Introduction
The Payment Card Industry Data Security Standard (PCI DSS) is a set of practical requirements and rules for handling card data (collection, storage and transmission) and for the payment process itself.
There are several compliance levels, and which one applies to an entity depends on the type of service and processing it provides. This section focuses on online payments; physical devices (POS terminals) are out of scope for this document.
Whenever a website or an application intends to take part in the payment process (for example, by using a Direct Card API), the following steps should be followed:
PCI DSS applies whenever any of the following data is used:
Please note: the CVV must never be stored, except where the payment flow requires it for a strictly limited, short period of time.
In brief, PCI DSS scope starts exactly where the card data is entered, continues through each intermediate service (if any), and ends at the acquiring bank.
PCI DSS is applicable when...
Hosting a payment form with your own design and behavior means that you collect the payment card details yourself, and therefore you participate in the payment flow.
Accepting full card details from a 3rd party service and passing them on to the payment gateway or the acquirer means that you participate in the payment flow.
Having the PAN stored in your database means that you store payment card details.
PCI DSS is NOT required when...
Hosting or embedding a 3rd party payment form that handles card data entry and transmission to the gateway or the acquirer, where the PAN is never returned to your service, means that payment processing is fully outsourced.
Using a 3rd party payment service that provides your service with a tokenized card representation (the PAN is not present) for future payments means that payment processing is fully outsourced.
Although PCI DSS is not explicitly required in the above cases, it is still highly recommended that you complete SAQ A or SAQ A-EP for the hosting or installation environment of your application.
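As an added illustration of the scoping rules above (example code written for this page, not part of the original document or any PCI SSC material): a small Python check that classifies stored fields as PAN (in scope), CVV (must not be stored) or acceptable data such as a token or a masked value. The field names, the CVV field-name list and the sample record are constructed; the card number is the well-known test number, not a real card.

```python
import re
from typing import Dict, List

# A PAN candidate is 13-19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run (so long IDs are not flagged).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed list of field names that typically hold sensitive authentication data.
_CVV_FIELD_NAMES = {"cvv", "cvc", "cvv2", "cid", "security_code"}

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(value: str) -> List[str]:
    """Return Luhn-valid, card-number-like digit sequences found in a string."""
    found = []
    for m in _PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def scope_record(record: Dict[str, str]) -> Dict[str, str]:
    """Classify each field as 'pan' (puts you in PCI DSS scope), 'cvv' (must not
    be stored at rest) or 'ok' (tokens, masked values, unrelated data)."""
    result = {}
    for name, value in record.items():
        if name.lower() in _CVV_FIELD_NAMES and value.strip():
            result[name] = "cvv"
        elif find_pans(value):
            result[name] = "pan"
        else:
            result[name] = "ok"
    return result

# Constructed sample record: a token, a full PAN, a CVV, a masked PAN and an order id.
SAMPLE_RECORD = {
    "card_token": "tok_c0ffee1234",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "masked_pan": "411111******1111",
    "order_ref": "order 20240101",
}

if __name__ == "__main__":
    for field, verdict in scope_record(SAMPLE_RECORD).items():
        print(f"{field}: {verdict}")
```

Only the token and masked fields come back as "ok"; a full PAN or a stored CVV in your own database is exactly what moves you out of the fully outsourced cases.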