PCI DSS and SCA Compliance for UK Businesses (2026)

PCI DSS and SCA Compliance: A Guide for UK Merchants

Two compliance frameworks govern how UK merchants handle card payments: PCI DSS, which sets security requirements for cardholder data, and SCA (Strong Customer Authentication), which requires multi-factor authentication for online transactions under UK PSD2.

We cover what each framework requires, which SAQ type applies to your business, how 3DS2 implements SCA, what exemptions are available, and what completing your PCI compliance actually involves as a small UK merchant.

PCI DSS: What It Is and Who It Applies To

PCI DSS (Payment Card Industry Data Security Standard) is a security framework maintained by the PCI Security Standards Council. Version 4.0, released in March 2022 and mandatory from March 2025, applies to any business that stores, processes, or transmits cardholder data.

Your obligations under PCI DSS depend on your compliance level, which is determined by your annual transaction volume.

Level 4 covers merchants processing fewer than 20,000 card-not-present transactions per year. We find this is the correct level for the vast majority of small UK independent businesses.

At Level 4, your obligation is to complete an annual self-assessment questionnaire (SAQ) and, for some SAQ types, run quarterly network vulnerability scans. No external assessor is required at this level.

PCI DSS is not enforced directly by the card schemes. Your acquirer enforces it. If you do not complete your annual SAQ, your acquirer charges a monthly non-compliance fee — typically £15–£30. Persistent non-compliance can result in account termination.

PCI DSS SAQ Types: Which One Applies to Your Business

The self-assessment questionnaire you complete depends on how card data flows through your environment. The less card data touches your systems, the simpler the SAQ.

SAQ A applies when you use a fully hosted payment page — Stripe Checkout, PayPal Standard, or similar. Card data never reaches your server. You redirect your customer to a provider-controlled page for payment.

SAQ A has approximately 22 questions and takes around one hour to complete. We recommend this architecture for any business where checkout customisation is not a priority — it is the lowest-risk and lowest-effort compliance path.

SAQ A-EP applies when you use a JavaScript-tokenised inline form such as Stripe Elements or Braintree Drop-in UI. Your customer enters card details on your page, but a JavaScript widget hosted by the provider captures and tokenises the data before it reaches your server.

SAQ A-EP has more questions than SAQ A and may require an Attestation of Scan Compliance from an Approved Scanning Vendor for internet-facing systems. It is still self-assessment — no QSA required.

SAQ D applies to all other environments, including any custom integration where your systems handle raw card data. It covers over 200 controls and typically requires significant technical preparation. We find this route is rarely appropriate for small UK merchants.

If you are unsure which SAQ applies, your acquirer or payment provider can advise. Stripe, PayPal, and SumUp all publish guidance on which SAQ their integration supports.
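The practical test behind the SAQ A / SAQ A-EP / SAQ D split is whether a raw card number ever reaches your own systems, whether through the checkout request, a support form, or a log line. The following is an added example (not from this guide, and not any provider's code) of a server-side guard written in Node.js: it scans an inbound JSON body for Luhn-valid runs of 13 to 19 digits and reports which fields hold one, so the request can be rejected before it is stored or logged. The field names, the `pm_tok_...` token string and the sample bodies are constructed for the example.

```javascript
// Added example: scope guard that flags raw card numbers (PANs) in inbound
// request data so a tokenised integration stays on SAQ A / SAQ A-EP.
// All field names and sample values below are constructed for illustration.

// Luhn check (mod-10): every real card number passes it, so it filters out
// most order numbers and phone numbers that merely look like one.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate runs of 13-19 digits, allowing the spaces or hyphens people type
// into free-text fields. The \b anchors stop a longer digit string (such as a
// 20-digit reference) from matching as a card number.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return the de-spaced PANs found in a string (empty array if none).
function findCardNumbers(text) {
  const found = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.push(digits);
    }
  }
  return found;
}

// Walk a parsed JSON body and return the dotted paths of fields holding a PAN.
function scanPayload(value, path = '', hits = []) {
  if (typeof value === 'string') {
    if (findCardNumbers(value).length > 0) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => scanPayload(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      scanPayload(v, path ? `${path}.${k}` : k, hits);
    }
  }
  return hits;
}

// Mask a PAN for a log line: only the last four digits survive.
function redactCardNumber(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Decide whether a request may proceed. A token from the provider is fine;
// any field carrying a PAN means card data has entered your environment.
function checkRequest(body) {
  const hits = scanPayload(body);
  return { allowed: hits.length === 0, fieldsWithCardData: hits };
}

// Constructed sample bodies: one as a tokenised form should send it, one
// where a customer pasted a card number into a free-text notes field.
const tokenisedBody = { paymentToken: 'pm_tok_constructed_example', amountPence: 2599 };
const leakedBody = {
  paymentToken: 'pm_tok_constructed_example',
  notes: 'use card 4242 4242 4242 4242 please', // widely used Luhn-valid test number
  orderRef: 'ORDER-1234567890123',             // 13 digits, fails Luhn, not flagged
};

console.log(checkRequest(tokenisedBody));
console.log(checkRequest(leakedBody));
console.log(redactCardNumber('4242424242424242'));
```

Run the guard as middleware in front of any endpoint that accepts customer input, and feed the same `findCardNumbers` check into your log pipeline: a single PAN written to an application log is enough to pull that log store into PCI scope.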

PCI non-compliance fees: how to eliminate them
Most acquirers charge £15–£30/month in PCI non-compliance fees when a merchant has not submitted their annual SAQ. Completing SAQ A for a hosted-gateway business takes approximately one hour and eliminates the fee immediately. Log into your acquirer portal, find the PCI compliance section, and complete the SAQ — it is a one-off annual task.

SCA and 3DS2: What UK Merchants Need to Know

Strong Customer Authentication (SCA) is required for online card payments under the UK Payment Services Regulations 2017 (UK PSD2). It requires authenticating the customer using two of three factors: something they know (password, PIN), something they have (phone, hardware token), or something they are (biometric).

For card payments, SCA is implemented through 3DS2 (3D Secure version 2). When a customer pays online, your gateway passes transaction data to the card scheme. The issuing bank runs a risk assessment and either approves silently (frictionless flow) or challenges the customer to authenticate via their banking app.

The frictionless flow — where the transaction is approved without any customer action — is the outcome for most low-risk transactions. Your customers only see a challenge step when the issuer determines the risk warrants it.

We find that properly implemented 3DS2 via Stripe, PayPal, or Checkout.com adds minimal friction for most transactions. The challenge rate on well-optimised checkouts is typically low for established merchants with good fraud track records.

SCA Exemptions: When Authentication Is Not Required

Not every online card transaction requires SCA. Several exemptions reduce the friction burden on your checkout.

Low-value transactions under £30 are exempt from SCA requirements. A cumulative limit applies: after five consecutive SCA-exempt transactions or £150 in total, the issuer requires a full authentication before further exemptions apply.

Merchant-initiated transactions are SCA-exempt. When a customer sets up a subscription or recurring billing and authenticates at the first payment, all subsequent charges under that mandate are classified as merchant-initiated. Your gateway marks these transactions accordingly.

Low-risk transaction exemptions allow your acquirer or the issuer to skip SCA based on real-time fraud analysis. If both acquirer and issuer fraud rates are below scheme thresholds, the transaction may be processed without challenge.

Trusted beneficiary exemptions let customers whitelist your business through their bank. Once whitelisted, future transactions with your business skip the SCA challenge. This is issuing-bank functionality — you cannot trigger it yourself.

In practice, your payment gateway handles exemption requests and 3DS2 routing automatically. You do not need to manage this per-transaction. We recommend confirming with your provider that 3DS2 is enabled on your integration — it is enabled by default on Stripe, PayPal, and Checkout.com.
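The cumulative limits on the low-value exemption are easiest to understand as a running count and total per card that reset whenever a full authentication happens. The block below is an added example, not part of this guide and not any provider's implementation, that models those rules in JavaScript exactly as the page states them (under £30 per transaction, five consecutive exemptions or £150 since the last authentication). In reality the issuer keeps this state, not the merchant; the transaction objects, amounts and outcome labels are constructed for the example.

```javascript
// Added example: a model of the SCA low-value exemption and its cumulative
// limits as this guide describes them. Your gateway and the issuer apply these
// rules for you; the model only makes the counters visible. Amounts in pence.

const LOW_VALUE_LIMIT_PENCE = 3000;   // "under £30" per transaction
const CUMULATIVE_LIMIT_PENCE = 15000; // £150 since the last full authentication
const MAX_CONSECUTIVE_EXEMPT = 5;     // five exempt transactions in a row

// Issuer-side state for one card: what has gone through without SCA.
function newCardState() {
  return { exemptCount: 0, exemptTotalPence: 0 };
}

// Classify one transaction and update the state. Outcomes (labels are ours):
//   'merchant_initiated' - charge under an authenticated mandate, no SCA
//   'low_value_exempt'   - under £30 and within the cumulative limits, no SCA
//   'sca_required'       - the customer must authenticate (3DS2 challenge);
//                          the running counters reset once that happens
function classify(state, tx) {
  if (tx.merchantInitiated) {
    // Counters untouched: MITs sit outside the low-value running totals.
    return 'merchant_initiated';
  }
  const withinValue = tx.amountPence < LOW_VALUE_LIMIT_PENCE;
  const withinCount = state.exemptCount < MAX_CONSECUTIVE_EXEMPT;
  const withinTotal = state.exemptTotalPence + tx.amountPence <= CUMULATIVE_LIMIT_PENCE;
  if (withinValue && withinCount && withinTotal) {
    state.exemptCount += 1;
    state.exemptTotalPence += tx.amountPence;
    return 'low_value_exempt';
  }
  // A full authentication resets the running count and total.
  state.exemptCount = 0;
  state.exemptTotalPence = 0;
  return 'sca_required';
}

// Run a sequence of transactions for one card and return the outcomes.
function simulate(transactions) {
  const state = newCardState();
  return transactions.map((tx) => classify(state, tx));
}

// Constructed scenario: six £20 orders on the same card. The first five are
// exempt; the sixth is challenged purely because the count limit is reached.
const sixSmallOrders = Array.from({ length: 6 }, () => ({ amountPence: 2000 }));

// Constructed scenario: a £20 order, a £50 order (over the limit, so SCA and a
// reset), a recurring £20 charge under a mandate, then another £20 order.
const mixedOrders = [
  { amountPence: 2000 },
  { amountPence: 5000 },
  { amountPence: 2000, merchantInitiated: true },
  { amountPence: 2000 },
];

console.log(simulate(sixSmallOrders));
console.log(simulate(mixedOrders));
```

One consequence of the page's thresholds falls out of the model: five transactions each under £30 sum to less than £150, so the count limit is always the one that fires first, and the £150 total only becomes binding if the per-transaction limit is raised. The model also shows why a merchant-initiated charge neither consumes nor resets the exemption budget.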

PCI SAQ Types and SCA Status by Integration (UK, 2026)

We have set out the main UK merchant integration types with their corresponding PCI SAQ, SCA implementation, and compliance effort.

| Integration type | Example providers | PCI SAQ | SCA / 3DS2 | Compliance effort |
| --- | --- | --- | --- | --- |
| Hosted payment page (redirect) | Stripe Checkout, PayPal Standard | SAQ A (~22 questions) | Provider handles 3DS2 | Low — ~1 hour/year |
| Inline tokenised form (JS) | Stripe Elements, Braintree Drop-in | SAQ A-EP | Provider handles 3DS2 | Medium — may need ASV scan |
| Standalone IP terminal | Dojo, Worldpay, Barclaycard | SAQ B-IP | SCA via PIN/contactless | Low — terminal manages scope |
| Custom API integration | Any raw card data handling | SAQ D (200+ controls) | Merchant must implement 3DS2 | High — significant preparation |

PCI Compliance in Practice: What Small Merchants Need to Do

If you use a hosted payment page from Stripe, PayPal, SumUp, or Square, your compliance path is SAQ A. Log into your acquirer or payment provider portal, locate the PCI compliance section, and complete the questionnaire. Most acquirers use a third-party compliance portal such as SecurityMetrics or ControlScan.

SAQ A asks approximately 22 questions about your website security, access controls, and whether card data is ever stored or transmitted by your systems. For a hosted-gateway business, most answers are straightforward.

We recommend setting a recurring annual reminder to resubmit your SAQ. Compliance lapses after 12 months and the non-compliance fee resumes. The process is the same each year — it does not grow more complex.

If you use Stripe Elements or a similar inline tokenised form, we recommend confirming with your acquirer whether you need SAQ A-EP and whether an Approved Scanning Vendor (ASV) quarterly scan is required for your specific setup. Some acquirers waive the scan requirement for low-volume merchants.

For in-person payments via a standalone Dojo, Worldpay, or Barclaycard terminal, your PCI scope is SAQ B-IP. The terminal itself handles card data; your network configuration is the main scope question.

SCA Liability and Conversion Impact

The most commercially significant benefit of SCA for your business is the liability shift. When a transaction is authenticated via 3DS2 and the issuer approves it, fraud liability for that transaction moves from you to the issuing bank.

This means that if a 3DS2-authenticated transaction is later disputed as fraudulent, the issuer — not you — bears the chargeback cost. For businesses with meaningful chargeback rates from fraud, this is a real financial benefit.

The trade-off is potential checkout friction. 3DS2 risk scoring minimises challenge rates, but some transactions will receive a challenge step. We find that clearly communicating the authentication step reduces abandonment — customers who understand what the bank authentication pop-up is will complete it.

For recurring billing, the SCA obligation sits at the first payment. Once authenticated, subsequent merchant-initiated transactions do not require re-authentication. This applies to subscriptions, retainers, and instalment plans set up through Stripe Billing, GoCardless, or similar.

If you have an elevated chargeback rate from card-not-present fraud, we recommend enabling 3DS2 authentication on all eligible transactions — your payment provider can advise on configuration.

Bottom line: Use a hosted payment page to stay on SAQ A, complete it annually to avoid non-compliance fees, and confirm 3DS2 is enabled to protect against chargeback fraud.

Frequently Asked Questions

What is PCI DSS and do I need to comply?
PCI DSS (Payment Card Industry Data Security Standard) is a security framework that applies to any business accepting, processing, or storing card payments. If you accept cards — online or in person — you are subject to it. For most small UK merchants, compliance means completing an annual self-assessment questionnaire (SAQ) through your acquirer. The SAQ type and complexity depend on how card data flows through your systems. Using a hosted payment page keeps your scope minimal and your compliance effort to approximately one hour per year.

Which SAQ do I need to complete?
If you use a fully hosted payment page — Stripe Checkout, PayPal Standard, or a similar redirect-based checkout — you qualify for SAQ A, which has around 22 questions. If you use an inline JavaScript tokenised form (Stripe Elements, Braintree Drop-in UI), you need SAQ A-EP. If you have a standalone IP-connected terminal (Dojo, Worldpay countertop), you need SAQ B-IP. Custom integrations that handle raw card data require SAQ D, which covers over 200 controls. Confirm your SAQ type with your acquirer before submitting.

What is SCA and does it apply to my business?
Strong Customer Authentication (SCA) requires online card transactions to be authenticated using two of three factors: something the customer knows, has, or is. It applies to all UK merchants accepting online card payments under the Payment Services Regulations 2017. For most businesses, SCA is handled automatically by your payment gateway via 3DS2 — Stripe, PayPal, and Checkout.com all implement 3DS2 by default. You do not need to configure it manually; confirm with your provider that it is active on your integration.

What is the SCA liability shift and why does it matter?
When a transaction is authenticated via 3DS2 and the issuing bank approves it, fraud liability for that transaction shifts from you to the issuer. If the transaction is later disputed as fraudulent, the issuer bears the chargeback cost rather than you. This is the most commercially significant protection SCA provides for merchants. For businesses with high card-not-present fraud exposure, enabling 3DS2 on all eligible transactions directly reduces chargeback costs.

Do SCA exemptions reduce checkout friction?
Yes. Several exemptions mean many transactions do not require a customer authentication step. Low-value transactions under £30 are exempt. Merchant-initiated transactions (subscriptions after the first payment) are exempt. Low-risk transactions may be exempted by your acquirer or the issuer based on fraud scoring. Your payment gateway applies exemption requests automatically. In practice, the majority of transactions on well-optimised checkouts pass via the frictionless 3DS2 flow without requiring any action from your customer.

How do I stop being charged PCI non-compliance fees?
Complete your annual SAQ through your acquirer’s compliance portal. Non-compliance fees — typically £15–£30/month — are charged when you have not submitted a current SAQ. For a hosted-gateway business on SAQ A, the questionnaire takes approximately one hour. Once submitted, the non-compliance fee stops immediately. Set a calendar reminder to resubmit annually — the fee resumes after 12 months if the SAQ is not renewed. Log into your acquirer portal, find the PCI or compliance section, and follow the link to the SAQ.

How we put this guide together

PCI DSS compliance requirements from PCI DSS v4.0 (PCI Security Standards Council, mandatory from March 2025). SAQ types and eligibility criteria from PCI SSC SAQ guidance documents. Non-compliance fee ranges from acquirer published terms: Dojo, Worldpay, Barclaycard, Stripe (April 2026).

SCA and 3DS2 implementation from the UK Payment Services Regulations 2017 and FCA published SCA guidance. SCA exemption thresholds (£30 low-value, £150 cumulative) from FCA regulatory technical standards.

This is editorial guidance, not regulated legal or financial advice. PCI DSS and SCA requirements can vary by acquirer, card scheme, and business type — confirm your specific obligations with your acquirer before making compliance decisions.