PCI DSS – the Payment Card Industry Data Security Standard
PCI DSS stands for Payment Card Industry Data Security Standard. It is a global security standard for credit card data. PCI DSS was developed by the PCI Security Standards Council (PCI SSC), a consortium of the credit card companies Mastercard, Visa Inc, American Express, JCB International and Discover Financial Services, to protect online merchants as well as end customers from fraudulent attacks, card misuse and theft when credit card payments are made on the Internet.
All founding members of the PCI SSC have committed to integrating the Payment Card Industry Data Security Standard as a technical requirement in their respective data security compliance programs. Consequently, the PCI DSS also applies to all service providers and companies that process Visa, Mastercard and the other members' credit cards.
The PCI DSS is mandatory for all institutions that store, transmit or process credit card data. PCI compliance is validated by a Qualified Security Assessor (QSA), an Internal Security Assessor (ISA) or a Self-Assessment Questionnaire (SAQ). The latter applies to companies that process only small volumes of such data.
All online store operators and e-commerce companies that wish to offer credit card payment are therefore also subject to these compliance rules. Certifying one's own systems is very cost-intensive and can quickly run to a five-digit sum. Since the technical implementation of the criteria is also very complex and certification is rarely worthwhile for an individual store, the most common route is via a payment service provider, which offers PCI DSS-compliant payment plug-ins, among other things.
Consequences of a missing PCI DSS certification
PCI DSS conformity, or PCI DSS compliance, is a global standard. While it is not itself required by law, all countries have broadly similar regulations regarding cardholder data. If companies do not comply with this standard, in most cases the result is hefty fines from the acquirer.
There is also a risk that online merchants will lose their permission to accept payments by credit card. Those affected will probably never be able to accept card payments again, as no other acquirer is likely to sign an acceptance agreement with them. In addition, if a merchant's systems have been breached and no PCI certification was in place, the affected merchant will usually be required to undergo Level 1 PCI certification. The costs of this can amount to several thousand euros and are due anew every year, because from this point on the merchant’s own systems must be audited at regular intervals.
What needs to be done to become PCI DSS compliant
Being PCI DSS compliant means taking appropriate measures to protect the data in question from cyber theft and fraudulent use. This has further implications for businesses: a successful cyber attack can have momentous consequences for them, such as the potential loss of revenue, customers, reputation and trust. Against this backdrop, it is more important than ever to take responsibility for customer data and ensure that it is adequately protected.
Ideally, a payment service provider certified at the highest PCI DSS level provides effortless connectivity to a PCI-compliant platform from existing forms and checkout pages. As a result, online merchants never come into direct contact with their customers’ credit card data, because both processing and, if required, storage are carried out solely by the payment service provider.
PCI DSS security requirements at a glance
- Encrypting the transmission of sensitive cardholder data across public networks
- Continuously monitoring and logging all access to cardholder data
- Installing, configuring and regularly updating a firewall to protect cardholder data
- Developing and using secure systems and applications, and maintaining them regularly
- Protecting stored cardholder data: no unnecessary storage of transaction and credit card data (card number, CVC2, etc.)
- Changing, rather than using, the system passwords and other security parameters supplied by vendors/manufacturers in the factory state
- Protecting all systems from malware by using and regularly updating antivirus software
- Implementing and adhering to information security policies
- Assigning a unique user identifier to every individual with access to computer systems and cardholder data
- Restricting access to data on a “need to know” basis
- Continuously monitoring and periodically testing security systems and processes
- Restricting physical access to cardholder data
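As an added illustration of the storage and logging items in this list (example code written for this page, not part of the PCI DSS standard or of any provider's plug-in): a merchant-side step that drops the CVC2 before a payment record is persisted, truncates the card number, and writes an audit line attributed to a unique user ID. The field names, the first-six/last-four truncation rule and the sample card number are assumptions constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Sensitive authentication data: must never be persisted after authorization.
SENSITIVE_AUTH_FIELDS = ("cvc2", "track_data", "pin")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; rejects obviously malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits of the PAN (assumed policy)."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(payment: dict, user_id: str) -> tuple[dict, str]:
    """Return (record safe to persist, JSON audit-log line attributed to user_id)."""
    dropped = sorted(k for k in payment if k in SENSITIVE_AUTH_FIELDS)
    record = {k: v for k, v in payment.items() if k not in SENSITIVE_AUTH_FIELDS}
    record["pan"] = truncate_pan(payment["pan"])
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "action": "store_payment_record",
        "pan": record["pan"],  # truncated form only; never the full PAN
        "dropped_fields": dropped,
    }
    return record, json.dumps(audit)


# Constructed sample input using a widely published test card number, not a real card.
SAMPLE_PAYMENT = {"pan": "4111111111111111", "expiry": "12/27", "cvc2": "123", "amount": "19.99"}

if __name__ == "__main__":
    safe_record, audit_line = prepare_for_storage(SAMPLE_PAYMENT, "svc-checkout-01")
    print(safe_record)
    print(audit_line)
```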