PCI DSS Certification

Information for PAYONE GmbH customers on the change in PCI DSS requirements from version 3.2.1 to version 4.0 at a glance

On 31.03.2022, the PCI Security Standards Council (PCI SSC) published version 4.0 of the PCI DSS (Payment Card Industry Data Security Standard). For companies subject to PCI DSS verification requirements from 31.03.2024 pCI DSS version 4.0 will completely replace the previous version 3.2.1.

This means, for example, that a PCI certificate of conformity according to version 3.2.1 recognized on 30.03.2024 is valid for one year and then the renewal of the certificate must be available in version 4.0 by 30.03.2025.

The PCI DSS companies requiring proof are currently defined by PAYONE as follows:

All e-commerce merchants
All contracts with companies in PCI Level 1 and 2 (Level 1 and 2 merchants are defined as having more than 1 million transaction submissions p.a. to VISA or Mastercard and/or store, process or transmit card payment data. A Level 1 merchant has more than 6 million transactions per year)

What will change with version 4.0 in general?

PCI DSS version 4.0 brings significant changes. Here are a few examples:

There are expanded requirements for documenting and reporting security incidents.
Multi-factor authentication (MFA) is now mandatory for all access to the Cardholder Data Environment (CDE).
Regular penetration tests are now required at shorter intervals.
When validating PCI DSS compliance, greater attention is paid to the effectiveness of the implemented security controls.

FAQ
all about PCI DSS

What is PCI DSS?
PCI DSS stands for "Payment Card Industry Data Security Standard" and is a global security standard developed and managed by the PCI Security Standards Council (PCI SSC). It is based on the best practices and requirements of the major payment card organizations such as Visa, Mastercard, American Express, Discover and UnionPay. The current version is PCI DSS 4.0.1 (as of August 2024). The aim of PCI DSS is to protect payment card data by creating a framework of technical and operational requirements for all organizations involved in the processing of payment card data. This includes merchants, payment processors and service providers.
PCI DSS defines a set of security controls and procedures that merchants and service providers must implement to protect credit card data. Compliance with these standards is reviewed regularly. The PCI DSS compliance levels for merchants (Levels 1 through 4) are based on annual transaction volume, type of card processing (e.g., storage, processing, transmission) and other factors determined by the payment card organizations. It is important to understand that the responsibility for compliance with the PCI DSS standards lies with each merchant that accepts credit card payments.
What does this mean for you as a merchant?
In principle, every merchant who accepts credit card payments is responsible for protecting the associated card data and must comply with the PCI DSS requirements. The exact requirements for compliance with the PCI DSS standards depend on your merchant level (Level 1 to 4), which in turn depends on your annual transaction volume and the type of card processing (e.g. storage, processing, transmission).
Failure to comply with PCI DSS standards can result in high penalties from the payment card organizations, increased transaction fees or even termination of your credit card acceptance agreement. Processing and storing credit card data yourself therefore not only carries a considerable financial risk for you as a merchant, but also the risk of a loss of reputation. It is therefore important to understand and implement the security requirements of PCI DSS 4.0.1 in order to protect your customers' card data and ensure the continuity of your business operations.
Am I obliged to comply with PCI DSS?
Yes, if you offer credit card payments, you undertake to comply with the PCI DSS security standard.
According to the regulations of the credit card organizations, the PCI DSS standard must be complied with by all companies that technically process or store credit card data. The integration of certified products from a payment service provider, such as PAYONE, means that a PCI DSS proof of compliance can be created quickly and easily. If necessary, PAYONE will ask its customers to submit proof of compliance on the PCI platform.
Is certification necessary?
The question of whether a formal "certification" in the narrower sense is necessary depends on your merchant level (Level 1 to 4) and the requirements of the respective payment card organization (Visa, Mastercard, etc.). Regardless of your level, however, you are always obliged to provide proof of compliance with the PCI DSS standards (proof of compliance) to the payment card organizations. Level 1 merchants are generally obliged to have an annual audit carried out by a Qualified Security Assessor (QSA). Level 2-4 merchants can usually complete a Self-Assessment Questionnaire (SAQ) to validate compliance. PAYONE can provide you with information on the validation process and compliance validation. Here you can find detailed information on the certification process and compliance validation.
How do I get my access to PAYONE PCI DSS?
PAYONE provides merchants who need to provide proof of PCI DSS compliance with a link and password to access the PAYONE PCI DSS platform. The contact person responsible for PCI in the company can then log on to the platform and is guided through the process to select and complete the appropriate self-assessment questionnaire (SAQ).
To make selecting and processing the right SAQ as easy as possible, the PAYONE PCI DSS platform offers the following functions:
Specific questions on the acceptance and processing of credit card data are used to determine the right SAQ type for your company.
The platform helps to determine whether quarterly external vulnerability scans are required to provide proof of compliance.
The SAQ is made available directly online for completion and caching, with explanatory and help texts.
Results of external vulnerability scans can be uploaded to the platform.
If required, you can order vulnerability scans directly via our PCI cooperation partner, usd AG, at preferential conditions.
Please note that the online platform "Worldline Payment Guard" supports you in creating your proof of compliance, but the responsibility for compliance with the PCI DSS requirements remains with you as a merchant. The current version of the standard to follow is PCI DSS 4.0.1 (August 2024).
To the PCI DSS portal
What are the benefits of PCI DSS certification via PAYONE?
Simplified PCI DSS compliance when using the PAYONE platform via the Client API
Support by phone and e-mail from the experts at the PAYONE PCI DSS Competence Center
Support for categorizing and answering the questions on the PCI DSS platform
Maximum security standards for customer data at PAYONE
Risk-free option for accepting credit card payments
Secure processing of credit card payments
For online merchants: Our client API
Using the Client API is a smart solution for you as a merchant that makes it extremely easy for you to prove PCI DSS compliance. The Client API enables payments to be processed without the buyer being redirected away from your online offering. Using the "Hosted Multi iFrame Solution" from PAYONE, you can integrate PCI DSS-relevant input fields for card data as individual iFrames in your individual payment form. This gives you the greatest possible flexibility while maintaining PCI DSS compliance.
Why is your data safe with PAYONE?
PAYONE relies on comprehensive security measures to ensure the security of your data. To ensure reliable data security, PAYONE operates multiple server and database systems in real-time parallel operation as a maximum availability solution. Data transmission, storage and further processing of sensitive payment data is exclusively encrypted using TLS (Transport Layer Security) technology. This ensures that third parties do not come into contact with sensitive payment data at any stage of the process. PAYONE fulfills the requirements of PCI DSS 4.0.1.
This maximum level of security at PAYONE is verified by external certification in accordance with Level 1 of the PCI DSS. In an on-site audit lasting several days by an independent Qualified Security Assessor (QSA), all security-relevant areas are checked in detail and compared with the strict requirements of the PCI DSS standard. This primarily includes the up-to-dateness and permanent security of the IT infrastructure as well as the encryption and defense technologies used. All internal processes and guidelines are also carefully checked and logged against the background of the security of sensitive credit card data.
Every quarter, external security experts carry out penetration tests in which real attacks on the system are simulated in order to uncover potential vulnerabilities. In this way, security vulnerabilities can be identified and rectified in good time, thus blocking the path to criminal activities in advance.

Recommendation to company/dealer/customer:

PCI DSS Security for credit card data

FAQ
all about PCI DSS

Download the
PCI DSS certificate

PAYONE PCI DSS - Zertifikat Juni 2025 - deutsch

PAYONE PCI-DSS EN Certificate 2025

PCI DSS Security for credit card data

FAQ all about PCI DSS

Download the PCI DSS certificate

PAYONE PCI DSS - Zertifikat Juni 2025 - deutsch

PAYONE PCI-DSS EN Certificate 2025

FAQ
all about PCI DSS

Download the
PCI DSS certificate