Cybersecurity for UK Retail Businesses

Yes, if you accept card payments — in-store, online, or over the phone — PCI DSS applies to your business. The compliance level required depends on your annual card transaction volumes. Non-compliance can result in fines from card schemes, increased processing fees, and unlimited liability in the event of a card data breach. AMVIA helps UK retailers implement the network segmentation, access controls, and monitoring required for PCI DSS compliance.

Ransomware spreading from an office workstation or back-office PC to EPOS terminals can halt all payment processing and sales operations across a retail business. This is why EPOS network segmentation — keeping payment terminals on a separate, isolated network segment from general business IT — is a core PCI DSS and Cyber Essentials requirement. Without segmentation, a single infected device can take down an entire retail operation.

Retailers processing customer personal data — loyalty programme data, online order details, email marketing lists — must comply with UK GDPR. This requires a lawful basis for processing, clear privacy notices, data retention limits, appropriate technical security controls, and ICO breach notification within 72 hours of a personal data breach. Card payment data carries additional PCI DSS obligations on top of GDPR requirements.

Retail supply chain attacks compromise software or services used by multiple retailers — such as e-commerce platform plugins, payment processing integrations, or stock management software — to gain access to customer data and payment systems at scale. Attackers may also compromise supplier email accounts to conduct invoice fraud targeting retail finance teams. Vendor security assessments and monitoring of third-party integrations are important controls for retail businesses.

Retail staff should be trained to recognise phishing emails targeting back-office staff, social engineering attempts to gain access to system credentials, suspicious requests to change supplier bank details, signs of card skimming devices on payment terminals, and the process for reporting suspected security incidents. AMVIA provides security awareness training tailored to retail environments — covering both head office and store-level staff.