Scope

PCI DSS (Payment Card Industry Data Security Standard) is a set of practical requirements for handling cardholder data, covering its collection, storage and transmission as well as the payment process itself.

There are multiple compliance levels that apply depending on the type of service you offer and on how card data is processed. This section covers online payments only; physical POS terminals are out of scope here.

If your website or application is involved in payment processing (e.g., through the Direct Card API), you should follow these steps:

  1. Determine your role in data collection and payment processing.
  2. Identify the PCI compliance level applicable to your business:
     Refer to this guide for assistance.
  3. Choose your compliance path:
     • Contact a certified PCI DSS Level 1 auditor (for full attestation), or
     • Complete the relevant Self-Assessment Questionnaire (SAQ).
  4. If you prefer not to handle card data directly, you can fully outsource the payment process by using our Cashier product.

Card Data

PCI DSS applies in any scenario where the following types of card data are involved:

  • Primary Account Number (PAN):
    The full, unmasked card number (16 or 19 digits).
    PCI DSS is always required when PAN is used.

  • Card Expiry Date:
    Month and year indicating the card’s expiration.
    Required only when collected or stored together with PAN.

  • Card Verification Value (CVV):
    The 3-digit security code printed on the back of the card.
    Required only when collected with PAN.

Note: CVV must never be stored, unless a specific payment flow mandates it, and then only for a strictly limited period.

Use Cases

PCI DSS requirements are triggered as soon as card data is entered and remain applicable along the entire path, including any intermediate service, until the data reaches the acquiring bank.

When PCI DSS applies:

  • Your website hosts a custom payment form for card data entry.
    You collect and process card data directly.

  • You receive full card data from a third-party system and pass it to the gateway/acquirer.
    You participate in the payment flow.

  • You store PAN in your own database.
    You are storing sensitive cardholder data and must be compliant.

When PCI DSS is not required:

  • You use a third-party hosted payment form that handles all card data entry and transmission to the gateway or acquirer.
    Your system never sees PAN.

  • You process payments using a tokenized card reference (no PAN exposure), returned by a PCI-compliant third-party provider.
    You do not handle sensitive card data directly.

Even if PCI DSS is not explicitly required in these cases, it is still highly recommended that you comply with SAQ A or SAQ A-EP, particularly for your application’s hosting and deployment environment.
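The practical test for "your system never sees PAN" is what actually lands in logs and databases. As an added example (not part of the original wiki page), the following Python scanner finds Luhn-valid 13- to 19-digit runs in application log lines and masks them to the first six and last four digits, which is the most PCI DSS allows to be displayed. The log lines and the 19-digit number are constructed; the 4111... value is the standard test PAN.

```python
import re

# 13-19 digits, optionally split by single spaces/dashes; covers the page's 16- and 19-digit PANs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that every PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)

def find_pans(text: str) -> list[str]:
    """Luhn-valid candidates in `text`, digits only. Roughly one in ten random
    digit runs also passes Luhn, so treat hits as leads to review, not proof."""
    return [d for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(d := _digits_only(m.group()))]

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_pans(text: str) -> str:
    """Replace every Luhn-valid candidate in `text` with its masked form."""
    def _sub(m: re.Match) -> str:
        d = _digits_only(m.group())
        return mask_pan(d) if luhn_valid(d) else m.group()
    return PAN_CANDIDATE.sub(_sub, text)

def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """1-based line numbers mapped to the PANs found on that line (hits only)."""
    return {n: pans for n, line in enumerate(lines, 1) if (pans := find_pans(line))}

# Constructed sample log lines: 4111... is the standard test PAN, the 19-digit one is made up.
SAMPLE_LOG = [
    "2024-05-01 12:30:45 INFO order=1234567890123456 status=paid",
    "2024-05-01 12:30:46 DEBUG request body: card=4111 1111 1111 1111 exp=12/27",
    "2024-05-01 12:30:47 DEBUG token=tok_9f8e7d6c5b4a reused for customer 42",
    "2024-05-01 12:30:48 DEBUG legacy pan 6011000000000000001 (19 digits)",
]

if __name__ == "__main__":
    for n, pans in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {mask_pan(pans[0])} -> {redact_pans(SAMPLE_LOG[n - 1])}")
```

The order id on the first line is 16 digits but fails the Luhn check, so only the two lines carrying card numbers are reported.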