firewalls, encrypting card data, never storing sensitive authentication data (like CVV codes), restricting access to cardholder information, and testing security systems regularly.
Non-compliance can result in significant consequences: fines from card brands (up to £70,000 per month in some cases), increased transaction fees, loss of ability to process card payments, and liability for fraud losses. If you suffer a data breach whilst non-compliant, you could face substantial financial penalties and reputational damage.
For UK SMEs, the compliance level depends on transaction volume. Most small businesses fall into Level 4 (fewer than 20,000 e-commerce transactions or 1 million total transactions annually) and can self-assess using a questionnaire, though you still need to implement all relevant security controls.
GoodChoice IT helps London and Surrey businesses achieve and maintain PCI DSS compliance through secure network design, encryption, access controls, regular security scanning, and documented policies. We guide you through the self-assessment process and ensure your systems meet all technical requirements.