Countless cases of credit card misuse in the past have not only resulted in significantly damaging the reputation of this payment method, but also incurred high costs for many online traders. Even today, many customers persistently believe that it is not safe to pay by credit card on the internet.

It is partly for these reasons that the credit card companies have agreed on the common Payment Card Industry Data Security Standard (PCI DSS) to ensure the data security of credit card data. According to the regulations of the credit card organisations, all companies technically processing and storing credit card data must comply with the PCI standard.

What does PCI DSS mean?

PCI DSS stands for Payment Card Industry Data Security Standard and is based on the security programmes Visa AIS (Account Information Security) and MasterCard SDP (Site Data Protection). These comprise extensive and cost-intensive security measures that are required to protect the data security of the credit card companies and which must be checked and audited at regular intervals. Depending on the annual transaction volume, the certification requirements are divided into four categories. All payment service providers automatically fall under the most stringent level 1 requirements.

What does this mean for you as a merchant?

Basically, any merchant processing credit card payments or storing related data on their own systems is required to pass the mandatory certification. If credit card transactions are processed without the appropriate certification, this may result in serious penalties and even the cancellation of the credit card acceptance agreement. For you as an online trader, processing and storing credit card data yourself thus represents a significant risk, which can be contained only with tremendous effort.

Is certification necessary in every case?

It depends. Online merchants who do not store, process or transmit any credit card data themselves (e.g. in the merchants' own systems) can avoid extensive certification if they use a payment service provider like PAYONE, which is already PCI DSS certified to handle credit card data. They are nevertheless obligated to provide the credit card organisations with evidence of their conformity with the PCI standard.

How PAYONE helps you with PCI DSS compliance

To keep the selection and completion of the right questionnaire as simple as possible, we offer our merchants access to our PCI DSS platform. The right SAQ type is determined for your company with the help of targeted questions on the acceptance and handling of credit card data. These questions also establish whether quarterly vulnerability scans are necessary to produce evidence of PCI conformity with the status "PCI compliant".

The self-assessment questionnaire is then provided to be filled in and temporarily stored online with explanations and assistance. You can also upload the vulnerability scan reports onto our PCI DSS platform or order these directly from our cooperation partner usd AG at preferential terms and conditions.

Our PCI Support will be happy to assist you further by phone or email if you have any questions or difficulties.


Client API
The use of our Client API is a smart solution to simplify the proof of PCI DSS compliance. The Client API allows you to process payments without redirecting the customer from your online offering to other sites. Using AJAX technology or a cloaked redirect and the Hosted Multi iFrame Solution for credit card payments, you are able to transfer the data directly from the consumer's browser (client) to PAYONE. Because the card data never passes through your own servers, you benefit from a significantly simplified PCI DSS conformity via the SAQ A (self-assessment questionnaire A) questionnaire.
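The SAQ A simplification described above rests on one assumption: no primary account number (PAN) ever reaches the merchant's own systems. The following added example (not PAYONE code, and not part of the Client API) shows a merchant-side guard that scans an incoming request body for Luhn-valid 13 to 19 digit sequences, so that an integration mistake which starts posting raw card numbers to the merchant backend is detected instead of silently widening the PCI scope. The request shape and field names are constructed for illustration.

```javascript
// Added example: verify the "card data never touches the merchant server"
// assumption behind SAQ A. Field names and request bodies are constructed.

// Standard Luhn checksum over a string of decimal digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Walk a parsed request body and return the paths of all fields whose
// value contains a 13-19 digit run that passes Luhn (a probable PAN).
// Spaces and dashes are stripped first so "4111 1111 ..." is still caught.
function findCardholderData(value, path = "") {
  const hits = [];
  if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      hits.push(...findCardholderData(child, path ? `${path}.${key}` : key));
    }
    return hits;
  }
  if (typeof value !== "string" && typeof value !== "number") return hits;
  const normalised = String(value).replace(/[\s-]/g, "");
  const candidates = normalised.match(/\d{13,19}/g) || [];
  if (candidates.some(luhnValid)) hits.push(path || "<root>");
  return hits;
}

// True when the body carries only scope-neutral data (order ids, amounts,
// a token issued by the payment service provider) and no PAN.
function isScopeSafe(body) {
  return findCardholderData(body).length === 0;
}

// Constructed sample: what a merchant backend should see after a
// browser-to-PSP card capture (token only), and what it must never see.
const safeBody = { orderId: "A-1001", amount: 4990, currency: "EUR", cardToken: "tok-constructed-1" };
const leakedBody = { orderId: "A-1001", card: { number: "4111 1111 1111 1111", cvc: "123" } };
console.log(isScopeSafe(safeBody), findCardholderData(leakedBody));
```

A backend can call isScopeSafe on every request that reaches payment-related endpoints and reject plus alert on a hit, since any PAN arriving there means the SAQ A eligibility no longer holds.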

Why your data are safe with PAYONE

To ensure reliable data security, PAYONE runs multiple servers and database systems in real-time parallel operation as a high-availability solution. TLS (Transport Layer Security) and other encryption methods are applied to all transmission, storage and processing of sensitive payment data. Sensitive payment data is never disclosed to any third party during any of the process steps. This maximum level of security is verified via external level 1 PCI DSS certification. During a multi-day on-site audit, all security-related areas are analysed in detail and checked against the strict requirements of the PCI standard. These checks are primarily aimed at finding out whether the IT infrastructure is up to date and provides a consistent and uninterrupted level of security, and which encryption and defence technologies are in use. In addition, all internal processes and policies are screened closely with regard to the security of sensitive credit card data, and recorded in detail. The audit goes beyond reviewing existing systems: quarterly real-world attacks on the live system are aimed at finding potential weaknesses. So-called penetration testing is used to check whether external attacks could compromise the system. This makes it possible to anticipate and fix potential security flaws in time, before they can be exploited for criminal activity.

All benefits at a glance

  • Simplified proof of PCI DSS compliance by using the PAYONE payment platform via the Client API 
  • Support with classifying and answering the questions on the PCI DSS platform
  • Support by phone and email from PAYONE PCI DSS Competence Center experts
  • Highest safety standards for customer data with PAYONE
  • Risk-free way to accept credit card payments
  • Secure processing of credit card payments without any extra effort