Introduction
PCI DSS (Payment Card Industry Data Security Standard) is a set of practical requirements for the handling of cardholder data, covering its collection, storage, transmission and the payment process itself.
There are multiple compliance levels that apply depending on the type of service you offer and the way card data is processed. This section focuses on online payments only; physical POS terminals are out of scope here.
If your website or application is involved in payment processing (e.g., through the Direct Card API), you should follow these steps:
PCI DSS applies in any scenario where the following types of card data are involved:
- Primary Account Number (PAN): the full, unmasked card number (16 or 19 digits). PCI DSS is always required when PAN is used.
- Card expiry date: the month and year of the card's expiration. Required only when collected or stored together with PAN.
- Card Verification Value (CVV): the 3-digit security code printed on the back of the card. Required only when collected with PAN.
Note: CVV must never be stored, unless mandated by a specific payment flow, and then only for a strictly limited period.
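As an added example (not code from the original page), a small Python scanner that flags records in which an unmasked PAN or a CVV value has been persisted, which is the situation the data-element list above and the "store PAN in your own database" scenario describe. It generalises the PAN length to 13 to 19 digits (American Express PANs are 15 digits) and uses the Luhn checksum to drop timestamp-like digit runs; the sample records are constructed and the PANs are standard test numbers.

```python
import re

# Constructed sample (not real data): Luhn-valid test PANs; record 3 is a 17-digit non-PAN.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=12/27 cvv=123",  # PAN and CVV at rest
    "order=1002 token=tok_8f3a9c exp=11/26",              # tokenised: no PAN
    "order=1003 pan=4111-1111-1111-1111 exp=01/28",       # PAN with separators
    "ref=20240915123456788",                              # looks like a PAN, is not
]
# 13-19 digits with optional space/hyphen separators, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# CVV/CVC field with a 3- or 4-digit value: any hit means CVV was persisted.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in text, with separators stripped."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the classic display limit), star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_records(records) -> list:
    """Return (index, kind, detail) findings; PAN details are masked so the report stays clean."""
    findings = []
    for i, rec in enumerate(records):
        for pan in find_unmasked_pans(rec):
            findings.append((i, "pan", mask_pan(pan)))
        for m in CVV_FIELD.finditer(rec):
            findings.append((i, "cvv", m.group(0)))
    return findings

if __name__ == "__main__":
    for idx, kind, detail in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: stored {kind.upper()} found -> {detail}")
```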
PCI DSS requirements are triggered as soon as card data is entered and remain applicable through any intermediate service (if there is one) until the data reaches the acquiring bank.
- Your website hosts a custom payment form for card data entry: you collect and process card data directly.
- You receive full card data from a third-party system and pass it to the gateway/acquirer: you participate in the payment flow.
- You store PAN in your own database: you are storing sensitive cardholder data and must be compliant.
- You use a third-party hosted payment form that handles all card data entry and transmission to the gateway or acquirer: your system never sees PAN.
- You process payments using a tokenized card reference (no PAN exposure) returned by a PCI-compliant third-party provider: you do not handle sensitive card data directly.
Even if PCI DSS is not explicitly required in these cases, it is still highly recommended that you comply with SAQ A or SAQ A-EP, particularly for your application’s hosting and deployment environment.