Cyber Essentials Plus vs PCI DSS Self-Assessment: Which Cyber Standard Does Your Card-Handling Firm Actually Need?

Two cyber standards. Different scopes. Both apply to UK retailers and hospitality operators handling card data. PCI DSS is the payment-card industry's mandatory standard for the cardholder-data environment. Cyber Essentials Plus is the UK government scheme for the broader IT estate. The two cover different scopes and one cannot replace the other.
This article walks through where each standard applies, how the two scopes fit together, what the SAQ types mean for smaller merchants, and the cases where holding both is not just sensible but mandatory.
What each standard actually covers
PCI DSS is the Payment Card Industry Data Security Standard, set by the PCI Security Standards Council (a consortium of Visa, Mastercard, Amex, Discover, and JCB). It applies to any organisation that handles, stores, or transmits cardholder data. Compliance is mandatory for the merchant relationship with the acquiring bank. Non-compliance can mean fines, increased transaction fees, or termination of the merchant relationship.
PCI DSS scopes the cardholder-data environment (CDE): the systems that handle, store, or transmit card data, plus the systems connected to them. The CDE may be the entire network if the firm has not segmented it; it may be a small isolated subnet if proper segmentation is in place. The 12 PCI DSS requirement areas cover firewalls, default password changes, protection of stored cardholder data, encryption of cardholder data in transit, anti-virus, secure systems and applications, restricted access, unique IDs, physical access, monitoring and logging, regular testing, and information security policy.
Cyber Essentials Plus is the UK government scheme covering five technical controls applied across the firm's IT estate. The scope is agreed in the scoping conversation before assessment. The certificate lasts 12 months. The Plus level adds an external assessor who tests the controls on a sample of devices.
The shapes are different. PCI DSS is mandatory and tightly scoped to card data. CE Plus is procurement-driven and broadly scoped to the IT estate.
SAQ types for smaller merchants
PCI DSS recognises that smaller merchants who handle a low volume of card transactions can self-assess via the Self-Assessment Questionnaire (SAQ) rather than face the full Report on Compliance audit. The SAQ type depends on how the merchant handles cards:
- SAQ A: fully outsourced e-commerce (the merchant never handles card data; the payment processor handles everything)
- SAQ A-EP: e-commerce with branded checkout where the merchant's website redirects to a payment processor
- SAQ B: card-present transactions via imprint machines or standalone dial-out terminals only
- SAQ B-IP: card-present transactions via standalone IP-connected terminals only
- SAQ C: payment-application systems on a network (terminals plus a back-office system)
- SAQ C-VT: virtual terminal-only on an isolated computer
- SAQ D: everyone else (most merchants with custom integrations)
- SAQ P2PE: point-to-point encrypted terminals only
The SAQ type drives how many requirements apply. SAQ A is short (a handful of requirements). SAQ D is the full PCI DSS questionnaire. Most retailers and hospitality operators sit somewhere between the two depending on how the EPOS architecture is set up.
Where the two standards overlap
PCI DSS and Cyber Essentials both expect:
- Firewalls (PCI DSS Req 1, CE Firewalls)
- Default password changes (PCI DSS Req 2, CE Secure Configuration)
- Anti-virus on all systems commonly affected by malware (PCI DSS Req 5, CE Malware Protection)
- Regular software patching (PCI DSS Req 6.2, CE Patch Management)
- Access controls based on need-to-know (PCI DSS Req 7-8, CE User Access Control)
The overlap means a firm that has done the hard work for PCI DSS has done much of the work for Cyber Essentials Plus on the cardholder-data environment portion of the estate. The non-overlapping work for CE Plus is applying the same five controls to the broader IT estate that PCI DSS does not scope (office IT, marketing systems, customer-service tooling, e-commerce admin estate that does not touch card data).
PCI DSS goes beyond Cyber Essentials on encryption (Req 3-4), network segmentation (implicit in scope reduction), logging and monitoring (Req 10), regular testing including pen testing (Req 11), and security policy (Req 12). These are PCI-specific obligations that Cyber Essentials Plus does not address.
When both are required (the most common case)
Any UK retailer or hospitality operator that handles cards needs PCI DSS compliance for the cardholder-data environment. That is mandatory.
If the same firm also needs to satisfy any of the following (as noted in the May 2024 threshold review):
- Corporate cyber procurement reviews from B2B customers
- Cyber and brand-protection insurance renewals that ask for current cyber controls evidence
- Local authority procurement frameworks (some councils now expect Cyber Essentials from suppliers)
- Hotel-chain or restaurant-group head-office procurement requirements
then Cyber Essentials Plus on the broader IT estate is the procurement-passing artefact alongside the PCI DSS SAQ on the cardholder-data environment.
This is the most common pattern: PCI DSS SAQ on the CDE for mandatory card-industry compliance, plus CE Plus on the broader IT for procurement-driven cyber posture evidence.
When CE Plus alone is the right answer
When a firm does not handle cards directly. SAQ A merchants who outsource the entire payment process to a payment processor have minimal PCI DSS scope (typically a handful of requirements about merchant agreement language and incident response). For these firms, CE Plus, driven by procurement pressure, is the dominant cyber framework.
This includes most B2B SaaS companies, professional services firms, and many tech firms whose payment processing is fully outsourced.
How CE Plus and Cyber 365 fit alongside PCI DSS
A CE Plus certificate is valid for 12 months. The PCI DSS SAQ is annual. Both expect a continuous posture between assessment dates.
Cyber 365 is the year-round operational discipline that holds the CE Plus controls in place between assessment days. The same discipline supports the PCI DSS Req 6.2 patching expectations and Req 11.2 vulnerability scanning expectations on the cardholder-data environment systems.
The Danzell scheme update from April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. The same year-round discipline PCI DSS already required is now what Cyber Essentials requires too. Cyber 365 satisfies both.
For UK retailers and hospitality operators, the CE+ Assured Programme bundles CE Basic, CE Plus, and Cyber 365 into one monthly subscription. The PCI DSS SAQ remains a separate annual obligation between the merchant and the acquiring bank.
Where to start
Book a 30-minute scoping call. Tell us your card-handling architecture (EPOS terminals, e-commerce platform, payment processor), your current PCI DSS SAQ type if you have one, your current CE certificate status, and any procurement deadline. We come back with a written quote covering CE Plus on the broader IT estate plus, where you want it, the year-round Cyber 365 programme that supports both standards.
For multi-site retailers, the scoping call confirms whether to assess at chain level or site level. For hospitality operators with regional estates, the same scoping decision applies.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified merchant and IASME. NetSec does not bundle, broker, or upsell it.
PCI DSS and Cyber Essentials Plus are not alternatives. PCI DSS is the mandatory standard for cardholder-data environment compliance with the card industry. CE Plus is the procurement-passing artefact for the broader IT estate. UK retailers and hospitality operators handling cards need both. Cyber 365 is the year-round discipline that supports both.