PCI DSS Compliance in UAE: What Merchants Need to Know in 2025
Complete guide to PCI DSS compliance in UAE - acquirer requirements, SAQ types, merchant levels, CBUAE context, and the fastest path to certification for UAE merchants.
Every business in the UAE that accepts Visa, Mastercard, Amex, or any payment card is subject to the Payment Card Industry Data Security Standard (PCI DSS). This is not a government regulation - it’s a contractual requirement imposed by card brands through your acquiring bank. Non-compliance risks fines of up to $100,000 per month, increased transaction processing fees, and ultimately losing the ability to accept card payments entirely.
What is PCI DSS?
PCI DSS is a set of security standards created by the PCI Security Standards Council (PCI SSC) - a body founded by Visa, Mastercard, American Express, Discover, and JCB in 2006. The current version, PCI DSS v4.0, came into mandatory effect in March 2024, replacing PCI DSS v3.2.1.
The standard is built around 12 requirements covering network security, data protection, vulnerability management, access control, monitoring, and security policy. Over 300 sub-requirements sit beneath these 12 top-level controls. PCI DSS v4.0 introduced 64 new requirements compared to v3.2.1 - if your previous assessment was against the older version, a delta review is needed.
UAE Merchant Levels
Your PCI DSS compliance requirements depend on your merchant level - determined by your annual card transaction volume across all channels (in-store, online, phone):
Level 1: Over 6 million Visa or Mastercard transactions per year, or any merchant that has suffered a data breach affecting card data. Requires an annual on-site assessment by a Qualified Security Assessor (QSA) and a Report on Compliance (ROC).
Level 2: 1–6 million transactions. Annual Self-Assessment Questionnaire (SAQ) completed by the merchant, plus quarterly ASV scans.
Level 3: 20,000–1 million e-commerce transactions. Annual SAQ plus quarterly ASV scans.
Level 4: Fewer than 20,000 e-commerce transactions, or up to 1 million total transactions. Annual SAQ. Specific requirements vary by acquirer.
The vast majority of UAE retailers, restaurants, and e-commerce businesses operate at Level 2, 3, or 4 - which means an annual SAQ submission to their acquiring bank, typically within a 90-day window from the compliance deadline.
The UAE Regulatory Context
In the UAE, CBUAE (Central Bank of the UAE) references PCI DSS in its payment infrastructure guidelines and requires card-related payment service providers to demonstrate compliance as a condition of licensing. The DFSA (Dubai Financial Services Authority) Technology Risk Framework increasingly aligns with PCI DSS requirements for DIFC-licensed entities handling payment card data.
While PCI DSS itself is enforced through card brand contracts rather than UAE law, your acquiring bank - whether Emirates NBD, Mashreq, ADCB, Network International, or an international acquirer - will require annual compliance certification as a condition of your merchant agreement. Non-compliance can result in fines that the card brands levy on your acquirer and that your acquirer passes on to you, or ultimately in termination of your merchant account.
The Fastest Path to Certification for UAE Merchants
For most UAE merchants at Level 2-4, the compliance pathway is:
Step 1 - Scope: Define what systems touch card data. If you use a fully hosted payment gateway (redirect checkout), your scope may be narrow. If you have in-store POS systems or store any card data, your scope is wider.
Step 2 - SAQ type: Select the right Self-Assessment Questionnaire type for your payment channels. Each SAQ type (A, A-EP, B, B-IP, C, or D) covers a different payment acceptance scenario. Selecting the wrong type is itself a compliance failure.
Step 3 - Gap analysis: Assess your controls against the applicable SAQ questions. Identify what’s missing.
Step 4 - Remediate: Fix the gaps. For Level 2-4 merchants, most gaps are documentation and process gaps (policies, procedures, access reviews) rather than complex technical changes.
Step 5 - Submit: Complete the SAQ, sign the Attestation of Compliance (AOC), and submit to your acquiring bank along with any required ASV scan reports.
With specialist help, most Level 2-4 UAE merchants can complete this process in 4-8 weeks. Without guidance, the same process typically takes 4-6 months - with significant risk of SAQ type misclassification or acquirer rejection.
Common UAE Merchant Mistakes
Wrong SAQ type: The most frequent compliance error. An e-commerce merchant using Stripe Elements who submits SAQ A (instead of SAQ A-EP) has submitted an inaccurate document - even if every answer is technically correct for the questions asked.
Answering ‘yes’ without evidence: SAQ questions require honest, evidenced answers. If you answer ‘yes’ to “Are anti-virus solutions deployed on all systems commonly affected by malicious software?” but haven’t actually deployed anti-malware on your CDE systems, you’ve submitted a false attestation.
Ignoring vendor compliance: If you use a payment gateway, booking engine, or other service provider that touches card data, you must verify they appear on the Visa/Mastercard list of compliant service providers. Using a non-compliant service provider is itself a PCI DSS failure.
Missing ASV scans: Many SAQ types require quarterly external vulnerability scans from an Approved Scanning Vendor (ASV). Missing a quarter creates a compliance gap that must be disclosed in your SAQ.
Book a free PCI DSS compliance call with pcidss.ae to determine your SAQ type and the fastest path to certification.
Start Your PCI DSS Journey
Book a free 30-minute compliance discovery call with our PCI DSS specialists in Dubai. We assess your current posture and identify the fastest path to compliance - actionable findings in days.