

Scope

Payment Card Industry Data Security Standard, or PCI DSS, is a set of practical requirements and rules for handling card data (collection, storage and transmission) and for the payment process itself.

There are several compliance levels, and which one applies to an entity depends on the type of service and processing it provides. This document focuses on online payments; physical devices (POS terminals) are out of its scope.

Whenever a website or an application is considering participating in the payment process (for example, by using the Direct Card API), the following steps should be followed:

  1. Define your role in card data collection and payment processing.
  2. Check which compliance level is relevant for your business.
  3. Depending on your decision, contact the attestation authority service (PCI DSS L1) or proceed with the SAQ form.
  4. If you prefer not to participate in the payment process at all, neither collecting nor transferring payment data, you can outsource the payment processing to the Cashier product offered by us.

Card Data

PCI DSS is applicable at any event of the following data being used:

  • primary account number, or PAN: the full, unmasked card number (16 or 19 digits). Always in scope.
  • card expiry: the month and year when the card expires. In scope when collected or stored together with the PAN.
  • card verification value, or CVV: the verification number on the back of the card. In scope when collected together with the PAN.

Please note: the CVV may never be stored, unless the payment flow requires it for a strictly limited, short period of time.
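The scoping rules above can be turned into a data-discovery check. The following is an added example, not part of this wiki page or of any product described here: it flags which elements of a stored or submitted record bring PCI DSS into scope (unmasked PAN always; expiry and CVV only next to a PAN), uses a Luhn check to avoid false positives on other 16-digit numbers, and shows PAN masking (first six and last four digits, the most PCI DSS permits to display). All sample records and the token value are constructed.

```python
import re

# Constructed sample records (not real card data). RAW_FORM is what a
# self-hosted payment form would submit; TOKENIZED is what a 3rd party
# payment service returns when the PAN never reaches your service.
RAW_FORM = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123"}
TOKENIZED = {"token": "tok_constructed_8f3a", "expiry": "12/27", "last4": "1111"}
MASKED = {"pan": "411111******1111", "expiry": "12/27"}


def luhn_ok(digits: str) -> bool:
    """Luhn check; filters out 16/19-digit values that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_unmasked_pan(value: str) -> bool:
    """Full card number as described on the page: 16 or 19 digits, unmasked."""
    digits = re.sub(r"[ -]", "", str(value))
    return digits.isdigit() and len(digits) in (16, 19) and luhn_ok(digits)


def pci_scope(record: dict) -> set:
    """Elements that bring a record into PCI DSS scope: PAN always,
    expiry and CVV only when they sit next to an unmasked PAN."""
    scoped = set()
    if any(is_unmasked_pan(v) for v in record.values()):
        scoped.add("PAN")
        if "expiry" in record:
            scoped.add("expiry")
        if "cvv" in record:
            scoped.add("CVV")
    return scoped


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: first six and last four digits are the most
    PCI DSS permits to show; everything in between becomes '*'."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    for name, rec in (("raw form", RAW_FORM), ("tokenized", TOKENIZED), ("masked", MASKED)):
        print(f"{name}: in scope -> {sorted(pci_scope(rec)) or 'nothing'}")
    print("masked PAN:", mask_pan(RAW_FORM["pan"]))
```

The tokenized and masked records come back empty, which is exactly the "PAN not present" situation that keeps a service out of PCI DSS scope.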

Use Cases

In brief, PCI DSS scope begins exactly where the card data is entered, continues through each intermediate service (if any), and ends at the acquiring bank.


PCI DSS is applicable when...

Hosting a payment form with your own design and behavior means that you collect the payment card details, and so you participate in the payment flow.

Accepting the full card details from a 3rd party service and passing them on to the payment gateway or the acquirer means that you participate in the payment flow.

Having the PAN stored in your database means that you store the payment card details.


PCI DSS is NOT required when...

Hosting or connecting a 3rd party payment form that takes care of card data entry and transmission to the gateway or the acquirer, while the PAN is never received back by your service, means that the payment processing is fully outsourced.

Using a 3rd party payment service that provides you a tokenized card representation (PAN not present) to be used by your service for future payments means that the payment processing is fully outsourced.

Although there is no explicit PCI DSS demand in the above cases, it is still highly recommended that you consider completing SAQ A or SAQ A-EP for the hosting or installation environment of your application.