Overview

This PCI Compliance Checklist for UK Merchants provides a comprehensive yet simplified guide to help businesses understand and implement the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Designed for both new and established merchants, it covers everything from determining your merchant level and selecting the appropriate Self-Assessment Questionnaire (SAQ), to securing cardholder data, maintaining system security, and ensuring compliance with UK-specific regulations such as GDPR and, where applicable, Financial Conduct Authority (FCA) rules. The checklist is structured into clear categories with actionable steps, making it an essential tool for businesses seeking to protect payment data, meet regulatory obligations, and avoid costly security breaches or fines.


1. Determine Merchant Level

  • Estimate your annual card transaction volume
  • If you are a new business, estimate how many card transactions you expect to process in a year.

  • Contact your acquiring bank or payment services provider
  • Discuss your estimated volume to confirm your PCI merchant level.

  • Classify your PCI level
    • Level 1: Over 6 million transactions/year or history of a data breach
    • Level 2: 1–6 million transactions/year
    • Level 3: 20,000–1 million e-commerce transactions/year
    • Level 4: Fewer than 20,000 e-commerce transactions AND fewer than 1 million total transactions/year

2. Choose the Correct SAQ (Self-Assessment Questionnaire)

  • Identify how you process card payments
  • Do you use physical terminals, virtual terminals, or an e-commerce website?

  • Select the correct SAQ type
    • SAQ A: Fully outsourced e-commerce/mail/phone
    • SAQ B: Standalone dial-out terminals
    • SAQ C: Systems with internet connectivity
    • SAQ D: All others (most complex)

  • Complete the SAQ
  • Answer all questions honestly. Keep evidence and documentation.


3. Secure Your Network

  • Install and maintain firewalls
  • Use firewalls to separate trusted and untrusted networks.

  • Change default passwords and settings
  • Replace default logins on all devices and software.

  • Secure wireless networks
  • Use WPA2 or better. Rename SSID and set a strong passphrase.


4. Protect Cardholder Data

  • Avoid storing sensitive card data
  • Don't store CVV, PIN, or full magnetic stripe data after payment.

  • Encrypt stored cardholder data
  • If storing card data is necessary, use strong encryption like AES.

  • Encrypt data in transit
  • Use TLS/SSL (e.g., HTTPS) when transmitting cardholder data.
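As an added illustration of the "avoid storing sensitive card data" step (not part of the original checklist): a small Python scrubber that finds Luhn-valid card numbers that have leaked into application logs, masks them to the first six and last four digits, and redacts any CVV field. The regular expressions, the `pan=`/`cvv=` field names and the sample log lines are constructed assumptions, not a format from the checklist.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens (assumed format).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Sensitive authentication data fields that must never be stored after authorisation (assumed names).
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|csc)=\d{3,4}")

def luhn_ok(digits):
    """True if the digit string passes the Luhn check; filters out most non-PAN numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep at most the first 6 and last 4 digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line):
    """Mask every Luhn-valid PAN and redact any CVV field; returns (cleaned_line, pans_found)."""
    found = 0
    def repl(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)               # order ids, trace numbers etc. stay as they are
        found += 1
        return mask_pan(digits)
    line = PAN_RE.sub(repl, line)
    line = CVV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return line, found

def scrub_log(lines):
    """Scrub a sequence of log lines; returns (cleaned_lines, total_pans_found)."""
    cleaned, total = [], 0
    for line in lines:
        new, n = scrub_line(line)
        cleaned.append(new)
        total += n
    return cleaned, total

# Constructed sample lines; 4111111111111111 and 5555555555554444 are well-known test PANs.
SAMPLE_LOG = [
    "2024-05-01 10:02:11 order=8834412 pan=4111111111111111 amount=42.50",
    "2024-05-01 10:02:12 pan=5555 5555 5555 4444 cvv=123 auth=OK",
    "2024-05-01 10:03:00 trace=1234567890123456 status=retry",
]
```

Running `scrub_log(SAMPLE_LOG)` masks the two real PANs, redacts the CVV and leaves the Luhn-invalid trace number untouched; a non-zero count is the signal that a log source is capturing cardholder data and needs fixing at the source, not just scrubbing.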


5. Control Access to Card Data

  • Limit access to those who need it
  • Only authorised personnel should access card data.

  • Assign unique IDs to each user
  • No shared logins — use named accounts for traceability.

  • Use two-factor authentication (2FA)
  • Required for remote or admin access to systems.


6. Maintain Security Systems

  • Use antivirus and anti-malware
  • Install and regularly update across all devices.

  • Apply security updates and patches
  • Keep systems, apps, and plugins updated as soon as patches are available.

  • Have an incident response plan
  • Write a plan for responding to data breaches. Test it regularly.


7. Monitor and Test Systems

  • Log system activity
  • Keep detailed logs of access to cardholder data.

  • Run vulnerability scans every quarter
  • Use an Approved Scanning Vendor (ASV).

  • Perform penetration tests annually
  • Simulate attacks to identify weaknesses.


8. Maintain a Security Policy

  • Create and maintain a written policy
  • Outline data security responsibilities. Review annually.

  • Train employees regularly
  • Teach staff about PCI DSS, data safety, and how to spot threats.

  • Ensure GDPR compliance
  • Handle customer data under UK GDPR rules, including lawful processing and breach reporting.


9. Use PCI-Compliant Vendors

  • Choose PCI-compliant service providers
  • Ensure hosting providers, payment gateways, and software vendors are compliant.

  • Get written confirmation
  • Keep documentation showing each provider’s compliance.


10. Submit Compliance Reports

  • Send your SAQ and Attestation of Compliance (AOC)
  • Submit annually to your acquiring bank.

  • Use a QSA if required
  • Level 1 merchants must use a Qualified Security Assessor to submit a Report on Compliance (ROC).


11. Additional UK Requirements

  • Comply with UK GDPR
  • Secure personal data and report any serious data breaches to the Information Commissioner's Office (ICO) within 72 hours.

  • Follow FCA rules if regulated
  • Financial services must comply with FCA expectations on operational resilience and third-party risk.
