Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
- Overview
Practical Steps And Common Mistakes
- Map your payment flow properly
- Choose lower risk payment architecture where possible
- Review your supplier contracts
- Align PCI work with privacy and data security documents
- Train staff on real world behaviour
- Do not treat the self assessment as a box ticking task
- Keep records of decisions and responsibilities
- Watch for website changes that expand your risk
- Common mistakes UK businesses make
- Key Takeaways
If your business takes card payments, stores payment details, or relies on third party checkout tools, PCI DSS is not something you can ignore. A common mistake is assuming your payment provider handles everything for you. Another is thinking PCI DSS only applies to large retailers, or only matters if you store full card numbers yourself. A third is treating it as an IT issue alone, then signing contracts, launching online, or rolling out point of sale systems without checking who is responsible for what.
That can create real risk. Card scheme fines, higher processing costs, contractual disputes with payment partners, and data security failures can all follow if your setup does not match your compliance obligations. For startups and SMEs in the UK, the challenge is usually less about jargon and more about knowing what actually applies to your business, what documents and controls you need, and where founders often get caught before they spend money on setup.
This guide explains what PCI DSS means in practice, when it comes up, the practical steps to take, and the common mistakes to avoid if you accept card payments in the UK.
Overview
PCI DSS is the payment card industry data security standard. It is not a UK Act of Parliament, but it is still effectively mandatory for businesses that store, process, or transmit cardholder data because it is built into card scheme rules and payment processing arrangements.
For most UK businesses, the legal and commercial question is not whether PCI DSS exists, but how it fits with your payment flow, your supplier contracts, your cyber practices, and your privacy obligations.
- Check whether your business stores, processes, or transmits any cardholder data directly.
- Work out which PCI DSS level, self assessment process, or validation route may apply to your setup.
- Review your contracts with payment service providers, gateways, developers, hosting providers, and point of sale vendors.
- Confirm whether your website, app, checkout, or terminals introduce extra PCI scope.
- Align PCI DSS controls with your wider UK GDPR, data security, and incident response practices.
- Train staff so payment data is handled properly and risky workarounds do not creep in.
What PCI DSS Means For UK Businesses
PCI DSS sets security standards for businesses that handle payment card data, and in the UK it usually reaches you through your merchant bank, payment processor, gateway, card acquirer, or platform terms.
In plain English, PCI DSS is a set of technical and operational requirements designed to reduce card fraud and protect cardholder data. If your business accepts Visa, Mastercard, or other major payment cards, your arrangements with payment partners will usually require compliance to some level.
It is not just for large retailers
Small ecommerce brands, hospitality venues, clinics, charities, SaaS businesses, agencies taking deposits, and subscription businesses can all fall within scope. The scale of your obligations may differ, but the issue is not limited to national chains or businesses with an in house security team.
This is where founders often get caught. They outsource checkout and assume PCI DSS no longer matters. Outsourcing can reduce your compliance burden, but it does not always remove it. The exact payment journey matters.
What data is PCI DSS concerned with?
PCI DSS focuses on cardholder data and related authentication data. That generally includes payment card numbers and certain other payment details used in processing card transactions.
If your systems, staff, or suppliers can access that data, even briefly, PCI DSS may be relevant. Scope can also expand if your website hosts checkout scripts, your staff enter card details on behalf of customers, or your business records card information in tickets, emails, call notes, or spreadsheets.
How PCI DSS differs from UK GDPR
PCI DSS and UK GDPR overlap, but they are not the same thing. UK GDPR is a legal framework governing personal data, transparency, lawful use, and security. PCI DSS is an industry standard tied to card payments and contractually enforced through the payments ecosystem.
A business can have a privacy policy and still fail PCI DSS requirements. Equally, a business can focus on PCI DSS and still miss broader UK GDPR duties, such as explaining how customer data is used, putting proper processor terms in place, or managing personal data breaches correctly.
Why this matters commercially
The main risk is not only a regulator knocking on your door. More often, the practical consequences show up in contracts, fees, and incidents.
Potential consequences can include:
- fines or assessments passed down through your acquirer or payment provider after a security incident
- higher transaction fees or extra compliance charges
- requirements to undergo security reviews, remediation work, or forensic investigation
- suspension of card processing privileges in serious cases
- disputes with suppliers over who was responsible for a weak point in the payment flow
- reputational damage and customer trust issues after a card data incident
That is why PCI DSS should be looked at before you sign a payment contract, before you launch online, and before you give a developer freedom to design a checkout experience without legal and compliance input.
When This Issue Comes Up
PCI DSS usually becomes relevant the moment your business accepts card payments, changes its payment setup, or introduces a system that touches card data.
Many businesses first hear about it when a provider sends a compliance questionnaire or asks them to complete a self assessment. In practice, the issue often starts earlier than that.
Launching an ecommerce site
If you are selling online in the UK, your website build can change your PCI scope. A fully hosted payment page run by an established provider may reduce what you need to handle. A custom checkout, embedded payment fields, or poorly controlled scripts can increase exposure.
Before you spend money on setup, make sure your developer, platform provider, and payment processor all describe the payment flow clearly. You need to know whether card details ever touch your site or server, who controls the checkout environment, and what security responsibilities sit with each party.
Using virtual terminals or taking payments over the phone
Businesses in professional services, healthcare, events, and membership organisations often take card details by phone. That can create PCI DSS issues if staff write details down, email them internally, or enter them into systems that are not designed for secure card handling.
Phone payments need process controls, staff training, and a setup that avoids creating unnecessary records. A quick workaround by one team member can create a much larger compliance problem.
Installing card machines at a physical location
Retailers, cafes, salons, clinics, and pop up businesses often focus on transaction fees and terminal rental. PCI DSS should also feature in the conversation, especially where the business uses connected point of sale systems, shared networks, or third party support providers.
The issue is not only the card machine itself. It is also how your network is configured, who can access payment systems, how devices are maintained, and whether your contracts deal with security incidents and support responsibilities.
Changing payment providers or platforms
A switch to a new payment gateway, marketplace, booking platform, or subscription billing tool can alter risk even if the customer experience looks similar. Some providers reduce PCI scope effectively. Others still leave important obligations with you.
Before you sign, review service descriptions, liability clauses, security promises, incident reporting terms, and any obligations to complete annual validation or questionnaires.
Outsourcing web development or IT support
External developers, managed service providers, ecommerce agencies, and software vendors can all affect PCI DSS compliance. If they touch the checkout journey, host infrastructure, maintain plugins, or access admin systems, they may also affect your security position.
This is one of the biggest contract gaps for SMEs. Founders engage a supplier to build or maintain the payment journey, but the contract says little about security standards, change control, testing, breach notification, or responsibility if the supplier introduces a vulnerability.
Practical Steps And Common Mistakes
The safest approach is to reduce your PCI scope where possible, document responsibilities clearly, and make sure your legal documents and operational practices match the way payments actually work.
You do not need to become a payment security specialist overnight, but you do need a realistic view of your setup. Here are the main areas to sort out.
Map your payment flow properly
You need a clear picture of where card data goes, who touches it, and which systems sit in the chain. Without that map, it is hard to know what level of PCI DSS effort may be required.
Your payment flow review should cover:
- your website, app, or booking system
- payment gateways and merchant acquirers
- third party plugins, scripts, and integrations
- point of sale devices and connected networks
- staff processes for phone, email, or manual payments
- cloud hosting, IT support, and development access
A founder might believe all payments are outsourced, then discover a form plugin captures card numbers before sending them to the processor. That kind of detail matters.
Choose lower risk payment architecture where possible
If your business can use hosted payment pages, tokenised billing tools, or provider controlled checkout environments, that can reduce PCI exposure. The right setup depends on your product, customer journey, and technical needs, but simpler payment architecture is often easier to manage.
This is also a commercial decision. A customised checkout may look attractive, but the legal and security burden can be heavier than expected.
Review your supplier contracts
Payment compliance is not only about internal policy. Your supplier contracts should deal with security, responsibility, and incident handling in practical terms.
Key points to review include:
- what security standards the supplier agrees to follow
- whether PCI DSS obligations are mentioned expressly
- who is responsible for secure configuration, updates, and patching
- access controls for developers and support providers
- data processing clauses where personal data is involved
- breach notification timeframes and cooperation duties
- liability caps and exclusions that may leave you exposed
- termination rights if the supplier creates security risk
If the contract is silent, the business customer often carries more risk than expected.
Align PCI work with privacy and data security documents
Your privacy notice, internal data handling policy, incident response plan, and supplier terms should not contradict the way payment data is managed. PCI DSS is narrower than privacy law, but the two should work together.
For example, if staff can see customer names, email addresses, billing details, and masked card information through a payment dashboard, your UK GDPR documentation and access controls still matter. Payment data issues often sit inside a broader personal data environment.
Train staff on real world behaviour
Most SMEs do not fail because they never heard of PCI DSS. They fail because day to day practices drift.
Common examples include:
- staff asking customers to email card details
- writing card numbers on paper to process later
- saving screenshots or recordings containing payment data
- sharing terminal logins or admin credentials
- installing website plugins without checking security impact
- using personal devices to handle payment admin
Policies only help if the team understands what not to do and why shortcuts can be expensive.
Do not treat the self assessment as a box ticking task
Many businesses will encounter a self assessment questionnaire through their acquirer or provider. That document matters. Inaccurate answers can create contractual problems later, especially after an incident.
Before you complete any validation document, make sure the answers match your actual technical setup. If you are unsure what your developer or provider has implemented, ask before certifying anything.
Keep records of decisions and responsibilities
Good record keeping helps if your provider queries your compliance status or if there is later disagreement about who was meant to secure what. You should be able to show what payment method you chose, why, which supplier was responsible for each layer, and what controls you put in place.
This can include:
- supplier contracts and data processing terms
- system diagrams and payment flow notes
- internal payment handling procedures
- staff training records
- incident logs and remediation actions
- copies of questionnaires, attestations, or provider communications
Watch for website changes that expand your risk
A business can start with a relatively simple, low scope payment setup and drift into a riskier position after website changes. New scripts, marketing tags, custom payment fields, recurring billing tools, or agency modifications can all alter the picture.
This is why change control matters. Before you approve a redesign or new plugin, ask whether it affects payments, data capture, or security obligations.
Common mistakes UK businesses make
The same patterns come up repeatedly:
- assuming a payment processor takes on all PCI DSS responsibility
- not checking whether card data touches the website environment
- failing to reflect security obligations in supplier contracts
- letting staff create informal payment handling workarounds
- confusing PCI DSS with general privacy compliance
- signing up to provider questionnaires without understanding the answers
- forgetting that physical terminals and office networks can create scope too
Most of these mistakes are fixable early. They become far more expensive after a breach, a provider audit, or a dispute about liability.
FAQs
Is PCI DSS a legal requirement in the UK?
PCI DSS is usually not a standalone legal requirement in the same way as an Act or regulation. In practice, it is often contractually required through card scheme rules and your payment service arrangements, so businesses that accept cards generally need to take it seriously.
Does PCI DSS apply if I use Stripe, Shopify, Square, or another third party provider?
It can still apply, although your scope may be lower depending on how the payment flow is set up. Using an established provider helps, but it does not automatically remove all obligations, especially if your website, staff, or suppliers still interact with the payment journey.
Do small businesses need to complete PCI paperwork?
Often yes. Many SMEs are asked to complete a self assessment questionnaire or related compliance steps by their acquirer or processor. The type of paperwork depends on your payment method and transaction environment.
Is PCI DSS the same as UK GDPR compliance?
No. PCI DSS focuses on payment card security standards. UK GDPR governs personal data more broadly, including transparency, lawful processing, data rights, security, and processor arrangements. Many businesses need to consider both.
What should I review before signing with a payment provider or developer?
Check who is responsible for security, how the payment flow works, whether card data touches your systems, what incident reporting obligations apply, and whether the contract allocates liability fairly if a security failure occurs.
Key Takeaways
- PCI DSS matters to many UK startups and SMEs that accept card payments, even where payment functions are outsourced.
- Your actual payment flow determines how much PCI exposure your business has, so map it carefully before you launch online or change providers.
- Supplier contracts should spell out security responsibilities, breach reporting, access controls, and liability allocation.
- PCI DSS does not replace UK GDPR, privacy notices, or wider data security governance, and the documents should work together.
- Staff behaviour is a major risk area, especially for phone payments, manual processing, and informal workarounds.
- Questionnaires and compliance declarations should only be completed once you understand your real setup.
- Early legal and operational review can reduce risk before you sign a contract or spend money on setup.
If your business is dealing with pci dss and wants help with payment provider contracts, supplier terms, privacy documentation, or data security obligations, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.
Alex SoloCo-Founder
