PCI DSS for UK Retailers: Compliance Requirements and How to Achieve Them
In 2022, a major UK retail chain suffered a card data breach that exposed 120,000 customer payment records — the result of malware injected into their point-of-sale systems by attackers who had been inside their network for six months undetected. The breach triggered a PCI DSS investigation, led to significant fines from their acquiring bank, and cost the company over £4 million in remediation and reputational damage. Every retailer that accepts card payments — from a single-site independent to a national chain — has PCI DSS obligations. The standard exists to prevent exactly this scenario.
PCI DSS non-compliance fines from acquiring banks range from £4,500 to £70,000 per month — and retailers that suffer a card data breach while non-compliant face additional forensic investigation costs averaging £50,000.
Understanding PCI DSS Requirements for Retailers
The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 requires any organisation that stores, processes, or transmits cardholder data to implement 12 requirements grouped under 6 control objectives: build and maintain a secure network; protect cardholder data; maintain a vulnerability management programme; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. The compliance pathway depends on annual transaction volume and on how you process payments: merchants are classified from Level 1 (over 6 million transactions per year) down to Level 4 (fewer than 20,000 e-commerce transactions, or up to 1 million transactions through other channels, per year), and each level carries its own assessment requirements.
Self-Assessment Questionnaires: Choosing the Right SAQ for Your Retail Business
Most retailers complete PCI DSS compliance through Self-Assessment Questionnaires (SAQs) rather than a full Qualified Security Assessor audit. The relevant SAQ depends on how you process payments: SAQ A (card-not-present merchants using fully outsourced payment processing — the simplest pathway for online-only retailers who use a hosted payment page); SAQ B (merchants using standalone dial-out terminals only — common for small physical retailers); SAQ B-IP (standalone IP-connected terminals that do not store cardholder data); SAQ C-VT (web-based virtual terminals, no storage of cardholder data); SAQ C (payment application systems connected to the internet); SAQ D (all other merchants and service providers). Retailers using integrated EPOS systems or storing any cardholder data face the most complex compliance pathway. The simplest route to PCI DSS compliance for most retailers is to use a payment processor that fully handles card data — removing scope from your systems entirely.