
PCI Compliance in the United Kingdom

UK payment firms operate under FCA oversight, and every UK organisation that stores, processes or transmits card data must reconcile PCI DSS with UK GDPR post-Brexit. Card brands enforce PCI DSS contractually through UK acquirers including Barclaycard, Worldpay, and Lloyds Cardnet rather than through any UK statute. The UK remains one of Europe's largest card payment markets following Brexit.

Avg audit hours: 1,090 annually
Avg cost: £140k GBP (≈ $177k USD)
Avg maturity score: 61/100

Post-Brexit, UK organisations are no longer bound by EU-level EBA guidelines; the applicable regime is the UK Payment Services Regulations 2017, supervised by the FCA under its own technical standards on Strong Customer Authentication. UK GDPR diverges slightly from EU GDPR, and organisations processing data of both UK and EU residents must satisfy both regimes independently: separate lawful-basis analyses, separate transfer mechanisms, and notification to both the ICO and the relevant EU supervisory authority when a breach affects both populations.

Top PCI-Active Industries in the United Kingdom

Financial Services, E-Commerce, Retail, FinTech, Travel & Hospitality, SaaS

Regional Compliance Context

UK GDPR International Transfers
UK GDPR imposes no data-localisation requirement, but international transfers are restricted: UK-EU flows currently rest on mutual adequacy decisions, while transfers to other third countries need the UK IDTA or the UK Addendum to the EU SCCs together with a transfer risk assessment
FCA SYSC Operational Resilience Rules
FCA-regulated firms must identify their important business services (card payment processing is typically one), set impact tolerances for each, and test through severe but plausible scenarios, including acquirer or PSP outages, that they can remain within those tolerances
UK Cyber Essentials Alignment
NCSC Cyber Essentials' five control areas (firewalls, secure configuration, security update management, user access control, malware protection) map onto PCI DSS Requirements 1, 2, 6, 7-8 and 5; many UK firms pursue both, but Cyber Essentials is self-assessed (Cyber Essentials Plus adds an external test) and does not cover cardholder data protection, logging or security testing
PSD2 Strong Customer Authentication
SCA under the UK Payment Services Regulations 2017, enforced for UK e-commerce since 14 March 2022, governs how the payer is authenticated, usually via 3DS2; the merchant's 3DS integration handles the PAN and so sits inside PCI DSS scope, while the authentication servers themselves fall under the PCI 3DS Core Security Standard

Frequently Asked Questions

Is PCI compliance required in the UK?

PCI DSS is not UK law; it is imposed contractually by the card brands through acquiring bank agreements, so any merchant or service provider that stores, processes or transmits cardholder data is bound by it regardless of size. The FCA separately expects regulated payment firms to maintain security controls consistent with PCI DSS. Non-compliance can result in card scheme fines passed through by the acquirer, monthly non-compliance fees and higher processing charges, termination of the merchant agreement and, for regulated firms, FCA supervisory scrutiny. After a breach, the cost of a PCI Forensic Investigator (PFI) engagement and liability for resulting fraud losses are typically added.

How does UK GDPR affect PCI compliance post-Brexit?

UK GDPR (the EU GDPR as retained in UK law after Brexit, read alongside the Data Protection Act 2018) requires organisations to protect personal data, and the PAN, cardholder name and expiry date are personal data. PCI DSS controls map well onto UK GDPR's Article 32 security-of-processing duty, but UK GDPR adds obligations PCI does not address: a lawful basis for processing, data subject rights, retention limits, transfer restrictions, and notification of a reportable breach to the ICO within 72 hours of becoming aware of it. PCI DSS's own data-minimisation rules (no storage of sensitive authentication data after authorisation, PAN masked when displayed and rendered unreadable wherever stored) serve both regimes.

What is PSD2 SCA and how does it interact with PCI DSS?

Strong Customer Authentication (SCA) under the UK Payment Services Regulations 2017 requires that a remote card payment be authenticated with two of three independent factors (knowledge, possession, inherence) unless an exemption or exclusion applies, such as low-value, recurring or merchant-initiated transactions, or transaction risk analysis. For cards, SCA is implemented through EMV 3-D Secure (3DS2). The two standards are complementary: PCI DSS governs the security of the cardholder data environment, SCA governs how the payer is authenticated. 3DS2 components must themselves be PCI compliant: the 3DS Server, Directory Server and ACS are assessed against the PCI 3DS Core Security Standard, and a merchant's 3DS integration is in PCI DSS scope because it handles the PAN.

How much does PCI compliance cost in the UK?

UK organisations average £140,000 (approximately $177,000 USD) annually for PCI compliance. Small UK merchants eligible for SAQ A (card data capture fully outsourced to a PCI-validated third party) typically spend £12,000–£40,000; large Level 1 merchants and payment service providers, which require an annual Report on Compliance by a QSA or ISA, can spend £300,000 or more annually.

