What is PCI Compliance?

At Merchant Advice Service we are regularly asked about PCI DSS compliance. Customers want to know what it stands for and, importantly, what it means for their business.

PCI DSS stands for Payment Card Industry Data Security Standard. It was introduced to the UK in September 2006 to create a secure environment for all companies that accept and process card transactions and consumer data.

The PCI Security Standards Organisation manages and administers the policy. It is an independent body created by the card companies: Visa, MasterCard, American Express, JCB International and Discover Financial Services. The council is led by a policy-setting committee consisting of representatives from the five founding card companies. IMPORTANT: Acquiring banks are responsible for enforcing compliance itself, not the organisation.

The PCI compliance checklist consists of six categories:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management programme
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Before you read on

Many customers come to us after looking at their transaction statements and noticing large amounts leaving their account every month for PCI and other fees. In a lot of cases PCI compliance is a simple process, yet providers pass extortionate fees on to their customers. We work with companies across the whole merchant services industry, including some that charge no PCI fees whatsoever (very rare) and industry-topping rates.

Our service is completely free so if you’d like to save money we will look at everything and provide you with our best recommendations with no obligation and no cost to you.


PCI compliance levels

UK businesses are placed into one of four PCI compliance levels determined by Visa transaction volume. Each level has different validation requirements set out by Visa and MasterCard:

Level one – validation requirements:

Merchants processing over 6 million Visa transactions per year.
An annual compliance report by a Qualified Security Assessor (QSA), a quarterly network scan by an approved scan vendor (ASV) and an attestation of compliance form.

Level two – validation requirements:

Merchants processing between 1 million and 6 million Visa transactions per year. An annual PCI self-assessment questionnaire (SAQ), a quarterly network scan by an ASV and an attestation of compliance form.

Level three – validation requirements:

Merchants processing between 20 thousand and 1 million ecommerce Visa transactions per year. An annual SAQ, a quarterly network scan by an ASV and an attestation of compliance form.

Level four – validation requirements:

Merchants processing fewer than 20 thousand ecommerce Visa transactions OR any merchant (regardless of acceptance channel) processing up to 1 million Visa transactions per year. An annual SAQ is recommended, along with a quarterly network scan by an ASV (if applicable) and the compliance validation requirements set by the merchant bank.

What does this mean for merchants?

Ensuring your business is PCI DSS compliant demonstrates that you are doing your utmost to keep customer data safe and secure and to prevent fraud. E-commerce websites are particularly vulnerable and have a high risk of being targeted by hackers. Having measures in place to minimise this risk, such as the controls associated with PCI DSS, is an excellent deterrent. PCI DSS compliance requirements may seem confusing, but compliance is compulsory for all businesses processing card payments.

How do I find a PCI compliant assessor?

Trustwave, Control Scan and SRM-Solutions, to name but a few, all provide external assessments. Towards the end of this page you can find a list of contacts and handy links.

PCI DSS compliance costs

Costs vary depending on the company; however, the average price is around £150, and the self-assessment is free. Assessments are carried out annually.

Some big-name merchant account providers such as Paypal, World Pay and Payment Sense ensure that the merchant is PCI compliant, manage this on the merchant’s behalf and charge for it on either an annual or a monthly basis. This tends to be around £5 to £20 per month, with additional costs for ASV scans. Equally, some merchants offer this service free of charge, so it’s important to look at this when comparing merchant quotes and costings. I’m not bothered about giving the names away, purely because it’s not what we are interested in. We are selling merchant services without these fees – so the fact that large companies such as these charge for the service makes us look good.

PCI DSS non-compliance charges could also be made if your company is not compliant. This is a type of fine based on the work involved to make a business compliant; the fee will be removed once the company has reached compliance.

If your business is not PCI compliant then costs can escalate quickly. The minimum fine that card schemes could charge is £3000. Equally, if your data is compromised and the card issuer requires you to certify your compliance using a qualified security assessor (QSA), this could cost up to £850 per day and usually takes up to two weeks to complete. PCI compliance fines can be avoided if the correct procedures are followed so it’s important you are aware of the pitfalls to avoid getting caught out!

PCI DSS compliance programme, useful links;




PCI questions

Get in touch with us today with any questions about your PCI fees or anything else to do with merchant services. We can compare the market in-depth for you and recommend the best service providers. We’re truly an independent advisory service and will look at your business as a whole, from the fees to the rates you pay to any specific business requirements you have.

