The Payment Card Industry Data Security Standards (PCI DSS) is a set of global security standards created by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that every company that collects, processes, stores, or transmits cardholder data maintains a secure cardholder data environment. PCI DSS applies to all entities that accept credit cards or are involved in payment processing, such as payment processors, acquirers, issuers, and service providers.
This document should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.
PCI DSS compliance involves 3 main things:
- Handling the admission of credit card data from customers, namely, that sensitive card details are collected and transmitted securely
- Storing data securely, which is outlined in the 12 security domains of the PCI standard, such as encryption, ongoing monitoring, and security testing of access to card data
- Validating annually that the required security controls are in place, which can include forms, questionnaires, external vulnerability scanning services, and 3rd party audits.
PCI DSS, a global standard adopted by the major card schemes (Mastercard, Visa, JCB, Diners, and American Express), defines a set of technical and operational requirements that when implemented correctly, helps you to protect cardholder data, reduce fraud, and minimize the chances of a data breach resulting from malicious attacks.
As mandated by the card schemes, every merchant that accepts credit card payments has to comply with PCI DSS requirements. Even though PCI DSS is not part of any law, the standard is applied globally and it comes with significant penalties and costs for organizations that don’t comply with the requirements. These financial consequences include non-compliance assessment fees, legal costs, and costs for forensic investigations, onsite QSA assessments, and security updates.
Before you continue, it's important to understand that:
- PCI DSS applies solely to the people, processes, and technology that collect, store, process, or transmit cardholder data, known as the Cardholder Data Environment (CDE).
- PCI DSS is not a single event, but a continuous, ongoing process. Every entity has to validate its compliance with PCI DSS annually by completing one of the official PCI SSC validation documents.
PCI compliance is a shared responsibility between you and payabl. So, when accepting payments, it is essential that you do so in a PCI-compliant manner. The complexity of this depends on your integration methods, but the simplest way is never to see or access your customers' card data.
Here are some tips:
- Use one of our integration methods that allows you to accept payments without ever handling card data: Payment link and Hosted Payments Page.
- Use Transport Layer Security (TLS) for all payment pages, so that they use HTTPS.
- Review and validate your PCI compliance once a year. Most can do this with a Self-Assessment Questionnaire (SAQ), which is provided by the PCI Security Standards Council.
The specific PCI DSS requirements applicable to you depend on how you process payments and on payabl. the integration you use. Refer to the table below to know which requirements you need to comply with.
|Integration method||Documents required|
|Hosted Payment Page or Payment Link||Your SAQ A or SAQ A-EP|
|API Integration - using your own integration platform||Your SAQ D-Merchant|
|Full card details API with a third-party service provider||PCI DSS certifications for both your Gateway Provider and Merchant. Please contact your account manager for further details.|
Updated almost 2 years ago