Online Payment Security and Compliance for UK SMEs
Every business that sells online, whether through a WooCommerce store, a Shopify site, or a simple payment link, takes on legal and technical responsibilities the moment a customer enters their card details. Most small business owners know they need to be “secure.” Fewer understand what that actually means in practice, what the law requires, and how the decisions made during a website build shape their compliance obligations for years afterwards.
This guide covers the essentials of online payment security and payments compliance for UK and Irish SMEs: the standards you must meet, the risks if you don’t, the technology that does the heavy lifting, and the choices you need to make when setting up or upgrading your e-commerce site.
What Is Online Payment Security?
Online payment security refers to the combination of technical standards, legal regulations, and operational practices that protect financial data during an e-commerce transaction. It covers everything from how card data is transmitted across a network to how a business stores customer records to how it responds when something goes wrong.
For UK and Irish businesses, the regulatory environment has three main layers. First, the Payment Card Industry Data Security Standard (PCI DSS) applies to any organisation that processes, stores, or transmits cardholder data. Second, the UK GDPR and the Data Protection Act 2018 govern how customer data, including payment records, must be handled and stored. Third, Strong Customer Authentication (SCA), introduced under the Payment Services Regulations 2017 and now enforced by the Financial Conduct Authority (FCA), requires additional identity verification for most online card transactions.
None of these is optional. A business operating an online shop in Northern Ireland, the Republic of Ireland, or anywhere else in the UK is bound by all three.
The Cost of Getting It Wrong
A payment data breach is not just a reputational problem. Under the UK GDPR, the Information Commissioner’s Office can issue fines of up to £17.5 million or 4% of a company’s global annual turnover, whichever is higher. Card scheme penalties for PCI DSS non-compliance are separate and can be levied by your acquiring bank independently of any ICO action. For a small business, either fine category can be existential.
Beyond fines, the practical costs of a breach include customer notification obligations, potential litigation, and the commercial damage that follows the loss of customer trust. In a market where customers have multiple options for every purchase, a single publicised incident can redirect revenue permanently.
How Online Payments Actually Work: Gateway, Processor, Merchant Account
Understanding the roles of the three main components in a payment transaction makes compliance decisions much clearer.
The Payment Gateway
The payment gateway is the technology that securely transmits card data from the customer’s browser to the payment processor. It encrypts the data at the point of entry and passes it through a secure channel. The gateway is also where Strong Customer Authentication checks are applied. When a customer is asked to approve a transaction via their banking app, that challenge is typically triggered by the gateway.
For most SMEs, the gateway is provided by services like Stripe, PayPal, Opayo (formerly Sage Pay), or Worldpay. Choosing a gateway that is already PCI DSS Level 1 certified shifts the majority of the compliance burden away from the merchant.
The Payment Processor
The processor handles the actual movement of funds between the customer’s bank and the merchant’s acquiring bank. It communicates with card networks (Visa, Mastercard) and issues approvals or declines in real time. Most SMEs never deal with a processor directly; their gateway provider manages this relationship.
The Merchant Account
A merchant account holds funds between a customer’s payment and the payout to the business’s main bank account. Modern payment service providers like Stripe bundle the merchant account into their service, which simplifies the setup considerably compared to applying for a dedicated merchant account through a bank.
Understanding this structure matters because compliance responsibilities are distributed across these three roles. The gateway provider and processor take on significant PCI DSS obligations, but the merchant, the business selling the product, retains its own set of requirements regardless of who processes the payment.
The Foundational Security Protocols Behind Every Transaction
Three protocols underpin every secure online transaction: SSL/TLS encryption, tokenisation, and Strong Customer Authentication. Each addresses a different vulnerability in the payment journey, and all three must be in place for a site to meet current UK compliance standards.
SSL/TLS Encryption
Every e-commerce site must use SSL/TLS (Secure Sockets Layer / Transport Layer Security). This is the technology behind the padlock icon in a browser’s address bar and the “https” prefix in a URL. SSL/TLS encrypts all data in transit between a customer’s device and the web server, making it unreadable to anyone who might intercept it.
TLS is the current standard; SSL is its predecessor and is now considered insecure. Any reputable hosting provider and any competently built e-commerce site will use TLS by default. The practical issue for SMEs is not understanding the technology but ensuring it is correctly configured, kept up to date, and covers every page that handles customer data, not just the checkout page.
When ProfileTree builds e-commerce sites for clients, SSL/TLS configuration is part of the development standard, not an optional extra. Search engines treat HTTPS as a ranking signal, so a site without it suffers in both organic search and security. Our website development services include full SSL setup and ongoing monitoring as part of the build.
Encryption and Tokenisation
Encryption converts sensitive data into a coded format that can only be decoded with the correct key. In payment processing, encryption protects card data as it moves from the customer’s browser to the gateway.
Tokenisation goes a step further. Rather than storing card data at all, tokenisation replaces it with a randomly generated string of characters (a “token”) that has no exploitable value on its own. The token can be used for future transactions (useful for subscriptions or repeat purchases) without the underlying card data ever being stored in the merchant’s system.
For most SMEs, tokenisation is handled automatically by a compliant gateway. The business never sees the raw card number. This is deliberately how modern payment infrastructure is designed: removing card data from the merchant’s environment is the single most effective way to reduce PCI DSS scope.
Strong Customer Authentication (SCA)
SCA is the UK’s implementation of a European payment security requirement, now enforced by the FCA. It requires that most online card transactions be verified using at least two of the following: something the customer knows (a password or PIN), something the customer has (a registered mobile device), or something the customer is (a fingerprint or facial recognition).
In practice, SCA typically manifests as the 3D Secure 2.0 (3DS2) flow, where customers are redirected to their bank’s authentication screen or asked to approve the transaction via their banking app. Transactions that fail SCA checks must be declined by the issuing bank.
SCA applies to most UK card-not-present transactions above £30. There are exemptions: recurring transactions, low-value transactions, and transactions the issuing bank considers low-risk, but merchants cannot choose to apply or waive SCA themselves. The card schemes and issuing banks control this.
The practical implication for SMEs is that checkout friction has increased. A poorly configured gateway that triggers unnecessary SCA challenges will increase cart abandonment. A well-configured gateway that correctly applies exemptions will provide a smoother customer experience. This is a technical configuration question that sits at the intersection of development and payments strategy.
PCI DSS Compliance: What Small Businesses Actually Need to Do
PCI DSS is often misunderstood as something that only concerns large retailers. In fact, it applies to any business that accepts card payments. The requirements are tiered by transaction volume, but the smallest merchants are not exempt: they face a lighter assessment process, not a lighter standard.
How Compliance Works in Practice
PCI DSS has 12 core requirements covering areas including network security, access control, encryption, monitoring, and vulnerability management. For a large business processing millions of transactions, achieving compliance is a significant ongoing programme. For a small business using a hosted payment page from a compliant gateway provider, the scope is much narrower.
The key distinction is whether the business’s own systems ever come into contact with cardholder data:
- Hosted payment page (e.g., Stripe or PayPal redirect): The customer enters card data on the gateway provider’s page, not on the merchant’s server. The merchant’s PCI scope is minimal, and completing a short Self-Assessment Questionnaire (SAQ A) is typically sufficient.
- Integrated payment form (card fields embedded on the merchant’s site): Even if the data is sent directly to a gateway via JavaScript, the merchant has a broader scope and must complete a more detailed SAQ.
- Server-to-server processing (merchant collects and transmits card data themselves): The merchant must achieve full PCI DSS certification independently. This is rare for SMEs and inadvisable unless there is a specific business reason.
For most SMEs, the clear advice is to use a hosted or embedded payment solution from a certified gateway provider and avoid ever having raw card data pass through your own systems. The choice of payment architecture is made at the website build stage, which is why involving a development team that understands compliance is valuable from the outset.
For further reading on the broader compliance picture for UK e-commerce businesses, our guide on navigating data privacy laws in e-commerce covers how payment compliance intersects with GDPR and consumer protection obligations.
SAQs and the Compliance Process for Small Businesses
The PCI Security Standards Council provides Self-Assessment Questionnaires that allow smaller merchants to assess their own compliance without engaging an external Qualified Security Assessor. SAQ types range from SAQ A (the simplest, for businesses using a fully hosted payment page) to SAQ D (the most complex, for businesses with server-side card processing).
Your acquiring bank, the bank that processes your card payments, is your primary contact for PCI DSS compliance. They are responsible for ensuring the merchants in their portfolio are compliant, and they may charge non-compliance fees if you fail to submit a valid SAQ or scan results within the required timeframes.
Authentication Methods in Transaction Processing
Two-Factor and Multi-Factor Authentication
Two-factor authentication (2FA) requires two distinct forms of verification. In the context of payment security, this most commonly appears as the SCA flow described above: a customer presents their card details (something they have) and then verifies via their banking app (something they have or something they are).
Multi-factor authentication (MFA) is the broader principle: using more than one verification method to confirm identity. For SME business owners, MFA is relevant not just to customer-facing payments but to the admin access to their own payment dashboards, e-commerce backends, and hosting accounts. An attacker who gains access to a Stripe or WooCommerce admin account can do far more damage than one who intercepts a single transaction.
Requiring MFA for all staff with access to payment systems and e-commerce backends is a straightforward and non-negotiable security practice.
Biometric and Behavioural Authentication
Biometric authentication, including fingerprint recognition and facial ID, is now standard on mobile devices and is the primary SCA method for many banking apps. Customers approving payments via Face ID or fingerprint are completing a biometric authentication step as part of the 3DS2 flow.
Behavioural authentication is a more sophisticated layer used primarily by fraud detection systems rather than by the customer directly. It analyses patterns such as typing rhythm, mouse movement, and transaction timing to identify activity that deviates from a user’s normal behaviour. This technology operates in the background within gateway fraud tools like Stripe Radar.
Fraud Prevention for SME E-Commerce
Fraud prevention in online payments operates at several levels, and understanding which levels a small business controls directly and which are managed by their technology providers prevents both overconfidence and unnecessary complexity.
What Your Gateway Handles
A certified payment gateway provides built-in fraud detection as part of its service. Card Verification Value (CVV) checks and Address Verification Service (AVS) are standard features that compare the details submitted at checkout against what the card issuer holds on record. Transactions that fail these checks are automatically flagged or declined.
Gateway providers also operate their own machine learning fraud models. Stripe Radar, for example, uses data from millions of transactions to identify patterns associated with fraudulent activity and can apply rules that block suspicious transactions before they are processed.
What the Merchant Controls
Beyond the gateway, the business has several levers:
Order review processes. High-value orders, orders with mismatched billing and shipping addresses, and orders from high-risk regions can be held for manual review before fulfilment. This is a business process, not a technology one, but it remains one of the most effective tools for catching fraud that automated systems miss.
Chargeback management. A chargeback occurs when a customer disputes a transaction with their bank, which then reverses the payment. Excessive chargebacks can result in penalties from card schemes and, ultimately, loss of the ability to accept card payments. Keeping clear transaction records, using delivery confirmation for physical goods, and having a clear refund policy reduces chargeback exposure.
Staff access controls. Limiting who within the business has access to payment data and transaction records is both a fraud prevention and a PCI DSS requirement. No member of staff should have access to payment systems beyond what their role requires.
Fraud risk management is closely linked to a wider question of website security. Our guide on how to protect your website from cyber attacks covers the technical controls, including firewalls, software updates, and access management, that reduce the risk of the broader security incidents that often precede payment fraud.
Securing Payment Gateways: What to Look For
When choosing a payment gateway, PCI DSS Level 1 certification is the minimum requirement. Beyond certification, the key factors for SMEs are:
Hosted versus embedded checkout. A hosted checkout redirects the customer to the gateway provider’s own page to enter card details. This minimises the merchant’s PCI scope and places the security burden on the gateway. An embedded checkout keeps the customer on your site, improving the user experience, but requires more careful technical implementation to ensure card data never touches your server.
3DS2 support and exemption handling. The gateway should support 3D Secure 2.0 and apply SCA exemptions correctly to minimise unnecessary friction for genuine customers.
Fraud tooling. Look for built-in fraud detection rules that can be configured to your business’s risk profile. A digital product business has different fraud patterns from a physical goods retailer.
Dispute management tools. A clear dashboard for managing chargebacks and disputes saves significant time. Some gateways provide automated evidence submission for dispute responses.
Integration with your platform. Whether you’re on WooCommerce, Shopify, or a custom-built site, the gateway must integrate cleanly. A payment solution that requires custom development to work properly introduces risk. Our web development company handles gateway integrations across all major platforms and can advise on the platform and gateway combination that best suits a client’s transaction volumes and compliance requirements.
Protecting Customer Data: GDPR and Payment Records
Payment data is personal data. UK GDPR applies to how you collect, store, process, and retain any information that can identify a customer, including their purchase history and payment method (even tokenised).
The key GDPR obligations for e-commerce businesses in the context of payments include:
Lawful basis for processing. Processing payment data to fulfil a contract with the customer (the purchase) is straightforward. Using that data for marketing, profiling, or any purpose beyond fulfilling the transaction requires either a separate lawful basis or explicit consent.
Data minimisation. Collect only what you need. If you don’t need to store card data for future transactions, don’t. If you don’t need to retain order data beyond a reasonable period, delete it.
Retention limits. Payment records may need to be retained for tax and accounting purposes (typically six years in the UK), but they should be deleted once the retention period has passed. Keeping data indefinitely is a GDPR violation.
Breach notification. If payment data is compromised, UK GDPR requires notification to the ICO within 72 hours of becoming aware of the breach, and notification to affected customers where the breach is likely to result in risk to their rights and freedoms.
For a more detailed look at how these obligations interact with the broader digital compliance landscape, our article on UK digital compliance for e-commerce websites provides a comprehensive overview. For businesses that handle customer data across multiple channels, our guide to designing GDPR-compliant web forms addresses the data-collection side of the compliance equation.
Building a Secure E-Commerce Website: The Build-Stage Decisions That Matter
Most payment security problems that SMEs face are not caused by sophisticated attacks. They are caused by decisions made during the initial website build that were never revisited: outdated plugins left unpatched, payment forms that inadvertently capture card data, admin accounts with weak passwords and no MFA, and hosting environments with default configurations never hardened.
Getting the build right from the start is significantly cheaper than remediating problems after launch.
Platform Selection
Platform choice affects payment compliance in concrete ways. WordPress with WooCommerce offers the most flexibility but requires ongoing maintenance: plugin updates, security patches, and proper configuration of payment extensions. Shopify’s hosted environment handles more of the PCI DSS burden centrally, at the cost of flexibility and ongoing subscription fees.
For SMEs uncertain about the technical demands of maintaining a self-hosted e-commerce site, the cost of a WordPress website guide covers the full picture, including ongoing maintenance costs, which are often underestimated when businesses make initial platform decisions.
SSL Configuration
SSL/TLS must be configured correctly, not just installed. A mixed-content issue, where a secure page loads some resources over an insecure HTTP connection, will trigger browser security warnings and undermine customer confidence. Annual SSL certificate renewals must be managed proactively; an expired certificate takes a site offline for legitimate customers and bad actors alike.
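Two of the build-stage checks described above, written as an added example rather than code from ProfileTree or any hosting provider: a scan of a checkout page’s HTML for sub-resources loaded over plain http:// (and for a form that posts over HTTP, the more serious case on a page handling card data), and a conversion of the certificate notAfter string that Python’s `ssl.getpeercert()` returns into days remaining so renewals can be scheduled. The sample HTML and the dates are constructed for the example.

```python
"""Added example (not ProfileTree's code): offline checks for the two
SSL/TLS configuration problems discussed above, mixed content and
certificate expiry, run here over constructed input."""
from html.parser import HTMLParser
import ssl

# Attributes through which a page pulls in sub-resources.
_RESOURCE_ATTRS = {"src", "href", "data", "poster"}


class _MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure_resources = []   # (tag, url) loaded over http://
        self.insecure_forms = []       # form action URLs over http://

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            url = value.strip()
            if not url.lower().startswith("http://"):
                continue
            if tag == "form" and name == "action":
                # Card fields posted over HTTP: worse than a warning.
                self.insecure_forms.append(url)
            elif name in _RESOURCE_ATTRS and tag != "a":
                # <a href="http://..."> is navigation, not a sub-resource,
                # so browsers do not treat it as mixed content.
                self.insecure_resources.append((tag, url))


def mixed_content(html):
    """Return insecure sub-resources and insecure form actions found in html."""
    scanner = _MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return {"resources": scanner.insecure_resources,
            "forms": scanner.insecure_forms}


def days_until_expiry(not_after, now_ts):
    """Days remaining on a certificate.

    `not_after` uses the format of ssl.getpeercert()['notAfter'],
    e.g. 'Jun  1 12:00:00 2025 GMT'; `now_ts` is a Unix timestamp.
    A negative result means the certificate has already expired.
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    return (expiry_ts - now_ts) / 86400


# Constructed checkout page: one insecure script, one insecure image,
# a harmless http:// link, and a form posting card fields over HTTP.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<link rel="stylesheet" href="https://shop.example/style.css">
<script src="http://cdn.example/legacy-analytics.js"></script>
</head><body>
<img src="http://shop.example/img/visa-mc.png">
<a href="http://shop.example/terms">Terms</a>
<form action="http://shop.example/pay" method="post">
  <input name="card_number"><input name="cvv">
</form>
</body></html>
"""

if __name__ == "__main__":
    findings = mixed_content(SAMPLE_CHECKOUT_HTML)
    for tag, url in findings["resources"]:
        print(f"mixed content: <{tag}> loads {url}")
    for url in findings["forms"]:
        print(f"INSECURE FORM: posts card data to {url}")
    # Constructed dates: 'now' is 2 May 2025, certificate ends 1 June 2025.
    print(days_until_expiry("Jun  1 00:00:00 2025 GMT", 1746144000))
```

To run the expiry check against a live site, pass `ssl.create_default_context().wrap_socket(...)` output of `getpeercert()['notAfter']` and `time.time()` in place of the constructed values.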
Plugin and Software Maintenance
In a WordPress context, the majority of security vulnerabilities exploited against e-commerce sites come from outdated plugins, not from sophisticated attacks on core WordPress itself. A disciplined update schedule and removal of unused plugins are basic hygiene requirements for any site accepting payments.
Firewall and Malware Scanning
A web application firewall (WAF) intercepts malicious traffic before it reaches your site. For WordPress e-commerce sites, solutions like Cloudflare or Sucuri provide WAF functionality, malware scanning, and DDoS protection. Our dedicated guide on implementing firewalls for small business websites covers the options in more detail.
As Ciaran Connolly, founder of ProfileTree, notes: “When we audit e-commerce sites for clients, the security problems we find most often aren’t exotic. They’re unpatched plugins from three years ago, payment forms that weren’t built correctly, and admin accounts that have never been reviewed. The gap between ‘we have a checkout’ and ‘we have a secure checkout’ is almost always a series of small decisions that no one revisits after launch.”
AI and Payment Fraud Detection: What SMEs Should Know
Fraud detection at scale now relies heavily on machine learning. The major gateway providers use AI-driven models trained on vast datasets to identify real-time transaction patterns associated with fraud. For SMEs using platforms like Stripe or PayPal, this capability comes built in.
The practical question for most small businesses is not whether to build AI fraud detection themselves: they won’t. The question is whether they understand the tools available in their existing gateway and use them effectively. Stripe Radar, for example, allows merchants to set custom rules based on factors like transaction velocity, card country, or order value. Understanding and configuring these rules for your specific business type is a meaningful step in fraud prevention.
For SMEs thinking more broadly about AI adoption, our analysis of AI adoption rates in UK SMEs provides a picture of how AI is being used across UK businesses. For businesses further along in their AI journey, our work with SMEs successfully implementing AI solutions shows the practical approaches that work.
Digital Wallets and Evolving Payment Methods
Digital wallets, including Apple Pay, Google Pay, and PayPal, have become standard payment options for UK e-commerce. From a merchant’s perspective, they offer several security advantages.
When a customer pays via Apple Pay or Google Pay, the transaction uses a device-specific token rather than the actual card number. The merchant never receives the underlying card details. This inherently reduces PCI DSS scope and eliminates a category of card data risk.
Digital wallets also satisfy SCA requirements through device biometric authentication (Face ID, fingerprint), eliminating the additional 3DS2 challenge step for wallet payments. This produces a faster, lower-friction checkout than a standard card transaction, with positive effects on conversion rates and security.
Enabling digital wallet payments requires gateway support and typically a small amount of development work to add the relevant payment buttons to the checkout flow. For most WooCommerce or Shopify stores, this is straightforward. It is worth prioritising: in the UK, wallet payments are growing as a proportion of online transactions, and a checkout that doesn’t offer Apple Pay or Google Pay is increasingly falling short of customer expectations.
Northern Ireland and Cross-Border Trade: Specific Considerations
Northern Ireland businesses trading across the Irish border face specific payment considerations that mainland UK businesses do not.
Dual currency. Businesses selling to customers in both Northern Ireland (GBP) and the Republic of Ireland (EUR) need to consider whether to price in both currencies, which currency to present at checkout, and how their gateway handles cross-border settlements. Most major gateways support multi-currency, but the configuration requires attention.
Cross-border transaction fees. Since Brexit, UK-issued cards used for transactions with EU merchants, and vice versa, attract higher interchange fees from card schemes. For Northern Ireland businesses selling to ROI customers, or ROI businesses selling to Northern Ireland customers, this creates a cost consideration that didn’t exist pre-2021. Our analysis of the impact of Brexit on digital marketing touches on the broader regulatory changes that have affected UK-EU digital commerce.
Regulatory alignment. Northern Ireland businesses must comply with both UK FCA regulations (covering SCA and payment services) and, where relevant, EU requirements that apply to transactions with ROI customers. In practice, the major gateway providers handle this automatically, but it is worth confirming with your gateway that cross-border transactions are correctly categorised and authenticated.
Getting Online Payment Security Right
Payment security is one of those topics that feels abstract until something goes wrong. The regulatory obligations are real, the financial penalties for non-compliance are significant, and the reputational damage from a breach is rarely fully recoverable for a small business.
The good news is that the fundamentals can be achieved without specialist security expertise in-house. Use a PCI DSS-certified gateway, choose a payment architecture that keeps card data out of your systems, configure SSL correctly, keep software up to date, and require MFA on every admin account. These steps address the vast majority of risks that UK SMEs actually face.
The decisions that matter most are made before a site goes live. Getting the platform choice, gateway integration, and security configuration right at the build stage is far less costly than fixing problems afterwards. For businesses reviewing an existing site, the same principles apply: audit what you have, identify where card data flows, and close the gaps.
If you’re building or upgrading an e-commerce site and want to get the payment infrastructure right from the start, ProfileTree’s web development team works with SMEs across Northern Ireland, Ireland, and the UK on exactly these decisions.
FAQs
What is the difference between a payment gateway and a payment processor?
The gateway transmits card data securely from the customer to the processor. The processor communicates with card networks to authorise and settle the transaction. Most SMEs use a single provider that bundles both, but they perform distinct roles.
Does PCI DSS apply to my small business?
Yes, to any business that accepts card payments. What varies is the assessment level. Most small businesses using a hosted or embedded payment form from a compliant provider need only complete a Self-Assessment Questionnaire.
What is Strong Customer Authentication, and how does it affect my checkout?
SCA requires most UK online card payments to be verified using two independent factors, typically via a customer’s banking app. It applies to most transactions above £30. A gateway that supports 3D Secure 2.0 and applies exemptions correctly keeps checkout friction manageable.
What are the most common security risks in online payments for SMEs?
The most common risks are phishing aimed at staff with payment account access, account takeover through stolen credentials, card testing using many small fraudulent transactions, and chargeback fraud. The corresponding mitigations are MFA on all admin accounts, staff phishing awareness, gateway velocity rules, and clear transaction records.
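The velocity and order-value rules mentioned in the AI fraud detection section (Stripe Radar custom rules) and in this FAQ (card testing, velocity rules), modelled as an added example that is not Stripe’s or ProfileTree’s code: a sliding-window count of low-value attempts per IP or card fingerprint, and a manual-review filter for high-value orders whose card country differs from the billing country. The transaction log and the field names are constructed for the example, not a gateway’s real schema.

```python
"""Added example (not ProfileTree's or Stripe's code): a small evaluator
for the kind of velocity and order-value rules a merchant configures in a
gateway fraud tool, run offline over a constructed transaction log."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int                 # Unix seconds
    ip: str
    card_fingerprint: str   # stable id for a card; never the PAN itself
    amount_pence: int
    card_country: str       # issuing country reported by the gateway
    billing_country: str


@dataclass
class Rule:
    name: str
    window_s: int           # sliding window length in seconds
    max_attempts: int       # more than this inside the window is an alert
    max_amount_pence: int   # only attempts at or below this amount count


def card_testing_alerts(attempts, rule, key="ip"):
    """Return {key_value: peak_count} for any `key` (ip or card_fingerprint)
    with more than rule.max_attempts low-value attempts in any window."""
    by_key = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        if a.amount_pence <= rule.max_amount_pence:
            by_key[getattr(a, key)].append(a.ts)
    alerts = {}
    for k, times in by_key.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > rule.window_s:
                start += 1
            count = end - start + 1
            if count > rule.max_attempts:
                alerts[k] = max(alerts.get(k, 0), count)
    return alerts


def country_mismatch_review(attempts, min_amount_pence):
    """High-value orders whose card country differs from the billing
    country: hold for manual review rather than block outright."""
    return [a for a in attempts
            if a.amount_pence >= min_amount_pence
            and a.card_country != a.billing_country]


# Constructed log: a burst of £1.00 attempts from one IP using six different
# cards, followed by two ordinary orders, one of them high value.
BASE = 1746144000
SAMPLE_LOG = [
    Attempt(BASE + 10 * i, "203.0.113.7", f"fp_test_{i}", 100, "US", "GB")
    for i in range(6)
] + [
    Attempt(BASE + 300, "198.51.100.4", "fp_alice", 4599, "GB", "GB"),
    Attempt(BASE + 900, "198.51.100.9", "fp_bob", 125000, "IE", "GB"),
]

CARD_TESTING = Rule("card-testing", window_s=120, max_attempts=3,
                    max_amount_pence=500)

if __name__ == "__main__":
    for k, n in card_testing_alerts(SAMPLE_LOG, CARD_TESTING).items():
        print(f"velocity alert: {n} low-value attempts from {k} "
              f"within {CARD_TESTING.window_s}s")
    for a in country_mismatch_review(SAMPLE_LOG, 50000):
        print(f"manual review: £{a.amount_pence / 100:.2f}, card {a.card_country}, "
              f"billing {a.billing_country}")
```

Keying the same rule on `card_fingerprint` instead of `ip` shows why both keys matter: a card-testing burst that rotates cards passes a per-card rule and only trips the per-IP one.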