PCI DSS v4.0 Policies for UK Retailers & SaaS

12 policies mapped to all 12 PCI DSS v4.0 requirement families. Written for UK retailers and e-commerce SMEs — ready for SAQ submission or QSA audit.


PCI DSS Retail Starter Pack

12 policies · £400 one-off

Lifetime access · no renewal · v4.0-ready


What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is the contractual standard governing every business that stores, processes or transmits cardholder data. It is enforced by the card schemes (Visa, Mastercard, Amex, Discover, JCB) via acquiring banks — not by a government regulator — but the penalties for non-compliance include fines, increased transaction fees, and loss of card-acceptance privileges.

The current version is PCI DSS v4.0 (revised as v4.0.1 in June 2024), with all future-dated requirements mandatory from 31 March 2025. Key v4.0 additions include targeted risk analyses, authenticated internal vulnerability scans, MFA for all access into the cardholder data environment (not only administrative access), keyed hashes where hashing is used to render PAN unreadable, and management plus tamper detection of the scripts on e-commerce payment pages (Req 6.4.3 and 11.6.1).

Who needs PCI DSS?

  • UK e-commerce retailers — every Shopify, WooCommerce, or custom-built store accepting card payments.
  • UK SaaS firms that take card payments — either directly or via Stripe/Adyen/GoCardless.
  • Subscription businesses and marketplaces processing recurring payments.
  • Hospitality, ticketing, and events firms handling card-present transactions.
  • Service providers and payment processors — additional service-provider-only requirements throughout the standard (for example Req 12.4.1 and 12.9), not only in Requirement 12.

Policies you need for PCI DSS

Each of the 12 PCI DSS requirement families needs documented policies and procedures. Our PCI DSS Retail Starter Pack delivers all 12, bespoke to your merchant scope:

Information Security Policy

Req 12 — overarching ISMS owned by leadership.

Network Security

Req 1 — firewalls, segmentation, network diagrams.

Vulnerability Management

Req 6 & 11 — patching, scans, penetration tests.

Access Control

Req 7 & 8 — need-to-know, MFA, session timeouts.

Monitoring and Logging

Req 10 — audit logging, log retention, review cadence.

Security Testing

Req 11 — ASV scans, pen testing, script monitoring (v4.0).

Vendor Management

Req 12.8/12.9 — TPSP list, AoC tracking, responsibility matrix.

Incident Response

Req 12.10 — CDE breach handling, card-brand notification.

Physical Security

Req 9 — device controls, visitor logs, media handling.

Data Classification

Req 3 — PAN storage rules, masking, truncation.

Encryption

Req 3 & 4 — key management, TLS standards, in-transit encryption.

Change Control

Req 6 — change approvals, separation of environments.
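The Data Classification (Req 3) and Encryption (Req 3 & 4) policies above name the controls but not what they look like in code. The following is an added example, not part of the PolicySuite pack or of any vendor's tooling: a small Python module that scans constructed log lines for PANs that should not be there (the Req 3.2/3.3 "prove you are not storing it" check), masks a PAN for display within the Req 3.4.1 limit, and renders a PAN unreadable with a keyed hash as Req 3.5.1.1 now demands. The log lines, the HMAC key and the test card numbers are constructed for the example; in production the key lives in an HSM or KMS, never beside the data.

```python
"""Added example (not the PolicySuite pack's code): PCI DSS v4.0 Req 3 PAN helpers.

luhn_valid      - Luhn mod-10 check that every card-scheme PAN satisfies
find_pans       - find PAN-shaped digit runs in free text, filtered by Luhn
report_pan_leaks- line-numbered, masked findings for a log or database dump
mask_pan        - Req 3.4.1 display masking (at most BIN + last four visible)
keyed_pan_hash  - Req 3.5.1.1 keyed hash for rendering stored PAN unreadable
"""
import hashlib
import hmac
import re

# Constructed for the example only; a real key is held in an HSM/KMS, not in code.
SECRET_KEY = b"example-only-hmac-key-replace-me"

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit-only PANs found in text. The Luhn filter drops most order
    numbers, timestamps and phone numbers that a bare digit regex would flag."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str, show_bin: bool = False, bin_len: int = 6) -> str:
    """Req 3.4.1: the BIN (6 or 8 digits) plus the last four is the MAXIMUM that
    may be displayed; showing only the last four is the safer default."""
    if bin_len not in (6, 8):
        raise ValueError("BIN length must be 6 or 8 digits")
    prefix = pan[:bin_len] if show_bin else ""
    hidden = len(pan) - len(prefix) - 4
    if hidden < 1:
        raise ValueError("PAN too short to mask")
    return prefix + "*" * hidden + pan[-4:]


def report_pan_leaks(text: str) -> list:
    """(line_number, masked_pan) for every PAN found, so the finding itself
    does not re-create the problem in your ticketing system."""
    report = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            report.append((line_no, mask_pan(pan)))
    return report


def keyed_pan_hash(pan: str, key: bytes = SECRET_KEY) -> str:
    """Req 3.5.1.1: a hash used to make PAN unreadable must be keyed. An unkeyed
    SHA-256 of a PAN is reversible by brute force: with a 6-digit BIN known, the
    remaining space is 10**10 candidates, cut to about 10**9 by Luhn, which a
    laptop enumerates in minutes. HMAC with a key kept outside the database
    removes that attack; the output still works as a lookup/dedup token."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Constructed sample log lines (scheme test card numbers, not real cards).
SAMPLE_LOG = """\
2025-03-31T10:15:01Z checkout order=1234567890123456 status=ok
2025-03-31T10:15:02Z DEBUG raw_request card=4111 1111 1111 1111 exp=12/27
2025-03-31T10:15:03Z DEBUG gateway_echo pan=378282246310005
2025-03-31T10:15:04Z INFO token=tok_1234 last4=4444
"""

if __name__ == "__main__":
    for line_no, masked in report_pan_leaks(SAMPLE_LOG):
        print(f"line {line_no}: PAN found, masked {masked}")
```

Run it against a copy of your application and web-server logs before an assessment: any hit is either a logging bug to fix (as with the two DEBUG lines in the sample) or evidence that the log store is in scope for Requirement 3 and must be protected and retained accordingly.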

Realistic timeline to PCI DSS compliance

For most UK SMEs on SAQ A or A-EP, 4–8 weeks from day zero to submitted AoC. SAQ D or Level 1 QSA assessments take 3–6 months.

  1. Week 1: Scope assessment — map card data flows, identify your SAQ type, pick an ASV. Buy the pack and receive 12 bespoke policies in 48 hours.
  2. Week 2–3: Fix common gaps — enforce MFA for every route into the cardholder data environment, enable and centralise logging, document the network diagram and card-data flows, and inventory, authorise and integrity-check the scripts on the payment page (Req 6.4.3/11.6.1).
  3. Week 4: First quarterly ASV scan, remediate findings.
  4. Week 5–7: Complete the SAQ, collect evidence, sign AoC.
  5. Week 8: Submit the SAQ and AoC to your acquirer. Diarise quarterly ASV scans (where your SAQ requires them) and the annual SAQ/AoC renewal.

Frequently asked questions

Which PCI DSS version should I comply with?

PCI DSS v4.0 is the current version; v3.2.1 was retired on 31 March 2024. All future-dated v4.0 requirements became mandatory on 31 March 2025 — among them targeted risk analyses, authenticated internal scans, MFA for all access into the cardholder data environment (not only administrators), anti-phishing mechanisms, keyed hashes for stored PAN, and payment-page script management and tamper detection (Req 6.4.3 and 11.6.1). Our pack uses v4.0/v4.0.1 language.

Do I need a QSA audit or can I self-assess?

Level 1 merchants (over 6 million transactions a year, or any merchant the card brands designate as Level 1, typically after a breach) need an annual QSA-led Report on Compliance. Levels 2–4 usually self-assess via the appropriate SAQ (A, A-EP, B, C, D), chosen by how card data is handled rather than by transaction volume. Most UK SMEs are Level 4, where the acquirer typically asks for the SAQ plus quarterly ASV scans where the SAQ requires them.

Does outsourcing payments to Stripe make me compliant?

Using Stripe Checkout or a hosted iframe can bring you into SAQ A — the lightest version — provided your site only redirects to the gateway or embeds its hosted page/iframe and your own servers and page scripts never receive card data; a direct-post or JavaScript integration that handles card data in your own page moves you to SAQ A-EP. Either way you still need documented policies, access controls, a data-flow map, vendor management over Stripe (its AoC, and the responsibility matrix for which requirements it covers), and v4.0 script inventory and tamper detection on any page that loads or frames the payment form. Our pack covers SAQ A, A-EP and D scenarios.
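The "script monitoring" named in the timeline and in the answer above is the combination of Req 6.4.3 (every script on the payment page is inventoried, authorised and integrity-assured) and Req 11.6.1 (a mechanism detects unauthorised changes to the page). As an added example, not code from the PolicySuite pack, Stripe or any vendor, here is a Python monitor that parses a payment page, compares its scripts with an authorised inventory, and checks both the tag's SRI attribute and the script bytes actually served. The shop hostname, the analytics URL, the script bodies and the page itself are constructed; the Stripe.js URL is used only to illustrate the common case of a gateway script that changes without notice and therefore cannot be pinned with SRI.

```python
"""Added example (not the PolicySuite pack's or any vendor's code): payment-page
script inventory and tamper detection for PCI DSS v4.0 Req 6.4.3 / 11.6.1.

All inputs are constructed inline so this runs offline. In production, fetch the
live page and each script on a schedule (11.6.1 allows at least weekly, or the
frequency set by your targeted risk analysis) and alert on every finding."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value for a script body (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page: src + integrity attribute, or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def audit_payment_page(html: str, inventory: dict, fetched: dict) -> list:
    """Compare the scripts on the page with the authorised inventory.

    inventory: src -> expected SRI hash, or None for a script that legitimately
               changes (hosted gateway JS) and must instead be covered by CSP
               allow-listing and change alerting.
    fetched:   src -> bytes the monitor retrieved, to catch a modified file at the
               origin/CDN that a correct-looking integrity attribute would not reveal.
    Returns (finding_code, src) tuples in page order; an empty list is a clean page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s["src"]
        if src is None:
            # Inline script: must be removed or hashed into the CSP and inventoried.
            findings.append(("INLINE_SCRIPT", None))
            continue
        if src not in inventory:
            findings.append(("UNAUTHORISED", src))
            continue
        expected = inventory[src]
        if expected is None:
            continue  # unpinnable gateway script; covered by CSP + change alerts
        if s["integrity"] != expected:
            findings.append(("MISSING_OR_WRONG_INTEGRITY", src))
        body = fetched.get(src)
        if body is None or sri_hash(body) != expected:
            findings.append(("CONTENT_CHANGED", src))
    return findings


# Constructed sample data: hostname, script body and analytics URL are invented.
CHECKOUT_SRC = "https://shop.example.co.uk/static/checkout.js"
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('click', submitOrder);\n"
INVENTORY = {
    "https://js.stripe.com/v3/": None,  # hosted gateway JS, changes without notice
    CHECKOUT_SRC: sri_hash(CHECKOUT_JS),
}
PAYMENT_PAGE = f"""<html><body>
<script src="https://js.stripe.com/v3/"></script>
<script src="{CHECKOUT_SRC}" integrity="{sri_hash(CHECKOUT_JS)}" crossorigin="anonymous"></script>
<script src="https://tag.example-analytics.invalid/collect.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""


def baseline_findings() -> list:
    """Page as deployed: the un-inventoried analytics tag and the inline script are flagged."""
    return audit_payment_page(PAYMENT_PAGE, INVENTORY, {CHECKOUT_SRC: CHECKOUT_JS})


def tampered_findings() -> list:
    """Same page, but checkout.js served from the origin has changed: what 11.6.1 must catch."""
    tampered = {CHECKOUT_SRC: CHECKOUT_JS + b"/* unexpected change */\n"}
    return audit_payment_page(PAYMENT_PAGE, INVENTORY, tampered)


if __name__ == "__main__":
    for code, src in tampered_findings():
        print(code, src or "(inline)")
```

Two points the code makes that the requirement text does not: a valid `integrity` attribute in your HTML proves nothing about a script that is re-fetched and modified at its origin, so the monitor hashes the served bytes as well; and a gateway script you cannot pin still has to appear in the inventory with its business justification, with a Content-Security-Policy `script-src` allow-list doing the blocking that SRI cannot.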

How much does PCI DSS cost for a UK SME?

SAQ A/A-EP: £300–£1,500/year for ASV scanning plus internal time. SAQ D: £3,000–£10,000 of consultant help if scope is complex. Level 1 QSA assessment: £15,000–£40,000. PolicySuite replaces the policy-drafting element with a one-off £400 pack.

What policies do I need for PCI DSS v4.0?

PCI DSS has 12 high-level requirements, each requiring documented policies and procedures. Our pack covers all 12 — information security, network security, vulnerability management, access control, logging, testing, vendor management, incident response, physical security, data classification, encryption, and change control.

What does the PCI DSS Retail Starter Pack include?

12 PCI DSS v4.0-aligned policies covering all 12 requirement families, written for UK retailers and e-commerce SMEs on Shopify, WooCommerce, Stripe Checkout and similar. Covers SAQ A and A-EP scoping explicitly — see live pricing.

Skip the PCI DSS paperwork

Get 12 bespoke PCI v4.0 policies ready in 48 hours — lifetime access.

Get Started — £400