What does less cash and more digital payments mean for your business’ compliance?

13 January 2023

Card transactions are projected to reach 800 billion globally in 2026, an increase of 45% in comparison to 2021. This trend is likely to impact businesses of all sizes – because increased transactions can mean merchants must meet additional regulatory requirements. In addition, new payment card security standards are being introduced globally in 2024. Creating a backdrop of significant regulatory change to which businesses must adapt.

IntaForensics’ Qualified Security Assessor (QSA) team has helped hundreds of companies achieve compliance in a constantly changing regulatory world. Here, we cover the current payment card compliance thresholds and outline three questions to consider to help you prepare for the 2024 regulatory changes.


The UK’s payment card security standards and what they mean for your business

All UK merchants that handle card payment data must gain a detailed, 15-page certificate called an ‘Attestation of Compliance’ (AoC). Which proves the business is compliant with the data security standards set by the Payment Card Industry Security Standards Council.

“The whole rationale is to protect consumer’s credit and debit card data,” says David Macphail, Lead Qualified Security Assessor at IntaForensics. “Whether you’re in a cafe or high street store or you’re shopping online, whether you’re paying with a card or mobile device. The Data Security Standards (DSS) help you sleep easy by creating a secure ecosystem.”


How your business can remain proactively compliant

Many businesses make the mistake of thinking this is a ‘one and done’ activity. But an Attestation of Compliance (AoC) only lasts for one year or until the company moves into a higher tier, whichever is sooner.

There are two routes to gaining compliance. Firstly and ideally, merchants monitor their payment transaction volumes, identify when they move into a new tier and carry out the relevant assessment.

This relies on businesses continuously monitoring their transaction volumes and conducting security assurance activities.

However, most businesses only realise they’ve moved into a new tier when their acquiring bank contacts them. Merchants are then asked to formally assess themselves or complete an audit depending on the relevant tier.

As David notes, moving into a new tier can happen quite easily and not always because of an increase in business: “We worked with a media company which changed its subscription model from annual to monthly. This immediately tipped them into a higher tier with additional reporting requirements.”

Business’ regulatory obligations and what they need to do to be compliant vary based on a tier system:

  • Tier 1:
    • Covers merchants with over 6 million transactions a year across all channels plus any merchant that has experienced a data breach.
    • These companies must complete a full compliance audit carried out by an internal or external security assurance specialist.
  • Tier 2:
    • Encompasses merchants with 1 to 6 million online transactions annually.
    • They must complete an online self-assessment which must be countersigned by the business’ internal Security Assessor. Or, if the business doesn’t have one, an external Qualified Security Assessor.
  • Tier 3:
    • Includes merchants with 20,000 to 1 million online annual transactions.
    • Merchants independently complete an online self-assessment questionnaire.
  • Tier 4:
    • For merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million card-present transactions a year.
    • Merchants independently complete an online self-assessment questionnaire.


The three questions to help your business stay secure

Card payment security standard 3.2.1 will be retired throughout 2023 and replaced by version 4.0 in 2024. To prepare your business for this change – and protect your customers and business at the same time – there are three key questions to ask:

  1. Are the people in your business well trained so they know what to look for to help prevent payment fraud?
  2. Are your processes clearly documented and well understood so your people can implement them effectively?
  3. Are you getting the technology basics right, like updating your virus software and using sufficiently complex passwords?

Exploring your security from these three angles will help you identify any issues. Giving you the opportunity to take action and close the gap between where your business’ security is now and where it needs to be.


For additional expert card security support, contact one of our team on 0247 771 7780 or at sales@intaforensics.com.

Talk to our consultation team today

Contact Us

I can honestly say that your excellent customer service and communication has made our forensic instructions to you exceptionally easy. I am very conscious of the amount of time I must have taken up with various queries, requests, and then changed requests but you have always been very patient, polite and extremely helpful.

Case Review Manager - Criminal Cases Review Commission