PCI DSS compliance for subscription businesses with Fibonatix

March 13, 2026

Ori Levy

Head of Client Success

PCI DSS v4.0.1, the Payment Card Industry Data Security Standard’s current mandatory framework, became the sole active standard in March 2025. For UK subscription businesses, recurring billing means your systems repeatedly store, process, or transmit cardholder data, putting you firmly in scope for its most demanding requirements.

Compliance goes beyond PCI DSS alone. Visa and Mastercard impose their own rules on subscription term disclosure, cardholder consent, and cancellation handling, layered on top of UK GDPR obligations. Getting one right while neglecting another is a common and costly mistake.

This guide covers what PCI DSS v4.0.1 requires of UK subscription businesses, where card scheme rules add further obligations, and how an FCA-regulated payment service provider can reduce your compliance burden without disrupting billing operations.

» Want to learn more about how we can support your company? Speak to our payment experts

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements, maintained by the PCI Security Standards Council, that governs how businesses protect payment card data. PCI DSS applies to any organisation that stores, processes, or transmits cardholder data, regardless of size or industry. For subscription businesses, this scope is particularly broad: every recurring billing cycle that touches card credentials is a compliance event.

Is PCI DSS compliance mandatory in the UK?

PCI DSS is not a UK statute, so no law directly mandates it. In practice, however, it is non-negotiable: Visa and Mastercard contractually require compliance from every business that accepts their cards, enforced through your acquiring bank. Non-compliance exposes you to fines from your acquirer, liability shifts in the event of a breach, and ultimately the termination of your ability to process card payments. 

For UK subscription businesses, the ICO may also take an interest in a PCI-related breach under the Data Protection Act 2018, adding a regulatory dimension on top of the contractual one.

PCI DSS v4.0.1: What changed for subscription businesses

The shift from v3.2.1 to v4.0 introduced 64 new requirements, the majority of which were designated as future-dated and became mandatory on 31 March 2025.

Requirement 6.4.3 now requires that every script running on your payment pages is inventoried, justified, and subject to integrity checks. Subscription checkout flows that load third-party scripts for analytics, chat, or tag management need to be audited against this requirement specifically. A script you have no record of authorising is now a compliance gap.

Requirement 11.6.1 mandates a change and tamper detection mechanism for payment pages, so that unauthorised modifications are identified and responded to promptly. This is a direct response to web-skimming attacks, where malicious code is injected into checkout pages to silently capture card data at the point of entry.
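As an added illustration of the two requirements (not Fibonatix's tooling or any PCI SSC reference implementation), the check below inventories every script on a checkout page against an authorised list and flags anything unlisted, unpinned or changed since approval. The page snapshots, script URLs and approved content are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: str) -> str:
    """Subresource-Integrity style digest used to pin a script's approved content."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content.encode()).digest()).decode()

# Constructed 6.4.3 inventory: authorised scripts, their justification and the digest
# of their approved content (fields.js stands in for the PSP's hosted card-capture loader).
FIELDS_JS_SRI = sri_hash("/* constructed stand-in for fields.js v1 */")
APPROVED_INLINE = "document.title = 'Checkout';"
AUTHORISED_EXTERNAL = {"https://psp.example/fields.js": ("card capture", FIELDS_JS_SRI)}
AUTHORISED_INLINE = {sri_hash(APPROVED_INLINE): "sets page title"}
class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None  # one dict per <script>: src, integrity, body
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None
def audit_page(html: str) -> list:
    """11.6.1-style tamper check: one finding per script that is unlisted, unpinned or changed."""
    p = ScriptCollector(); p.feed(html); p.close()
    findings = []
    for s in p.scripts:
        if s["src"]:
            entry = AUTHORISED_EXTERNAL.get(s["src"])
            if entry is None:
                findings.append(f"unauthorised external script: {s['src']}")
            elif s["integrity"] != entry[1]:
                findings.append(f"integrity pin missing or mismatched: {s['src']}")
        elif sri_hash(s["body"].strip()) not in AUTHORISED_INLINE:
            findings.append("inline script not in inventory or modified since approval")
    return findings

# Constructed snapshots: the approved baseline, and a later capture showing drift.
BASELINE_PAGE = f"""<script src="https://psp.example/fields.js" integrity="{FIELDS_JS_SRI}"></script>
<script>{APPROVED_INLINE}</script>"""
DRIFTED_PAGE = f"""<script src="https://psp.example/fields.js" integrity="{FIELDS_JS_SRI}"></script>
<script src="https://cdn.example/chat-widget.js"></script>
<script>{APPROVED_INLINE} document.body.dataset.v = '2';</script>"""
```

Run this against a periodic capture of the live checkout page and alert on any non-empty result; the inventory itself is the record an assessor will ask for.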

Beyond these two requirements, v4.0.1 expands multi-factor authentication obligations and introduces the option of a customised approach, allowing businesses to demonstrate an equivalent security outcome rather than follow prescriptive controls. For established subscription businesses with mature security programmes, this offers more flexibility in how compliance is evidenced.

PCI compliance levels

Your validation obligations under PCI DSS scale with transaction volume. The PCI Security Standards Council defines four merchant levels, with Visa and Mastercard setting the thresholds as follows:

| Level | Annual card transactions | Validation requirement |
| --- | --- | --- |
| 1 | Over 6 million | On-site audit by a Qualified Security Assessor (QSA) + quarterly ASV scans |
| 2 | 1 million to 6 million | Annual Self-Assessment Questionnaire (SAQ) + quarterly ASV scans |
| 3 | 20,000 to 1 million (e-commerce) | Annual SAQ + quarterly ASV scans |
| 4 | Fewer than 20,000 (e-commerce) | Annual SAQ recommended + quarterly ASV scans recommended |

Most UK subscription businesses processing through an e-commerce or recurring billing model fall into Level 3 or Level 4. That includes CBD wellness brands, online dating platforms, and digital goods providers, all of which typically process recurring card payments below the Level 2 threshold. 

That does not mean compliance is lightweight: the SAQ your business must complete depends on how your payment environment is configured, not just your volume. A subscription business that stores any cardholder data, even temporarily, will face a more demanding SAQ than one that has fully outsourced card data handling through tokenisation. 

Reducing PCI scope for subscription billing

The single most effective way to reduce your PCI DSS compliance burden is to ensure your systems never touch raw cardholder data in the first place. For subscription businesses, tokenisation is the primary mechanism for achieving this.

How tokenisation works in recurring billing

When a customer first enters their card details, your payment service provider captures that data and returns a token: a unique reference string with no exploitable value outside the payment system that issued it. Every subsequent recurring charge uses the token. Your billing infrastructure, your database, and your internal systems never see the primary account number (PAN).

Systems that do not store, process, or transmit cardholder data fall outside PCI DSS scope entirely.
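An added, constructed model of this flow (not Fibonatix's Paragon gateway or any real PSP API): the vault, the token format and the merchant store are assumptions, and the card number used is the well-known 4111... test PAN. It goes one step beyond the text by adding a scope scan that looks for PAN-shaped values in merchant-side records, the kind of evidence an SAQ asks for.

```python
import re
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check, used here only to recognise PAN-shaped values during a scope scan."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class PspVault:
    """Constructed stand-in for the provider's PCI DSS Level 1 environment, the only place
    the PAN exists; in a real flow the PSP's hosted capture calls tokenise(), not you."""
    def __init__(self):
        self._by_token = {}
    def tokenise(self, pan: str, expiry: str) -> dict:
        token = "tok_" + secrets.token_hex(12)  # random reference, not derived from the PAN
        self._by_token[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:], "expiry": expiry}
    def charge(self, token: str, amount_pence: int) -> dict:
        pan, _ = self._by_token[token]           # PAN dereferenced only inside the vault
        return {"status": "approved", "amount_pence": amount_pence, "last4": pan[-4:]}

class MerchantBilling:
    """Merchant-side subscription store: token and display data only, never the PAN."""
    def __init__(self, psp: PspVault):
        self.psp, self.subs = psp, {}
    def enrol(self, customer_id: str, rec: dict) -> None:
        self.subs[customer_id] = {k: rec[k] for k in ("token", "last4", "expiry")}
    def rebill(self, customer_id: str, amount_pence: int) -> dict:
        return self.psp.charge(self.subs[customer_id]["token"], amount_pence)

PAN_SHAPED = re.compile(r"(?<!\w)\d{13,19}(?!\w)")
def scope_scan(records: dict) -> list:
    """Evidence for the SAQ question 'does any stored field hold a PAN?': (id, field) hits."""
    return [(cid, field) for cid, rec in records.items() for field, value in rec.items()
            for run in PAN_SHAPED.findall(str(value)) if luhn_valid(run)]

def demo() -> tuple:
    psp = PspVault()
    billing = MerchantBilling(psp)
    billing.enrol("cust-1", psp.tokenise("4111111111111111", "12/27"))  # public test PAN
    receipt = billing.rebill("cust-1", 999)
    leaky = {"cust-2": {"card": "4111111111111111"}}   # a store that would need SAQ D
    return receipt["status"], scope_scan(billing.subs), scope_scan(leaky)
```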

» Explore Fibonatix’s recurring billing solutions

The compliance reduction is material

Without tokenisation, a subscription business handling raw card data may need to complete SAQ D, which covers 252 controls. With tokenisation and outsourced card capture, many businesses qualify for SAQ A, which covers a fraction of that scope. The difference in audit effort, remediation cost, and ongoing maintenance is substantial.

» See how Fibonatix’s rebill solution handles tokenised recurring payments

What this means for breach liability

When a token is issued by a PCI DSS Level 1 compliant provider, the compliance burden for securing the raw card data and the token vault sits with that provider rather than with you. If your systems are breached, there’s no cardholder data to extract. That materially reduces your financial and reputational exposure if something goes wrong.

It’s worth being precise here: tokenisation does not eliminate your accountability entirely. The PCI Security Standards Council is explicit that merchants retain ultimate responsibility for the proper implementation of any tokenisation solution they use. What shifts is the operational security burden for protecting the underlying card data. How you integrate and manage the tokenisation solution still falls within your compliance scope.

The consequences of non-compliance

For a subscription business in any sector, whether that is CBD wellness products, online dating, or digital goods, non-compliance with PCI DSS doesn’t produce a single penalty. It triggers a cascade: fines first, then liability exposure, then reputational damage, and in the worst cases, loss of the ability to process card payments entirely.

Financial penalties

Acquirers can pass through fines from Visa and Mastercard for PCI non-compliance, typically ranging from £4,000 to £80,000 per month depending on the duration and severity of the breach. These are not one-off charges. They accumulate monthly until compliance is demonstrated. For a subscription business operating on predictable recurring revenue, sustained fines of this magnitude are a direct threat to cash flow.

Legal liability

A breach that exposes cardholder data can trigger claims from affected customers and, in the UK, regulatory scrutiny from the ICO (Information Commissioner’s Office) under the Data Protection Act 2018. ICO fines for serious data breaches can reach £14 million. Liability for fraudulent transactions may also shift to the merchant where compliance cannot be demonstrated.

Reputational damage

Subscription businesses are structurally dependent on customer trust. A publicised breach does not just cost you the customers whose data was exposed; it undermines confidence in your billing model among your entire subscriber base. Churn triggered by a security incident is difficult to reverse.

Account termination

The most immediate operational risk is merchant account termination. If your acquirer determines that non-compliance created unacceptable exposure, they can withdraw processing facilities with limited notice. For a subscription business, losing the ability to process recurring card payments is not a temporary disruption; it is an existential one.

» Learn how Fibonatix’s risk management team monitors for compliance gaps

How Fibonatix supports subscription businesses with PCI DSS compliance

Reduce your compliance burden

The fastest way to shrink your PCI DSS scope is to ensure raw cardholder data never enters your systems. Fibonatix supports tokenisation for recurring billing, meaning subsequent charges reference a token rather than the card number. Businesses that configure this correctly can often qualify for SAQ A rather than SAQ D, a meaningful reduction in audit effort and ongoing maintenance cost.

Avoid card scheme penalties

Compliance gaps most often surface after a breach or a scheme audit, by which point the financial damage is already accumulating. Fibonatix’s team of payments compliance and risk management experts monitors your payment environment on an ongoing basis, working proactively to identify fraud and dispute exposures before they escalate. 

Combined with 3D Secure authentication and advanced risk management tools, this supports lower fraud-to-sales and chargeback-to-sales ratios—reducing the operational and reputational risk that follows elevated chargeback levels.

Maintain compliance through regulatory changes

PCI DSS is not static, and neither are Visa and Mastercard’s subscription billing rules. Fibonatix provides ongoing compliance support to subscription businesses across CBD, online dating, and other specialised sectors, helping them update payment processes as requirements evolve rather than scrambling to retrofit compliance after the fact. 

As an FCA-regulated payment institution and PCI DSS Level 1 compliant provider, Fibonatix carries the accreditations your auditors and acquirer will ask to see.

» Reduce your compliance exposure with Fibonatix’s risk management solutions

How do I get started with Fibonatix?

PCI DSS v4.0.1 has raised the bar for every business that accepts card payments, and subscription businesses face a higher baseline than most. Recurring billing keeps you in scope permanently, card scheme rules layer obligations on top of PCI DSS, and the consequences of getting it wrong compound quickly. 

The businesses that manage this well are not necessarily doing more work; they are structured so that compliance is handled at the infrastructure level rather than retrofitted after the fact.

Before speaking to anyone, ask yourself three questions this article can help you answer: Do you know which SAQ (self-assessment questionnaire) your current payment setup requires? Have your payment pages been audited against Requirements 6.4.3 and 11.6.1? And does your recurring billing infrastructure use tokenisation, or is raw cardholder data still moving through your systems?

If any of those answers are uncertain, it is worth a conversation. Fibonatix works with subscription businesses to reduce PCI scope through tokenisation, monitor for compliance gaps before they become scheme-level problems, and provide ongoing advisory support as requirements evolve.

» Speak to our payment experts today

Disclaimer: Fibonatix is a UK-based, FCA-regulated payment service provider (FRN 768776) specialising in merchant accounts for B2C businesses globally, but B2B exclusively to the UK and EEA. Verify our regulatory status on the FCA Financial Services Register.

FAQs

What is PCI DSS compliance?

PCI DSS (Payment Card Industry Data Security Standard) compliance means meeting the security requirements set by the PCI Security Standards Council for protecting payment card data. Any business that stores, processes, or transmits cardholder data must comply, regardless of size or industry.

Is Fibonatix PCI DSS compliant?

Yes. Fibonatix holds PCI DSS Level 1 certification, the highest level of compliance under the standard. This means the security of card data processed through Fibonatix’s infrastructure is validated annually by a Qualified Security Assessor.

Is PCI DSS compliance mandatory in the UK?

Not by statute, but effectively yes. Visa and Mastercard contractually require it from every business that accepts their cards, enforced through your acquiring bank. Non-compliance can result in fines, liability shifts, and merchant account termination.

Is Fibonatix regulated in the UK?

Yes. Fibonatix is authorised and regulated by the Financial Conduct Authority as a payment institution (FRN 768776). You can verify this on the FCA Financial Services Register.

Can Fibonatix support subscription businesses in the EEA as well as the UK?

Yes. Fibonatix operates across the UK and EEA, with offices in the UK and Germany. Merchant services are available to businesses operating in both markets.

What industries does Fibonatix work with?

Fibonatix specialises in subscription businesses operating in sectors that require a more experienced payment partner, including CBD wellness, online dating, adult physical goods, and online trading platforms.

How does Fibonatix help with chargeback management?

Fibonatix’s dedicated risk management team monitors chargeback ratios proactively and integrates with chargeback alert tools to address disputes before they escalate. This is particularly relevant for subscription businesses, where recurring billing disputes are a common driver of elevated chargeback ratios.

What changed with PCI DSS v4.0.1 for subscription businesses?

Two requirements carry the most weight. Requirement 6.4.3 mandates that every script on your payment pages is inventoried and subject to integrity checks. Requirement 11.6.1 requires a tamper detection mechanism for payment pages to catch unauthorised modifications. Both became mandatory on 31 March 2025.

How does tokenisation reduce PCI scope for recurring billing?

Tokenisation replaces the card number with a secure token after the initial transaction. All subsequent recurring charges use the token, meaning your systems never store or process the primary account number. Systems outside the card data flow fall outside PCI DSS scope, which can reduce your applicable SAQ from SAQ D to SAQ A.

Does Fibonatix support tokenisation for recurring billing?

Yes. Fibonatix supports tokenisation through its Paragon payment gateway, allowing subscription businesses to configure recurring charges against a stored token rather than raw card data. This can significantly reduce your PCI DSS scope depending on how your payment environment is set up.

What are the fines for PCI DSS non-compliance in the UK?

Acquirers can pass through card scheme fines ranging from £4,000 to £80,000 per month, accumulating until compliance is demonstrated. A breach that also exposes personal data may trigger ICO enforcement under the Data Protection Act 2018.

Do I need PCI DSS compliance if my payment provider is already compliant?

Yes. Your provider’s compliance covers their systems, not yours. If your checkout pages, servers, or internal systems interact with cardholder data in any way, you remain in scope. Using a compliant provider and implementing tokenisation correctly can significantly reduce your scope, but it does not eliminate your compliance obligations.

What is the difference between PCI DSS compliance and UK GDPR?

PCI DSS is a contractual requirement set by card schemes, focused specifically on protecting payment card data. UK GDPR is a statutory obligation under the Data Protection Act 2018, covering all personal data and enforced by the ICO. A payment card breach can trigger obligations and penalties under both frameworks simultaneously.

How often do I need to validate PCI DSS compliance?

Level 1 merchants require an annual on-site audit by a Qualified Security Assessor (QSA). Level 2, 3, and 4 merchants must complete an annual SAQ. All levels require quarterly vulnerability scans by an Approved Scanning Vendor (ASV). Some acquirers impose additional validation requirements beyond the scheme minimums.

What SAQ should a subscription business complete?

It depends on your payment environment. If you have fully outsourced card capture and use tokenisation for recurring billing, you may qualify for SAQ A. If your systems store, process, or transmit cardholder data in any form, you will likely need SAQ D, which is significantly more demanding. If you are unsure which applies, your acquirer or a QSA can confirm your scope.