What Is PCI DSS Compliance? What Do Retailers Need to Do?

PCI DSS stands for the Payment Card Industry Data Security Standard. It is a regulatory standard that was established in 2006 to ensure that consumers can use their credit and debit cards in any environment or store, without fear that their card information will be compromised. But how does it affect you?

If you sell anything and take payment using a credit or debit card, then you need to be aware of PCI DSS.

What If I Use One of the Big Banks?

You probably get a card machine or merchant services from one of the big “Acquirers” like WorldPay, Lloyds CardNet, First Data (now Fiserv), Global Payments or Barclays Merchant Services. If so, they will charge you a monthly managed service fee, normally around £5, to take care of it “for you”.

For this, they will do their best to ensure that you complete an annual self-assessment, by sending you regular email and printed reminders. But remember, merchants must take ownership and do it themselves. If you do not do it, you will be fined a monthly penalty charge (this can be as high as £75), or worse, a per transaction penalty in addition. It is a pain, but it gets expensive if you don’t. So, don’t ignore those letters and emails!

What If I Use Someone like Zettle or PayPal?

If you get services from an Aggregator, like Zettle, Square, Sum Up, PayPal or Stripe, you need to worry less. The higher risks associated with you not doing an annual self-completion questionnaire (they don’t ask you to do one) are built into the cost of card processing. Therefore, you pay significantly more to process card payments through them.

What If I Connect My PDQ via Broadband?

If you use a traditional card machine or PDQ, and you connect it via Broadband, you will also be expected to run a quarterly scan on the router to which your card machine is connected. They just want to make sure that no gadgetry is connected to the router that could enable a hacker to get access to a customer’s card-holder information. Via an open port, for example. The Acquirer will do the scan for you (occasionally they out-source the service to a 3rd party like Security Metrics) but all you must do is supply the IP address for the router you use. They do the rest.

What If I Use EPOS or e-Commerce?

It may be that you use card processing services linked to an EPOS system or to take e-Commerce transactions. In that case when you come to do your self-assessment you will need to make the Acquirer or PCI DSS management program aware of this fact, and they will adapt the self-completion questionnaire to suit.

In virtually all the above cases however, most of your PCI DSS obligations are mitigated over to the Acquiring Bank who handle the sensitive bits of data themselves. This is still the case for online transactions if you use a hosted-form solution where all of the card processing is done on a 3rd party server that is completely PCI DSS compliant and secure. And separate from your website.

However, if you take card payments via your own e-Commerce site using a payment gateway that connects to an Acquiring bank via an API, then you may well process or store some of the card holder information on your own website or servers at some point. If this is the case, then you need to engage with a 3rd party consultant to ensure that you have all the right security measures in place. There will be stringent measures that you need to put in place, and you will be audited annually.

Who Manages PCI DSS Globally?

PCI DSS is managed by the PCI Security Council on behalf of the major card issuers listed below.


It is an independent body, but it was set up by the following card companies after some high-profile breaches of card holder information in the early part of the Century…

  • Visa
  • MasterCard
  • American Express
  • Discover
  • JCB

Leave a Comment