PCI DSS compliance for websites

Author: Ben Jeffery

If you're taking credit or debit card payments for your e-commerce site you need to be compliant with the new "PCI DSS" requirements.

What are PCI DSS?

PCI DSS stands for the Payment Card Industry Data Security Standard. The PCI is an organisation made up of the major card companies, such as Visa, Mastercard, JCB and American Express.

These new international standards are designed to improve the security of card payments and reduce fraud.

Does it apply to me?

As of 2011, all businesses taking card payments are required to comply with the PCI DSS rules. If you take any card payments, whether that's through a third party like SagePay or your own card terminal, you do have to comply. The level of requirements depends on how you handle these payments.

If you take online card payments through a provider like SagePay or PayPal, then they are effectively handling the customer's card details. This means the liability and most of the compliance burden lie with them rather than you, but you'll still need to complete a self-assessment questionnaire each year.

Even if you don't have a physical terminal, you may still be processing offline card payments. This could include using a "virtual terminal" to process card details taken over the phone, by post or by email. These payment methods require further action for compliance, such as external vulnerability scans of your internet connection.

What if I don't comply?

Although the PCI DSS requirements are not a legal obligation, they are mandatory for any business wishing to take card payments from its customers, and they will form part of the terms of your merchant account.

Failure to comply can lead to increasing fines, and you may already be paying "non-compliance" fees to your bank without realising it.

How do I become PCI DSS compliant?

If you have a merchant account, your bank should help you get the necessary compliance. There are a number of organisations that help you become compliant and notify your bank for a small annual fee. We recommend:

There are plenty of providers, but it's best to use a recommended supplier and check for alternative quotes. Both the providers above charge around £75 a year for an e-commerce website with a virtual terminal used from one location.

Please note we are not experts on PCI DSS compliance. This article provides a quick and superficial overview to help our clients and we recommend you ask the experts if you need more advice. Call Security Metrics on 0207 993 8030 and they'll ask a few questions then tell you what you need (with no obligation).