Every UK online shop that takes card payments falls under the Payment Card Industry Data Security Standard (PCI DSS). It is a contractual requirement imposed by the card networks (Visa, Mastercard, Amex), not a UK law — but failure to comply exposes merchants to fines of £5k–£100k, loss of the ability to process cards at all, and increased liability after a breach. This guide walks UK merchants through the practical PCI DSS reality in 2026: which Self-Assessment Questionnaire (SAQ) applies to you, what your hosting must provide, the PCI DSS 4.0 changes that took full effect in 2025, and how to demonstrate compliance without over-engineering.
PCI DSS is a security standard maintained by the PCI Security Standards Council. The card networks require every merchant to meet it as a condition of processing their cards. In practice:
The standard applies to any “cardholder data” — card number, cardholder name, expiration date, service code, sensitive authentication data. Even storing a card number in a spreadsheet “just for refunds” triggers full PCI DSS scope. The modern approach is to never touch cardholder data at all — use hosted payment forms from Stripe/PayPal that keep it out of scope.
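The scope point above (a card number sitting in a spreadsheet "for refunds" pulls the whole environment into PCI DSS) is exactly what a cardholder-data discovery check is for. The following is an added example, not code from the original article or from SmartXHosting: it scans an exported text file for digit strings that look like a primary account number, keeps only those that pass the Luhn check that every real PAN passes, and reports them masked. The sample export and its customer names are constructed; the card numbers are the published test PANs, not real cards. A clean run over your exports, logs and backups is the evidence that you are genuinely in the "never touch cardholder data" position the paragraph recommends.

```python
import re

# Constructed sample: lines as they might appear in a "refunds" spreadsheet
# export or an application log. Card numbers are the well-known published
# test PANs or made-up digit strings; none belongs to a real card.
SAMPLE_EXPORT = """\
order_id,customer,card,note
1001,A. Smith,4111 1111 1111 1111,refund 12.50
1002,B. Jones,tok_1N4example,stripe token only
1003,C. Brown,5555-5555-5555-4444,chargeback
1004,D. Green,1234567890123456,invoice reference (not a card)
1005,E. White,378282246310005,amex refund
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test that every card PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Rough issuer lookup from the leading digits (IIN ranges)."""
    if digits[0] == "4":
        return "Visa"
    if digits[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "Mastercard"
    return "Unknown"


def find_pans(text: str) -> list[dict]:
    """One record per Luhn-valid PAN found, with the number masked to last four."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                continue        # digit strings that fail Luhn are not card numbers
            hits.append({
                "line": lineno,
                "brand": brand_of(digits),
                # never copy the full PAN into a report: last four digits only
                "masked": "*" * (len(digits) - 4) + digits[-4:],
            })
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EXPORT):
        print(f"line {hit['line']}: {hit['brand']} {hit['masked']}")
```

The invoice reference on line 5 has sixteen digits but fails Luhn and is correctly ignored, while the Stripe token on line 3 never matches at all, which is the point of tokenising: nothing on the merchant's side is cardholder data.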
PCI DSS 4.0 was published in 2022 with a phased transition. As of 31 March 2025, v3.2.1 is retired and v4.0 is the sole active version. For UK merchants, the practical changes:
For most SAQ-A merchants, v4.0 has modest practical impact. For SAQ-A-EP and higher tiers, script management (6.4.3) is the big operational change.
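Requirement 6.4.3 asks a merchant whose own page loads the payment scripts to keep a written inventory of every script on that page, confirm each one is authorised, and have a method for assuring its integrity. The following is an added example, not code from the original article or from SmartXHosting, showing what the check behind that inventory looks like in practice: it parses a checkout page, lists each script by origin, and flags scripts that are absent from the inventory or that load from a third party without a Subresource Integrity hash. The checkout HTML, the shop host and the analytics domain are constructed for the example; the Stripe loader URL is the one referred to by Stripe Checkout, mentioned elsewhere on this page.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page for the demonstration (not a real site). The
# analytics host is invented.
CHECKOUT_HTML = """
<html><head>
<script src="/assets/checkout.js" integrity="sha384-EXAMPLEHASH" crossorigin="anonymous"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>checkout form</body></html>
"""

# The written inventory 6.4.3 asks for: origin -> business justification.
# "first-party" covers scripts served from the shop's own host.
AUTHORISED = {
    "first-party": "shop checkout code, reviewed in the release process",
    "js.stripe.com": "Stripe hosted payment elements (payment provider)",
}


@dataclass
class ScriptRecord:
    source: str       # src attribute, or "<inline>" for an inline block
    origin: str       # host the script loads from; "first-party" for the shop itself
    authorised: bool  # origin appears in the written inventory
    has_sri: bool     # carries a Subresource Integrity hash


class _ScriptCollector(HTMLParser):
    """Collects (src, has-integrity) for every <script> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.found.append((a.get("src"), bool(a.get("integrity"))))


def inventory_scripts(html: str, authorised: dict, shop_host: str) -> list[ScriptRecord]:
    """Build the per-script inventory from the page HTML."""
    collector = _ScriptCollector()
    collector.feed(html)
    records = []
    for src, has_sri in collector.found:
        host = urlparse(src).netloc.lower() if src else ""
        origin = "first-party" if host in ("", shop_host) else host
        records.append(ScriptRecord(src or "<inline>", origin, origin in authorised, has_sri))
    return records


def audit_scripts(records: list[ScriptRecord]) -> list[str]:
    """Findings a merchant must resolve or document before signing the SAQ."""
    findings = []
    for r in records:
        if not r.authorised:
            findings.append(f"UNAUTHORISED: {r.source} loads from {r.origin}, not in inventory")
        elif r.origin != "first-party" and not r.has_sri:
            findings.append(f"NO SRI: {r.source}; document the other integrity method relied on")
    return findings


if __name__ == "__main__":
    recs = inventory_scripts(CHECKOUT_HTML, AUTHORISED, "shop.example.co.uk")
    for r in recs:
        print(r)
    for finding in audit_scripts(recs):
        print(finding)
```

Run against the sample page, the unapproved analytics tag is reported as unauthorised and the payment-provider script is reported as lacking an SRI hash. The second finding is not automatically a failure: where a provider's script changes too often for a pinned hash, the requirement is that the merchant documents which other integrity mechanism it relies on instead.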
| Level | Annual card transactions | Typical UK merchant | Assessment |
|---|---|---|---|
| 1 | 6M+ Visa or Mastercard | Major retailers (John Lewis, ASOS) | External QSA audit annually |
| 2 | 1M–6M | Large UK chains | SAQ or external audit |
| 3 | 20k–1M | Mid-sized ecommerce (£1m–£50m revenue typical) | SAQ |
| 4 | Under 20k | Most UK SME online shops | SAQ |
Level is determined per card brand. A merchant processing 500k Visa and 100k Mastercard is Level 3 overall. Most UK SME merchants are Level 4 and complete the appropriate SAQ annually.
There are nine SAQ variants. The four that matter for UK ecommerce:
UK rule of thumb:
Your hosting provider is a critical part of PCI DSS scope. They must provide:
SmartXHosting provides all of this by default on WooCommerce, Magento and PrestaShop plans: TLS 1.3, Imunify360, 90-day access logs (extensible), encrypted NVMe, a monthly patching cycle, and a documented responsibility matrix on request.
SAQ-A is where most UK SME shops live. Criteria:
SAQ-A involves around 20 yes/no questions covering: awareness of PCI DSS, service provider compliance, policy on cardholder data handling, incident response. Completion time: 2–4 hours once a year.
For a UK shop on WooCommerce/Magento/PrestaShop using Stripe Checkout or PayPal Standard redirect, SAQ-A is the path. Keep the annual SAQ on file and submit it to your acquirer on request.
PCI DSS 4.0 specifies technical minima that UK merchants must verify their hosting meets:
Verify TLS configuration at SSL Labs (ssllabs.com/ssltest). Target A or A+. SmartXHosting default configuration grades A+.
For SAQ-A-EP and higher, PCI DSS requires quarterly external vulnerability scanning by an Approved Scanning Vendor (ASV). Common ASV scanners: Qualys, Tenable, Nessus Professional, Trustwave, SecurityMetrics.
For SAQ-A, quarterly ASV scanning is not formally required but recommended as good practice.
Penetration testing: required annually and after significant changes. Either commission an external pentest (typical UK cost: £3k–£15k) or rely on your hosting provider’s program if it covers your environment.
PCI DSS and UK GDPR overlap heavily in hosting requirements. Both expect:
When selecting an ecommerce host, one set of due diligence questions covers both frameworks:
SmartXHosting provides documentation on all seven questions on request. For UK ecommerce merchants, this bundle of requirements is exactly what small shops need without having to commission bespoke audits.
Cardholder data is personal data. A PCI DSS breach is almost always also a UK GDPR breach. UK GDPR Article 33 requires ICO notification within 72 hours. PCI DSS requires notification to the card networks and acquirer. Both require customer notification if the breach poses a high risk to those customers.
Practical consequences:
For UK SME shops, running both frameworks in parallel is manageable because they align on most controls. Our GDPR compliance checklist covers the UK GDPR side in detail.
PCI-ready UK ecommerce hosting
TLS 1.3, Imunify360 WAF, encrypted NVMe storage, extended access logs and documented security controls — SmartXHosting Shop plans meet the hosting baseline PCI DSS expects.

Q: Do I have to complete a SAQ every year?
A: Yes — PCI DSS requires annual self-assessment. Your acquirer (e.g. Stripe, Worldpay) will typically prompt you. Store the completed SAQ and the Attestation of Compliance (AoC) that accompanies it.
Q: My acquirer says I don’t need to do anything — are they right?
A: Sometimes. Stripe, PayPal and similar aggregators simplify PCI for merchants by making SAQ-A the baseline. They may not formally require you to submit the SAQ, but they may still ask for it. Either way, having a completed SAQ-A on file protects you.
Q: What about stored card details for subscriptions?
A: If you tokenise via Stripe or PayPal (the standard approach), the token stored on your server is not cardholder data. You remain in SAQ-A scope. If you somehow store the raw card number, you’re in SAQ-D scope — avoid at all costs.
Q: Does PCI apply to Apple Pay and Google Pay?
A: Yes, but via the underlying card. The wallet abstracts the card but the transaction still touches the card networks. The gateway (Stripe, Square) handles wallet tokenisation inside its own PCI scope — you remain SAQ-A.
Q: Do I need a pentest?
A: SAQ-A-EP requires penetration testing annually and after significant changes. SAQ-A does not formally require it, but it is recommended. Typical UK pentest cost: £3k–£15k depending on scope.
Q: What does PCI cost?
A: SAQ-A is essentially free beyond your time. SAQ-A-EP adds £100–£500/year for quarterly ASV scanning. SAQ-D involves QSA audit at £10k–£50k/year plus ongoing compliance work. Most UK SMEs sit at zero direct PCI cost via SAQ-A.
Q: What happens if I’m breached?
A: Notify your acquirer within 24 hours. Commission a forensic investigation (PCI Forensic Investigator, PFI). Notify customers under UK GDPR within 72 hours. Expect fines (£5k–£100k depending on severity and volume), increased transaction fees, potential merchant account termination. Document everything.
Q: Does SmartXHosting hand me a “PCI compliant” button?
A: No host does. Hosting provides infrastructure compliant with PCI DSS hosting requirements. Compliance as a whole is always the merchant’s responsibility. SmartXHosting does provide the documentation, logs, TLS, WAF and DPA that make SAQ-A achievable.
Q: Can I do the SAQ myself?
A: For SAQ-A, yes — most UK SMEs complete it without external help. For SAQ-A-EP and higher, hire a PCI consultant (Approved Scanning Vendor or QSA) to ensure accuracy. Typical consultant cost: £500–£3,000 for SAQ-A-EP support.
Q: What’s the biggest PCI risk my hosting decision creates?
A: Using hosts without TLS 1.2+ or proper logging. Old shared hosts often fail PCI scans on TLS configuration. SmartXHosting’s default TLS 1.3 setup passes PCI scans by design.