PCI DSS v4.0.1 for UK small merchants

PCI DSS v4 replaced v3.2.1 on 1 April 2024, its future-dated requirements (including the MFA and anti-phishing controls) became mandatory on 1 April 2025, and v4.0.1 has been the only valid version since 31 December 2024[PCI DSS v4]. UK small merchants complete a Self-Assessment Questionnaire (SAQ) annually through their acquirer. Most UK SMBs need SAQ-A (hosted e-commerce) or SAQ-B-IP (standalone IP terminals only). The headline v4 change for small merchants is multi-factor authentication for all access into the cardholder data environment. Tap to Pay on iPhone keeps the scope minimal.

PCI DSS in 60 seconds

PCI DSS is a global standard set by the Payment Card Industry Security Standards Council, founded by Visa, Mastercard, American Express, Discover and JCB (UnionPay joined in 2020). It defines how merchants and service providers must protect cardholder data. Non-compliance triggers fines from the schemes (passed through by your acquirer), plus forensic costs and liability for fraud losses if a breach happens.

The standard applies to every business that accepts payment cards, regardless of size; what scales with transaction count is how you validate. Most UK SMBs sit at Level 4 (under 20,000 e-commerce transactions, or under 1m across all channels, a year) and complete a SAQ once a year.

Merchant levels (2026 thresholds)

Level | Annual transaction count | Compliance route
1 | 6m+ (Visa or Mastercard) | Full Report on Compliance (RoC) by a Qualified Security Assessor (QSA), annually
2 | 1m to 6m | SAQ annually (Mastercard requires it to be completed by PCI-trained internal staff, or an on-site QSA assessment instead)
3 | 20k to 1m e-commerce | SAQ (usually SAQ-A or SAQ-A-EP) annually, plus quarterly ASV scans where the SAQ requires them
4 | Under 20k e-commerce, or under 1m total across all channels | SAQ annually via the acquirer dashboard (most UK SMBs)

Which SAQ for your business?

The SAQ is a yes/no questionnaire. The right one depends on how cardholder data flows through your business:

SAQ | Applies if | Question count (approx.)
SAQ-A | E-commerce (and MOTO) where the whole payment flow is outsourced to a PCI-compliant third party, by redirect or by a payment iframe the provider serves (Stripe Checkout, Shopify, Squarespace). Card data never touches your servers. | about 30 under v4.0.1 (22 under v3.2.1)
SAQ-A-EP | E-commerce where your own site delivers the payment page or the card fields (a direct-post form, or provider JavaScript that builds the fields in your DOM rather than in an iframe) but you never store card data. | 150+
SAQ-B | Dial-up or analogue terminals only (rare in 2026); no e-commerce. | about 25
SAQ-B-IP | Standalone PTS-approved IP-connected terminals (most modern UK in-person flows); no e-commerce; no electronic storage of card data. | about 70
SAQ-C-VT | Virtual terminal only (browser-based MOTO keyed in by staff). | about 75
SAQ-C | Payment application or PoS systems connected to the internet, no card data stored. | about 140
SAQ-P2PE | Validated point-to-point encryption solution only (some Worldpay deployments). | about 35
SAQ-D | Catch-all for any merchant who stores card data or processes it on their own systems, or whose flows do not fit the above. | about 330

Question counts are approximate and change between SAQ versions; the SAQ form itself is the authority for what you must answer.

SAQ-A walkthrough (most common UK SMB)

SAQ-A is the simplest. It applies to e-commerce merchants who hand the whole payment flow to a fully-hosted, PCI-validated processor, either by redirect (Stripe Checkout, Shopify, Squarespace Commerce, Wix Payments, Square Online) or by embedding a payment iframe the processor serves. Card data goes from the customer's browser directly to the processor; your servers never see the PAN, expiry or CVV. Since the January 2025 revision of the form you must also confirm that your own site, the page that redirects to or embeds the checkout, is not susceptible to script attacks that could affect the e-commerce system.

Under v4.0.1 the roughly 30 SAQ-A questions cover:

  • Confirmation that all account data is handled by PCI-DSS-compliant third parties, with a written agreement and a record of which requirements each one covers for you (12.8.x)
  • Checking each third party's compliance status at least annually, against the Visa Global Registry of Service Providers or the Mastercard SDP compliant list, or by obtaining their Attestation of Compliance
  • Vendor default accounts removed or changed on anything in scope (2.2.2)
  • Unique, non-shared accounts for administering the e-commerce platform, with passwords of at least 12 characters mixing letters and numbers, changed at least every 90 days where a password is the only factor (8.2.x, 8.3.x)
  • Security patches applied to the systems used to administer the platform (6.3.3)
  • Paper records containing card data, if you keep any, physically protected and destroyed when no longer needed (9.4.x), and an incident response plan you could actually follow (12.10.1)

Most UK SMBs running on Shopify, Stripe Checkout or Squarespace can complete SAQ-A in 30 minutes through the acquirer dashboard.
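The revised SAQ-A eligibility statement (that the page embedding or redirecting to the hosted checkout is not susceptible to script attacks) is easiest to sign when you know exactly which scripts that page loads. The following is an added example, not code from the page or from any named provider: a small Python inventory of the scripts on a checkout page that flags unauthorised origins, third-party scripts without Subresource Integrity, and inline scripts without a CSP nonce. It is also the starting point for the fuller Requirement 6.4.3 script authorisation and integrity control that applies on SAQ-A-EP. The HTML, the authorised-origin list and the origin names are constructed. js.stripe.com is listed as an example of a provider SDK that is updated in place and cannot be pinned with an integrity hash (Stripe documents this for Stripe.js), so for it the controls are authorisation plus change monitoring.

```python
"""Inventory the scripts on a checkout page and flag anything not explicitly authorised.
Added example; the HTML and origin lists below are constructed, not fetched."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins allowed to execute on the checkout page (assumed for this example).
# "self" means scripts served from your own origin (relative src).
AUTHORISED_ORIGINS = {"self", "https://js.stripe.com"}
# Provider SDKs updated in place that must not be pinned with SRI (Stripe documents this for
# Stripe.js); for these, authorisation plus change monitoring stand in for an integrity hash.
SRI_EXEMPT_ORIGINS = {"https://js.stripe.com"}


class ScriptInventory(HTMLParser):
    """Collect every <script> tag with its src, integrity and nonce attributes and inline size."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"),
                             "nonce": a.get("nonce"), "inline_bytes": 0}
            self.scripts.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current["inline_bytes"] += len(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None


def script_origin(src):
    """Normalise a script src to its origin; relative paths count as 'self'."""
    if not src:
        return "self"
    u = urlparse(src)
    if not u.netloc:
        return "self"
    scheme = u.scheme or "https"  # protocol-relative //host/path inherits the page scheme
    return f"{scheme}://{u.netloc.lower()}"


def audit_checkout_page(html):
    """Return a list of findings; an empty list means every script is authorised and protected."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        origin = script_origin(s["src"])
        if origin not in AUTHORISED_ORIGINS:
            findings.append(f"unauthorised script origin {origin} ({s['src']})")
        elif s["src"] and origin != "self" and not s["integrity"] and origin not in SRI_EXEMPT_ORIGINS:
            findings.append(f"third-party script without Subresource Integrity: {s['src']}")
        if not s["src"] and s["inline_bytes"] and not s["nonce"]:
            findings.append("inline script without a CSP nonce")
    return findings


# Constructed checkout page: one provider SDK, one own script, one unreviewed tag, one inline snippet.
SAMPLE_PAGE = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/static/checkout.js" integrity="sha384-exampleexampleexample"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><div id="checkout"></div></body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_PAGE):
        print(finding)
```

Run it against the HTML your checkout page actually serves (fetch it with the same cookies a customer has, since tag managers often inject scripts only for logged-in sessions), and treat every finding as either something to remove or something to add to the authorised list with a written reason. The list of authorised origins is the inventory 6.4.3 asks for; the diff between runs is your change detection.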

SAQ-D walkthrough (the catch-all)

SAQ-D applies to any merchant who:

  • Stores card data anywhere (database, paper, voice recording, screenshot)
  • Has card data flowing through systems they own (custom checkout, internal admin tool that displays PAN)
  • Mixes flows in ways the simpler SAQs cannot describe

SAQ-D has about 330 questions across the 12 principal requirements of the standard:

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components (multi-factor authentication)
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organisational policies and programmes

SAQ-D for UK SMBs typically takes 4-12 hours plus quarterly external scans (Approved Scanning Vendor) at £100-£300 per scan. Most SMBs avoid SAQ-D by re-architecting their payment flow to fit SAQ-A.

v4.0.1 key changes from v3.2.1

  • Multi-factor authentication for all access into the cardholder data environment (8.4.2). v3.2.1 required MFA only for remote network access and for non-console administrative access to the CDE; v4.0.1 extends it to every user with access into the CDE, admin or not, and adds implementation rules (8.5.1: two different factor types, replay-resistant, no bypass, success only once all factors pass). For a UK SMB that means MFA on the e-commerce admin, the acquirer dashboard and any other system that touches card data.
  • Anti-phishing becomes a technical control (5.4.1). You need a mechanism that detects and protects personnel against phishing, for example inbound filtering plus SPF, DKIM and DMARC on your own domain; awareness training (12.6.3.1) complements it but does not satisfy 5.4.1 on its own. Gmail Business and Microsoft 365 filter inbound mail adequately by default, but the DNS records for your domain are yours to publish.
  • Customised approach option. v4 allows a security-equivalent alternative to a prescribed control if you document a targeted risk analysis showing equivalent risk reduction. It is not available on the SAQ route: using it requires a QSA or ISA assessment documented in a RoC, so for SMBs the prescribed (defined) approach is the only practical option.
  • Strong cryptography. SSL and TLS 1.0 have been prohibited since June 2018 (v3.2), and TLS 1.1 does not meet the v4 definition of strong cryptography either, so card data in transit means TLS 1.2 or 1.3 with modern cipher suites; SHA-1 and RC4/3DES-class ciphers are out. v4 also asks for an inventory of the trusted keys and certificates protecting PAN in transit (4.2.1.1) and of the cipher suites and protocols in use (12.3.3).
  • Vulnerability management cadence. Critical and high-severity patches still go on within one month (6.3.3); the timeframe for everything else is set by a documented targeted risk analysis (12.3.1) rather than a fixed cycle.
  • Documentation expectations clarified. The information security policy must be reviewed at least once every 12 months and updated as needed (12.1.2), with executive management formally accountable for it (12.1.4), and roles and responsibilities must be documented for each requirement.
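Two of the changes above (strong cryptography on the web tier, and anti-phishing on your mail domain) can be self-checked from configuration rather than taken on trust. The following is an added example, not code from the page or from any acquirer: a Python audit that reads an nginx `ssl_protocols`/`ssl_ciphers` pair and flags anything below TLS 1.2 or any weak or family-keyword cipher entries, and that parses SPF and DMARC TXT records and flags the configurations that leave your domain spoofable. All inputs are constructed (the nginx fragments, the domain `shop.example` and its records); in use you would pass in your real config and the TXT records resolved for your domain and `_dmarc.<domain>`.

```python
"""Self-checks for two v4 bullets: TLS 1.2+ with strong suites on the web tier, and an SPF
record plus enforcing DMARC policy on the sending domain. Added example; inputs are constructed."""
import re

# Protocol versions that fall outside "strong cryptography"; TLS 1.2 is the floor.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string tokens that are broken, export-grade or unauthenticated.
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXP", "EXPORT", "MD5",
                      "ADH", "AECDH", "ANULL", "ENULL"}
# Family keywords that make the permitted set depend on the OpenSSL build, not the config.
BROAD_KEYWORDS = {"ALL", "DEFAULT", "LOW", "MEDIUM", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT"}
# SPF terms that each cost one of the ten DNS lookups RFC 7208 allows.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_nginx_tls(config_text):
    """Return findings for the ssl_protocols and ssl_ciphers directives of an nginx config."""
    findings = []
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.M)
    if m is None:
        findings.append("ssl_protocols not set; nginx before 1.23.4 then permits TLSv1 and TLSv1.1")
    else:
        for proto in m.group(1).split():
            if proto in WEAK_PROTOCOLS:
                findings.append(f"ssl_protocols permits {proto}")
    m = re.search(r"""^\s*ssl_ciphers\s+["']?([^;"']+)["']?\s*;""", config_text, re.M)
    if m is not None:
        for suite in m.group(1).split(":"):
            if suite.startswith(("!", "-")):
                continue  # explicitly excluded, which is what we want
            tokens = set(suite.upper().split("-"))
            if tokens & WEAK_CIPHER_TOKENS:
                findings.append(f"ssl_ciphers permits weak suite {suite}")
            if tokens & BROAD_KEYWORDS:
                findings.append(f"ssl_ciphers uses family keyword {suite}; list the suites explicitly")
    return findings


def audit_mail_auth(domain, txt_records):
    """txt_records maps a DNS name to the TXT strings published at it. Returns findings."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(f"{domain}: no SPF record")
    elif len(spf) > 1:
        findings.append(f"{domain}: {len(spf)} SPF records; RFC 7208 treats that as permerror")
    else:
        terms = spf[0].split()[1:]
        alls = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
        if not alls:
            findings.append(f"{domain}: SPF has no terminal 'all'; unlisted senders evaluate neutral")
        else:
            qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
            if qualifier == "+":
                findings.append(f"{domain}: SPF ends in +all, which authorises every sender")
            elif qualifier == "?":
                findings.append(f"{domain}: SPF ends in ?all (neutral); use ~all or -all")
        lookups = sum(1 for t in terms
                      if re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in SPF_LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"{domain}: SPF needs {lookups} DNS lookups; more than 10 is permerror")
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(f"{domain}: no DMARC record, so SPF/DKIM failures are never acted on")
    else:
        tags = {k.strip().lower(): v.strip() for k, v in
                (kv.split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)}
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"{domain}: DMARC p={policy or 'missing'} only monitors; spoofed mail is still delivered")
        if tags.get("pct", "100") != "100":
            findings.append(f"{domain}: DMARC pct={tags['pct']} applies the policy to only part of the traffic")
        if "rua" not in tags:
            findings.append(f"{domain}: DMARC has no rua= address, so you receive no aggregate reports")
    return findings


# Constructed inputs: a legacy nginx server block beside a corrected one, and a spoofable
# domain beside an enforcing one.
WEAK_NGINX = """server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:!aNULL:!MD5:RC4-SHA;
}"""
GOOD_NGINX = """server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305';
}"""
WEAK_DNS = {"shop.example": ["v=spf1 include:_spf.example-mailhost.net ?all"],
            "_dmarc.shop.example": ["v=DMARC1; p=none; rua=mailto:dmarc@shop.example"]}
GOOD_DNS = {"shop.example": ["v=spf1 include:_spf.example-mailhost.net include:_spf.example-esp.com -all"],
            "_dmarc.shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"]}

if __name__ == "__main__":
    for label, result in [("weak nginx", audit_nginx_tls(WEAK_NGINX)), ("good nginx", audit_nginx_tls(GOOD_NGINX)),
                          ("weak dns", audit_mail_auth("shop.example", WEAK_DNS)),
                          ("good dns", audit_mail_auth("shop.example", GOOD_DNS))]:
        print(label, "->", result or "no findings")
```

The TLS half is a static read of what the server is told to offer; the negotiated result still depends on the OpenSSL build, so pair it with an external scan (your ASV scan will report the same protocol findings). The DMARC half reports `p=none` as a finding on purpose: a monitor-only policy is the right first step, but it is not the control 5.4.1 is asking for until you move to `quarantine` or `reject`.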

Common UK SMB compliance gaps

From acquirer-side audit data, the gaps that fail UK SMB SAQs most often:

  1. No MFA on the acquirer dashboard or e-commerce admin. v4 requires MFA for all access into the cardholder data environment (8.4.2), and the dashboard is where refunds, payouts and card-on-file customers live even when it sits outside your formal scope. Enable it in the Stripe, SumUp, Square and Dojo dashboards; use an authenticator app or passkey rather than SMS.
  2. Storing card data in writing. Phone-order forms with PAN, expiry and CVV written down. Always non-compliant once the CVV is kept past authorisation, and the PAN on the form is stored cardholder data you then have to protect and destroy. Use a PCI-compliant virtual terminal or a pay-by-link invoice instead.
  3. Sending card data by email, SMS or chat. Always non-compliant unless the PAN is encrypted with strong cryptography (4.2.2), which in practice nobody does; it also lands full PANs in mailboxes and backups you would then have to bring into scope.
  4. Weak passwords on the e-commerce admin. At least 12 characters mixing letters and numbers (8.3.6), changed at least every 90 days where a password is the only factor (8.3.9); no shared logins.
  5. Out-of-date e-commerce platform or plugins. Critical and high-severity patches within one month (6.3.3), the rest within the vendor's recommended cycle.
  6. Voice recording of card details. Phone payments captured on call recordings without redaction: a recorded CVV is stored sensitive authentication data and is never permitted, even encrypted. Either use an IVR or DTMF-style capture that pauses the recording while the card is keyed, or document and test a redaction process.
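Gaps 2, 3 and 6 above, and the "internal admin tool that displays PAN" trigger for SAQ-D, share one root cause: full card numbers ending up in free text (support tickets, order notes, call transcripts, application logs) that nobody planned to protect. The following is an added example, not code from the page or from any acquirer: a Python scanner that finds Luhn-valid 13 to 19 digit numbers in text, so that phone numbers and order references are not reported as cards, and rewrites them to the BIN-plus-last-four form that is the most Requirement 3.4.1 allows on a display. The sample ticket is constructed and uses the schemes' published test numbers (4111 1111 1111 1111 and 378282246310005), which are Luhn-valid but not real accounts.

```python
"""Find and mask primary account numbers (PANs) leaking into free text such as support
tickets, order notes or application logs. Added example; the sample text is constructed."""
import re

# 13 to 19 digits, optionally broken up by single spaces or hyphens, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 check digit; weeds out order numbers and phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digit-summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs in text, digits only, in order of appearance."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep the BIN (first six) and last four: the most Requirement 3.4.1 permits on a display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


# Constructed support ticket: one invoice reference that is not a card, two scheme test PANs,
# a CVV and a UK mobile number that must not be mistaken for one.
SAMPLE_TICKET = """\
Ticket 48213: customer rang to pay invoice INV-1234567890123456 by phone.
Took card 4111 1111 1111 1111 exp 12/27, CVV 123, callback 07700 900123.
Second card tried 378282246310005 after the first declined.
"""

if __name__ == "__main__":
    for line in SAMPLE_TICKET.splitlines():
        hits = find_pans(line)
        if hits:
            print(f"{len(hits)} PAN(s): {redact(line)}")
```

Point it at exported tickets, mailbox archives and log directories before you sign an SAQ: a single hit means you are storing cardholder data and the form you are eligible for changes. Masking is a display control only; for data at rest the fix is to stop writing the PAN in the first place, or to truncate it (3.5.1), not to mask it in place. The CVV on line two cannot be found this way (three digits look like anything) and must never be retained after authorisation at all.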

PCI for Tap to Pay on iPhone (and Android)

Tap to Pay on iPhone uses PCI MPoC (Mobile Payments on Commercial off-the-shelf devices) certification at the platform level. The merchant's scope is reduced because:

  • Apple's Secure Element handles cardholder data
  • The acquirer's SDK (Stripe, SumUp, Square) is PCI-validated
  • The merchant just confirms they are not storing card data

In practice your acquirer tells you which questionnaire applies. SAQ-A and SAQ-A-EP are defined for card-not-present (e-commerce and MOTO) channels only, so a merchant who also takes Tap to Pay in person should check that whatever form SumUp, Square or another acquirer assigns also covers the in-person channel, and that the website checkout, if there is one, is assessed as SAQ-A or SAQ-A-EP according to how the payment page is delivered. Tap to Pay on Android (Google Wallet path) follows the same principles.

Cost of compliance in 2026

  • SAQ-A or SAQ-B-IP via acquirer dashboard: £0 to £60 a year (acquirer tooling)
  • SAQ-D (DIY): £200 to £600 a year for SAQ tooling plus £400 to £1,200 a year for quarterly ASV scans
  • SAQ-D + on-site assessment (Level 2): £3,000 to £8,000 a year
  • Level 1 RoC: £15,000 to £50,000 a year

For most UK SMBs the answer is: minimise scope. Use a hosted checkout (Stripe Checkout, Shopify), use a PCI-validated terminal (SumUp, Square, Dojo), avoid storing card data anywhere. SAQ-A is achievable in an afternoon and costs nothing. SAQ-D is a multi-day project.

Cross-link: PCI breaches and termination

A PCI breach often triggers acquirer termination plus a MATCH listing under reason code 12 (PCI DSS Non-Compliance). See our MATCH list and TMF UK guide for the listing flow and our account-terminated runbook for the recovery flow.

Need a UK acquirer with strong PCI tooling?

Some acquirers make PCI compliance painless (Stripe, Square, SumUp Tap to Pay); others bury you in paperwork. Our matcher surfaces UK acquirers with documented PCI dashboards. No obligation, no upfront fees.


Oliver Mackman

Director, MerchantHQ

Oliver leads MerchantHQ's terminal testing and acquirer comparison. With a background in UK commercial finance and merchant payments, he oversees terminal reviews, switching guidance and high-risk vertical mapping.

Last reviewed: 22 May 2026