Your complete guide to taking card payments online, in person, and over the phone — with UK legal requirements, fee breakdowns, and honest provider comparisons.
Quick Verdict
- Best for new/small businesses: Square Reader (2nd Gen) — £19 + VAT, 1.75% flat, no monthly fee, excellent PCI support.
- Best for fast payouts: SumUp Solo — rates from 0.99%, built-in printer option.
- Best for online-only or developer-led setups: Stripe — 1.5% + 20p for UK cards, powerful API.
- Best for high-volume established businesses: Worldpay dedicated merchant account — custom interchange-plus pricing.
What This Guide Covers
This guide is for UK small business owners, sole traders, and freelancers who want to start accepting credit and debit card payments. It covers:
- How to accept card payments online, in person, and over the phone
- An honest comparison of the main UK providers — Square, SumUp, Stripe, PayPal Zettle, and Worldpay
- How to keep transaction fees under control
- The UK legal requirements you must meet, including PCI DSS, Strong Customer Authentication, and UK GDPR
- A step-by-step setup guide from choosing a provider to taking your first payment
- Fast-track options for freelancers and sole traders
Card payments account for the majority of UK consumer spending. Businesses that don’t accept cards risk losing sales to competitors who do. The setup process is more straightforward than many owners expect.
Step 1: Choose How You’ll Accept Card Payments
Before comparing providers, decide which payment method — or combination — suits your business. The three main channels are online, in person, and over the phone, and each requires slightly different tools.
Accepting Card Payments Online
Online card payments require three components working together:
- A digital storefront — your website, an e-commerce platform (Shopify, WooCommerce), or a marketplace listing.
- A payment gateway — the secure interface where customers enter card details. Providers like Stripe, Square Online, and PayPal handle this.
- A payment processor — the infrastructure that communicates with the card networks (Visa, Mastercard), the customer’s bank, and your business bank account to transfer funds.
Accepting Card Payments Over the Phone
Phone payments — also called card-not-present (CNP) or MOTO (Mail Order / Telephone Order) transactions — don’t require special hardware in most cases. The two main methods are:
- Virtual terminal — a secure web-based interface where you manually key in card details provided by the customer over the phone. Most major providers (Stripe, Square, Worldpay) offer this as an add-on or include it in their dashboard.
- Dedicated MOTO solutions — if you take a high volume of telephone orders, some providers offer streamlined phone payment flows that reduce manual input and improve compliance.
Important (PCI DSS and phone payments): Taking card details over the phone creates specific PCI DSS obligations. You must never record or write down full card numbers during a call. Use a compliant virtual terminal and a call flow that keeps cardholder data out of your call recording infrastructure. Speak to your provider before enabling phone payments.
Step 2: Compare UK Providers
The table below compares the main UK providers across the factors that matter most for small businesses. Rates shown are standard published rates as of February 2026 — always request a personalised quote, as fees can be negotiated at higher volumes.
| Provider | Setup Cost | Monthly Fee | Transaction Fee | Settlement | PCI Support | Best For |
|---|---|---|---|---|---|---|
| Square Reader (2nd Gen) | £19 + VAT | £0 | 1.75% flat | 1–2 business days | Managed | New & low-volume |
| SumUp Solo | £39 | £0 | 0.99%–1.69% | 1–3 business days | Managed | Quick payouts needed |
| Stripe | No hardware required (online) | £0 | 1.5% + 20p (UK cards) | 2 business days | Managed | Online / developers |
| PayPal Zettle | £29 (1st reader) | £0 | 1.75% | 1–3 business days | Managed | Existing PayPal users |
| Worldpay (dedicated) | Terminal rental varies | From ~£19.95/mo | Interchange-plus (custom) | 3 business days | Full support | High-volume established firms |
A note on aggregators vs dedicated merchant accounts: providers like Square, SumUp, Stripe, and PayPal Zettle operate as payment aggregators — they give you a sub-account under their master merchant account with an acquiring bank. This means fast onboarding (often same day) and simple flat-rate pricing, but account restrictions or holds are possible if unusual activity is detected. Worldpay and similar dedicated merchant account providers involve more paperwork and underwriting, but offer direct contractual terms and often lower per-transaction costs once you’re processing significant volumes.
Which Provider Is Right for Your Business Type?
- Retail shop or café: Square or SumUp for the in-person reader, plus their POS software.
- Freelancer or consultant: Stripe or Square for hosted payment links — send a URL, customer pays by card.
- E-commerce business: Stripe (best API), Square Online, or PayPal for established platform integrations.
- Tradesperson or mobile business: SumUp or PayPal Zettle mobile reader.
- High-volume business (>£50k/month): Request quotes from Worldpay, Barclaycard, or Lloyds Cardnet for bespoke interchange-plus pricing.
Step 3: Understand the True Cost of Card Payments
Headline transaction rates rarely tell the full story. Every card payment involves several underlying cost components, and the pricing model your provider uses determines how visible — or hidden — these are.
The Three Main Pricing Models
- Flat-rate pricing: One fixed percentage per transaction, regardless of card type. Simple to forecast, but you may overpay on lower-cost cards (like UK debit) and underpay on higher-cost ones (like premium rewards cards). Used by Square, SumUp, and PayPal Zettle.
- Interchange-plus pricing: Interchange and scheme fees are passed through at cost, with a fixed acquirer margin on top. More transparent and usually cheaper at volume, but harder to forecast. Typical for dedicated merchant accounts.
- Blended or tiered pricing: Transactions are grouped into rate bands. Often used to make higher fees less visible — treat this model with caution and always request the full pricing schedule.
| Fee Component | What It Is | What to Watch For |
|---|---|---|
| Interchange | Paid to the cardholder’s issuing bank | Capped for UK consumer debit/credit cards; higher for commercial or cross-border cards |
| Scheme Fee | Charged by Visa or Mastercard for using their network | Varies by transaction type (e.g. contactless vs card-not-present) |
| Acquirer Margin | Your processor’s profit margin | Negotiable at higher volumes; ask for interchange-plus pricing |
| Terminal / Gateway | Fee for terminal rental or payment gateway access | Can add £20–£50/month on top of transaction fees |
| Chargeback Fee | Admin charge per disputed transaction | Typically £10–£25 per dispute regardless of outcome |
| PCI Non-Compliance | Penalty for not completing validation steps | Can reach £30–£50/month until you complete your SAQ |
In the UK, the Consumer Rights (Payment Surcharges) Regulations 2012 (as amended) prohibit businesses from adding surcharges to most consumer credit and debit card transactions. You cannot pass your processing fees on to customers as a line-item charge for standard consumer cards.
Watch Out For: Minimum monthly service charges, terminal rental fees, and different rates for card-not-present (online/phone) vs card-present (in-person) transactions. A provider with a competitive in-person rate may charge significantly more for online payments. Always check the full tariff document, not just the headline rate.

Step 4: Meet Your UK Legal and Security Obligations
Accepting card payments makes your business subject to mandatory security standards and UK regulations. These apply regardless of your size or trading volume. Failure to comply can result in financial penalties, increased liability for fraud losses, or — in serious cases — the withdrawal of your ability to accept cards.
PCI DSS: Payment Card Industry Data Security Standard
PCI DSS applies to any business that stores, processes, or transmits cardholder data. For most small businesses, compliance means completing an annual Self-Assessment Questionnaire (SAQ) — a checklist that confirms your handling of card data meets minimum security standards. Which SAQ you complete depends on how you take payments:
- SAQ A: You use a fully outsourced payment solution (e.g. Stripe or Square hosted checkout) — the simplest version.
- SAQ A-EP: You have your own e-commerce site with a redirected payment page.
- SAQ B or C: You use a standalone card terminal not connected to other systems.
- SAQ D: You store cardholder data electronically — the most complex, and one to avoid where possible.
Using a PCI-compliant provider reduces your compliance scope significantly, but it does not remove your responsibility. Your business remains accountable for how card data is handled in your environment, by your staff, and on your systems. Never store full card numbers, CVV codes, or PINs unless your setup specifically requires and permits this under PCI rules.
Strong Customer Authentication (SCA)
SCA is required under the UK Payment Services Regulations 2017 (as amended) for most electronic payments. It requires customers to verify their identity using at least two independent factors from: something they know (password or PIN), something they have (their phone), or something they are (biometrics). Most providers implement SCA through 3D Secure 2 (3DS2) for online payments. You must ensure 3DS2 is correctly configured for your checkout — your provider should handle this, but you need to confirm it is enabled.
UK GDPR and Data Protection Act 2018
Cardholder information is personal data under UK GDPR. You must process it lawfully, only collect what you need, store it securely, and not retain it longer than necessary. If you process personal data, you are likely required to have a privacy notice and, depending on your data processing activities, may need to register with the ICO. Do not store raw card details in spreadsheets, emails, or paper notes.
HMRC Tax Reporting
All income received by card must be declared to HMRC in the same way as cash income. Card processor statements are admissible evidence in tax investigations. Keep accurate records of all transactions and reconcile them against your accounting records.
Compliance Checklist
- Complete the correct PCI DSS Self-Assessment Questionnaire for your payment setup.
- Confirm 3D Secure is enabled for all online card payments.
- Use only PCI-compliant hardware and payment software.
- Never record or store full card numbers outside a compliant system.
- Publish a UK GDPR-compliant privacy notice on your website.
- Train all staff who handle payments on secure data handling.
- Report all card income to HMRC accurately.
Step 5: Set Up Card Payments – A Step-by-Step Checklist
Follow these steps in order. Skipping stages, particularly the compliance steps, is where most small businesses run into trouble.
- Research providers. Compare at least two providers and shortlist based on your channel (online / in-person / phone), expected monthly volume, and fee structure. Request a full tariff document — not just the headline rate.
- Apply. Submit your application. Aggregators (Square, Stripe, SumUp) typically approve same day with minimal documentation. Dedicated merchant accounts (Worldpay) require business details, bank statements, and underwriting — allow 3–7 days.
- Set up hardware or a gateway. For in-person payments, configure your card terminal or mobile reader and install POS software. For online payments, integrate the payment gateway with your website or e-commerce platform. For phone payments, set up your virtual terminal.
- Complete PCI DSS validation. Identify which SAQ applies to your setup and complete it. Arrange quarterly network scans if required. Your provider’s compliance team can advise.
- Configure fraud prevention tools. Enable 3D Secure for online payments. Configure AVS (Address Verification Service) and CVV checks. Set transaction velocity limits where available.
- Test everything. Run test transactions before going live. Confirm authorisation, settlement, and refund flows all work correctly.
- Confirm settlement times. Check how long it takes for funds to reach your account. This varies by provider and is not fixed by regulation. Square: 1–2 days; Stripe: 2 days; SumUp: 1–3 days; Worldpay: ~3 days.
- Train your team. Brief everyone who handles payments on: not recording card details on paper, what to do if a customer disputes a transaction, and how to spot suspicious activity.
Freelancers and Sole Traders: Fast Track Setup
If you invoice clients or take occasional payments, you don’t need a full POS setup. These two options cover most freelancer scenarios with minimal admin:
Hosted Payment Links
Create a payment link in your provider’s dashboard and send it to clients via email or message. The client clicks the link and pays by card on a secure hosted page — no website integration required. Available through Stripe, Square, and SumUp at no extra cost. Ideal for invoiced work, deposits, or one-off payments.
Virtual Terminal
Log in to your provider’s web dashboard, enter the card details your client provides over the phone, and process the payment manually. Stripe, Square, and Worldpay all offer virtual terminals. Note that you take on more PCI DSS responsibility with this method — confirm your SAQ type with your provider before using it regularly.
Freelancer Compliance Reminders
- You are still subject to PCI DSS requirements relevant to your payment method, even as a sole trader.
- Comply with UK GDPR when storing client payment details or contact information.
- Declare all card income to HMRC — your processor’s year-end statement will show total receipts.

Common Pitfalls to Avoid
The Chargeback Blindspot
A chargeback occurs when a customer disputes a transaction with their bank. The transaction amount is debited from your account while the dispute is investigated, and you face an admin fee (typically £10–£25) regardless of the outcome. A sudden increase in chargebacks can trigger account restrictions — a café owner who sees a spike after a busy weekend promotion can find their account placed under review, blocking card acceptance at exactly the wrong time. Maintain clear refund policies, keep transaction records, and respond to disputes promptly.
Assuming Your Provider Handles All Compliance
The most common compliance error is assuming that because you use a reputable provider like Stripe or Square, PCI DSS is fully covered. It isn’t. You remain responsible for your own environment — your devices, your staff practices, your physical security. Complete your annual SAQ and keep records.
Cross-Border Fees Catching You Off Guard
A consultant billing overseas clients on a flat-rate provider may find that cross-border interchange and scheme fees apply on top of their advertised rate, sometimes adding 1–2% per transaction. If you regularly bill international clients, check your provider’s cross-border fee schedule explicitly.
Overlooking Exit Fees
Some providers — particularly those offering lower ongoing rates — include early termination fees or minimum contract periods. Read the full contract before signing. Aggregators (Square, SumUp, Stripe) typically operate on a rolling monthly basis with no exit fee, which is valuable flexibility for a growing business.
Card Payment FAQs
What is the cheapest way to accept card payments for a small business in the UK?
For most small businesses, a payment aggregator with no monthly fee and a flat transaction rate offers the lowest total cost. Square (1.75%), SumUp (from 0.99%), and PayPal Zettle (1.75%) all have no monthly fee and competitive rates for in-person payments. For online-only businesses, Stripe at 1.5% + 20p for UK cards is highly competitive. Always calculate your all-in cost including hardware before choosing.
Do I need a merchant account, or can I use an aggregator like Square or Stripe?
For most small businesses and startups, an aggregator is the right choice — fast setup, no underwriting, simple pricing. A dedicated merchant account (from providers like Worldpay, Barclaycard, or Lloyds Cardnet) makes sense when you’re processing significant volumes, want interchange-plus transparency, or need bespoke terms. The trade-off is more paperwork and longer setup time.
What are the UK legal requirements for accepting credit card payments?
You must comply with PCI DSS (complete the relevant Self-Assessment Questionnaire), Strong Customer Authentication under the Payment Services Regulations 2017 (for online payments), UK GDPR and the Data Protection Act 2018 (for handling cardholder personal data), and HMRC income reporting requirements. Failure to meet these standards can result in fines, increased liability for fraud losses, or suspension of your card acceptance facility.
How do I accept card payments over the phone?
Use a virtual terminal — a secure web dashboard where you manually enter card details provided by the customer. Most major UK providers include this. For high call volumes, look at providers with dedicated MOTO (Mail Order / Telephone Order) solutions. Never write down or record full card numbers. Confirm with your provider which PCI DSS Self-Assessment Questionnaire applies to your phone payment setup.
Can freelancers accept card payments without a complex setup?
Yes. Payment service providers allow freelancers to accept card payments through a relatively simple online sign-up. Hosted payment links (send a URL, client pays by card) require no website integration and work for invoice-based businesses. You still need to complete the relevant PCI DSS SAQ for your setup and comply with UK GDPR for client data.
How long does it take to start accepting card payments?
With an aggregator like Square, Stripe, or SumUp, you can be set up and taking payments on the same day you apply — often within an hour. A dedicated merchant account requires underwriting and typically takes 3–7 business days. Hardware delivery adds 1–3 days on top if you need a physical card reader.
Am I allowed to charge customers extra for paying by card?
Generally, no. The Consumer Rights (Payment Surcharges) Regulations 2012 prohibit surcharges on most consumer credit and debit card payments in the UK. You cannot add a card payment fee as a separate line item for standard consumer Visa or Mastercard transactions. Some exceptions apply for commercial cards — check the regulations or take professional advice if you’re unsure.
Your Next Step
Build a shortlist of two or three providers that match your channel (online, in-person, or phone), your expected monthly volume, and your compliance appetite. For most small businesses, an aggregator with no monthly fee is the right starting point.
Before you commit:
- Request a full tariff document — not just the headline rate.
- Confirm which PCI DSS SAQ you’ll need to complete.
- Check contract terms for exit fees or minimum periods.
- Test the signup flow — the quality of onboarding usually reflects the quality of ongoing support.
Taking these steps now protects your margins, keeps you legally compliant, and means you can start accepting cards with confidence.