
What is PCI DSS compliance?


Keeping your customers’ information secure is a top priority. That’s why, if your business accepts card payments, it’s important to know the basics of PCI DSS (Payment Card Industry Data Security Standard).

PCI DSS* is a set of rules designed to help businesses process, store, and transmit cardholder data safely. It’s overseen by the Payment Card Industry Security Standards Council (PCI SSC).

Do I need to be PCI compliant?

While PCI DSS compliance isn’t a legal requirement in the UK, protecting your customers’ personal data most certainly is – through legislation like the Data Protection Act and UK GDPR. If you handle credit or debit card payments in any capacity, following PCI DSS is a crucial part of keeping your customers’ data secure and avoiding potential regulatory or legal trouble from bodies such as the Information Commissioner’s Office (ICO).

How Tyl by NatWest supports PCI compliance

All payments made using Tyl by NatWest card machines, NatWest Tap to Pay, or our online Payment Gateway are encrypted by default with End to End Encryption (E2EE). In addition, for merchants requiring PCI compliance at level three or above, Tyl provides access to a PCI DSS compliance validation service to help them meet those enhanced requirements.

  • Monthly fee: Our PCI service is charged on a monthly basis (per business location, whether that’s a physical shop or online store).
  • Easy validation: You’ll be guided through a straightforward self-assessment questionnaire (SAQ) and a vulnerability scan to confirm your business is handling cardholder data securely.

By partnering with Tyl, you have the reassurance that you’re backed by a provider who is committed to protecting your customers’ data at every stage of the payment journey.

Steps to becoming PCI compliant

PCI compliance isn’t a one-off exercise, but an ongoing commitment to securing card data. Here are some general steps you can take to help safeguard your payments:

  1. Avoid storing sensitive customer card data, including customer till receipts.
  2. Keep your merchant till receipts locked away securely.
  3. Use secure, complex passwords for all systems and devices.
  4. Protect business devices (e.g. laptops, tablets, mobiles) with up-to-date anti-virus software.
  5. Check your payment terminals regularly to ensure they haven’t been tampered with.

The four levels of PCI compliance

PCI DSS groups businesses into four different compliance levels, typically based on annual card transaction volume (whether in-store or online):

  • Level 4: Fewer than 20,000 e-commerce transactions per year, or up to one million total transactions.
  • Level 3: Between 20,000 and one million e-commerce transactions per year.
  • Level 2: Between one and six million transactions per year (regardless of channel).
  • Level 1: More than six million Visa transactions per year or more than six million Mastercard/Maestro transactions combined per year, or a business that has previously suffered a data breach.

Types of PCI assessments

Once you’ve identified which PCI level your business falls under, you can determine the type of PCI assessment you’ll need to complete:

  1. Qualified Security Assessor (QSA) – An external security organisation approved by the PCI Security Standards Council (SSC) to certify PCI compliance.
  2. Internal Security Assessor (ISA) – A trained in-house expert, recognised under the PCI SSC ISA programme, who can evaluate your business’s PCI controls.
  3. Report on Compliance (ROC) – Level 1 businesses must present an annual ROC from a QSA or ISA.
  4. Self-Assessment Questionnaire (SAQ) – Typically completed by Level 2, 3, or 4 businesses to confirm compliance.

As a Tyl merchant, you’ll receive guidance from us if you need access to the Safe Pay portal, hosted by Viking Cloud, or need to complete an SAQ. Our team is here to support you at every stage, and Safe Pay simplifies much of the process.

Costs of PCI compliance

Compliance costs can vary based on your business’s needs and transaction volume. For smaller companies, this might mean the monthly PCI service fee plus investment in basic security measures (like anti-virus software).

Businesses handling millions of annual transactions may need additional audits or IT infrastructure to maintain robust security standards. Either way, mitigating the risks of a potential breach is typically far more cost-effective than dealing with the fallout of data theft or fraud.

*fees apply
