PCI DSS v4.0.1 for UK small merchants
PCI DSS v4.0.1 has been mandatory since 1 April 2025. UK small merchants complete a Self-Assessment Questionnaire (SAQ) annually through their acquirer. Most UK SMBs need SAQ-A (hosted e-commerce) or SAQ-B-IP (IP terminal only). The key v4 change is multi-factor authentication on payment-system access. Tap to Pay on iPhone keeps the scope minimal.
PCI DSS in 60 seconds
PCI DSS is a global standard set by the Payment Card Industry Security Standards Council (Visa, Mastercard, AMEX, Discover, JCB). It defines how merchants must protect cardholder data. Non-compliance triggers fines from the schemes (passed through by your acquirer) plus liability if a breach happens.
The standard applies to every business that accepts payment cards, regardless of size. The compliance burden scales by transaction count. Most UK SMBs sit at Level 4 (under 20,000 e-commerce or under 1m total transactions/year) and complete a SAQ once a year.
Merchant levels (2026 thresholds)
| Level | Annual transaction count | Compliance route |
|---|---|---|
| 1 | 6m+ Visa or Mastercard | Full Report on Compliance (RoC) by Qualified Security Assessor (QSA), annually |
| 2 | 1m to 6m | SAQ + on-site assessment, annually |
| 3 | 20k to 1m e-commerce | SAQ-A or SAQ-A-EP + quarterly ASV scan |
| 4 | Under 20k e-commerce or under 1m total | SAQ via acquirer dashboard (most UK SMBs) |
Which SAQ for your business?
The SAQ is a yes/no questionnaire. The right one depends on how cardholder data flows through your business:
| SAQ | Applies if | Question count |
|---|---|---|
| SAQ-A | E-commerce only; the entire payment flow is outsourced to a third party (Stripe Checkout, Shopify, Squarespace). Card data never touches your servers. | ~22 questions |
| SAQ-A-EP | E-commerce where your site renders the payment page (e.g. Stripe Elements) but does not store card data. | ~85 questions |
| SAQ-B | Dial-up or analogue terminals only (rare in 2026); no e-commerce. | ~25 questions |
| SAQ-B-IP | IP-connected terminals (most modern UK in-person flows); no e-commerce; no card data stored. | ~70 questions |
| SAQ-C-VT | Virtual terminal only (web browser-based MOTO). | ~75 questions |
| SAQ-C | Standalone PoS systems with internet, no card data stored. | ~140 questions |
| SAQ-P2PE | Validated point-to-point encryption hardware only (some Worldpay deployments). | ~35 questions |
| SAQ-D | Catch-all for any merchant who stores or processes card data, or has mixed flows. | ~330 questions |
SAQ-A walkthrough (most common UK SMB)
SAQ-A is the simplest. It applies to e-commerce merchants who use a fully hosted payment processor (Stripe Checkout, Shopify, Squarespace Commerce, Wix Payments, Square Online). Card data goes from the customer's browser directly to the processor; your servers never see the PAN, expiry or CVV.
The 22 SAQ-A questions cover:
- Confirmation that all card data is processed by a PCI-DSS-compliant third party
- The third party is on the Visa Global Registry or Mastercard SDP-compliant list
- You receive an annual Attestation of Compliance from the third party
- Strong passwords and MFA on admin access to the e-commerce platform
- Anti-malware and patching on systems used to administer the e-commerce platform
Most UK SMBs running on Shopify, Stripe Checkout or Squarespace can complete SAQ-A in 30 minutes through the acquirer dashboard.
SAQ-D walkthrough (the catch-all)
SAQ-D applies to any merchant who:
- Stores card data anywhere (database, paper, voice recording, screenshot)
- Has card data flowing through systems they own (custom checkout, internal admin tool that displays PAN)
- Mixes flows in ways the simpler SAQs cannot describe
SAQ-D has 330 questions across 12 control objectives:
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored cardholder data
- Protect cardholder data with strong cryptography during transmission over open public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components (multi-factor authentication)
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organisational policies and programmes
SAQ-D for UK SMBs typically takes 4-12 hours plus quarterly external scans (Approved Scanning Vendor) at £100-£300 per scan. Most SMBs avoid SAQ-D by re-architecting their payment flow to fit SAQ-A.
v4.0.1 key changes from v3.2.1
- Multi-factor authentication everywhere. v3.2.1 required MFA only for remote access to card data systems. v4.0.1 requires MFA on all access, including local. For UK SMBs this means the small-business owner needs MFA on the acquirer dashboard, the e-commerce admin, and any system component handling card data.
- Phishing protection explicit. Email filtering or anti-phishing training is now a defined control. Most modern email platforms (Gmail Business, Microsoft 365) include adequate filtering by default.
- Customised approach option. v4 allows a security-equivalent alternative to prescribed controls if you can document the equivalent risk reduction. For most SMBs the prescribed approach is simpler.
- Strong cryptography updates. SHA-1 deprecated. TLS 1.0 and 1.1 prohibited. TLS 1.2 minimum for all card data transmission.
- Vulnerability management cadence. Risk-based timing rather than fixed 30-day patching cycle for non-critical vulnerabilities.
- Document expectations clarified. Information security policy must be reviewed at least once a year, signed by senior management.
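The strong-cryptography item above (TLS 1.2 minimum, TLS 1.0 and 1.1 prohibited, SHA-1 deprecated) is the one change in this list that can be checked mechanically on a web server. What follows is an added Python example, not code from this page's author or from the PCI Security Standards Council: it lints nginx-style `ssl_protocols` and `ssl_ciphers` directives in a constructed config and shows the weak server block beside its hardened form. The directive names are nginx's; the list of weak-cipher markers (RC4, DES, NULL, EXPORT, MD5, ANON) is my own illustrative assumption, not an official PCI list.

```python
"""Audit nginx-style TLS directives against the PCI DSS v4 transmission rules
summarised above: TLS 1.2 minimum, TLS 1.0/1.1 prohibited, SHA-1 deprecated.
Added example; both config blocks below are constructed, not from a real site."""
import re
from typing import List, Optional

# Constructed sample: a server block that still offers early TLS and SHA-1 ciphers.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-MD5';
}
"""

# The same block corrected to the v4 baseline.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
}
"""

PROHIBITED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Ciphersuite name fragments that fall below "strong cryptography".
# Assumption: this marker list is illustrative, not the Council's official list.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


def _directive(config: str, name: str) -> Optional[str]:
    """Return the argument string of the first `name ...;` directive, if present."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return m.group(1).strip() if m else None


def uses_sha1_mac(suite: str) -> bool:
    """OpenSSL names ending in '-SHA' (no digits) use HMAC-SHA1; '-SHA256' etc. do not."""
    return suite.endswith("-SHA")


def audit_tls_config(config: str) -> List[str]:
    """Return one finding per violation; an empty list means the block passes."""
    findings = []
    protocols = _directive(config, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set: the build default may still include TLSv1/TLSv1.1")
    else:
        for proto in protocols.split():
            if proto in PROHIBITED_PROTOCOLS:
                findings.append(f"prohibited protocol enabled: {proto}")
    ciphers = _directive(config, "ssl_ciphers")
    if ciphers is not None:
        for suite in ciphers.strip("'\"").split(":"):
            if uses_sha1_mac(suite):
                findings.append(f"SHA-1 MAC ciphersuite: {suite}")
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"weak cipher: {suite}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_tls_config(cfg) or 'no findings'}")
```

The weak block produces six findings (two prohibited protocols, two SHA-1 suites, and the 3DES and RC4 suites flagged as weak); the hardened block produces none. A config lint only proves what the file says, so pair it with a handshake test from outside (an ASV scan does exactly this) to confirm the running server matches.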
Common UK SMB compliance gaps
From acquirer-side audit data, the gaps that fail UK SMB SAQs most often:
- No MFA on the acquirer dashboard. v4 mandate. Enable in Stripe, SumUp, Square, Dojo dashboards. Authenticator apps preferred over SMS.
- Storing card data in writing. Phone-order forms with PAN, expiry, CVV written down. Always non-compliant. Use a PCI-compliant virtual terminal or invoice-pay-by-card link instead.
- Sending card data by email or SMS. Always non-compliant.
- Weak passwords on the e-commerce admin. Use 12+ characters with complexity, rotated annually if no MFA.
- Out-of-date e-commerce platform. Patch within the vendor's recommended cycle.
- Voice recording of card details. Phone payments captured on call recordings without redaction. Either use an IVR-style payment capture or document a redaction process.
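The first step in closing the "card data in writing / in email" gaps above is finding where PANs already sit: mailboxes, ticket systems, scanned order forms, chat exports. The following is an added Python example, not code from this page's author: it scans a constructed block of text for candidate card numbers, keeps only those that pass the Luhn check, and masks each one to the first six and last four digits, which is the most PCI DSS allows to be displayed. The sample text and the two card numbers in it are constructed test values, not real cards.

```python
"""Find and mask primary account numbers (PANs) in free text, e.g. an exported
mailbox or a transcribed phone-order form. Added example; the text below is
constructed and the card numbers are well-known test numbers, not real cards."""
import re
from typing import List, Tuple

# Constructed sample: the kind of note that makes a phone-order process non-compliant.
SAMPLE_TEXT = """
Phone order 14/05 - Mrs Smith
Card: 4111 1111 1111 1111 exp 09/27 cvv 123
Alt card 5555-5555-5555-4444
Order ref 1234 5678 9012 3456 (not a card)
Call back on 020 7946 0000
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check: every PAN carries a check digit, so random digit runs usually fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS masking rule: at most the first 6 and last 4 digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (text as matched, masked PAN) for every Luhn-valid candidate."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.group(0), mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace each detected PAN with its masked form so the record can be retained."""
    out = text
    for original, masked in find_pans(text):
        out = out.replace(original, masked)
    return out


if __name__ == "__main__":
    for original, masked in find_pans(SAMPLE_TEXT):
        print(f"found {original!r} -> {masked}")
    print(redact(SAMPLE_TEXT))
```

On the sample the two test cards are found and masked while the 16-digit order reference is left alone because it fails the Luhn check; the phone number is too short to be a candidate. Luhn reduces false positives but does not eliminate them (roughly one random digit run in ten passes), so review hits before deleting anything. Masking the PAN does not make the note compliant on its own: the CVV on the same line must never be retained at all, so redaction is a clean-up step, not a substitute for moving phone orders to a virtual terminal or pay-by-link.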
PCI for Tap to Pay on iPhone (and Android)
Tap to Pay on iPhone uses PCI MPoC (Mobile Payments on Commercial off-the-shelf devices) certification at the platform level. The merchant's scope is reduced because:
- Apple's Secure Element handles cardholder data
- The acquirer's SDK (Stripe, SumUp, Square) is PCI-validated
- The merchant just confirms they are not storing card data
In practice, UK SMBs running Tap to Pay on iPhone via SumUp or Square complete an SAQ-A or SAQ-A-EP (depending on whether they also have a website checkout). Tap to Pay on Android (Google Wallet path) follows similar principles.
Cost of compliance in 2026
- SAQ-A or SAQ-B-IP via acquirer dashboard: £0-£60/year (acquirer tooling)
- SAQ-D (DIY): £200-£600/year for SAQ tooling plus £400-£1,200/year for quarterly ASV scans
- SAQ-D + on-site assessment (Level 2): £3,000-£8,000/year
- Level 1 RoC: £15,000-£50,000/year
For most UK SMBs the answer is: minimise scope. Use a hosted checkout (Stripe Checkout, Shopify), use a PCI-validated terminal (SumUp, Square, Dojo), avoid storing card data anywhere. SAQ-A is achievable in an afternoon and costs nothing. SAQ-D is a multi-day project.
Cross-link: PCI breaches and termination
A PCI breach often triggers acquirer termination plus a MATCH listing under reason code 12 (PCI DSS Non-Compliance). See our MATCH list and TMF UK guide for the listing flow and our account-terminated runbook for the recovery flow.
Frequently asked questions
What is PCI DSS and does it apply to my UK small business?
PCI DSS (Payment Card Industry Data Security Standard) is the global standard for handling payment card data. It applies to every UK business that accepts cards, regardless of size. The level of compliance work depends on your annual transaction count and how you accept payments. Most UK SMBs fall into Level 4 (under 20,000 e-commerce or under 1m total transactions a year) and complete a Self-Assessment Questionnaire (SAQ) annually.
When did PCI DSS v4.0.1 become mandatory?
Version 4.0.1 has been mandatory since 1 April 2025. It replaced v3.2.1, which was retired on 31 March 2024. Some new v4 controls have a longer transition period and only became fully mandatory on 31 March 2025. By May 2026 every UK merchant must be on v4.0.1; v3.2.1 SAQs are no longer accepted.
Which SAQ should I complete?
It depends on how you take payments. SAQ-A: e-commerce only, with the entire payment flow handled by a third-party processor (Stripe, Shopify, Squarespace etc.) and no card data ever touching your servers. SAQ-A-EP: e-commerce where your site directly handles the payment page but redirects for processing. SAQ-B: dial-up or analogue terminals only (rare in 2026). SAQ-B-IP: IP-connected terminals, no e-commerce. SAQ-C-VT: virtual-terminal use only. SAQ-D: most other situations, including any business that stores or processes card data internally.
What is the biggest change from v3.2.1 to v4.0.1?
Three: (1) much stronger authentication requirements (multi-factor authentication on all access to card data systems, not just remote), (2) phishing protection requirements made explicit, (3) a "customised approach" option allowing a security-equivalent alternative to a prescribed control. For UK SMBs the practical change is MFA: anyone accessing the payment system must have MFA, including the small-business owner.
Who enforces PCI DSS in the UK?
The card schemes (Visa, Mastercard, AMEX) enforce via the acquirers. Your acquirer is contractually required to ensure you complete an annual SAQ. They face fines from the schemes if a merchant has a breach and was non-compliant. For UK SMBs, the acquirer asks you to complete the SAQ once a year through their dashboard. Failure to complete usually triggers a monthly non-compliance fee (£15-£30) plus eventual termination if persistent.
What if I have a card data breach?
Three obligations: (1) notify your acquirer within 24 hours, (2) commission a forensic investigation through an approved PCI Forensic Investigator (the acquirer arranges this), (3) notify the ICO within 72 hours under UK GDPR if personal data is involved. Fines can be £5,000 to £1m+ depending on scale. PCI DSS non-compliance at the time of the breach worsens fines materially. The acquirer almost always terminates and adds the merchant to MATCH under code 12.
Does PCI DSS apply to Tap to Pay on iPhone?
Yes, but the heavy lifting sits with the acquirer (Stripe, SumUp, Square). You as the merchant complete a streamlined SAQ-A or SAQ-A-EP because you are using a software-based EMV reader rather than handling card data directly. Apple's implementation is PCI MPoC (Mobile Payments on Commercial off-the-shelf devices) certified, which keeps your scope minimal.
What is the cost of PCI compliance in 2026?
For most UK SMBs running SAQ-A through their acquirer dashboard: £0-£60 a year (acquirer-provided tooling). For SAQ-D or larger merchants: £200-£2,000 a year for SAQ tooling plus quarterly external scans. For Level 1 merchants (6m+ Visa or Mastercard transactions): £15,000-£50,000 a year for the full Report on Compliance. Tap to Pay on iPhone keeps most UK SMBs at SAQ-A pricing.
Need a UK acquirer with strong PCI tooling?
Some acquirers make PCI compliance painless (Stripe, Square, SumUp Tap to Pay); others bury you in paperwork. Our matcher surfaces UK acquirers with documented PCI dashboards. No obligation, no upfront fees.
Director, AcceptCard
Oliver leads AcceptCard's editorial and comparison research. With a background in UK commercial finance, he oversees provider analysis, rate verification, and industry reporting across all verticals.
Last reviewed: 10 May 2026