PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a security standard for protecting credit card data that all companies processing, storing, or transmitting card data must comply with.
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a security standard maintained by the PCI Security Standards Council (PCI SSC), which was founded by the five major card networks (Visa, Mastercard, American Express, Discover, JCB). It is not a law: it is enforced contractually through the card networks and acquirers, and it applies to every company that processes, stores or transmits cardholder data.
The standard comprises 12 main requirements grouped into six goals: a secure network and systems, protection of cardholder data, a vulnerability management programme, strong access control, regular monitoring and testing, and an information security policy. Compliance is validated annually, either through an on-site assessment resulting in a Report on Compliance (ROC) for the largest merchants or through a Self-Assessment Questionnaire (SAQ) for the rest; externally reachable systems in scope must also pass quarterly vulnerability scans by an Approved Scanning Vendor (ASV).
For most online merchants, using a PCI DSS-compliant PSP significantly reduces their own compliance effort: when card data is entered into a hosted checkout page or a tokenised payment form served by the PSP, the full card number never touches the merchant's own systems, and the merchant typically qualifies for the shortest questionnaire (SAQ A). The merchant does not drop out of scope entirely, though: the web page that embeds or redirects to the payment form remains the merchant's responsibility, and PCI DSS v4.0 explicitly requires managing the scripts loaded on payment pages (Requirement 6.4.3) and detecting unauthorised changes to them (Requirement 11.6.1), precisely because skimming scripts injected into the merchant's page can capture card data before it ever reaches the PSP.
PCI DSS examples
An online shop uses the hosted checkout of its PSP. Card data is entered on a page served by the PSP and is never received or stored by the shop server, so the shop's compliance effort is reduced to the shortest self-assessment (SAQ A) plus protecting the page that hands the customer over to the checkout.
A large retailer processes card data in its own systems and must pass an annual on-site PCI DSS assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC).
A PSP tokenises card data: instead of the real card number (the PAN), the merchant stores a token. The token is a random surrogate that cannot be reversed into the PAN outside the PSP's vault and is bound to the merchant account that created it, so a stolen token is of little use to an attacker; the real PAN exists only inside the PSP's PCI DSS-assessed environment.
PCI DSS FAQ
What is PCI DSS?
PCI DSS is the security standard of the credit card industry. It defines requirements for all companies that process, store or transmit credit card data — to protect against data loss and fraud.
Do you as a merchant need to comply with PCI DSS?
Yes, in principle, every merchant accepting card payments must comply with PCI DSS. However, for most online merchants the effort is greatly reduced when they use a PCI DSS-compliant PSP with hosted checkout, because the card number then never enters the merchant's own systems and the merchant can validate with a short self-assessment (SAQ A) instead of a full assessment.
What is tokenisation in the context of PCI DSS?
Tokenisation replaces the real card number with a token: a random value generated by the PSP that carries no information about the card number and can only be mapped back to it inside the PSP's vault. The merchant stores the token and can use it for subsequent transactions (for example recurring billing or one-click checkout) without ever holding the real card details. Because the token is random rather than derived from the card number, an attacker who steals the merchant's database cannot recover card numbers from it, and because it is bound to the merchant's account at the PSP, it cannot be used to charge cards through another account.
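The following is an added example (not code from this page or from any PSP) that illustrates the tokenisation model described in the examples section and in this FAQ answer: a hypothetical PSP-side vault hands the merchant a random token, subsequent charges go through the token, and the token is bound to the merchant that created it. It also shows, as a contrast the page does not spell out, why the token must be random rather than derived from the card number: a naive "token" computed as an unkeyed hash of the PAN can be brute-forced from information that is routinely visible, namely the first six digits (the BIN) and the last four (as printed on receipts or masked displays). The PANs used are the well-known Visa and Mastercard test numbers, the vault, merchant IDs and function names are all constructed for this example.

```python
"""Toy tokenisation vault: illustrates why a PCI DSS token is a random surrogate
rather than a value derived from the card number.

Added example, not code from the original page or from any PSP. The vault,
merchant IDs and PANs below are constructed for illustration only.
"""
import hashlib
import itertools
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812), used to reject implausible PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS Requirement 3: at most first 6 and last 4 visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical PSP-side vault: the only place where the PAN<->token mapping exists.
    The merchant never holds the PAN, only the token."""

    def __init__(self) -> None:
        self._by_token = {}         # token -> (merchant_id, pan)
        self._by_merchant_pan = {}  # (merchant_id, pan) -> token

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        key = (merchant_id, pan)
        if key not in self._by_merchant_pan:
            # Random surrogate: it carries no information about the PAN, so it cannot
            # be reversed or brute-forced outside the vault. One token per merchant
            # and card, so a repeat customer maps to the same token at this merchant.
            token = "tok_" + secrets.token_hex(16)
            self._by_token[token] = key
            self._by_merchant_pan[key] = token
        return self._by_merchant_pan[key]

    def charge(self, token: str, merchant_id: str, amount_cents: int) -> str:
        """Subsequent transaction on a stored token. The token is bound to the merchant
        that created it, so a token leaked from one merchant is useless to another."""
        entry = self._by_token.get(token)
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("token unknown or not bound to this merchant")
        return f"charged {amount_cents} to card {mask_pan(entry[1])}"


def naive_hash_token(pan: str) -> str:
    """Anti-pattern: a 'token' derived from the PAN by unkeyed hashing."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(hashed: str, bin6: str, last4: str,
                          length: int = 16) -> Optional[str]:
    """Brute-force a hash-derived token. With the BIN and last four known, only
    10**(length-10) candidates remain (a million for a 16-digit PAN)."""
    for middle in itertools.product("0123456789", repeat=length - 10):
        candidate = bin6 + "".join(middle) + last4
        if hashlib.sha256(candidate.encode()).hexdigest() == hashed:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111", "merchant_A")  # Visa test number
    print("merchant stores only:", tok)
    print(vault.charge(tok, "merchant_A", 1999))
    leaked = naive_hash_token("4111111111111111")
    print("hash 'token' recovered:", recover_pan_from_hash(leaked, "411111", "1111"))
```

The random token cannot be attacked the way the hashed one can, because there is simply no function from the PAN to the token to invert; the only way to get from one to the other is a lookup inside the vault, which is why the vault (and not the merchant) sits inside the PCI DSS-assessed environment. Note that the merchant-binding check in charge() is what stops a token stolen from one merchant from being replayed through a different account.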
What happens in the event of a PCI DSS violation?
Violations can lead to fines imposed by the card networks and passed on through the acquirer, increased transaction fees, mandatory forensic investigations, loss of the right to accept card payments and, in the worst case, liability for the fraud losses and card reissue costs that follow a data breach.

