What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements established by Visa, Mastercard, American Express, Discover, and JCB to protect cardholder data throughout the payment ecosystem.
Unlike voluntary ISO standards, PCI DSS is a contractual mandate. If you process card payments through a UK merchant bank, you must demonstrate compliance.
PCI DSS v4.0 represents the most significant update in over a decade, with mandatory compliance required by March 2025.
The 12 PCI DSS Requirements
Install & Maintain Network Security Controls
Firewalls and network segmentation to protect the cardholder data environment.
Apply Secure Configurations
Remove vendor defaults and apply security hardening standards to all systems.
Protect Stored Account Data
Encryption, masking, and secure key management for stored cardholder data.
Protect Data in Transit
Strong cryptography for cardholder data transmitted over open networks.
Protect Against Malware
Anti-malware solutions and security awareness to protect systems and people.
Develop Secure Systems
Secure software development practices and vulnerability management.
Restrict Access by Business Need
Least privilege access controls based on job role and business requirements.
Identify & Authenticate Users
Strong authentication including MFA for access to the cardholder environment.
Restrict Physical Access
Physical security controls for systems and media containing cardholder data.
Log & Monitor Access
Comprehensive logging, monitoring, and alerting for security events.
Test Security Regularly
Vulnerability scans, penetration testing, and security assessments.
Support Security with Policies
Information security policy and organisational accountability.
PCI DSS Compliance Levels
6M+ transactions/year
Annual on-site QSA assessment, quarterly ASV scans, attestation of compliance
1M-6M transactions/year
Annual SAQ, quarterly ASV scans, may require on-site assessment
20K-1M e-commerce transactions
Annual SAQ, quarterly ASV scans
<20K e-commerce or <1M total
Annual SAQ, quarterly ASV scans recommended
Why PCI DSS Matters for UK Businesses
✓ Avoid Costly Penalties
Non-compliance can result in fines from £5,000 to £100,000+ per month from acquiring banks, plus liability for fraudulent transactions.
✓ Protect Your Customers
Implementing PCI DSS controls reduces the risk of data breaches that damage customer trust and result in regulatory action.
✓ GDPR Alignment
Card data is personal data under UK GDPR. PCI DSS compliance supports your data protection obligations and ICO accountability.
✓ Supply Chain Requirements
Large UK retailers and public sector bodies require proof of PCI compliance from vendors handling payment data.
✓ Maintain Merchant Account
Your acquiring bank can terminate your merchant account for persistent non-compliance, ending your ability to take card payments.
✓ Demonstrate Security
PCI DSS compliance demonstrates commitment to security, building trust with customers and business partners.
Who Needs PCI DSS Compliance?
Retailers
Online and physical stores accepting card payments
Hospitality
Hotels, restaurants, and leisure businesses
SaaS & Tech
Software platforms processing payments
Healthcare
Private clinics and healthcare providers
Call Centres
Telephone payment operations
Service Providers
Payment processors, gateways, hosting
Our PCI DSS Compliance Process
Scope Assessment
Define your cardholder data environment (CDE), map data flows, and identify systems in scope for PCI DSS compliance.
Gap Analysis
Assess current security controls against PCI DSS v4.0 requirements to identify gaps and remediation priorities.
Remediation
Implement technical controls, policies, and procedures to address identified gaps and achieve compliance.
Assessment & Attestation
Complete SAQ or support QSA assessment, ASV scanning, and submit attestation of compliance to your acquirer.
Frequently Asked Questions
What's changing with PCI DSS v4.0?
PCI DSS v4.0 introduces more flexibility with customised approaches, enhanced authentication requirements including MFA, and new requirements for targeted risk analysis. Full compliance is mandatory by March 2025.
Do I need PCI DSS if I use a payment gateway?
Yes, but your scope is significantly reduced. Using tokenisation and hosted payment pages means you may qualify for a simplified SAQ, but you still have compliance obligations.
What is a QSA and do I need one?
A Qualified Security Assessor (QSA) is certified by PCI SSC to perform on-site assessments. Level 1 merchants and service providers typically require QSA assessment; others may self-assess using SAQs.
How long does PCI compliance take?
This varies based on your current security posture and scope. Small businesses with limited scope may achieve compliance in weeks; larger organisations with complex environments may need several months.
How Much Does PCI DSS Cost?
The cost of PCI DSS certification varies based on several factors. Some consultants and certifiers adopt charging models based on the project's complexity, company size, and sometimes even the company's turnover.
At Certigence, our pricing is straightforward, calculated by multiplying an agreed day rate by the number of days work. This is based on the work to be done, mitigated by any the company has done already or will be doing internally. This ensures clarity and transparency, giving you a clear understanding of the commitment before the project commences.
We provide a free telephone or Zoom consultation with one of our consultants to find out enough about your organisation to be able to make a formal proposal without charge or obligation. This allows you to research costs for free before making any commitments!
How Can Certigence Consultants Help?
Certigence's extensive consultant network spans the entire UK and has been operating ISO systems expertise combined with industry know-how for over 25 years. This dual proficiency enables them to comprehend your unique needs and translate them into certifier-accepted procedures that genuinely suit your organisation's operations.
Our services encompass full or partial ISO system development and implementation, including GAP analysis and customised internal training to support system functionality. We craft organisation-specific reports tailored to your activities.
Beyond initial implementation, we conduct internal audits, facilitate management review meetings, and offer ongoing maintenance for short, medium, or long terms. Our presence during certification stages, if desired, ensures assessors avoid unnecessary complexity. Furthermore, we offer pre- and post-certification review services to address certifier-raised concerns, reinforcing your ISO system's effectiveness.
Process Overview
Initiation and Assessment Discussion
We engage in a free, no-obligation discussion to understand your existing systems and operations, allowing us to generate a formal proposal.
Work Commencement and Collaborative Development
Upon acceptance, collaborative work commences to create and install systems, involving you and your team to ensure alignment with your needs, your understanding and acceptance of the results and compliance with ISO standards.
Initial Assessment (Stage 1): Ensuring Systems Meet Standard
The certifier reviews that systems cover all relevant parameters correctly. You may choose to have our consultant present during the initial assessment to assist with any questions the certifier may have.
Final Evaluation (Stage 2): Achieving Certification
The consultant ensures internal audit, management review, and training aspects are covered. The certifier conducts the conclusive Stage 2 assessment, verifying operational systems' alignment with Standard requirements. Upon successful completion, you attain Certification.
Why Should You Use a Certigence Consultant?
At Certigence, we match your requirements with suitable consultants based on their industry expertise, proximity, and compatibility. In the event of a consultant's unavailability, a substitute can step in promptly, avoiding project disruptions and re-hiring expenses. Our consultants have often previously worked with certifiers, learning that side of the procedure – facilitating a seamless Certification process.
This commitment reflects in our track record – a 100% first-time certification success rate spanning over 25 years.
Ready to Speak? What Happens Next?
After contacting Certigence, you'll receive an email or a call from the Director or a consultant. Discussions about needs, timelines, reasons, and costs occur. A consultant will directly engage with you to understand your requirements and system alignment. A formal proposal is then presented for your consideration. Charges apply only from that point if you proceed with the proposal.
Achieve PCI DSS Compliance
Partner with our PCI DSS specialists to protect cardholder data, meet compliance requirements, and build customer trust.