PCI-DSS Guide for UK Software Development (2025)

🔒 PCI-DSS 4.0💳 SAQ-A to QSA💷 UK Market🇬🇧 FCA Aligned🆓 Free Assessment
June 202511 min readClickMasters FinTech Team

Direct Answer

PCI-DSS (Payment Card Industry Data Security Standard) applies to any UK business that processes, stores, or transmits cardholder data. The key scope reduction strategy: use hosted payment fields (Stripe Elements, Adyen Drop-in) so your system never touches cardholder data — this reduces your annual compliance obligation to SAQ-A (self-assessment questionnaire), the simplest tier. ClickMasters designs PCI-DSS scope out of your application by default.

PCI-DSS SAQ Types — Which Applies to UK Software?

This guide covers PCI-DSS v4.0 (effective March 2024, with some requirements active from March 2025). PCI-DSS v4.0 introduced significant changes to web skimming controls and customised approach requirements. Always consult a QSA (Qualified Security Assessor) for your specific compliance programme.

SAQ TypeWho It Applies ToCard Data HandlingAnnual Requirements
SAQ-ACard-not-present merchants using entirely outsourced payment processing (Stripe Elements, Adyen Drop-in)No cardholder data on your systems — fully outsourcedSelf-assessment questionnaire, no penetration test required
SAQ-A EPE-commerce merchants with payment page scripts from a third party but with some redirect controlScripts touch payment pagePen test + script integrity controls required (PCI v4.0)
SAQ-D (Merchant)Merchants that store, process, or transmit cardholder data directlyFull cardholder data environment (CDE)Full 300+ requirements, QSA assessment, annual pen test
SAQ-D (Service Provider)Service providers storing, processing, or transmitting cardholder data for othersFull CDEFull requirements + additional service provider controls

Scope Reduction — The Most Important PCI-DSS Decision

ArchitecturePCI-DSS ScopeCompliance Effort
Stripe Elements / Adyen Drop-inSAQ-A — your servers never see card dataLow — self-assessment, no pen test
iFrame redirect (PayPal-style)SAQ-A-EP — some control over checkout pageMedium — pen test required, script controls
Direct card API (PAN on your server)SAQ-D — full cardholder data environmentHigh — QSA assessment, quarterly scans, pen test
Card storage (vaulting)SAQ-D + tokenisation controlsVery high — stringent requirements, expensive

PCI-DSS v4.0 Key Changes (2024/2025)

Requirement 6.4.3: all scripts loading in the browser on payment pages must be authorised, have their integrity maintained (SRI hashes), and be inventoried. This affects SAQ-A-EP merchants significantly.

Requirement 11.6.1: detection mechanism for unauthorised script changes on payment pages (web skimming detection — Magecart-style attacks).

Customised approach: alternative to standard requirements — allowed where equivalent security is demonstrated. Requires QSA validation.

Targeted risk analysis: some requirements now require organisation-specific risk analysis to determine frequency of controls.

PCI-DSS v4.0 introduced requirements particularly relevant for e-commerce software:

FCA and UK GDPR — How PCI-DSS Interacts

Cardholder data is personal data under UK GDPR — both frameworks apply to cardholder data processing.

UK GDPR Article 32 (security) and PCI-DSS Requirement 12 (security policy) share common controls — document once, satisfy both.

Data breach notification: UK GDPR requires ICO notification within 72 hours. PCI-DSS Requirement 12.10.7 requires card scheme notification — typically faster than 72 hours. Both obligations apply.

FCA Consumer Duty: payment UX must be clear and not misleading — Stripe Elements satisfies Consumer Duty Consumer Understanding for payment screens.

PCI-DSS and UK GDPR overlap for payment data:

Frequently Asked Questions

Common questions about pci-dss guide for uk software development (2025).

Not automatically. Using Stripe Elements correctly (hosted payment fields — card data goes directly to Stripe, never to your server) reduces your scope to SAQ-A and makes compliance achievable with a self-assessment. You still need to: complete the SAQ-A annually, ensure your Stripe Elements implementation correctly scopes card data out of your system, and ensure your web application does not have XSS vulnerabilities that could steal card data client-side.

SAQ-A (Stripe Elements): annual self-assessment (2–4 hours), no cost beyond time. SAQ-A-EP: annual self-assessment + penetration test (~£2,000–£5,000/yr). SAQ-D: QSA assessment (£10,000–£50,000/yr depending on scope), quarterly ASV scans, annual pen test. ClickMasters designs SAQ-A architecture for all projects — eliminating the expensive QSA assessment by keeping cardholder data entirely within Stripe's environment.

About the Author

ClickMasters FinTech Team PCI-DSS and payment compliance specialists ClickMasters designs PCI-DSS scope reduction into all payment software projects. All projects use hosted payment fields — SAQ-A compliance by default.

Free PCI-DSS Architecture Review ClickMasters will...

Free PCI-DSS Architecture Review ClickMasters will review your payment architecture and confirm your PCI-DSS SAQ type. Free 30-minute call. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation